579 files changed, 97092 insertions, 31499 deletions

diff --git a/crypto/heimdal/ChangeLog b/crypto/heimdal/ChangeLog
index b5d265e..8f3f512 100644
--- a/crypto/heimdal/ChangeLog
+++ b/crypto/heimdal/ChangeLog
@@ -1,5608 +1,157 @@
-2000-02-20  Assar Westerlund  <assar@sics.se>
+2001-02-05  Assar Westerlund  <assar@assaris.sics.se>
 
-	* Release 0.2p
+	* Release 0.3e
 
-2000-02-19  Assar Westerlund  <assar@sics.se>
+2001-01-30  Assar Westerlund  <assar@sics.se>
 
-	* lib/krb5/Makefile.am: set version to 9:1:0
-	
-	* lib/krb5/expand_hostname.c (krb5_expand_hostname): make sure
-	that realms is filled in even when getaddrinfo fails or does not
-	return any canonical name
-
-	* kdc/connect.c (descr): add sockaddr and string representation
-	(*): re-write to use the above mentioned
-
-2000-02-16  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/addr_families.c (krb5_parse_address): use
-	krb5_sockaddr2address to copy the result from getaddrinfo.
-
-2000-02-14  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2o
-
-2000-02-13  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/Makefile.am: set version to 9:0:0
-
-	* kdc/kaserver.c (do_authenticate): return the kvno of the server
-	and not the client.  Thanks to Brandon S. Allbery KF8NH
-	<allbery@kf8nh.apk.net> and Chaskiel M Grundman
-	<cg2v@andrew.cmu.edu> for debugging.
-
-	* kdc/kerberos4.c (do_version4): if an tgs-req is received with an
-	old kvno, return an error reply and write a message in the log.
-	
-2000-02-12  Assar Westerlund  <assar@sics.se>
-
-	* appl/test/gssapi_server.c (proto): with `--fork', create a child
-	and send over/receive creds with export/import_sec_context
-	* appl/test/gssapi_client.c (proto): with `--fork', create a child
-	and send over/receive creds with export/import_sec_context
-	* appl/test/common.c: add `--fork' / `-f' (only used by gssapi)
-
-2000-02-11  Assar Westerlund  <assar@sics.se>
-
-	* kdc/kdc_locl.h: remove keyfile add explicit_addresses
-	* kdc/connect.c (init_sockets): pay attention to
-	explicit_addresses some more comments.  better error messages.
-	* kdc/config.c: add some comments.
-	remove --key-file.
-	add --addresses.
-
-	* lib/krb5/context.c (krb5_set_extra_addresses): const-ize and use
-	proper abstraction
-
-2000-02-07  Johan Danielsson  <joda@pdc.kth.se>
-
-	* lib/krb5/changepw.c: use roken_getaddrinfo_hostspec
-
-2000-02-07  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2n
-
-2000-02-07  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/Makefile.am: set version to 8:0:0
-	* lib/krb5/keytab.c (krb5_kt_default_name): use strlcpy
-	(krb5_kt_add_entry): set timestamp
-
-2000-02-06  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/krb5.h: add macros for accessing krb5_realm
-	* lib/krb5/time.c (krb5_timeofday): use `krb5_timestamp' instead
-	of `int32_t'
-
-	* lib/krb5/replay.c (checksum_authenticator): update to new API
-	for md5
-
-	* lib/krb5/krb5.h: remove des.h, it's not needed and applications
-	should not have to make sure to find it.
-
-2000-02-03  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/rd_req.c (get_key_from_keytab): rename parameter to
-	`out_key' to avoid conflicting with label.  reported by Sean Doran
-	<smd@ebone.net>
-
-2000-02-02  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/expand_hostname.c: remember to lower-case host names.
-	bug reported by <amu@mit.edu>
-
-	* kdc/kerberos4.c (do_version4): look at check_ticket_addresses
-	and emulate that by setting krb_ignore_ip_address (not a great
-	interface but it doesn't seem like the time to go around fixing
-	libkrb stuff now)
-
-2000-02-01  Johan Danielsson  <joda@pdc.kth.se>
-
-	* kuser/kinit.c: change --noaddresses into --no-addresses
-
-2000-01-28  Assar Westerlund  <assar@sics.se>
-
-	* kpasswd/kpasswd.c (main): make sure the ticket is not
-	forwardable and not proxiable
-
-2000-01-26  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/crypto.c: update to pseudo-standard APIs for
-	md4,md5,sha.  some changes to libdes calls to make them more
-	portable.
-
-2000-01-21  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/verify_init.c (krb5_verify_init_creds): make sure to
- 	clean up the correct creds.
-
-2000-01-16  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/principal.c (append_component): change parameter to
-	`const char *'.  check malloc
-	* lib/krb5/principal.c (append_component, va_ext_princ, va_princ):
-	const-ize
-	* lib/krb5/mk_req.c (krb5_mk_req): make `service' and `hostname'
-	const
-	* lib/krb5/principal.c (replace_chars): also add space here
-	* lib/krb5/principal.c: (quotable_chars): add space
-
-2000-01-12  Assar Westerlund  <assar@sics.se>
-
-	* kdc/kerberos4.c (do_version4): check if preauth was required and
-	bail-out if so since there's no way that could be done in v4.
-	Return NULL_KEY as an error to the client (which is non-obvious,
-	but what can you do?)
-
-2000-01-09  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/principal.c (krb5_sname_to_principal): use
-	krb5_expand_hostname_realms
-	* lib/krb5/mk_req.c (krb5_km_req): use krb5_expand_hostname_realms
-	* lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): new
-	variant of krb5_expand_hostname that tries until it expands into
-	something that's digestable by krb5_get_host_realm, returning also
-	the result from that function.
-
-2000-01-08  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2m
-
-2000-01-08  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: replace AC_C_BIGENDIAN with KRB_C_BIGENDIAN
-
-	* lib/krb5/Makefile.am: bump version to 7:1:0
-
-	* lib/krb5/principal.c (krb5_sname_to_principal): use
-	krb5_expand_hostname
-	* lib/krb5/expand_hostname.c (krb5_expand_hostname): handle
-	ai_canonname being set in any of the addresses returnedby
-	getaddrinfo.  glibc apparently returns the reverse lookup of every
-	address in ai_canonname.
-
-2000-01-06  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2l
-
-2000-01-06  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/Makefile.am: set version to 7:0:0
-	* lib/krb5/principal.c (krb5_sname_to_principal): remove `hp'
-
-	* lib/hdb/Makefile.am: set version to 4:1:1
-
-	* kdc/hpropd.c (dump_krb4): use `krb5_get_default_realms'
-	* lib/krb5/get_in_tkt.c (add_padata): change types to make
-	everything work out
-	(krb5_get_in_cred): remove const to make types match
-	* lib/krb5/crypto.c (ARCFOUR_string_to_key): correct signature
-	* lib/krb5/principal.c (krb5_sname_to_principal): handle not
-	getting back a canonname
-
-2000-01-06  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2k
-
-2000-01-06  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): advance colon so that
-	we actually parse the port number.  based on a patch from Leif
-	Johansson <leifj@it.su.se>
-
-2000-01-02  Assar Westerlund  <assar@sics.se>
-
-	* admin/purge.c: remove all non-current and old entries from a
-	keytab
-
-	* admin: break up ktutil.c into files
-
-	* admin/ktutil.c (list): support --verbose (also listning time
-	stamps)
-	(kt_add, kt_get): set timestamp in newly created entries
-	(kt_change): add `change' command
-
-	* admin/srvconvert.c (srvconv): set timestamp in newly created
-	entries
-	* lib/krb5/keytab_keyfile.c (akf_next_entry): set timetsamp,
-	always go the a predicatble position on error
-	* lib/krb5/keytab.c (krb5_kt_copy_entry_contents): copy timestamp
-	* lib/krb5/keytab_file.c (fkt_add_entry): store timestamp
-	(fkt_next_entry_int): return timestamp
-	* lib/krb5/krb5.h (krb5_keytab_entry): add timestamp
-
-1999-12-30  Assar Westerlund  <assar@sics.se>
-
-	* configure.in (krb4): use `-ldes' in tests
-
-1999-12-26  Assar Westerlund  <assar@sics.se>
-
-	* lib/hdb/print.c (event2string): handle events without principal.
-  	From Luke Howard <lukeh@PADL.COM>
-
-1999-12-25  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2j
-
-Tue Dec 21 18:03:17 1999  Assar Westerlund  <assar@sics.se>
-
-	* lib/hdb/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and
- 	related systems
-
-	* lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and
- 	related systems
-
-	* include/Makefile.am (krb5-types.h): add $(EXEEXT) for cygwin and
- 	related systems
-
-1999-12-20  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2i
-
-1999-12-20  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 6:3:1
