authordfr <dfr@FreeBSD.org>2008-05-07 13:53:12 +0000
committerdfr <dfr@FreeBSD.org>2008-05-07 13:53:12 +0000
commitbe0348cb75cae58cd1683f6fdbff884cb9bc405b (patch)
tree1338a6c0e5d3e7c3b0da720ac15cd79fc72c6b5a /kerberos5/lib
parent52bf09d8197dd1ec84e1ab72684f2058f0eae9e1 (diff)
Fix conflicts after heimdal-1.1 import and add build infrastructure. Import
all non-style changes made by heimdal to our own libgssapi.
Diffstat (limited to 'kerberos5/lib')
-rw-r--r--kerberos5/lib/Makefile6
-rw-r--r--kerberos5/lib/Makefile.inc2
-rw-r--r--kerberos5/lib/libasn1/Makefile411
-rw-r--r--kerberos5/lib/libgssapi/Makefile58
-rw-r--r--kerberos5/lib/libgssapi_krb5/Makefile79
-rw-r--r--kerberos5/lib/libgssapi_krb5/gss_krb5.c831
-rw-r--r--kerberos5/lib/libgssapi_krb5/prefix.c33
-rw-r--r--kerberos5/lib/libgssapi_ntlm/Makefile44
-rw-r--r--kerberos5/lib/libgssapi_ntlm/prefix.c33
-rw-r--r--kerberos5/lib/libgssapi_spnego/Makefile48
-rw-r--r--kerberos5/lib/libgssapi_spnego/prefix.c45
-rw-r--r--kerberos5/lib/libhdb/Makefile23
-rw-r--r--kerberos5/lib/libheimntlm/Makefile11
-rw-r--r--kerberos5/lib/libhx509/Makefile103
-rw-r--r--kerberos5/lib/libkadm5clnt/Makefile3
-rw-r--r--kerberos5/lib/libkadm5srv/Makefile1
-rw-r--r--kerberos5/lib/libkafs5/Makefile2
-rw-r--r--kerberos5/lib/libkrb5/Makefile77
-rw-r--r--kerberos5/lib/libroken/Makefile5
19 files changed, 1722 insertions, 93 deletions
diff --git a/kerberos5/lib/Makefile b/kerberos5/lib/Makefile
index 1d07e0b..c629f24 100644
--- a/kerberos5/lib/Makefile
+++ b/kerberos5/lib/Makefile
@@ -1,6 +1,8 @@
+
# $FreeBSD$
-SUBDIR= libasn1 libgssapi libhdb libkadm5clnt libkadm5srv \
- libkafs5 libkrb5 libroken libsl libvers
+SUBDIR= libasn1 libgssapi_krb5 libgssapi_ntlm libgssapi_spnego libhdb \
+ libheimntlm libhx509 libkadm5clnt libkadm5srv libkafs5 libkrb5 \
+ libroken libsl libvers
.include <bsd.subdir.mk>
diff --git a/kerberos5/lib/Makefile.inc b/kerberos5/lib/Makefile.inc
index 441a0ec..dc07383 100644
--- a/kerberos5/lib/Makefile.inc
+++ b/kerberos5/lib/Makefile.inc
@@ -1,5 +1,5 @@
# $FreeBSD$
-SHLIB_MAJOR?= 9
+SHLIB_MAJOR?= 10
.include "../Makefile.inc"
diff --git a/kerberos5/lib/libasn1/Makefile b/kerberos5/lib/libasn1/Makefile
index b42f802..4a9c21e 100644
--- a/kerberos5/lib/libasn1/Makefile
+++ b/kerberos5/lib/libasn1/Makefile
@@ -1,33 +1,247 @@
# $FreeBSD$
LIB= asn1
-INCS= asn1_err.h krb5_asn1.h
+INCS= asn1_err.h heim_asn1.h
SRCS= asn1_err.c \
asn1_err.h \
der_copy.c \
+ der_cmp.c \
der_free.c \
+ der_format.c \
der_get.c \
der_length.c \
der_put.c \
- krb5_asn1.h \
+ extra.c \
timegm.c \
${GEN:S/.x$/.c/}
CFLAGS+=-I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken -I.
-GEN= asn1_APOptions.x \
+GEN_RFC2459 = \
+ asn1_Version.x \
+ asn1_id_pkcs_1.x \
+ asn1_id_pkcs1_rsaEncryption.x \
+ asn1_id_pkcs1_md2WithRSAEncryption.x \
+ asn1_id_pkcs1_md5WithRSAEncryption.x \
+ asn1_id_pkcs1_sha1WithRSAEncryption.x \
+ asn1_id_pkcs1_sha256WithRSAEncryption.x \
+ asn1_id_pkcs1_sha384WithRSAEncryption.x \
+ asn1_id_pkcs1_sha512WithRSAEncryption.x \
+ asn1_id_heim_rsa_pkcs1_x509.x \
+ asn1_id_pkcs_2.x \
+ asn1_id_pkcs2_md2.x \
+ asn1_id_pkcs2_md4.x \
+ asn1_id_pkcs2_md5.x \
+ asn1_id_rsa_digestAlgorithm.x \
+ asn1_id_rsa_digest_md2.x \
+ asn1_id_rsa_digest_md4.x \
+ asn1_id_rsa_digest_md5.x \
+ asn1_id_pkcs_3.x \
+ asn1_id_pkcs3_rc2_cbc.x \
+ asn1_id_pkcs3_rc4.x \
+ asn1_id_pkcs3_des_ede3_cbc.x \
+ asn1_id_rsadsi_encalg.x \
+ asn1_id_rsadsi_rc2_cbc.x \
+ asn1_id_rsadsi_des_ede3_cbc.x \
+ asn1_id_secsig_sha_1.x \
+ asn1_id_nistAlgorithm.x \
+ asn1_id_nist_aes_algs.x \
+ asn1_id_aes_128_cbc.x \
+ asn1_id_aes_192_cbc.x \
+ asn1_id_aes_256_cbc.x \
+ asn1_id_nist_sha_algs.x \
+ asn1_id_sha256.x \
+ asn1_id_sha224.x \
+ asn1_id_sha384.x \
+ asn1_id_sha512.x \
+ asn1_id_dhpublicnumber.x \
+ asn1_id_x9_57.x \
+ asn1_id_dsa.x \
+ asn1_id_dsa_with_sha1.x \
+ asn1_id_x520_at.x \
+ asn1_id_at_commonName.x \
+ asn1_id_at_surname.x \
+ asn1_id_at_serialNumber.x \
+ asn1_id_at_countryName.x \
+ asn1_id_at_localityName.x \
+ asn1_id_at_streetAddress.x \
+ asn1_id_at_stateOrProvinceName.x \
+ asn1_id_at_organizationName.x \
+ asn1_id_at_organizationalUnitName.x \
+ asn1_id_at_name.x \
+ asn1_id_at_givenName.x \
+ asn1_id_at_initials.x \
+ asn1_id_at_generationQualifier.x \
+ asn1_id_at_pseudonym.x \
+ asn1_id_Userid.x \
+ asn1_id_domainComponent.x \
+ asn1_id_x509_ce.x \
+ asn1_id_uspkicommon_card_id.x \
+ asn1_id_uspkicommon_piv_interim.x \
+ asn1_id_netscape.x \
+ asn1_id_netscape_cert_comment.x \
+ asn1_id_ms_cert_enroll_domaincontroller.x \
+ asn1_id_ms_client_authentication.x \
+ asn1_AlgorithmIdentifier.x \
+ asn1_AttributeType.x \
+ asn1_AttributeValue.x \
+ asn1_TeletexStringx.x \
+ asn1_DirectoryString.x \
+ asn1_Attribute.x \
+ asn1_AttributeTypeAndValue.x \
+ asn1_AuthorityInfoAccessSyntax.x \
+ asn1_AccessDescription.x \
+ asn1_RelativeDistinguishedName.x \
+ asn1_RDNSequence.x \
+ asn1_Name.x \
+ asn1_CertificateSerialNumber.x \
+ asn1_Time.x \
+ asn1_Validity.x \
+ asn1_UniqueIdentifier.x \
+ asn1_SubjectPublicKeyInfo.x \
+ asn1_Extension.x \
+ asn1_Extensions.x \
+ asn1_TBSCertificate.x \
+ asn1_Certificate.x \
+ asn1_Certificates.x \
+ asn1_ValidationParms.x \
+ asn1_DomainParameters.x \
+ asn1_DHPublicKey.x \
+ asn1_OtherName.x \
+ asn1_GeneralName.x \
+ asn1_GeneralNames.x \
+ asn1_id_x509_ce_keyUsage.x \
+ asn1_KeyUsage.x \
+ asn1_id_x509_ce_authorityKeyIdentifier.x \
+ asn1_KeyIdentifier.x \
+ asn1_AuthorityKeyIdentifier.x \
+ asn1_id_x509_ce_subjectKeyIdentifier.x \
+ asn1_SubjectKeyIdentifier.x \
+ asn1_id_x509_ce_basicConstraints.x \
+ asn1_BasicConstraints.x \
+ asn1_id_x509_ce_nameConstraints.x \
+ asn1_BaseDistance.x \
+ asn1_GeneralSubtree.x \
+ asn1_GeneralSubtrees.x \
+ asn1_NameConstraints.x \
+ asn1_id_x509_ce_privateKeyUsagePeriod.x \
+ asn1_id_x509_ce_certificatePolicies.x \
+ asn1_id_x509_ce_policyMappings.x \
+ asn1_id_x509_ce_subjectAltName.x \
+ asn1_id_x509_ce_issuerAltName.x \
+ asn1_id_x509_ce_subjectDirectoryAttributes.x \
+ asn1_id_x509_ce_policyConstraints.x \
+ asn1_id_x509_ce_extKeyUsage.x \
+ asn1_ExtKeyUsage.x \
+ asn1_id_x509_ce_cRLDistributionPoints.x \
+ asn1_id_x509_ce_deltaCRLIndicator.x \
+ asn1_id_x509_ce_issuingDistributionPoint.x \
+ asn1_id_x509_ce_holdInstructionCode.x \
+ asn1_id_x509_ce_invalidityDate.x \
+ asn1_id_x509_ce_certificateIssuer.x \
+ asn1_id_x509_ce_inhibitAnyPolicy.x \
+ asn1_DistributionPointReasonFlags.x \
+ asn1_DistributionPointName.x \
+ asn1_DistributionPoint.x \
+ asn1_CRLDistributionPoints.x \
+ asn1_DSASigValue.x \
+ asn1_DSAPublicKey.x \
+ asn1_DSAParams.x \
+ asn1_RSAPublicKey.x \
+ asn1_RSAPrivateKey.x \
+ asn1_DigestInfo.x \
+ asn1_TBSCRLCertList.x \
+ asn1_CRLCertificateList.x \
+ asn1_id_x509_ce_cRLNumber.x \
+ asn1_id_x509_ce_freshestCRL.x \
+ asn1_id_x509_ce_cRLReason.x \
+ asn1_CRLReason.x \
+ asn1_PKIXXmppAddr.x \
+ asn1_id_pkix.x \
+ asn1_id_pkix_on.x \
+ asn1_id_pkix_on_dnsSRV.x \
+ asn1_id_pkix_on_xmppAddr.x \
+ asn1_id_pkix_kp.x \
+ asn1_id_pkix_kp_serverAuth.x \
+ asn1_id_pkix_kp_clientAuth.x \
+ asn1_id_pkix_kp_emailProtection.x \
+ asn1_id_pkix_kp_timeStamping.x \
+ asn1_id_pkix_kp_OCSPSigning.x \
+ asn1_id_pkix_pe.x \
+ asn1_id_pkix_pe_authorityInfoAccess.x \
+ asn1_id_pkix_pe_proxyCertInfo.x \
+ asn1_id_pkix_ppl.x \
+ asn1_id_pkix_ppl_anyLanguage.x \
+ asn1_id_pkix_ppl_inheritAll.x \
+ asn1_id_pkix_ppl_independent.x \
+ asn1_ProxyPolicy.x \
+ asn1_ProxyCertInfo.x
+
+GEN_CMS = \
+ asn1_CMSAttributes.x \
+ asn1_CMSCBCParameter.x \
+ asn1_CMSEncryptedData.x \
+ asn1_CMSIdentifier.x \
+ asn1_CMSRC2CBCParameter.x \
+ asn1_CMSVersion.x \
+ asn1_CertificateList.x \
+ asn1_CertificateRevocationLists.x \
+ asn1_CertificateSet.x \
+ asn1_ContentEncryptionAlgorithmIdentifier.x \
+ asn1_ContentInfo.x \
+ asn1_ContentType.x \
+ asn1_DigestAlgorithmIdentifier.x \
+ asn1_DigestAlgorithmIdentifiers.x \
+ asn1_EncapsulatedContentInfo.x \
+ asn1_EncryptedContent.x \
+ asn1_EncryptedContentInfo.x \
+ asn1_EncryptedKey.x \
+ asn1_EnvelopedData.x \
+ asn1_IssuerAndSerialNumber.x \
+ asn1_KeyEncryptionAlgorithmIdentifier.x \
+ asn1_KeyTransRecipientInfo.x \
+ asn1_MessageDigest.x \
+ asn1_OriginatorInfo.x \
+ asn1_RecipientIdentifier.x \
+ asn1_RecipientInfo.x \
+ asn1_RecipientInfos.x \
+ asn1_SignatureAlgorithmIdentifier.x \
+ asn1_SignatureValue.x \
+ asn1_SignedData.x \
+ asn1_SignerIdentifier.x \
+ asn1_SignerInfo.x \
+ asn1_SignerInfos.x \
+ asn1_id_pkcs7.x \
+ asn1_id_pkcs7_data.x \
+ asn1_id_pkcs7_digestedData.x \
+ asn1_id_pkcs7_encryptedData.x \
+ asn1_id_pkcs7_envelopedData.x \
+ asn1_id_pkcs7_signedAndEnvelopedData.x \
+ asn1_id_pkcs7_signedData.x \
+ asn1_UnprotectedAttributes.x
+
+GEN_K5= asn1_AD_AND_OR.x \
+ asn1_AD_IF_RELEVANT.x \
+ asn1_AD_KDCIssued.x \
+ asn1_AD_MANDATORY_FOR_KDC.x \
+ asn1_AD_LoginAlias.x \
+ asn1_APOptions.x \
asn1_AP_REP.x \
asn1_AP_REQ.x \
asn1_AS_REP.x \
asn1_AS_REQ.x \
+ asn1_AUTHDATA_TYPE.x \
asn1_Authenticator.x \
asn1_AuthorizationData.x \
+ asn1_AuthorizationDataElement.x \
asn1_CKSUMTYPE.x \
- asn1_Checksum.x \
asn1_ChangePasswdDataMS.x \
+ asn1_Checksum.x \
asn1_ENCTYPE.x \
asn1_ETYPE_INFO.x \
+ asn1_ETYPE_INFO2.x \
+ asn1_ETYPE_INFO2_ENTRY.x \
asn1_ETYPE_INFO_ENTRY.x \
asn1_EncAPRepPart.x \
asn1_EncASRepPart.x \
@@ -38,6 +252,7 @@ GEN= asn1_APOptions.x \
asn1_EncTicketPart.x \
asn1_EncryptedData.x \
asn1_EncryptionKey.x \
+ asn1_EtypeList.x \
asn1_HostAddress.x \
asn1_HostAddresses.x \
asn1_KDCOptions.x \
@@ -49,6 +264,7 @@ GEN= asn1_APOptions.x \
asn1_KRB_PRIV.x \
asn1_KRB_SAFE.x \
asn1_KRB_SAFE_BODY.x \
+ asn1_KerberosString.x \
asn1_KerberosTime.x \
asn1_KrbCredInfo.x \
asn1_LR_TYPE.x \
@@ -58,22 +274,199 @@ GEN= asn1_APOptions.x \
asn1_NAME_TYPE.x \
asn1_PADATA_TYPE.x \
asn1_PA_DATA.x \
+ asn1_PA_ENC_SAM_RESPONSE_ENC.x \
asn1_PA_ENC_TS_ENC.x \
+ asn1_PA_PAC_REQUEST.x \
+ asn1_PA_S4U2Self.x \
+ asn1_PA_SAM_CHALLENGE_2.x \
+ asn1_PA_SAM_CHALLENGE_2_BODY.x \
+ asn1_PA_SAM_REDIRECT.x \
+ asn1_PA_SAM_RESPONSE_2.x \
+ asn1_PA_SAM_TYPE.x \
+ asn1_PA_ClientCanonicalized.x \
+ asn1_PA_ClientCanonicalizedNames.x \
+ asn1_PA_SvrReferralData.x \
+ asn1_PROV_SRV_LOCATION.x \
asn1_Principal.x \
asn1_PrincipalName.x \
asn1_Realm.x \
+ asn1_SAMFlags.x \
asn1_TGS_REP.x \
asn1_TGS_REQ.x \
+ asn1_TYPED_DATA.x \
asn1_Ticket.x \
asn1_TicketFlags.x \
asn1_TransitedEncoding.x \
- asn1_UNSIGNED.x
+ asn1_TypedData.x \
+ asn1_krb5int32.x \
+ asn1_krb5uint32.x \
+ asn1_KRB5SignedPathData.x \
+ asn1_KRB5SignedPathPrincipals.x \
+ asn1_KRB5SignedPath.x
+
+GEN_PKINIT = \
+ asn1_id_pkinit.x \
+ asn1_id_pkauthdata.x \
+ asn1_id_pkdhkeydata.x \
+ asn1_id_pkrkeydata.x \
+ asn1_id_pkekuoid.x \
+ asn1_id_pkkdcekuoid.x \
+ asn1_id_pkinit_san.x \
+ asn1_id_pkinit_ms_eku.x \
+ asn1_id_pkinit_ms_san.x \
+ asn1_MS_UPN_SAN.x \
+ asn1_DHNonce.x \
+ asn1_KDFAlgorithmId.x \
+ asn1_TrustedCA.x \
+ asn1_ExternalPrincipalIdentifier.x \
+ asn1_ExternalPrincipalIdentifiers.x \
+ asn1_PA_PK_AS_REQ.x \
+ asn1_PKAuthenticator.x \
+ asn1_AuthPack.x \
+ asn1_TD_TRUSTED_CERTIFIERS.x \
+ asn1_TD_INVALID_CERTIFICATES.x \
+ asn1_KRB5PrincipalName.x \
+ asn1_AD_INITIAL_VERIFIED_CAS.x \
+ asn1_DHRepInfo.x \
+ asn1_PA_PK_AS_REP.x \
+ asn1_KDCDHKeyInfo.x \
+ asn1_ReplyKeyPack.x \
+ asn1_TD_DH_PARAMETERS.x \
+ asn1_PKAuthenticator_Win2k.x \
+ asn1_AuthPack_Win2k.x \
+ asn1_TrustedCA_Win2k.x \
+ asn1_PA_PK_AS_REQ_Win2k.x \
+ asn1_PA_PK_AS_REP_Win2k.x \
+ asn1_KDCDHKeyInfo_Win2k.x \
+ asn1_ReplyKeyPack_Win2k.x \
+ asn1_PkinitSuppPubInfo.x
+
+GEN_PKCS8 = \
+ asn1_PKCS8PrivateKeyAlgorithmIdentifier.x \
+ asn1_PKCS8PrivateKey.x \
+ asn1_PKCS8PrivateKeyInfo.x \
+ asn1_PKCS8Attributes.x \
+ asn1_PKCS8EncryptedPrivateKeyInfo.x \
+ asn1_PKCS8EncryptedData.x
+
+GEN_PKCS9 = \
+ asn1_id_pkcs_9.x \
+ asn1_id_pkcs9_contentType.x \
+ asn1_id_pkcs9_emailAddress.x \
+ asn1_id_pkcs9_messageDigest.x \
+ asn1_id_pkcs9_signingTime.x \
+ asn1_id_pkcs9_countersignature.x \
+ asn1_id_pkcs_9_at_friendlyName.x \
+ asn1_id_pkcs_9_at_localKeyId.x \
+ asn1_id_pkcs_9_at_certTypes.x \
+ asn1_id_pkcs_9_at_certTypes_x509.x \
+ asn1_PKCS9_BMPString.x \
+ asn1_PKCS9_friendlyName.x
+
+GEN_PKCS12 = \
+ asn1_id_pkcs_12.x \
+ asn1_id_pkcs_12PbeIds.x \
+ asn1_id_pbeWithSHAAnd128BitRC4.x \
+ asn1_id_pbeWithSHAAnd40BitRC4.x \
+ asn1_id_pbeWithSHAAnd3_KeyTripleDES_CBC.x \
+ asn1_id_pbeWithSHAAnd2_KeyTripleDES_CBC.x \
+ asn1_id_pbeWithSHAAnd128BitRC2_CBC.x \
+ asn1_id_pbewithSHAAnd40BitRC2_CBC.x \
+ asn1_id_pkcs12_bagtypes.x \
+ asn1_id_pkcs12_keyBag.x \
+ asn1_id_pkcs12_pkcs8ShroudedKeyBag.x \
+ asn1_id_pkcs12_certBag.x \
+ asn1_id_pkcs12_crlBag.x \
+ asn1_id_pkcs12_secretBag.x \
+ asn1_id_pkcs12_safeContentsBag.x \
+ asn1_PKCS12_MacData.x \
+ asn1_PKCS12_PFX.x \
+ asn1_PKCS12_AuthenticatedSafe.x \
+ asn1_PKCS12_CertBag.x \
+ asn1_PKCS12_Attribute.x \
+ asn1_PKCS12_Attributes.x \
+ asn1_PKCS12_SafeBag.x \
+ asn1_PKCS12_SafeContents.x \
+ asn1_PKCS12_OctetString.x \
+ asn1_PKCS12_PBEParams.x
+
+GEN_DIGEST= asn1_DigestError.x \
+ asn1_DigestInit.x \
+ asn1_DigestInitReply.x \
+ asn1_DigestREP.x \
+ asn1_DigestREQ.x \
+ asn1_DigestRepInner.x \
+ asn1_DigestReqInner.x \
+ asn1_DigestRequest.x \
+ asn1_DigestResponse.x \
+ asn1_DigestTypes.x \
+ asn1_NTLMInit.x \
+ asn1_NTLMInitReply.x \
+ asn1_NTLMRequest.x \
+ asn1_NTLMResponse.x
+
+GEN_KX509 = \
+ asn1_Kx509Response.x \
+ asn1_Kx509Request.x
+
+GEN+= ${GEN_RFC2459}
+GEN+= ${GEN_CMS}
+GEN+= ${GEN_K5}
+GEN+= ${GEN_PKINIT}
+GEN+= ${GEN_PKCS8}
+GEN+= ${GEN_PKCS9}
+GEN+= ${GEN_PKCS12}
+GEN+= ${GEN_DIGEST}
+GEN+= ${GEN_KX509}
+
+CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} *_asn1_files
+
+GEN_ASN1=cms_asn1.h rfc2459_asn1.h krb5_asn1.h pkinit_asn1.h
+GEN_ASN1+=pkcs8_asn1.h pkcs9_asn1.h pkcs12_asn1.h digest_asn1.h kx509_asn1.h
+SRCS+= ${GEN_ASN1}
+INCS+= ${GEN_ASN1}
+CLEANFILES+=${GEN_ASN1}
+
+.ORDER: ${GEN} ${GEN_ASN1}
+
+${GEN_CMS} cms_asn1.h: CMS.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} cms_asn1
+
+${GEN_RFC2459} rfc2459_asn1.h: rfc2459.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile \
+ --preserve-binary=TBSCertificate \
+ --preserve-binary=TBSCRLCertList \
+ --preserve-binary=Name \
+ --sequence=GeneralNames \
+ --sequence=Extensions \
+ --sequence=CRLDistributionPoints ${.ALLSRC:M*.asn1} rfc2459_asn1
+
+${GEN_K5} krb5_asn1.h: k5.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile \
+ --encode-rfc1510-bit-string \
+ --sequence=KRB5SignedPathPrincipals \
+ --sequence=AuthorizationData \
+ --sequence=METHOD-DATA \
+ --sequence=ETYPE-INFO \
+ --sequence=ETYPE-INFO2 ${.ALLSRC:M*.asn1} krb5_asn1
+
+${GEN_PKINIT} pkinit_asn1.h: pkinit.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} pkinit_asn1
+
+${GEN_PKCS8} pkcs8_asn1.h: pkcs8.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} pkcs8_asn1
+
+${GEN_PKCS9} pkcs9_asn1.h: pkcs9.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} pkcs9_asn1
+
+${GEN_PKCS12} pkcs12_asn1.h: pkcs12.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} pkcs12_asn1
-CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} krb5_asn1.h asn1_files
+${GEN_DIGEST} digest_asn1.h: digest.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} digest_asn1
-.ORDER: ${GEN} krb5_asn1.h
-${GEN} krb5_asn1.h: k5.asn1 ../../tools/asn1_compile/asn1_compile
- ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} krb5_asn1
+${GEN_KX509} kx509_asn1.h: kx509.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} kx509_asn1
../../tools/asn1_compile/asn1_compile:
cd ${.CURDIR}/../../tools/asn1_compile && ${MAKE}
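Review bot: The asn1_compile rules for `rfc2459_asn1` and `krb5_asn1` carry option lists (`--preserve-binary=TBSCertificate`, `--sequence=GeneralNames`, `--encode-rfc1510-bit-string` and others) with no comment saying where the lists come from or why those types are named. These options change the generated encoders and decoders. As I understand it, `--preserve-binary` keeps the received encoding of the named type next to the decoded form, which signature checks over a certificate or CRL body rely on. A list that drifts from the upstream heimdal build for lib/asn1 would therefore change the generated code without any build error. I would add a comment above each of the two rules, for example `# Option list mirrors the upstream heimdal lib/asn1 build; keep in sync on every import`, after checking the lists against the imported sources.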
diff --git a/kerberos5/lib/libgssapi/Makefile b/kerberos5/lib/libgssapi/Makefile
deleted file mode 100644
index 518b445..0000000
--- a/kerberos5/lib/libgssapi/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# $FreeBSD$
-
-LIB= gssapi_krb5
-LDFLAGS= -Wl,-Bsymbolic
-LDADD= -lkrb5 -lcrypto -lroken -lasn1 -lcom_err -lcrypt
-DPADD= ${LIBKRB5} ${LIBCRYPTO} ${LIBROKEN} ${LIBASN1} ${LIBCOM_ERR} \
- ${LIBCRYPT}
-
-SRCS= 8003.c \
- accept_sec_context.c \
- acquire_cred.c \
- add_cred.c \
- add_oid_set_member.c \
- address_to_krb5addr.c \
- arcfour.c \
- canonicalize_name.c \
- compare_name.c \
- compat.c \
- context_time.c \
- copy_ccache.c \
- create_emtpy_oid_set.c \
- decapsulate.c \
- delete_sec_context.c \
- display_name.c \
- display_status.c \
- duplicate_name.c \
- encapsulate.c \
- export_name.c \
- export_sec_context.c \
- external.c \
- get_mic.c \
- import_name.c \
- import_sec_context.c \
- indicate_mechs.c \
- init.c \
- init_sec_context.c \
- inquire_context.c \
- inquire_cred.c \
- inquire_cred_by_mech.c \
- inquire_mechs_for_name.c \
- inquire_names_for_mech.c \
- process_context_token.c \
- release_buffer.c \
- release_cred.c \
- release_name.c \
- release_oid_set.c \
- test_oid_set_member.c \
- unwrap.c \
- v1.c \
- verify_mic.c \
- wrap.c
-
-CFLAGS+=-I${KRB5DIR}/lib/gssapi -I${KRB5DIR}/lib/krb5 \
- -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken -I.
-
-.include <bsd.lib.mk>
-
-.PATH: ${KRB5DIR}/lib/gssapi
diff --git a/kerberos5/lib/libgssapi_krb5/Makefile b/kerberos5/lib/libgssapi_krb5/Makefile
new file mode 100644
index 0000000..b866d1b
--- /dev/null
+++ b/kerberos5/lib/libgssapi_krb5/Makefile
@@ -0,0 +1,79 @@
+# $FreeBSD$
+
+LIB= gssapi_krb5
+LDFLAGS= -Wl,-Bsymbolic
+LDADD= -lkrb5 -lhx509 -lcrypto -lroken -lasn1 -lcom_err -lcrypt
+DPADD= ${LIBKRB5} ${LIBHX509} ${LIBCRYPTO} ${LIBROKEN} ${LIBASN1} \
+ ${LIBCOM_ERR} ${LIBCRYPT}
+
+INCS= ${KRB5DIR}/lib/gssapi/gssapi/gssapi_krb5.h
+INCSDIR= ${INCLUDEDIR}/gssapi
+
+SRCS= 8003.c \
+ accept_sec_context.c \
+ acquire_cred.c \
+ add_cred.c \
+ address_to_krb5addr.c \
+ arcfour.c \
+ canonicalize_name.c \
+ ccache_name.c \
+ cfx.c \
+ compare_name.c \
+ compat.c \
+ context_time.c \
+ copy_ccache.c \
+ decapsulate.c \
+ delete_sec_context.c \
+ display_name.c \
+ display_status.c \
+ duplicate_name.c \
+ encapsulate.c \
+ export_name.c \
+ export_sec_context.c \
+ external.c \
+ get_mic.c \
+ gkrb5_err.c \
+ gkrb5_err.h \
+ import_name.c \
+ import_sec_context.c \
+ indicate_mechs.c \
+ init.c \
+ init_sec_context.c \
+ inquire_context.c \
+ inquire_cred.c \
+ inquire_cred_by_mech.c \
+ inquire_cred_by_oid.c \
+ inquire_mechs_for_name.c \
+ inquire_names_for_mech.c \
+ inquire_sec_context_by_oid.c \
+ prefix.c \
+ prf.c \
+ process_context_token.c \
+ release_buffer.c \
+ release_cred.c \
+ release_name.c \
+ sequence.c \
+ set_cred_option.c \
+ set_sec_context_option.c \
+ unwrap.c \
+ v1.c \
+ verify_mic.c \
+ wrap.c \
+ gss_krb5.c
+
+#SRCS+= gss_add_oid_set_member.c \
+# gss_create_empty_oid_set.c \
+# gss_release_buffer.c \
+# gss_release_oid_set.c \
+# gss_test_oid_set_member.c \
+# gss_utils.c
+
+CFLAGS+=-I${KRB5DIR}/lib/gssapi
+CFLAGS+=-I${KRB5DIR}/lib/gssapi/krb5
+CFLAGS+=-I${KRB5DIR}/lib/krb5
+CFLAGS+=-I${KRB5DIR}/lib/asn1
+CFLAGS+=-I${KRB5DIR}/lib/roken -I.
+
+.include <bsd.lib.mk>
+
+.PATH: ${KRB5DIR}/lib/gssapi/krb5 ${.CURDIR}/../../../lib/libgssapi
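Review bot: The commented-out `#SRCS+= gss_add_oid_set_member.c …` block has no explanation, and the second `.PATH` entry, `${.CURDIR}/../../../lib/libgssapi`, appears to exist only to locate those disabled files. The diffstat shows `gss_krb5.c` and `prefix.c` being added in this directory, so they do not need it. A search path that is not needed lets a same-named source from the other library be picked up silently if a file listed in `SRCS` is later removed or renamed upstream. I would either drop the block and the extra path, or keep both with a comment above the block such as `# Not built here: <reason>; the lib/libgssapi .PATH entry is only needed if these are re-enabled`, with the reason filled in by the author.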
diff --git a/kerberos5/lib/libgssapi_krb5/gss_krb5.c b/kerberos5/lib/libgssapi_krb5/gss_krb5.c
new file mode 100644
index 0000000..308efd7
--- /dev/null
+++ b/kerberos5/lib/libgssapi_krb5/gss_krb5.c
@@ -0,0 +1,831 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+
+/* RCSID("$Id: gss_krb5.c 21889 2007-08-09 07:43:24Z lha $"); */
+
+#include <krb5.h>
+#include <roken.h>
+
+OM_uint32
+gss_krb5_copy_ccache(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ krb5_ccache out)
+{
+ gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+ krb5_context context;
+ krb5_error_code kret;
+ krb5_ccache id;
+ OM_uint32 ret;
+ char *str;
+
+ ret = gss_inquire_cred_by_oid(minor_status,
+ cred,
+ GSS_KRB5_COPY_CCACHE_X,
+ &data_set);
+ if (ret)
+ return ret;
+
+ if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
+ gss_release_buffer_set(minor_status, &data_set);
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ kret = krb5_init_context(&context);
+ if (kret) {
+ *minor_status = kret;
+ gss_release_buffer_set(minor_status, &data_set);
+ return GSS_S_FAILURE;
+ }
+
+ kret = asprintf(&str, "%.*s", (int)data_set->elements[0].length,
+ (char *)data_set->elements[0].value);
+ gss_release_buffer_set(minor_status, &data_set);
+ if (kret == -1) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ kret = krb5_cc_resolve(context, str, &id);
+ free(str);
+ if (kret) {
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+
+ kret = krb5_cc_copy_cache(context, id, out);
+ krb5_cc_close(context, id);
+ krb5_free_context(context);
+ if (kret) {
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+
+ return ret;
+}
+
+OM_uint32
+gss_krb5_import_cred(OM_uint32 *minor_status,
+ krb5_ccache id,
+ krb5_principal keytab_principal,
+ krb5_keytab keytab,
+ gss_cred_id_t *cred)
+{
+ gss_buffer_desc buffer;
+ OM_uint32 major_status;
+ krb5_context context;
+ krb5_error_code ret;
+ krb5_storage *sp;
+ krb5_data data;
+ char *str;
+
+ *cred = GSS_C_NO_CREDENTIAL;
+
+ ret = krb5_init_context(&context);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ *minor_status = ENOMEM;
+ major_status = GSS_S_FAILURE;
+ goto out;
+ }
+
+ if (id) {
+ ret = krb5_cc_get_full_name(context, id, &str);
+ if (ret == 0) {
+ ret = krb5_store_string(sp, str);
+ free(str);
+ }
+ } else
+ ret = krb5_store_string(sp, "");
+ if (ret) {
+ *minor_status = ret;
+ major_status = GSS_S_FAILURE;
+ goto out;
+ }
+
+ if (keytab_principal) {
+ ret = krb5_unparse_name(context, keytab_principal, &str);
+ if (ret == 0) {
+ ret = krb5_store_string(sp, str);
+ free(str);
+ }
+ } else
+ krb5_store_string(sp, "");
+ if (ret) {
+ *minor_status = ret;
+ major_status = GSS_S_FAILURE;
+ goto out;
+ }
+
+
+ if (keytab) {
+ ret = krb5_kt_get_full_name(context, keytab, &str);
+ if (ret == 0) {
+ ret = krb5_store_string(sp, str);
+ free(str);
+ }
+ } else
+ krb5_store_string(sp, "");
+ if (ret) {
+ *minor_status = ret;
+ major_status = GSS_S_FAILURE;
+ goto out;
+ }
+
+ ret = krb5_storage_to_data(sp, &data);
+ if (ret) {
+ *minor_status = ret;
+ major_status = GSS_S_FAILURE;
+ goto out;
+ }
+
+ buffer.value = data.data;
+ buffer.length = data.length;
+
+ major_status = gss_set_cred_option(minor_status,
+ cred,
+ GSS_KRB5_IMPORT_CRED_X,
+ &buffer);
+ krb5_data_free(&data);
+out:
+ if (sp)
+ krb5_storage_free(sp);
+ krb5_free_context(context);
+ return major_status;
+}
+
+OM_uint32
+gsskrb5_register_acceptor_identity(const char *identity)
+{
+ gss_buffer_desc buffer;
+ OM_uint32 junk;
+
+ buffer.value = rk_UNCONST(identity);
+ buffer.length = strlen(identity);
+
+ gss_set_sec_context_option(&junk, NULL,
+ GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
+
+ return (GSS_S_COMPLETE);
+}
+
+OM_uint32
+gsskrb5_set_dns_canonicalize(int flag)
+{
+ gss_buffer_desc buffer;
+ OM_uint32 junk;
+ char b = (flag != 0);
+
+ buffer.value = &b;
+ buffer.length = sizeof(b);
+
+ gss_set_sec_context_option(&junk, NULL,
+ GSS_KRB5_SET_DNS_CANONICALIZE_X, &buffer);
+
+ return (GSS_S_COMPLETE);
+}
+
+
+
+static krb5_error_code
+set_key(krb5_keyblock *keyblock, gss_krb5_lucid_key_t *key)
+{
+ key->type = keyblock->keytype;
+ key->length = keyblock->keyvalue.length;
+ key->data = malloc(key->length);
+ if (key->data == NULL && key->length != 0)
+ return ENOMEM;
+ memcpy(key->data, keyblock->keyvalue.data, key->length);
+ return 0;
+}
+
+static void
+free_key(gss_krb5_lucid_key_t *key)
+{
+ memset(key->data, 0, key->length);
+ free(key->data);
+ memset(key, 0, sizeof(*key));
+}
+
+OM_uint32
+gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ OM_uint32 version,
+ void **rctx)
+{
+ krb5_context context = NULL;
+ krb5_error_code ret;
+ gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+ OM_uint32 major_status;
+ gss_krb5_lucid_context_v1_t *ctx = NULL;
+ krb5_storage *sp = NULL;
+ uint32_t num;
+
+ if (context_handle == NULL
+ || *context_handle == GSS_C_NO_CONTEXT
+ || version != 1)
+ {
+ ret = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ major_status =
+ gss_inquire_sec_context_by_oid (minor_status,
+ *context_handle,
+ GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X,
+ &data_set);
+ if (major_status)
+ return major_status;
+
+ if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
+ gss_release_buffer_set(minor_status, &data_set);
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ goto out;
+
+ ctx = calloc(1, sizeof(*ctx));
+ if (ctx == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ sp = krb5_storage_from_mem(data_set->elements[0].value,
+ data_set->elements[0].length);
+ if (sp == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ ret = krb5_ret_uint32(sp, &num);
+ if (ret) goto out;
+ if (num != 1) {
+ ret = EINVAL;
+ goto out;
+ }
+ ctx->version = 1;
+ /* initiator */
+ ret = krb5_ret_uint32(sp, &ctx->initiate);
+ if (ret) goto out;
+ /* endtime */
+ ret = krb5_ret_uint32(sp, &ctx->endtime);
+ if (ret) goto out;
+ /* send_seq */
+ ret = krb5_ret_uint32(sp, &num);
+ if (ret) goto out;
+ ctx->send_seq = ((uint64_t)num) << 32;
+ ret = krb5_ret_uint32(sp, &num);
+ if (ret) goto out;
+ ctx->send_seq |= num;
+ /* recv_seq */
+ ret = krb5_ret_uint32(sp, &num);
+ if (ret) goto out;
+ ctx->recv_seq = ((uint64_t)num) << 32;
+ ret = krb5_ret_uint32(sp, &num);
+ if (ret) goto out;
+ ctx->recv_seq |= num;
+ /* protocol */
+ ret = krb5_ret_uint32(sp, &ctx->protocol);
+ if (ret) goto out;
+ if (ctx->protocol == 0) {
+ krb5_keyblock key;
+
+ /* sign_alg */
+ ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.sign_alg);
+ if (ret) goto out;
+ /* seal_alg */
+ ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.seal_alg);
+ if (ret) goto out;
+ /* ctx_key */
+ ret = krb5_ret_keyblock(sp, &key);
+ if (ret) goto out;
+ ret = set_key(&key, &ctx->rfc1964_kd.ctx_key);
+ krb5_free_keyblock_contents(context, &key);
+ if (ret) goto out;
+ } else if (ctx->protocol == 1) {
+ krb5_keyblock key;
+
+ /* acceptor_subkey */
+ ret = krb5_ret_uint32(sp, &ctx->cfx_kd.have_acceptor_subkey);
+ if (ret) goto out;
+ /* ctx_key */
+ ret = krb5_ret_keyblock(sp, &key);
+ if (ret) goto out;
+ ret = set_key(&key, &ctx->cfx_kd.ctx_key);
+ krb5_free_keyblock_contents(context, &key);
+ if (ret) goto out;
+ /* acceptor_subkey */
+ if (ctx->cfx_kd.have_acceptor_subkey) {
+ ret = krb5_ret_keyblock(sp, &key);
+ if (ret) goto out;
+ ret = set_key(&key, &ctx->cfx_kd.acceptor_subkey);
+ krb5_free_keyblock_contents(context, &key);
+ if (ret) goto out;
+ }
+ } else {
+ ret = EINVAL;
+ goto out;
+ }
+
+ *rctx = ctx;
+
+out:
+ gss_release_buffer_set(minor_status, &data_set);
+ if (sp)
+ krb5_storage_free(sp);
+ if (context)
+ krb5_free_context(context);
+
+ if (ret) {
+ if (ctx)
+ gss_krb5_free_lucid_sec_context(NULL, ctx);
+
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c)
+{
+ gss_krb5_lucid_context_v1_t *ctx = c;
+
+ if (ctx->version != 1) {
+ if (minor_status)
+ *minor_status = 0;
+ return GSS_S_FAILURE;
+ }
+
+ if (ctx->protocol == 0) {
+ free_key(&ctx->rfc1964_kd.ctx_key);
+ } else if (ctx->protocol == 1) {
+ free_key(&ctx->cfx_kd.ctx_key);
+ if (ctx->cfx_kd.have_acceptor_subkey)
+ free_key(&ctx->cfx_kd.acceptor_subkey);
+ }
+ free(ctx);
+ if (minor_status)
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
+OM_uint32
+gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ OM_uint32 num_enctypes,
+ int32_t *enctypes)
+{
+ krb5_error_code ret;
+ OM_uint32 maj_status;
+ gss_buffer_desc buffer;
+ krb5_storage *sp;
+ krb5_data data;
+ int i;
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ *minor_status = ENOMEM;
+ maj_status = GSS_S_FAILURE;
+ goto out;
+ }
+
+ for (i = 0; i < num_enctypes; i++) {
+ ret = krb5_store_int32(sp, enctypes[i]);
+ if (ret) {
+ *minor_status = ret;
+ maj_status = GSS_S_FAILURE;
+ goto out;
+ }
+ }
+
+ ret = krb5_storage_to_data(sp, &data);
+ if (ret) {
+ *minor_status = ret;
+ maj_status = GSS_S_FAILURE;
+ goto out;
+ }
+
+ buffer.value = data.data;
+ buffer.length = data.length;
+
+ maj_status = gss_set_cred_option(minor_status,
+ &cred,
+ GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X,
+ &buffer);
+ krb5_data_free(&data);
+out:
+ if (sp)
+ krb5_storage_free(sp);
+ return maj_status;
+}
+
+/*
+ *
+ */
+
+OM_uint32
+gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c)
+{
+ gss_buffer_desc buffer;
+ OM_uint32 junk;
+
+ if (c) {
+ buffer.value = c;
+ buffer.length = sizeof(*c);
+ } else {
+ buffer.value = NULL;
+ buffer.length = 0;
+ }
+
+ gss_set_sec_context_option(&junk, NULL,
+ GSS_KRB5_SEND_TO_KDC_X, &buffer);
+
+ return (GSS_S_COMPLETE);
+}
+
+/*
+ *
+ */
+
+OM_uint32
+gss_krb5_ccache_name(OM_uint32 *minor_status,
+ const char *name,
+ const char **out_name)
+{
+ gss_buffer_desc buffer;
+ OM_uint32 junk;
+
+ if (out_name)
+ *out_name = NULL;
+
+ buffer.value = rk_UNCONST(name);
+ buffer.length = strlen(name);
+
+ gss_set_sec_context_option(&junk, NULL,
+ GSS_KRB5_CCACHE_NAME_X, &buffer);
+
+ return (GSS_S_COMPLETE);
+}
+
+
+/*
+ *
+ */
+
+OM_uint32
+gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ time_t *authtime)
+{
+ gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+ OM_uint32 maj_stat;
+
+ if (context_handle == GSS_C_NO_CONTEXT) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ maj_stat =
+ gss_inquire_sec_context_by_oid (minor_status,
+ context_handle,
+ GSS_KRB5_GET_AUTHTIME_X,
+ &data_set);
+ if (maj_stat)
+ return maj_stat;
+
+ if (data_set == GSS_C_NO_BUFFER_SET) {
+ gss_release_buffer_set(minor_status, &data_set);
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ if (data_set->count != 1) {
+ gss_release_buffer_set(minor_status, &data_set);
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ if (data_set->elements[0].length != 4) {
+ gss_release_buffer_set(minor_status, &data_set);
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ {
+ unsigned char *buf = data_set->elements[0].value;
+ *authtime = (buf[3] <<24) | (buf[2] << 16) |
+ (buf[1] << 8) | (buf[0] << 0);
+ }
+
+ gss_release_buffer_set(minor_status, &data_set);
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
+OM_uint32
+gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int ad_type,
+ gss_buffer_t ad_data)
+{
+ gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+ OM_uint32 maj_stat;
+ gss_OID_desc oid_flat;
+ heim_oid baseoid, oid;
+ size_t size;
+
+ if (context_handle == GSS_C_NO_CONTEXT) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ /* All this to append an integer to an oid... */
+
+ if (der_get_oid(GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->elements,
+ GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->length,
+ &baseoid, NULL) != 0) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ oid.length = baseoid.length + 1;
+ oid.components = calloc(oid.length, sizeof(*oid.components));
+ if (oid.components == NULL) {
+ der_free_oid(&baseoid);
+
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ memcpy(oid.components, baseoid.components,
+ baseoid.length * sizeof(*baseoid.components));
+
+ der_free_oid(&baseoid);
+
+ oid.components[oid.length - 1] = ad_type;
+
+ oid_flat.length = der_length_oid(&oid);
+ oid_flat.elements = malloc(oid_flat.length);
+ if (oid_flat.elements == NULL) {
+ free(oid.components);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ if (der_put_oid((unsigned char *)oid_flat.elements + oid_flat.length - 1,
+ oid_flat.length, &oid, &size) != 0) {
+ free(oid.components);
+ free(oid_flat.elements);
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+ if (oid_flat.length != size)
+ abort();
+
+ free(oid.components);
+
+ /* FINALLY, we have the OID */
+
+ maj_stat = gss_inquire_sec_context_by_oid (minor_status,
+ context_handle,
+ &oid_flat,
+ &data_set);
+
+ free(oid_flat.elements);
+
+ if (maj_stat)
+ return maj_stat;
+
+ if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
+ gss_release_buffer_set(minor_status, &data_set);
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ ad_data->value = malloc(data_set->elements[0].length);
+ if (ad_data->value == NULL) {
+ gss_release_buffer_set(minor_status, &data_set);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ ad_data->length = data_set->elements[0].length;
+ memcpy(ad_data->value, data_set->elements[0].value, ad_data->length);
+ gss_release_buffer_set(minor_status, &data_set);
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
+static OM_uint32
+gsskrb5_extract_key(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ const gss_OID oid,
+ krb5_keyblock **keyblock)
+{
+ krb5_error_code ret;
+ gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+ OM_uint32 major_status;
+ krb5_context context = NULL;
+ krb5_storage *sp = NULL;
+
+ if (context_handle == GSS_C_NO_CONTEXT) {
+ ret = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_init_context(&context);
+ if(ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ major_status =
+ gss_inquire_sec_context_by_oid (minor_status,
+ context_handle,
+ oid,
+ &data_set);
+ if (major_status)
+ return major_status;
+
+ if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
+ gss_release_buffer_set(minor_status, &data_set);
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ sp = krb5_storage_from_mem(data_set->elements[0].value,
+ data_set->elements[0].length);
+ if (sp == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ *keyblock = calloc(1, sizeof(**keyblock));
+ if (keyblock == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ ret = krb5_ret_keyblock(sp, *keyblock);
+
+out:
+ gss_release_buffer_set(minor_status, &data_set);
+ if (sp)
+ krb5_storage_free(sp);
+ if (ret && keyblock) {
+ krb5_free_keyblock(context, *keyblock);
+ *keyblock = NULL;
+ }
+ if (context)
+ krb5_free_context(context);
+
+ *minor_status = ret;
+ if (ret)
+ return GSS_S_FAILURE;
+
+ return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
+OM_uint32
+gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ krb5_keyblock **keyblock)
+{
+ return gsskrb5_extract_key(minor_status,
+ context_handle,
+ GSS_KRB5_GET_SERVICE_KEYBLOCK_X,
+ keyblock);
+}
+
+OM_uint32
+gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ krb5_keyblock **keyblock)
+{
+ return gsskrb5_extract_key(minor_status,
+ context_handle,
+ GSS_KRB5_GET_INITIATOR_SUBKEY_X,
+ keyblock);
+}
+
+OM_uint32
+gsskrb5_get_subkey(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ krb5_keyblock **keyblock)
+{
+ return gsskrb5_extract_key(minor_status,
+ context_handle,
+ GSS_KRB5_GET_SUBKEY_X,
+ keyblock);
+}
+
+OM_uint32
+gsskrb5_set_default_realm(const char *realm)
+{
+ gss_buffer_desc buffer;
+ OM_uint32 junk;
+
+ buffer.value = rk_UNCONST(realm);
+ buffer.length = strlen(realm);
+
+ gss_set_sec_context_option(&junk, NULL,
+ GSS_KRB5_SET_DEFAULT_REALM_X, &buffer);
+
+ return (GSS_S_COMPLETE);
+}
+
+OM_uint32
+gss_krb5_get_tkt_flags(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ OM_uint32 *tkt_flags)
+{
+
+ OM_uint32 major_status;
+ gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+
+ if (context_handle == GSS_C_NO_CONTEXT) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ major_status =
+ gss_inquire_sec_context_by_oid (minor_status,
+ context_handle,
+ GSS_KRB5_GET_TKT_FLAGS_X,
+ &data_set);
+ if (major_status)
+ return major_status;
+
+ if (data_set == GSS_C_NO_BUFFER_SET ||
+ data_set->count != 1 ||
+ data_set->elements[0].length < 4) {
+ gss_release_buffer_set(minor_status, &data_set);
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ {
+ const u_char *p = data_set->elements[0].value;
+ *tkt_flags = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+ }
+
+ gss_release_buffer_set(minor_status, &data_set);
+ return GSS_S_COMPLETE;
+}
+
diff --git a/kerberos5/lib/libgssapi_krb5/prefix.c b/kerberos5/lib/libgssapi_krb5/prefix.c
new file mode 100644
index 0000000..086b744
--- /dev/null
+++ b/kerberos5/lib/libgssapi_krb5/prefix.c
@@ -0,0 +1,33 @@
+/*-
+ * Copyright (c) 2008 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+const char *
+_gss_name_prefix(void)
+{
+ return "_gsskrb5";
+}
diff --git a/kerberos5/lib/libgssapi_ntlm/Makefile b/kerberos5/lib/libgssapi_ntlm/Makefile
new file mode 100644
index 0000000..cbecc2d
--- /dev/null
+++ b/kerberos5/lib/libgssapi_ntlm/Makefile
@@ -0,0 +1,44 @@
+# $FreeBSD$
+
+LIB= gssapi_ntlm
+LDFLAGS= -Wl,-Bsymbolic
+LDADD= -lkrb5 -lhx509 -lheimntlm -lroken
+DPADD= ${LIBKRB5} ${LIBHX509} ${LIBHEIMNTLM} ${LIBROKEN}
+
+SRCS= accept_sec_context.c \
+ acquire_cred.c \
+ add_cred.c \
+ canonicalize_name.c \
+ compare_name.c \
+ context_time.c \
+ crypto.c \
+ delete_sec_context.c \
+ display_name.c \
+ display_status.c \
+ duplicate_name.c \
+ export_name.c \
+ export_sec_context.c \
+ external.c \
+ ntlm.h \
+ ntlm-private.h \
+ import_name.c \
+ import_sec_context.c \
+ indicate_mechs.c \
+ init_sec_context.c \
+ inquire_context.c \
+ inquire_cred.c \
+ inquire_cred_by_mech.c \
+ inquire_mechs_for_name.c \
+ inquire_names_for_mech.c \
+ prefix.c \
+ process_context_token.c \
+ release_cred.c \
+ release_name.c \
+ digest.c
+
+CFLAGS+=-I${KRB5DIR}/lib/gssapi
+CFLAGS+=-I${KRB5DIR}/lib/ntlm
+
+.include <bsd.lib.mk>
+
+.PATH: ${KRB5DIR}/lib/gssapi/ntlm ${.CURDIR}/../../../lib/libgssapi
diff --git a/kerberos5/lib/libgssapi_ntlm/prefix.c b/kerberos5/lib/libgssapi_ntlm/prefix.c
new file mode 100644
index 0000000..68db641
--- /dev/null
+++ b/kerberos5/lib/libgssapi_ntlm/prefix.c
@@ -0,0 +1,33 @@
+/*-
+ * Copyright (c) 2008 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+const char *
+_gss_name_prefix(void)
+{
+ return "_gss_ntlm";
+}
diff --git a/kerberos5/lib/libgssapi_spnego/Makefile b/kerberos5/lib/libgssapi_spnego/Makefile
new file mode 100644
index 0000000..af98880
--- /dev/null
+++ b/kerberos5/lib/libgssapi_spnego/Makefile
@@ -0,0 +1,48 @@
+# $FreeBSD$
+
+LIB= gssapi_spnego
+LDFLAGS= -Wl,-Bsymbolic
+LDADD= -lasn1
+DPADD= ${LIBASN1}
+
+SRCS= accept_sec_context.c \
+ compat.c \
+ context_stubs.c \
+ cred_stubs.c \
+ external.c \
+ init_sec_context.c \
+ prefix.c \
+ spnego_asn1.h \
+ ${GEN:S/.x$/.c/}
+
+GEN= asn1_ContextFlags.x \
+ asn1_MechType.x \
+ asn1_MechTypeList.x \
+ asn1_NegotiationToken.x \
+ asn1_NegotiationTokenWin.x \
+ asn1_NegHints.x \
+ asn1_NegTokenInit.x \
+ asn1_NegTokenInitWin.x \
+ asn1_NegTokenResp.x
+
+CFLAGS+=-I${KRB5DIR}/lib/gssapi
+CFLAGS+=-I${KRB5DIR}/lib/asn1
+CFLAGS+=-I${KRB5DIR}/lib/roken -I.
+
+CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} spnego_asn1.h asn1_files
+
+.ORDER: ${GEN} spnego_asn1.h
+${GEN} spnego_asn1.h: spnego.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile --sequence=MechTypeList ${.ALLSRC:M*.asn1} spnego_asn1
+
+../../tools/asn1_compile/asn1_compile:
+ cd ${.CURDIR}/../../tools/asn1_compile && ${MAKE}
+
+.for I in ${GEN}
+${I:R}.c: ${I}
+ cat ${.ALLSRC} > ${.TARGET}
+.endfor
+
+.include <bsd.lib.mk>
+
+.PATH: ${KRB5DIR}/lib/gssapi/spnego ${.CURDIR}/../../../lib/libgssapi
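Review bot: The asn1_compile bootstrap rule and the `.for I in ${GEN}` copy loop near the end of this Makefile are repeated verbatim in the new libhx509 Makefile later in this commit, each spelling out `../../tools/asn1_compile/asn1_compile` by hand. Defining the tool path once, for example `ASN1_COMPILE= ../../tools/asn1_compile/asn1_compile` in a shared include (presumably the directory's Makefile.inc), and using `${ASN1_COMPILE}` in both the prerequisite list and the command would keep the copies from drifting. A short comment on `.ORDER: ${GEN} spnego_asn1.h` would also help, something like `# one asn1_compile run emits every target; serialize so parallel makes do not run it concurrently`, assuming that is the intent.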
diff --git a/kerberos5/lib/libgssapi_spnego/prefix.c b/kerberos5/lib/libgssapi_spnego/prefix.c
new file mode 100644
index 0000000..575c951
--- /dev/null
+++ b/kerberos5/lib/libgssapi_spnego/prefix.c
@@ -0,0 +1,45 @@
+/*-
+ * Copyright (c) 2008 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc =
+{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"};
+
+gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc;
+
+static gss_OID_desc gss_krb5_mechanism_oid_desc =
+{9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+
+gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
+
+const char *
+_gss_name_prefix(void)
+{
+ return "_gss_spnego";
+}
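Review bot: The two OID descriptors above `_gss_name_prefix` carry only raw DER bytes and a hand-counted length of 9, with no comment saying which OID each one encodes. A one-line comment on each would let a reader audit them: `/* 1.3.6.1.4.1.5322.19.5 */` above `gss_c_peer_has_updated_spnego_oid_desc` and `/* 1.2.840.113554.1.2.2 (Kerberos 5 mechanism) */` above `gss_krb5_mechanism_oid_desc`. Both also cast a string literal to `void *` and are published through a non-const global `gss_OID`, so a write through `elements` would land in read-only storage. A note that the descriptors must be treated as immutable is worth adding, since the `gss_OID_desc` layout presumably cannot be made const here.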
diff --git a/kerberos5/lib/libhdb/Makefile b/kerberos5/lib/libhdb/Makefile
index eef619f..75465d3 100644
--- a/kerberos5/lib/libhdb/Makefile
+++ b/kerberos5/lib/libhdb/Makefile
@@ -11,11 +11,14 @@ INCS= hdb-private.h \
SRCS= common.c \
db.c \
db3.c \
+ dbinfo.c \
+ ext.c \
hdb-ldap.c \
hdb.c \
hdb_asn1.h \
hdb_err.c \
hdb_err.h \
+ keys.c \
keytab.c \
mkey.c \
ndbm.c \
@@ -24,13 +27,23 @@ SRCS= common.c \
CFLAGS+=-I${KRB5DIR}/lib/hdb -I${KRB5DIR}/lib/asn1 \
-I${KRB5DIR}/lib/roken -I. ${LDAPCFLAGS}
+CFLAGS+=-DHDB_DB_DIR="\"/var/heimdal\""
-GEN= asn1_Event.x \
- asn1_GENERATION.x \
- asn1_HDBFlags.x \
+GEN= asn1_Salt.x \
asn1_Key.x \
- asn1_Salt.x \
- asn1_hdb_entry.x
+ asn1_Event.x \
+ asn1_HDBFlags.x \
+ asn1_GENERATION.x \
+ asn1_HDB_Ext_PKINIT_acl.x \
+ asn1_HDB_Ext_PKINIT_hash.x \
+ asn1_HDB_Ext_Constrained_delegation_acl.x \
+ asn1_HDB_Ext_Lan_Manager_OWF.x \
+ asn1_HDB_Ext_Password.x \
+ asn1_HDB_Ext_Aliases.x \
+ asn1_HDB_extension.x \
+ asn1_HDB_extensions.x \
+ asn1_hdb_entry.x \
+ asn1_hdb_entry_alias.x
CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} hdb_asn1.h asn1_files
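Review bot: The added `CFLAGS+=-DHDB_DB_DIR="\"/var/heimdal\""` compiles the KDC database location into libhdb, but nothing in this hunk says what is kept there or who creates the directory. Since this is where the HDB backend stores the principal database (and, as far as I know, the default master-key file), a comment on the expected ownership and mode would help, for example `# KDC database directory: holds principal keys; expected to be root-owned, mode 0700, created outside this Makefile`. Whether the directory is created elsewhere in the tree cannot be seen from this diff, so that part needs confirming.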
diff --git a/kerberos5/lib/libheimntlm/Makefile b/kerberos5/lib/libheimntlm/Makefile
new file mode 100644
index 0000000..e223258
--- /dev/null
+++ b/kerberos5/lib/libheimntlm/Makefile
@@ -0,0 +1,11 @@
+# $FreeBSD$
+
+LIB= heimntlm
+SRCS= ntlm.c
+INCS= heimntlm.h heimntlm-protos.h
+CFLAGS+=-I${KRB5DIR}/lib/ntlm
+VERSION_MAP= ${KRB5DIR}/lib/ntlm/version-script.map
+
+.include <bsd.lib.mk>
+
+.PATH: ${KRB5DIR}/lib/ntlm
diff --git a/kerberos5/lib/libhx509/Makefile b/kerberos5/lib/libhx509/Makefile
new file mode 100644
index 0000000..e94831a
--- /dev/null
+++ b/kerberos5/lib/libhx509/Makefile
@@ -0,0 +1,103 @@
+# $FreeBSD$
+
+LIB= hx509
+VERSION_MAP= ${KRB5DIR}/lib/hx509/version-script.map
+
+INCS= hx509-private.h \
+ hx509-protos.h \
+ hx509.h \
+ hx509_err.h
+
+SRCS= ca.c \
+ cert.c \
+ cms.c \
+ collector.c \
+ crypto.c \
+ doxygen.c \
+ error.c \
+ env.c \
+ file.c \
+ hx509-private.h \
+ hx509-protos.h \
+ hx509.h \
+ hx_locl.h \
+ keyset.c \
+ ks_dir.c \
+ ks_file.c \
+ ks_mem.c \
+ ks_null.c \
+ ks_p11.c \
+ ks_p12.c \
+ ks_keychain.c \
+ lock.c \
+ name.c \
+ peer.c \
+ print.c \
+ softp11.c \
+ ref/pkcs11.h \
+ req.c \
+ revoke.c
+
+SRCS+= hx509_err.c \
+ hx509_err.h
+
+SRCS+= ${GEN:S/.x$/.c/}
+
+CFLAGS+=-I${KRB5DIR}/lib/hx509
+CFLAGS+=-I${KRB5DIR}/lib/hx509/ref
+CFLAGS+=-I${KRB5DIR}/lib/asn1
+CFLAGS+=-I${KRB5DIR}/lib/roken -I.
+
+GEN_OCSP= \
+ asn1_OCSPBasicOCSPResponse.x \
+ asn1_OCSPCertID.x \
+ asn1_OCSPCertStatus.x \
+ asn1_OCSPInnerRequest.x \
+ asn1_OCSPKeyHash.x \
+ asn1_OCSPRequest.x \
+ asn1_OCSPResponderID.x \
+ asn1_OCSPResponse.x \
+ asn1_OCSPResponseBytes.x \
+ asn1_OCSPResponseData.x \
+ asn1_OCSPResponseStatus.x \
+ asn1_OCSPSignature.x \
+ asn1_OCSPSingleResponse.x \
+ asn1_OCSPTBSRequest.x \
+ asn1_OCSPVersion.x \
+ asn1_id_pkix_ocsp.x \
+ asn1_id_pkix_ocsp_basic.x \
+ asn1_id_pkix_ocsp_nonce.x
+
+GEN_PKCS10= \
+ asn1_CertificationRequestInfo.x \
+ asn1_CertificationRequest.x
+
+GEN+= ${GEN_OCSP}
+GEN+= ${GEN_PKCS10}
+
+CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} asn1_files
+
+GEN_ASN1=ocsp_asn1.h pkcs10_asn1.h
+CLEANFILES+=${GEN_ASN1}
+SRCS+=${GEN_ASN1}
+INCS+=${GEN_ASN1}
+
+.ORDER: ${GEN} ${GEN_ASN1}
+
+${GEN_OCSP} ocsp_asn1.h: ocsp.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile --preserve-binary=OCSPTBSRequest --preserve-binary=OCSPResponseData ${.ALLSRC:M*.asn1} ocsp_asn1
+
+${GEN_PKCS10} pkcs10_asn1.h: pkcs10.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} pkcs10_asn1
+
+../../tools/asn1_compile/asn1_compile:
+ cd ${.CURDIR}/../../tools/asn1_compile && ${MAKE}
+
+.for I in ${GEN}
+${I:R}.c: ${I}
+ cat ${.ALLSRC} > ${.TARGET}
+.endfor
+
+.include <bsd.lib.mk>
+
+.PATH: ${KRB5DIR}/lib/hx509 ${KRB5DIR}/lib/asn1
diff --git a/kerberos5/lib/libkadm5clnt/Makefile b/kerberos5/lib/libkadm5clnt/Makefile
index 32cc80b..3390866 100644
--- a/kerberos5/lib/libkadm5clnt/Makefile
+++ b/kerberos5/lib/libkadm5clnt/Makefile
@@ -10,7 +10,8 @@ INCS= admin.h \
INCSDIR=${INCLUDEDIR}/kadm5
-SRCS= chpass_c.c \
+SRCS= ad.c \
+ chpass_c.c \
client_glue.c \
common_glue.c \
create_c.c \
diff --git a/kerberos5/lib/libkadm5srv/Makefile b/kerberos5/lib/libkadm5srv/Makefile
index 086cb8f..c0be477 100644
--- a/kerberos5/lib/libkadm5srv/Makefile
+++ b/kerberos5/lib/libkadm5srv/Makefile
@@ -1,6 +1,7 @@
# $FreeBSD$
LIB= kadm5srv
+VERSION_MAP= ${KRB5DIR}/lib/kadm5/version-script.map
SRCS= acl.c \
bump_pw_expire.c \
diff --git a/kerberos5/lib/libkafs5/Makefile b/kerberos5/lib/libkafs5/Makefile
index 337c642..e0e0b30 100644
--- a/kerberos5/lib/libkafs5/Makefile
+++ b/kerberos5/lib/libkafs5/Makefile
@@ -19,7 +19,7 @@ MLINKS= kafs5.3 k_afs_cell_of_file.3 \
kafs5.3 krb_afslog.3 \
kafs5.3 krb_afslog_uid.3
-SRCS= afssys.c afskrb5.c common.c
+SRCS= afssys.c afskrb5.c common.c krb5_err.h
CFLAGS+=-I${KRB5DIR}/lib/kafs -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/roken
CLEANFILES= kafs5.3
diff --git a/kerberos5/lib/libkrb5/Makefile b/kerberos5/lib/libkrb5/Makefile
index 40cddc3..5ba011b 100644
--- a/kerberos5/lib/libkrb5/Makefile
+++ b/kerberos5/lib/libkrb5/Makefile
@@ -1,45 +1,76 @@
# $FreeBSD$
LIB= krb5
+VERSION_MAP= ${KRB5DIR}/lib/krb5/version-script.map
INCS= heim_err.h \
+ heim_threads.h \
k524_err.h \
krb5-protos.h \
krb5-types.h \
krb5.h \
- krb5_err.h
+ krb5_err.h \
+ krb5-v4compat.h \
+ krb_err.h
MAN= krb5.3 \
+ krb524_convert_creds_kdc.3 \
krb5_425_conv_principal.3 \
+ krb5_acl_match_file.3 \
krb5_address.3 \
krb5_aname_to_localname.3 \
krb5_appdefault.3 \
krb5_auth_context.3 \
- krb5_build_principal.3 \
+ krb5_c_make_checksum.3 \
krb5_ccache.3 \
+ krb5_check_transited.3 \
+ krb5_compare_creds.3 \
krb5_config.3 \
krb5_context.3 \
krb5_create_checksum.3 \
+ krb5_creds.3 \
krb5_crypto_init.3 \
krb5_data.3 \
+ krb5_digest.3 \
+ krb5_eai_to_heim_errno.3 \
krb5_encrypt.3 \
- krb5_free_addresses.3 \
- krb5_free_principal.3 \
+ krb5_expand_hostname.3 \
+ krb5_find_padata.3 \
+ krb5_generate_random_block.3 \
krb5_get_all_client_addrs.3 \
+ krb5_get_credentials.3 \
+ krb5_get_creds.3 \
+ krb5_get_forwarded_creds.3 \
+ krb5_get_in_cred.3 \
+ krb5_get_init_creds.3 \
krb5_get_krbhst.3 \
+ krb5_getportbyname.3 \
krb5_init_context.3 \
+ krb5_is_thread_safe.3 \
+ krb5_keyblock.3 \
krb5_keytab.3 \
krb5_krbhst_init.3 \
krb5_kuserok.3 \
+ krb5_mk_req.3 \
+ krb5_mk_safe.3 \
krb5_openlog.3 \
krb5_parse_name.3 \
- krb5_principal_get_realm.3 \
+ krb5_principal.3 \
+ krb5_rcache.3 \
+ krb5_rd_error.3 \
+ krb5_rd_safe.3 \
krb5_set_default_realm.3 \
- krb5_sname_to_principal.3 \
+ krb5_set_password.3 \
+ krb5_storage.3 \
+ krb5_string_to_key.3 \
+ krb5_ticket.3 \
krb5_timeofday.3 \
krb5_unparse_name.3 \
+ krb5_verify_init_creds.3 \
krb5_verify_user.3 \
- krb5_warn.3
+ krb5_warn.3 \
+ verify_krb5_conf.8
+
MAN+= krb5.conf.5
MAN+= kerberos.8
@@ -209,7 +240,8 @@ MLINKS= krb5_425_conv_principal.3 krb5_425_conv_principal_ext.3 \
krb5_warn.3 krb5_vwarnx.3 \
krb5_warn.3 krb5_warnx.3
-SRCS= acl.c \
+SRCS= acache.c \
+ acl.c \
add_et_list.c \
addr_families.c \
aname_to_localname.c \
@@ -231,6 +263,7 @@ SRCS= acl.c \
creds.c \
crypto.c \
data.c \
+ digest.c \
eai_to_heim_errno.c \
error_string.c \
expand_hostname.c \
@@ -250,12 +283,11 @@ SRCS= acl.c \
get_in_tkt_with_keytab.c \
get_in_tkt_with_skey.c \
get_port.c \
- heim_err.c \
- heim_err.h \
+ heim_threads.h \
init_creds.c \
init_creds_pw.c \
- k524_err.c \
- k524_err.h \
+ kcm.c \
+ kcm.h \
keyblock.c \
keytab.c \
keytab_any.c \
@@ -263,8 +295,8 @@ SRCS= acl.c \
keytab_keyfile.c \
keytab_krb4.c \
keytab_memory.c \
- krb5_err.c \
- krb5_err.h \
+ krb5_locl.h \
+ krb5-v4compat.h \
krbhst.c \
kuserok.c \
log.c \
@@ -276,10 +308,13 @@ SRCS= acl.c \
mk_req.c \
mk_req_ext.c \
mk_safe.c \
+ mit_glue.c \
n-fold.c \
net_read.c \
net_write.c \
+ pac.c \
padata.c \
+ pkinit.c \
principal.c \
prog_setup.c \
prompter_posix.c \
@@ -297,20 +332,32 @@ SRCS= acl.c \
set_default_realm.c \
sock_principal.c \
store.c \
+ store-int.h \
store_emem.c \
store_fd.c \
store_mem.c \
+ plugin.c \
ticket.c \
time.c \
transited.c \
+ v4_glue.c \
verify_init.c \
verify_user.c \
version.c \
warn.c \
write_message.c
+SRCS+= heim_err.c \
+ heim_err.h \
+ k524_err.c \
+ k524_err.h \
+ krb5_err.c \
+ krb5_err.h \
+ krb_err.c \
+ krb_err.h
+
CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken -I.
.include <bsd.lib.mk>
-.PATH: ${KRB5DIR}/lib/krb5 ${.CURDIR}/../../include
+.PATH: ${KRB5DIR}/lib/krb5 ${KRB5DIR}/lib/asn1 ${.CURDIR}/../../include
diff --git a/kerberos5/lib/libroken/Makefile b/kerberos5/lib/libroken/Makefile
index fceb6ec..952740e 100644
--- a/kerberos5/lib/libroken/Makefile
+++ b/kerberos5/lib/libroken/Makefile
@@ -1,13 +1,14 @@
# $FreeBSD$
LIB= roken
-SHLIB_MAJOR= 9
INCS= roken.h roken-common.h
SRCS= base64.c \
bswap.c \
+ closefrom.c \
concat.c \
copyhostent.c \
+ dumpdata.c \
ecalloc.c \
emalloc.c \
environment.c \
@@ -21,6 +22,7 @@ SRCS= base64.c \
getaddrinfo_hostspec.c \
getarg.c \
getnameinfo_verified.c \
+ hex.c \
hostent_find_fqdn.c \
issuid.c \
k_getpwnam.c \
@@ -43,6 +45,7 @@ SRCS= base64.c \
strlwr.c \
strndup.c \
strnlen.c \
+ strpool.c \
strsep_copy.c \
strupr.c \
timeval.c \