-
-	* lib/krb5/send_to_kdc.c (send_via_proxy): free data
-	* lib/krb5/send_to_kdc.c (send_via_proxy): new function use
-	getaddrinfo instead of gethostbyname{,2}
-	* lib/krb5/get_for_creds.c: use getaddrinfo instead of
-	getnodebyname{,2}
-
-1999-12-17  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2h
-
-1999-12-17  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2g
-
-1999-12-16  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/Makefile.am: bump version to 6:2:1
-
-	* lib/krb5/principal.c (krb5_sname_to_principal): handle
-	ai_canonname not being set
-	* lib/krb5/expand_hostname.c (krb5_expand_hostname): handle
-	ai_canonname not being set
-
-	* appl/test/uu_server.c: print messages to stderr
-	* appl/test/tcp_server.c: print messages to stderr
-	* appl/test/nt_gss_server.c: print messages to stderr
-	* appl/test/gssapi_server.c: print messages to stderr
-
-	* appl/test/tcp_client.c (proto): remove shadowing `context'
-	* appl/test/common.c (client_doit): add forgotten ntohs
-
-1999-12-13  Assar Westerlund  <assar@sics.se>
-
-	* configure.in (VERISON): bump to 0.2g-pre
-
-1999-12-12  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/principal.c (krb5_425_conv_principal_ext): be more
- 	robust and handle extra dot at the beginning of default_domain
-
-1999-12-12  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2f
-
-1999-12-12  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/Makefile.am: bump version to 6:1:1
-	
-	* lib/krb5/changepw.c (get_kdc_address): use
- 	`krb5_get_krb_changepw_hst'
-
-	* lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): add
-
-	* lib/krb5/get_host_realm.c: add support for _kerberos.domain
- 	(according to draft-ietf-cat-krb-dns-locate-01.txt)
-
-1999-12-06  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2e
-
-1999-12-06  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/changepw.c (krb5_change_password): use the correct
- 	address
-
-	* lib/krb5/Makefile.am: bump version to 6:0:1
-
-	* lib/asn1/Makefile.am: bump version to 1:4:0
-
-1999-12-04  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: move AC_KRB_IPv6 to make sure it's performed
- 	before AC_BROKEN
-	(el_init): use new feature of AC_FIND_FUNC_NO_LIBS
-
-	* appl/test/uu_client.c: use client_doit
-	* appl/test/test_locl.h (client_doit): add prototype
-	* appl/test/tcp_client.c: use client_doit
-	* appl/test/nt_gss_client.c: use client_doit
-	* appl/test/gssapi_client.c: use client_doit
-	* appl/test/common.c (client_doit): move identical code here and
-	start using getaddrinfo
-
-	* appl/kf/kf.c (doit): rewrite to use getaddrinfo
-	* kdc/hprop.c: re-write to use getaddrinfo
-	* lib/krb5/principal.c (krb5_sname_to_principal): use getaddrinfo
-	* lib/krb5/expand_hostname.c (krb5_expand_hostname): use
-	getaddrinfo
-	* lib/krb5/changepw.c: re-write to use getaddrinfo
-	* lib/krb5/addr_families.c (krb5_parse_address): use getaddrinfo
-
-1999-12-03  Assar Westerlund  <assar@sics.se>
-
-	* configure.in (BROKEN): check for freeaddrinfo, getaddrinfo,
-	getnameinfo, gai_strerror
-	(socklen_t): check for
-
-1999-12-02  Johan Danielsson  <joda@pdc.kth.se>
-
-	* lib/krb5/crypto.c: ARCFOUR_set_key -> RC4_set_key
-
-1999-11-23  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/crypto.c (ARCFOUR_string_to_key): change order of bytes
- 	within unicode characters.  this should probably be done in some
- 	arbitrarly complex way to do it properly and you would have to
- 	know what character encoding was used for the password and salt
- 	string.
-
-	* lib/krb5/addr_families.c (ipv4_uninteresting): ignore 0.0.0.0
-	(INADDR_ANY)
-	(ipv6_uninteresting): remove unused macro
-
-1999-11-22  Johan Danielsson  <joda@pdc.kth.se>
-
-	* lib/krb5/krb5.h: rc4->arcfour
-
-	* lib/krb5/crypto.c: rc4->arcfour
-
-1999-11-17  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/krb5_locl.h: add <rc4.h>
-	* lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_RC4
-	* lib/krb5/crypto.c: some code for doing RC4/MD5/HMAC which might
-	not be totally different from some small company up in the
-	north-west corner of the US
-
-	* lib/krb5/get_addrs.c (find_all_addresses): change code to
- 	actually increment buf_size
-
-1999-11-14  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/krb5.h (krb5_context_data): add `scan_interfaces'
-	* lib/krb5/get_addrs.c (krb5_get_all_client_addrs): make interaces
- 	scanning optional
-	* lib/krb5/context.c (init_context_from_config_file): set
- 	`scan_interfaces'
-
-	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add add_et_list.c
-	* lib/krb5/add_et_list.c (krb5_add_et_list): new function
-
-1999-11-12  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_default_realm.c (krb5_get_default_realm,
-	krb5_get_default_realms): set realms if they were unset
-	* lib/krb5/context.c (init_context_from_config_file): don't
-	initialize default realms here.  it's done lazily instead.
-	
-	* lib/krb5/krb5.h (KRB5_TC_*): make constants unsigned
-	* lib/asn1/gen_glue.c (generate_2int, generate_units): make sure
-	bit constants are unsigned
-	* lib/asn1/gen.c (define_type): make length in sequences be
-	unsigned.
-
-	* configure.in: remove duplicate test for setsockopt test for
-	struct tm.tm_isdst
-
-	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): generate
-	preauthentication information if we get back ERR_PREAUTH_REQUIRED
-	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): remove
-	preauthentication generation code.  it's now in krb5_get_in_cred
-	
-	* configure.in (AC_BROKEN_SNPRINTF): add strptime check for struct
-	tm.tm_gmtoff and timezone
-	
-1999-11-11  Johan Danielsson  <joda@pdc.kth.se>
-
-	* kdc/main.c: make this work with multi-db
-
-	* kdc/kdc_locl.h: make this work with multi-db
-
-	* kdc/config.c: make this work with multi-db
-
-1999-11-09  Johan Danielsson  <joda@pdc.kth.se>
-
-	* kdc/misc.c: update for multi-database code
-
-	* kdc/main.c: update for multi-database code
-
-	* kdc/kdc_locl.h: update
-
-	* kdc/config.c: allow us to have more than one database
-
-1999-11-04  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2d
-
-	* lib/krb5/Makefile.am: bump version to 5:0:0 to be safe
- 	(krb5_context_data has changed and some code do (might) access
- 	fields directly)
-
-	* lib/krb5/krb5.h (krb5_context_data): add `etypes_des'
-
-	* lib/krb5/get_cred.c (init_tgs_req): use
- 	krb5_keytype_to_enctypes_default
-
-	* lib/krb5/crypto.c (krb5_keytype_to_enctypes_default): new
- 	function
-
-	* lib/krb5/context.c (set_etypes): new function
-	(init_context_from_config_file): set both `etypes' and `etypes_des'
-
-1999-11-02  Assar Westerlund  <assar@sics.se>
-
-	* configure.in (VERSION): bump to 0.2d-pre
-
-1999-10-29  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/principal.c (krb5_parse_name): check memory allocations
-
-1999-10-28  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2c
-
-	* lib/krb5/dump_config.c (print_tree): check for empty tree
-
-	* lib/krb5/string-to-key-test.c (tests): update the test cases
- 	with empty principals so that they actually use an empty realm and
- 	not the default.  use the correct etype for 3DES
-
-	* lib/krb5/Makefile.am: bump version to 4:1:0
-
-	* kdc/config.c (configure): more careful with the port string
-
-1999-10-26  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2b
-
-1999-10-20  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/Makefile.am: bump version to 4:0:0
- 	(krb524_convert_creds_kdc and potentially some other functions
- 	have changed prototypes)
-
-	* lib/hdb/Makefile.am: bump version to 4:0:1
-
-	* lib/asn1/Makefile.am: bump version to 1:3:0
-
-	* configure.in (LIB_roken): add dbopen.  getcap in roken
- 	references dbopen and with shared libraries we need to add this
- 	dependency.
-
-	* lib/krb5/verify_krb5_conf.c (main): support speicifying the
- 	configuration file to test on the command line
-
-	* lib/krb5/config_file.c (parse_binding): handle line with no
- 	whitespace before =
-	(krb5_config_parse_file_debug): set lineno earlier so that we don't
-	use it unitialized
-
-	* configure.in (AM_INIT_AUTOMAKE): bump to 0.2b-pre opt*: need
- 	more include files for these tests
-
-	* lib/krb5/set_default_realm.c (krb5_set_default_realm): use
- 	krb5_config_get_strings, which means that your configuration file
- 	should look like:
-	
-	[libdefaults]
-	  default_realm = realm1 realm2 realm3
-
-	* lib/krb5/set_default_realm.c (config_binding_to_list): fix
- 	copy-o.  From Michal Vocu <michal@karlin.mff.cuni.cz>
-
-	* kdc/config.c (configure): add a missing strdup.  From Michal
- 	Vocu <michal@karlin.mff.cuni.cz>
-
-1999-10-17  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.2a
-
-	* configure.in: only test for db.h with using berkeley_db. remember
- 	to link with LIB_tgetent when checking for el_init. add xnlock
-
-	* appl/Makefile.am: add xnlock
-
-	* kdc/kerberos5.c (find_etype): support null keys
-
-	* kdc/kerberos4.c (get_des_key): support null keys
-
-	* lib/krb5/crypto.c (krb5_get_wrapped_length): more correct
- 	calculation
-
-1999-10-16  Johan Danielsson  <joda@pdc.kth.se>
-
-	* kuser/kinit.c (main): pass ccache to krb524_convert_creds_kdc
-
-1999-10-12  Johan Danielsson  <joda@pdc.kth.se>
-
-	* lib/krb5/crypto.c (krb5_enctype_to_keytype): remove warning
-
-1999-10-10  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/mk_req.c (krb5_mk_req): use krb5_free_host_realm
-
-	* lib/krb5/krb5.h (krb5_ccache_data): make `ops' const
-
-	* lib/krb5/crypto.c (krb5_string_to_salttype): new function
-
-	* **/*.[ch]: const-ize
-
-1999-10-06  Assar Westerlund  <assar@sics.se>
-	
-	* lib/krb5/creds.c (krb5_compare_creds): const-ify
-	
-	* lib/krb5/cache.c: clean-up and comment-up
-
-	* lib/krb5/copy_host_realm.c (krb5_copy_host_realm): copy all the
- 	strings
-
-	* lib/krb5/verify_user.c (krb5_verify_user_lrealm): free the
- 	correct realm part
-
-	* kdc/connect.c (handle_tcp): things work much better when ret is
- 	initialized
-
-1999-10-03  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): look at the
- 	type of the session key
-
-	* lib/krb5/crypto.c (krb5_enctypes_compatible_keys): spell
- 	correctly
-
-	* lib/krb5/creds.c (krb5_compare_creds): fix spelling of
- 	krb5_enctypes_compatible_keys
-
-	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): get new
- 	credentials from the KDC if the existing one doesn't have a DES
- 	session key.
-
-	* lib/45/get_ad_tkt.c (get_ad_tkt): update to new
- 	krb524_convert_creds_kdc
-
-1999-10-03  Johan Danielsson  <joda@pdc.kth.se>
-
-	* lib/krb5/keytab_keyfile.c: make krb5_akf_ops const
-
-	* lib/krb5/keytab_memory.c: make krb5_mkt_ops const
-
-	* lib/krb5/keytab_file.c: make krb5_fkt_ops const
-
-1999-10-01  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/config_file.c: rewritten to allow error messages
-
-	* lib/krb5/Makefile.am (bin_PROGRAMS): add verify_krb5_conf
-	(libkrb5_la_SOURCES): add config_file_netinfo.c
-
-	* lib/krb5/verify_krb5_conf.c: new program for verifying that
-	krb5.conf is corret
-
-	* lib/krb5/config_file_netinfo.c: moved netinfo code here from
- 	config_file.c
-
-1999-09-28  Assar Westerlund  <assar@sics.se>
-
-	* kdc/hpropd.c (dump_krb4): kludge default_realm
-
-	* lib/asn1/check-der.c: add test cases for Generalized time and
- 	make sure we return the correct value
-
-	* lib/asn1/der_put.c: simplify by using der_put_length_and_tag
-
-	* lib/krb5/verify_user.c (krb5_verify_user_lrealm): ariant of
- 	krb5_verify_user that tries in all the local realms
-
-	* lib/krb5/set_default_realm.c: add support for having several
- 	default realms
-
-	* lib/krb5/kuserok.c (krb5_kuserok): use `krb5_get_default_realms'
-
-	* lib/krb5/get_default_realm.c (krb5_get_default_realms): add
-
-	* lib/krb5/krb5.h (krb5_context_data): change `default_realm' to
- 	`default_realms'
-
-	* lib/krb5/context.c: change from `default_realm' to
- 	`default_realms'
-
-	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use
- 	krb5_get_default_realms
-
-	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add copy_host_realm.c
-
-	* lib/krb5/copy_host_realm.c: new file
-
-1999-09-27  Johan Danielsson  <joda@pdc.kth.se>
-
-	* lib/asn1/der_put.c (encode_generalized_time): encode length
-
-	* lib/krb5/recvauth.c: new function `krb5_recvauth_match_version'
-	that allows more intelligent matching of the application version
-
-1999-09-26  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/asn1_print.c: add err.h
-
-	* kdc/config.c (configure): use parse_bytes
-
-	* appl/test/nt_gss_common.c: use the correct header file
-
-1999-09-24  Johan Danielsson  <joda@pdc.kth.se>
-
-	* kuser/klist.c: add a `--cache' flag
-
-	* kuser/kinit.c (main): only get default value for `get_v4_tgt' if
-	it's explicitly set in krb5.conf
-
-1999-09-23  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/asn1_print.c (tag_names); add another univeral tag
-
-	* lib/asn1/der.h: update universal tags
-
-1999-09-22  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/asn1_print.c (loop): print length of octet string
-
-1999-09-21  Johan Danielsson  <joda@pdc.kth.se>
-
-	* admin/ktutil.c (kt_get): add `--help'
-
-1999-09-21  Assar Westerlund  <assar@sics.se>
-
-	* kuser/Makefile.am: add kdecode_ticket
-
-	* kuser/kdecode_ticket.c: new debug program
-
-	* appl/test/nt_gss_server.c: new program to test against `Sample *
- 	SSPI Code' in Windows 2000 RC1 SDK.
-
-	* appl/test/Makefile.am: add nt_gss_client and nt_gss_server
-
-	* lib/asn1/der_get.c (decode_general_string): remember to advance
- 	ret over the length-len
-
-	* lib/asn1/Makefile.am: add asn1_print
-
-	* lib/asn1/asn1_print.c: new program for printing DER-structures
-
-	* lib/asn1/der_put.c: make functions more consistent
-
-	* lib/asn1/der_get.c: make functions more consistent
-
-1999-09-20  Johan Danielsson  <joda@pdc.kth.se>
-
-	* kdc/kerberos5.c: be more informative in pa-data error messages
-
-1999-09-16  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: test for strlcpy, strlcat
-
-1999-09-14  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): return
- 	KRB5_LIBOS_PWDINTR when interrupted
-
-	* lib/krb5/get_in_tkt_pw.c (krb5_password_key_proc): check return
- 	value from des_read_pw_string
-
-	* kuser/kinit.c (main): don't print any error if reading the
- 	password was interrupted
-
-	* kpasswd/kpasswd.c (main): don't print any error if reading the
- 	password was interrupted
-
-	* kdc/string2key.c (main): check the return value from fgets
-
-	* kdc/kstash.c (main): check return value from des_read_pw_string
-
-	* admin/ktutil.c (kt_add): check the return-value from fgets and
- 	overwrite the password for paranoid reasons
-
-	* lib/krb5/keytab_keyfile.c (get_cell_and_realm): only remove the
- 	newline if it's there
-
-1999-09-13  Assar Westerlund  <assar@sics.se>
-
-	* kdc/hpropd.c (main): remove bogus error with `--print'.  remove
- 	sysloging of number of principals transferred
-
-	* kdc/hprop.c (ka_convert): set flags correctly for krbtgt/CELL
- 	principals
-	(main): get rid of bogus opening of hdb database when propagating
-	ka-server database
-
-1999-09-12  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/krb5_locl.h (O_BINARY): add fallback definition
-
-	* lib/krb5/krb5.h (krb5_context_data): add keytab types
-
-	* configure.in: revert back awk test, not worked around in
- 	roken.awk
-
-	* lib/krb5/keytab_krb4.c: remove O_BINARY
-
-	* lib/krb5/keytab_keyfile.c: some support for AFS KeyFile's.  From
-	Love <lha@e.kth.se>
-
-	* lib/krb5/keytab_file.c: remove O_BINARY
-
-	* lib/krb5/keytab.c: move the list of keytab types to the context
-
-	* lib/krb5/fcache.c: remove O_BINARY
-
-	* lib/krb5/context.c (init_context_from_config_file): register all
- 	standard cache and keytab types
-	(krb5_free_context): free `kt_types'
-
-	* lib/krb5/cache.c (krb5_cc_resolve): move the registration of the
- 	standard types of credential caches to context
-
-	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_keyfile.c
-
-1999-09-10  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/keytab.c: add comments and clean-up
-
-	* admin/ktutil.c: add `ktutil copy'
-
-	* lib/krb5/keytab_krb4.c: new file
-
-	* lib/krb5/krb5.h (krb5_kt_cursor): add a `data' field
-
-	* lib/krb5/Makefile.am: add keytab_krb4.c
-
-	* lib/krb5/keytab.c: add krb4 and correct some if's
+	* kdc/hprop.c (v4_get_masterkey): check kdb_verify_master_key
+	properly
+	(kdb_prop): decrypt key properly
+	* kdc/hprop.c: handle building with KRB4 always try to decrypt v4
+	data with the master key leave it up to the v5 how to encrypt with
+	that master key
 
-	* admin/srvconvert.c (srvconv): move common code
+	* kdc/kstash.c: include file name in error messages
+	* kdc/hprop.c: fix a typo and check some more return values
+	* lib/hdb/hdb-ldap.c (LDAP__lookup_princ): call ldap_search_s
+	correctly.  From Jacques Vidrine <n@nectar.com>
+	* kdc/misc.c (db_fetch): HDB_ERR_NOENTRY makes more sense than
+	ENOENT
 
-	* lib/krb5/krb5.h (krb5_fkt_ops, krb5_mkt_ops): new variables
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to
+	15:0:0
+	* lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 7:0:0
+	* lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump version to 4:0:2
+	* kdc/misc.c (db_fetch): return an error code.  change callers to
+	look at this and try to print it in log messages
 
-	* lib/krb5/keytab.c: move out file and memory functions
+	* lib/krb5/crypto.c (decrypt_internal_derived): check that there's
+	enough data
 
-	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_file.c,
- 	keytab_memory.c
+2001-01-29  Assar Westerlund  <assar@sics.se>
 
-	* lib/krb5/keytab_memory.c: new file
+	* kdc/hprop.c (realm_buf): move it so it becomes properly
+	conditional on KRB4
 
-	* lib/krb5/keytab_file.c: new file
+	* lib/hdb/mkey.c (hdb_unseal_keys_mkey, hdb_seal_keys_mkey,
+	hdb_unseal_keys, hdb_seal_keys): check that we have the correct
+	master key and that we manage to decrypt the key properly,
+	returning an error code.  fix all callers to check return value.
 
-	* kpasswd/kpasswdd.c: move out password quality functions
+	* tools/krb5-config.in: use @LIB_des_appl@
+	* tools/Makefile.am (krb5-config): add LIB_des_appl
+	* configure.in (LIB_des): set correctly
+	(LIB_des_appl): add for the use by krb5-config.in
 
-1999-09-07  Assar Westerlund  <assar@sics.se>
+	* lib/krb5/store_fd.c (fd_fetch, fd_store): use net_{read,write}
+	to make sure of not dropping data when doing it over a socket.
+	(this might break when used with ordinary files on win32)
 
-	* lib/hdb/Makefile.am (libhdb_la_SOURCES): add keytab.c.  From
- 	Love <lha@e.kth.se>
+	* lib/hdb/hdb_err.et (NO_MKEY): add
 
-	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): check
- 	return value from `krb5_sendto_kdc'
+	* kdc/kerberos5.c (as_rep): be paranoid and check
+	krb5_enctype_to_string for failure, noted by <lha@stacken.kth.se>
 
-1999-09-06  Assar Westerlund  <assar@sics.se>
+	* lib/krb5/krb5_init_context.3, lib/krb5/krb5_context.3,
+	lib/krb5/krb5_auth_context.3: add new man pages, contributed by
+	<lha@stacken.kth.se>
 
-	* lib/krb5/send_to_kdc.c (send_and_recv): rename to recv_loop and
- 	remove the sending of data.  add a parameter `limit'.  let callers
- 	send the date themselves (and preferably with net_write on tcp
- 	sockets)
-	(send_and_recv_tcp): read first the length field and then only that
-	many bytes
+	* use the openssl api for md4/md5/sha and handle openssl/*.h
 
-1999-09-05  Assar Westerlund  <assar@sics.se>
+	* kdc/kaserver.c (do_getticket): check length of ticket.  noted by
+ 	<lha@stacken.kth.se>
 
-	* kdc/connect.c (handle_tcp): try to print warning `TCP data of
- 	strange type' less often
+2001-01-28  Assar Westerlund  <assar@sics.se>
 
-	* lib/krb5/send_to_kdc.c (send_and_recv): handle EINTR properly.
-  	return on EOF.  always free data.  check return value from
- 	realloc.
-	(send_and_recv_tcp, send_and_recv_http): check advertised length
-	against actual length
+	* configure.in: send -R instead of -rpath to libtool to set
+	runtime library paths
 
-1999-09-01  Johan Danielsson  <joda@pdc.kth.se>
+	* lib/krb5/Makefile.am: remove all dependencies on libkrb
 
-	* configure.in: check for sgi capabilities
+2001-01-27  Assar Westerlund  <assar@sics.se>
 
-1999-08-27  Johan Danielsson  <joda@pdc.kth.se>
+	* appl/rcp: add port of bsd rcp changed to use existing rsh,
+	contributed by Richard Nyberg <rnyberg@it.su.se>
 
-	* lib/krb5/get_addrs.c: krb5_get_all_server_addrs shouldn't return
-	extra addresses
+2001-01-27  Johan Danielsson  <joda@pdc.kth.se>
 
-	* kpasswd/kpasswdd.c: use HDB keytabs; change some error messages;
-	add --realm flag
+	* lib/krb5/get_port.c: don't warn if the port name can't be found,
+	nobody cares anyway
 
-	* lib/krb5/address.c (krb5_append_addresses): remove duplicates
+2001-01-26  Johan Danielsson  <joda@pdc.kth.se>
 
-1999-08-26  Johan Danielsson  <joda@pdc.kth.se>
+	* kdc/hprop.c: make it possible to convert a v4 dump file without
+	having any v4 libraries; the kdb backend still require them
 
-	* lib/hdb/keytab.c: HDB keytab backend
+	* kdc/v4_dump.c: include shadow definition of kdb Principal, so we
+	don't have to depend on any v4 libraries
 
-1999-08-25  Johan Danielsson  <joda@pdc.kth.se>
-
-	* lib/krb5/keytab.c
-	(krb5_kt_{start_seq_get,next_entry,end_seq_get}): check for NULL
-	pointer
-
-1999-08-24  Johan Danielsson  <joda@pdc.kth.se>
-
-	* kpasswd/kpasswdd.c: add `--keytab' flag
-
-1999-08-23  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/addr_families.c (IN6_ADDR_V6_TO_V4): use `s6_addr'
- 	instead of the non-standard `s6_addr32'.  From Yoshinobu Inoue
- 	<shin@kame.net> by way of the KAME repository
-
-1999-08-18  Assar Westerlund  <assar@sics.se>
-
-	* configure.in (--enable-new-des3-code): remove check for `struct
- 	addrinfo'
-
-	* lib/krb5/crypto.c (etypes): remove NEW_DES3_CODE, enable
- 	des3-cbc-sha1 and keep old-des3-cbc-sha1 for backwards
- 	compatability
-
-	* lib/krb5/krb5.h (krb5_enctype): des3-cbc-sha1 (with key
- 	derivation) just got assigned etype 16 by <bcn@isi.edu>.  keep the
- 	old etype at 7.
-
-1999-08-16  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/sendauth.c (krb5_sendauth): only look at errno if
- 	krb5_net_read actually returns -1
-
-	* lib/krb5/recvauth.c (krb5_recvauth): only look at errno if
- 	krb5_net_read actually returns -1
-
-	* appl/kf/kf.c (proto): don't trust errno if krb5_net_read hasn't
- 	returned -1
-
-	* appl/test/tcp_server.c (proto): only trust errno if
- 	krb5_net_read actually returns -1
-
-	* appl/kf/kfd.c (proto): be more careful with the return value
- 	from krb5_net_read
-
-1999-08-13  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_addrs.c (get_addrs_int): try the different ways
- 	sequentially instead of just one.  this helps if your heimdal was
- 	built with v6-support but your kernel doesn't have it, for
- 	example.
-
-1999-08-12  Assar Westerlund  <assar@sics.se>
-
-	* kdc/hpropd.c: add inetd flag.  default means try to figure out
- 	if stdin is a socket or not.
-
-	* Makefile.am (ACLOCAL): just use `cf', this variable is only used
- 	when the current directory is $(top_srcdir) anyways and having
- 	$(top_srcdir) there breaks if it's a relative path
-
-1999-08-09  Johan Danielsson  <joda@pdc.kth.se>
-
-	* configure.in: check for setproctitle
-
-1999-08-05  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/principal.c (krb5_sname_to_principal): remember to call
- 	freehostent
-
-	* appl/test/tcp_client.c: call freehostent
-
-	* appl/kf/kf.c (doit): call freehostent
-
-	* appl/kf/kf.c: make v6 friendly and simplify
-
-	* appl/kf/kfd.c: make v6 friendly and simplify
-
-	* appl/test/tcp_server.c: simplify by using krb5_err instead of
- 	errx
-	
-	* appl/test/tcp_client.c: simplify by using krb5_err instead of
- 	errx
-
-	* appl/test/tcp_server.c: make v6 friendly and simplify
-
-	* appl/test/tcp_client.c: make v6 friendly and simplify
-
-1999-08-04  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.1m
-
-1999-08-04  Assar Westerlund  <assar@sics.se>
-
-	* kuser/kinit.c (main): some more KRB4-conditionalizing
-
-	* lib/krb5/get_in_tkt.c: type correctness
-
-	* lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): set forwarded in
- 	flags.  From Miroslav Ruda <ruda@ics.muni.cz>
-
-	* kuser/kinit.c (main): add config file support for forwardable
- 	and krb4 support.  From Miroslav Ruda <ruda@ics.muni.cz>
-
-	* kdc/kerberos5.c (as_rep): add an empty X500-compress string as
- 	transited.
-	(fix_transited_encoding): check length.
-	From Miroslav Ruda <ruda@ics.muni.cz>
-
-	* kdc/hpropd.c (dump_krb4): check the realm so that we don't dump
- 	principals in some other realm. From Miroslav Ruda
- 	<ruda@ics.muni.cz>
-	(main): rename sa_len -> sin_len, sa_lan is a define on some
-	platforms.
-
-	* appl/kf/kfd.c: add regpag support. From Miroslav Ruda
- 	<ruda@ics.muni.cz>
-
-	* appl/kf/kf.c: add `-G' and forwardable option in krb5.conf.
-  	From Miroslav Ruda <ruda@ics.muni.cz>
-
-	* lib/krb5/config_file.c (parse_list): don't run past end of line
-
-	* appl/test/gss_common.h: new prototypes
-
-	* appl/test/gssapi_client.c: use gss_err instead of abort
-
-	* appl/test/gss_common.c (gss_verr, gss_err): add
-
-1999-08-03  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/Makefile.am (n_fold_test_LDADD): need to set this
- 	otherwise it doesn't build with shared libraries
-
-	* kdc/hpropd.c: v6-ify
-
-	* kdc/hprop.c: v6-ify
-
-1999-08-01  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/mk_req.c (krb5_mk_req): use krb5_expand_hostname
-
-1999-07-31  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_host_realm.c (krb5_get_host_realm_int): new
- 	function that takes a FQDN
-
-	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add exapnd_hostname.c
-
-	* lib/krb5/expand_hostname.c: new file
-
-1999-07-28  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.1l
-
-1999-07-28  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/Makefile.am: bump version to 1:2:0
-
-	* lib/krb5/Makefile.am: bump version to 3:1:0
-
-	* configure.in: more inet_pton to roken
-
-	* lib/krb5/principal.c (krb5_sname_to_principal): use
- 	getipnodebyname
-
-1999-07-26  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.1k
-
-1999-07-26  Johan Danielsson  <joda@pdc.kth.se>
-
-	* lib/krb5/Makefile.am: bump version number (changed function
-	signatures)
-
-	* lib/hdb/Makefile.am: bump version number (changes to some
-	function signatures)
-
-1999-07-26  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/Makefile.am: bump version to 3:0:2
-
-	* lib/hdb/Makefile.am: bump version to 2:1:0
-
-	* lib/asn1/Makefile.am: bump version to 1:1:0
-
-1999-07-26  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.1j
-
-1999-07-26  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: rokenize inet_ntop
-
-	* lib/krb5/store_fd.c: lots of changes from size_t to ssize_t
-	
-	* lib/krb5/store_mem.c: lots of changes from size_t to ssize_t
-	
-	* lib/krb5/store_emem.c: lots of changes from size_t to ssize_t
-	
-	* lib/krb5/store.c: lots of changes from size_t to ssize_t
-	(krb5_ret_stringz): check return value from realloc
-
-	* lib/krb5/mk_safe.c: some type correctness
-	
-	* lib/krb5/mk_priv.c: some type correctness
-	
-	* lib/krb5/krb5.h (krb5_storage): change return values of
-	functions from size_t to ssize_t
-	
-1999-07-24  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.1i
-
-	* configure.in (AC_PROG_AWK): disable. mawk seems to mishandle \#
- 	in lib/roken/roken.awk
-
-	* lib/krb5/get_addrs.c (find_all_addresses): try to use SA_LEN to
- 	step over addresses if there's no `sa_lan' field
-
-	* lib/krb5/sock_principal.c (krb5_sock_to_principal): simplify by
- 	using `struct sockaddr_storage'
-
-	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): simplify by using
- 	`struct sockaddr_storage'
-
-	* lib/krb5/changepw.c (krb5_change_password): simplify by using
- 	`struct sockaddr_storage'
-
-	* lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd):
- 	simplify by using `struct sockaddr_storage'
-
-	* kpasswd/kpasswdd.c (*): simplify by using `struct
- 	sockaddr_storage'
-
-	* kdc/connect.c (*): simplify by using `struct sockaddr_storage'
-
-	* configure.in (sa_family_t): just test for existence
-	(sockaddr_storage): also specify include file
-
-	* configure.in (AM_INIT_AUTOMAKE): bump version to 0.1i
-	(sa_family_t): test for
-	(struct	sockaddr_storage): test for
-
-	* kdc/hprop.c (propagate_database): typo, NULL should be
- 	auth_context
-
-	* lib/krb5/get_addrs.c: conditionalize on HAVE_IPV6 instead of
- 	AF_INET6
-
-	* appl/kf/kf.c (main): use warnx
-
-	* appl/kf/kf.c (proto): remove shadowing context
-
-	* lib/krb5/get_addrs.c (find_all_addresses): try to handle the
- 	case of getting back an `sockaddr_in6' address when sizeof(struct
- 	sockaddr_in6) > sizeof(struct sockaddr) and we have no sa_len to
- 	tell us how large the address is.  This obviously doesn't work
- 	with unknown protocol types.
-
-1999-07-24  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.1h
-
-1999-07-23  Assar Westerlund  <assar@sics.se>
-
-	* appl/kf/kfd.c: clean-up and more paranoia
-
-	* etc/services.append: add kf
-
-	* appl/kf/kf.c: rename tk_file to ccache for consistency.  clean-up
-
-1999-07-22  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/n-fold-test.c (main): print the correct data
-
-	* appl/Makefile.am (SUBDIRS): add kf
-
-	* appl/kf: new program.  From Miroslav Ruda <ruda@ics.muni.cz>
-
-	* kdc/hprop.c: declare some variables unconditionally to simplify
- 	things
-
-	* kpasswd/kpasswdd.c: initialize kadm5 connection for every change
- 	(otherwise the modifier in the database doesn't get set)
-
-	* kdc/hpropd.c: clean-up and re-organize
-
-	* kdc/hprop.c: clean-up and re-organize
-
- 	* configure.in (SunOS): define to xy for SunOS x.y
-
-1999-07-19  Assar Westerlund  <assar@sics.se>
-
-	* configure.in (AC_BROKEN): test for copyhostent, freehostent,
- 	getipnodebyaddr, getipnodebyname
-
-1999-07-15  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/check-der.c: more test cases for integers
-
-	* lib/asn1/der_length.c (length_int): handle the case of the
- 	largest negative integer by not calling abs
-
-1999-07-14  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/check-der.c (generic_test): check malloc return value
- 	properly
-
-	* lib/krb5/Makefile.am: add string_to_key_test
-
-	* lib/krb5/prog_setup.c (krb5_program_setup): always initialize
- 	the context
-
-	* lib/krb5/n-fold-test.c (main): return a relevant return value
-
-	* lib/krb5/krbhst.c: do SRV lookups for admin server as well.
-  	some clean-up.
-
-1999-07-12  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: handle not building X programs
-
-1999-07-06  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/addr_families.c (ipv6_parse_addr): remove duplicate
- 	variable
-	(ipv6_sockaddr2port): fix typo
-
-	* etc/services.append: beginning of a file with services
-
-	* lib/krb5/cache.c (krb5_cc_resolve): fall-back to files if
- 	there's no prefix.  also clean-up a little bit.
-
-	* kdc/hprop.c (--kaspecials): new flag for handling special KA
- 	server entries.  From "Brandon S. Allbery KF8NH"
- 	<allbery@kf8nh.apk.net>
-
-1999-07-05  Assar Westerlund  <assar@sics.se>
-
-	* kdc/connect.c (handle_tcp): make sure we have data before
- 	starting to look for HTTP
-
-	* kdc/connect.c (handle_tcp): always do getpeername, we can't
- 	trust recvfrom to return anything sensible
-
-1999-07-04  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_in_tkt.c (add_padat): encrypt pre-auth data with
- 	all enctypes
-
-	* kpasswd/kpasswdd.c (change): fetch the salt-type from the entry
-
-	* admin/srvconvert.c (srvconv): better error messages
-
-1999-07-03  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/principal.c (unparse_name): error check malloc properly
-
-	* lib/krb5/get_in_tkt.c (krb5_init_etype): error check malloc
- 	properly
-
-	* lib/krb5/crypto.c (*): do some malloc return-value checks
- 	properly
-
-	* lib/hdb/hdb.c (hdb_process_master_key): simplify by using
- 	krb5_data_alloc
-
-	* lib/hdb/hdb.c (hdb_process_master_key): check return value from
- 	malloc
-
-	* lib/asn1/gen_decode.c (decode_type): fix generation of decoding
- 	information for TSequenceOf.
-
-	* kdc/kerberos5.c (get_pa_etype_info): check return value from
- 	malloc
-
-1999-07-02  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/der_copy.c (copy_octet_string): don't fail if length ==
- 	0 and malloc returns NULL
-
-1999-06-29  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/addr_families.c (ipv6_parse_addr): implement
-
-1999-06-24  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/rd_cred.c (krb5_rd_cred): compare the sender's address
- 	as an addrport one
-
-	* lib/krb5/krb5.h (KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_IPPORT):
- 	add
-	(krb5_auth_context): add local and remote port
-
-	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): get the
- 	local and remote address and add them to the krb-cred packet
-
-	* lib/krb5/auth_context.c: save the local and remove ports in the
- 	auth_context
-
-	* lib/krb5/address.c (krb5_make_addrport): create an address of
- 	type KRB5_ADDRESS_ADDRPORT from (addr, port)
-
-	* lib/krb5/addr_families.c (krb5_sockaddr2port): new function for
- 	grabbing the port number out of the sockaddr
-
-1999-06-23  Assar Westerlund  <assar@sics.se>
-
-	* admin/srvcreate.c (srvcreate): always take the DES-CBC-MD5 key.
-  	increase possible verbosity.
-
-	* lib/krb5/config_file.c (parse_list): handle blank lines at
- 	another place
-	
-	* kdc/connect.c (add_port_string): don't return a value
-
- 	* lib/kadm5/init_c.c (get_cred_cache): you cannot reuse the cred
- 	cache if the principals are different.  close and NULL the old one
- 	so that we create a new one.
-
-	* configure.in: move around cgywin et al
-	(LIB_kdb): set at the end of krb4-block
-	(krb4): test for krb_enable_debug and krb_disable_debug
-
-1999-06-16  Assar Westerlund  <assar@sics.se>
-
-	* kuser/kdestroy.c (main): try to destroy v4 ticket even if the
- 	destruction of the v5 one fails
-
-	* lib/krb5/crypto.c (DES3_postproc): new version that does the
- 	right thing
-	(*): don't put and recover length in 3DES encoding
-	other small fixes
-
-1999-06-15  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_default_principal.c: rewrite to use
- 	get_default_username
-
-	* lib/krb5/Makefile.am: add n-fold-test
-
-	* kdc/connect.c: add fallbacks for all lookups by service name
-	(handle_tcp): break-up and clean-up
-
-1999-06-09  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/addr_families.c (ipv6_uninteresting): don't consider
- 	the loopback address as uninteresting
-
-	* lib/krb5/get_addrs.c: new magic flag to get loopback address if
- 	there are no other addresses.
-	(krb5_get_all_client_addrs): use that flag
-
-1999-06-04  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/crypto.c (HMAC_SHA1_DES3_checksum): don't include the
- 	length
-	(checksum_sha1, checksum_hmac_sha1_des3): blocksize should be 64
-	(encrypt_internal_derived): don't include the length and don't
-	decrease by the checksum size twice
-	(_get_derived_key): the constant should be 5 bytes
-
-1999-06-02  Johan Danielsson  <joda@pdc.kth.se>
-
-	* configure.in: use KRB_CHECK_X
-	
-	* configure.in: check for netinet/ip.h
-	
-1999-05-31  Assar Westerlund  <assar@sics.se>
-
-	* kpasswd/kpasswdd.c (setup_passwd_quality_check): conditionalize
- 	on RTLD_NOW
-
-1999-05-23  Assar Westerlund  <assar@sics.se>
-
-	* appl/test/uu_server.c: removed unused stuff
-
-	* appl/test/uu_client.c: removed unused stuff
-
-1999-05-21  Assar Westerlund  <assar@sics.se>
-
-	* kuser/kgetcred.c (main): correct error message
-
-	* lib/krb5/crypto.c (verify_checksum): call (*ct->checksum)
- 	directly, avoiding redundant lookups and memory leaks
-
-	* lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): free
- 	local and remote addresses
-
-	* lib/krb5/get_default_principal.c (get_logname): also try
- 	$USERNAME
-	
-	* lib/asn1/Makefile.am (asn1_files): add $(EXEEXT)
-
-	* lib/krb5/principal.c (USE_RESOLVER): try to define only if we
-	have a libresolv (currently by checking for res_search)
-
-1999-05-18  Johan Danielsson  <joda@pdc.kth.se>
-
-	* kdc/connect.c (handle_tcp): remove %-escapes in request
-
-1999-05-14  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.1g
-
-	* admin/ktutil.c (kt_remove): -t should be -e
-
-	* configure.in (CHECK_NETINET_IP_AND_TCP): use
-
-	* kdc/hpropd.c: support for dumping to krb4.  From Miroslav Ruda
- 	<ruda@ics.muni.cz>
-
-	* admin/ktutil.c (kt_add): new option `--no-salt'.  From Miroslav
- 	Ruda <ruda@ics.muni.cz>
-
-	* configure.in: add cygwin and DOS tests replace sendmsg, recvmsg,
- 	and innetgr with roken versions
-
-	* kuser/kgetcred.c: new program
-
-Tue May 11 14:09:33 1999  Johan Danielsson  <joda@pdc.kth.se>
-
-	* lib/krb5/mcache.c: fix paste-o
-	
-1999-05-10  Johan Danielsson  <joda@pdc.kth.se>
-
-	* configure.in: don't use uname
-
-1999-05-10  Assar Westerlund  <assar@sics.se>
-
-	* acconfig.h (KRB_PUT_INT): if we don't have KRB4 use four
-	arguments :-)
-
-	* appl/test/uu_server.c (setsockopt): cast to get rid of a warning
-	
-	* appl/test/tcp_server.c (setsockopt): cast to get rid of a
-	warning
-
-	* appl/test/tcp_client.c (proto): call krb5_sendauth with ccache
-	== NULL
-
-	* appl/test/gssapi_server.c (setsockopt): cast to get rid of a
-	warning
-
-	* lib/krb5/sendauth.c (krb5_sendauth): handle ccache == NULL by
-	setting the default ccache.
-
-	* configure.in (getsockopt, setsockopt): test for
-	(AM_INIT_AUTOMAKE): bump version to 0.1g
-
-	* appl/Makefile.am (SUBDIRS): add kx
-	
-	* lib/hdb/convert_db.c (main): handle the case of no master key
-	
-1999-05-09  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.1f
-
-	* kuser/kinit.c: add --noaddresses
-	
-	* lib/krb5/get_in_tkt.c (init_as_req): interpret `addrs' being an
-	empty sit of list as to not ask for any addresses.
-	
-1999-05-08  Assar Westerlund  <assar@sics.se>
-
-	* acconfig.h (_GNU_SOURCE): define this to enable (used)
- 	extensions on glibc-based systems such as linux
-
-1999-05-03  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_cred.c (get_cred_from_kdc_flags): allocate and free
-	`*out_creds' properly
-
-	* lib/krb5/creds.c (krb5_compare_creds): just verify that the
-	keytypes/enctypes are compatible, not that they are the same
-
-	* kuser/kdestroy.c (cache): const-correctness
-
-1999-05-03  Johan Danielsson  <joda@pdc.kth.se>
-
-	* lib/hdb/hdb.c (hdb_set_master_key): initialise master key
-	version
-
-	* lib/hdb/convert_db.c: add support for upgrading database
-	versions
-
-	* kdc/misc.c: add flags to fetch
-
-	* kdc/kstash.c: unlink keyfile on failure, chmod to 400
-
-	* kdc/hpropd.c: add --print option
-
-	* kdc/hprop.c: pass flags to hdb_foreach
-
-	* lib/hdb/convert_db.c: add some flags
-
-	* lib/hdb/Makefile.am: remove extra LDFLAGS, update version to 2;
-	build prototype headers
-	
-	* lib/hdb/hdb_locl.h: update prototypes
-
-	* lib/hdb/print.c: move printable version of entry from kadmin
-
-	* lib/hdb/hdb.c: change hdb_{seal,unseal}_* to check if the key is
-	sealed or not; add flags to hdb_foreach
-
-	* lib/hdb/ndbm.c: add flags to NDBM_seq, NDBM_firstkey, and
-	NDBM_nextkey
-
-	* lib/hdb/db.c: add flags to DB_seq, DB_firstkey, and DB_nextkey
-
-	* lib/hdb/common.c: add flags to _hdb_{fetch,store}
-
-	* lib/hdb/hdb.h: add master_key_version to struct hdb, update
-	prototypes
-
-	* lib/hdb/hdb.asn1: make mkvno optional, update version to 2
-
-	* configure.in: --enable-netinfo
-
-	* lib/krb5/config_file.c: HAVE_NETINFO_NI_H -> HAVE_NETINFO
-
-	* config.sub: fix for crays
-
-	* config.guess: new version from automake 1.4
-	
-	* config.sub: new version from automake 1.4
-
-Wed Apr 28 00:21:17 1999  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.1e
-
-	* lib/krb5/mcache.c (mcc_get_next): get the current cursor
- 	correctly
-
-	* acconfig.h: correct definition of KRB_PUT_INT for old krb4 code.
-  	From Ake Sandgren <ake@cs.umu.se>
-
-1999-04-27  Johan Danielsson  <joda@pdc.kth.se>
-
-	* kdc/kerberos5.c: fix arguments to decrypt_ticket
-	
-1999-04-25  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): try to handle old
-	DCE secd's that are not able to handle MD5 checksums by defaulting
-	to MD4 if the keytype was DES-CBC-CRC
-	
-	* lib/krb5/mk_req.c (krb5_mk_req): use auth_context->keytype
-	
-	* lib/krb5/krb5.h (krb5_auth_context_data): add `keytype' and
-	`cksumtype'
-
-	* lib/krb5/get_cred.c (make_pa_tgs_req): remove old kludge for
-	secd
-	(init_tgs_req): add all supported enctypes for the keytype in
-	`in_creds->session.keytype' if it's set
-
-	* lib/krb5/crypto.c (F_PSEUDO): new flag for non-protocol
-	encryption types
-	(do_checksum): new function
-	(verify_checksum): take the checksum to use from the checksum message
-	and not from the crypto struct
-	(etypes): add F_PSEUDO flags
-	(krb5_keytype_to_enctypes): new function
-
-	* lib/krb5/auth_context.c (krb5_auth_con_init): initalize keytype
-	and cksumtype
-	(krb5_auth_setcksumtype, krb5_auth_getcksumtype): implement
-	(krb5_auth_setkeytype, krb5_auth_getkeytype): implement
-	(krb5_auth_setenctype): comment out, it's rather bogus anyway
-
-Sun Apr 25 16:55:50 1999  Johan Danielsson  <joda@pdc.kth.se>
-
-	* lib/krb5/krb5_locl.h: fix for stupid aix warnings
-
-	* lib/krb5/fcache.c (erase_file): don't malloc
-	
-Sat Apr 24 18:35:21 1999  Johan Danielsson  <joda@pdc.kth.se>
-
-	* kdc/config.c: pass context to krb5_config_file_free
-
-	* kuser/kinit.c: add `--fcache-version' to set cache version to
-	create
-
-	* kuser/klist.c: print cache version if verbose
-
-	* lib/krb5/transited.c (krb5_domain_x500_decode): don't abort
-
-	* lib/krb5/principal.c: abort -> krb5_abortx
-
-	* lib/krb5/mk_rep.c: abort -> krb5_abortx
-
-	* lib/krb5/config_file.c: abort -> krb5_abortx
-
-	* lib/krb5/context.c (init_context_from_config_file): init
-	fcache_version; add krb5_{get,set}_fcache_version
-
-	* lib/krb5/keytab.c: add support for reading (and writing?) old
-	version keytabs
-
-	* lib/krb5/cache.c: add krb5_cc_get_version
-
-	* lib/krb5/fcache.c: add support for reading and writing old
-	version cache files
-
-	* lib/krb5/store_mem.c (krb5_storage_from_mem): zero flags
-
-	* lib/krb5/store_emem.c (krb5_storage_emem): zero flags
-
-	* lib/krb5/store_fd.c (krb5_storage_from_fd): zero flags
-
-	* lib/krb5/store.c: add flags to change how various fields are
-	stored, used for old cache version support
-	
-	* lib/krb5/krb5.h: add support for reading and writing old version
-	cache files, and keytabs
-	
-Wed Apr 21 00:09:26 1999  Assar Westerlund  <assar@sics.se>
+	* kdc/hprop.h: include shadow definition of kdb Principal, so we
+	don't have to depend on any v4 libraries
 
-	* configure.in: fix test for readline.h remember to link with
- 	$LIB_tgetent when trying linking with readline
+	* lib/hdb/print.c: reduce number of memory allocations
 
-	* lib/krb5/init_creds_pw.c (get_init_creds_common): if start_time
- 	is given, request a postdated ticket.
+	* lib/hdb/mkey.c: add support for reading krb4 /.k files
 
-	* lib/krb5/data.c (krb5_data_free): free data as long as it's not
- 	NULL
+2001-01-19  Assar Westerlund  <assar@sics.se>
 
-Tue Apr 20 20:18:14 1999  Assar Westerlund  <assar@sics.se>
+	* lib/krb5/krb5.conf.5: document admin_server and kpasswd_server
+	for realms document capath better
 
-	* kpasswd/Makefile.am (kpasswdd_LDADD): add LIB_dlopen
+	* lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): preferably look
+	at kpasswd_server before admin_server
 
-	* lib/krb5/krb5.h (KRB5_VERIFY_AP_REQ_IGNORE_INVALID): add
+	* lib/krb5/get_cred.c (get_cred_from_kdc_flags): look in
+	[libdefaults]capath for better hint of realm to send request to.
+	this allows the client to specify `realm routing information' in
+	case it cannot be done at the server (which is preferred)
 
-	* lib/krb5/rd_req.c (krb5_decrypt_ticket): add `flags` and
- 	KRB5_VERIFY_AP_REQ_IGNORE_INVALID for ignoring that the ticket is
- 	invalid
+	* lib/krb5/rd_priv.c (krb5_rd_priv): handle no sequence number as
+	zero when we were expecting a sequence number.  MIT krb5 cannot
+	generate a sequence number of zero, instead generating no sequence
+	number
+	* lib/krb5/rd_safe.c (krb5_rd_safe): dito
 
-Tue Apr 20 12:42:08 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+2001-01-11  Assar Westerlund  <assar@sics.se>
 
-	* kpasswd/kpasswdd.c: don't try to load library by default; get
- 	library and function name from krb5.conf
+	* kpasswd/kpasswdd.c: add --port option
 
-	* kpasswd/sample_passwd_check.c: sample password checking
- 	functions
+2001-01-10  Assar Westerlund  <assar@sics.se>
 
-Mon Apr 19 22:22:19 1999  Assar Westerlund  <assar@sics.se>
+	* lib/krb5/appdefault.c (krb5_appdefault_string): fix condition
+	just before returning
 
-	* lib/krb5/store.c (krb5_storage_to_data, krb5_ret_data): use
- 	krb5_data_alloc and be careful with checking allocation and sizes.
+2001-01-09  Assar Westerlund  <assar@sics.se>
 
-	* kuser/klist.c (--tokens): conditionalize on KRB4
+	* appl/kf/kfd.c (proto): use krb5_rd_cred2 instead of krb5_rd_cred
 
-	* kuser/kinit.c (renew_validate): set all flags
-	(main): fix cut-n-paste error when setting start-time
+2001-01-05  Johan Danielsson  <joda@pdc.kth.se>
 
-	* kdc/kerberos5.c (check_tgs_flags): starttime of a validate
- 	ticket should be > than current time
-	(*): send flags to krb5_verify_ap_req and krb5_decrypt_ticket
+	* kuser/kinit.c: call a time `time', and not `seconds'
 
-	* kuser/kinit.c (renew_validate): use the client realm instead of
- 	the local realm when renewing tickets.
+	* lib/krb5/init_creds.c: not much point in setting the anonymous
+	flag here
 
-	* lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): compat function
-	(krb5_get_forwarded_creds): correct freeing of out_creds
+	* lib/krb5/krb5_appdefault.3: document appdefault_time
 
-	* kuser/kinit.c (renew_validate): hopefully fix up freeing of
- 	memory
+2001-01-04  Johan Danielsson  <joda@pdc.kth.se>
 
-	* configure.in: do all the krb4 tests with "$krb4" != "no"
+	* lib/krb5/verify_user.c: use
+	krb5_get_init_creds_opt_set_default_flags
 
-	* lib/krb5/keyblock.c (krb5_free_keyblock_contents): don't zero
- 	keyvalue if it's NULL.  noticed by Ake Sandgren <ake@cs.umu.se>
+	* kuser/kinit.c: use krb5_get_init_creds_opt_set_default_flags
 
-	* lib/krb5/get_in_tkt.c (add_padata): loop over all enctypes
- 	instead of just taking the first one.  fix all callers.  From
- 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
+	* lib/krb5/init_creds.c: new function
+	krb5_get_init_creds_opt_set_default_flags to set options from
+	krb5.conf
 
-	* kdc/kdc_locl.h (enable_kaserver): declaration
+	* lib/krb5/rd_cred.c: make this match the MIT function
 	
-	* kdc/hprop.c (ka_convert): print the failing principal.  AFS 3.4a
- 	creates krbtgt.REALMOFCELL as NOTGS+NOSEAL, work around.  From
- 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
-
-	* kdc/hpropd.c (open_socket): stupid cast to get rid of a warning
-
-	* kdc/connect.c (add_standard_ports, process_request): look at
- 	enable_kaserver.  From "Brandon S. Allbery KF8NH"
- 	<allbery@kf8nh.apk.net>
-
-	* kdc/config.c: new flag --kaserver and config file option
- 	enable-kaserver.  From "Brandon S. Allbery KF8NH"
- 	<allbery@kf8nh.apk.net>
-
-Mon Apr 19 12:32:04 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* configure.in: check for dlopen, and dlfcn.h
-
-	* kpasswd/kpasswdd.c: add support for dlopen:ing password quality
- 	check library
-
-	* configure.in: add appl/su
-
-Sun Apr 18 15:46:53 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/cache.c: add krb5_cc_get_type that returns type of a
- 	cache
-
-Fri Apr 16 17:58:51 1999  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: LIB_kdb: -L should be before -lkdb
-	test for prototype of strsep
-	
-Thu Apr 15 11:34:38 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/krb5/Makefile.am: update version
-
-	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use
- 	ALLOC_SEQ
-
-	* lib/krb5/fcache.c: add some support for reading and writing old
- 	cache formats;
-	(fcc_store_cred): use krb5_store_creds; (fcc_read_cred): use
-	krb5_ret_creds
-
-	* lib/krb5/store_mem.c (krb5_storage_from_mem): check malloc,
- 	initialize host_byteorder
-
-	* lib/krb5/store_fd.c (krb5_storage_from_fd): initialize
- 	host_byteorder
-
-	* lib/krb5/store_emem.c (krb5_storage_emem): initialize
- 	host_byteorder
-
-	* lib/krb5/store.c (krb5_storage_set_host_byteorder): add;
-	(krb5_store_int32,krb5_ret_int32,krb5_store_int16,krb5_ret_int16):
- 	check host_byteorder flag; (krb5_store_creds): add;
- 	(krb5_ret_creds): add
-
-	* lib/krb5/krb5.h (krb5_storage): add `host_byteorder' flag for
- 	storage of numbers
-
-	* lib/krb5/heim_err.et: add `host not found' error
-
-	* kdc/connect.c: don't use data after clearing decriptor
-
-	* lib/krb5/auth_context.c: abort -> krb5_abortx
-
-	* lib/krb5/warn.c: add __attribute__; add *abort functions
-
-	* configure.in: check for __attribute__
-
-	* kdc/connect.c: log bogus requests
-
-Tue Apr 13 18:38:05 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/kadm5/create_s.c (kadm5_s_create_principal): create v4 salts
- 	for all DES keys
-
-1999-04-12  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_cred.c (init_tgs_req): re-structure a little bit
-
-	* lib/krb5/get_cred.c (init_tgs_req): some more error checking
-
-	* lib/krb5/generate_subkey.c (krb5_generate_subkey): check return
-	value from malloc
-
-Sun Apr 11 03:47:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/krb5/krb5.conf.5: update to reality
-
-	* lib/krb5/krb5_425_conv_principal.3: update to reality
-
-1999-04-11  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_host_realm.c: handle more than one realm for a host
-
-	* kpasswd/kpasswd.c (main): use krb5_program_setup and
-	print_version
-
-	* kdc/string2key.c (main): use krb5_program_setup and
-	print_version
-
-Sun Apr 11 02:35:58 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/krb5/principal.c (krb5_524_conv_principal): make it actually
- 	work, and check built-in list of host-type first-components
-
-	* lib/krb5/krbhst.c: lookup SRV-records to find a kdc for a realm
-
-	* lib/krb5/context.c: add srv_* flags to context
-
-	* lib/krb5/principal.c: add default v4_name_convert entries
-
-	* lib/krb5/krb5.h: add srv_* flags to context
-
-Sat Apr 10 22:52:28 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* kadmin/kadmin.c: complain about un-recognised commands
-
-	* admin/ktutil.c: complain about un-recognised commands
-
-Sat Apr 10 15:41:49 1999  Assar Westerlund  <assar@sics.se>
-
-	* kadmin/load.c (doit): fix error message
-
-	* lib/krb5/crypto.c (encrypt_internal): free checksum if lengths
- 	fail to match.
-	(krb5_get_wrapped_length): new function
-
-	* configure.in: security/pam_modules.h: check for
-
-	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): kludge
- 	around `ret_as_reply' semantics by only freeing it when ret == 0
-
-Fri Apr  9 20:24:04 1999  Assar Westerlund  <assar@sics.se>
-
-	* kuser/klist.c (print_cred_verbose): handle the case of a bad
- 	enctype
-
-	* configure.in: test for more header files
-	(LIB_roken): set
-
-Thu Apr  8 15:01:59 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* configure.in: fixes for building w/o krb4
-
-	* ltmain.sh: update to libtool 1.2d
-
-	* ltconfig: update to libtool 1.2d
-
-Wed Apr  7 23:37:26 1999  Assar Westerlund  <assar@sics.se>
-
-	* kdc/hpropd.c: fix some error messages to be more understandable.
-
-	* kdc/hprop.c (ka_dump): remove unused variables
-
-	* appl/test/tcp_server.c: remove unused variables
-
-	* appl/test/gssapi_server.c: remove unused variables
-
-	* appl/test/gssapi_client.c: remove unused variables
-
-Wed Apr  7 14:05:15 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/krb5/context.c (krb5_get_err_text): long -> krb5_error_code
-
-	* kuser/klist.c: make it compile w/o krb4
-
-	* kuser/kdestroy.c: make it compile w/o krb4
-
-	* admin/ktutil.c: fix {srv,key}2{srv,key}tab confusion; add help
- 	strings
-
-Mon Apr  5 16:13:46 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* configure.in: test for MIPS ABI; new test_package
-
-Thu Apr  1 11:00:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* include/Makefile.am: clean krb5-private.h
-
-	* Release 0.1d
-
-	* kpasswd/kpasswdd.c (doit): pass context to
- 	krb5_get_all_client_addrs
-
-	* kdc/connect.c (init_sockets): pass context to
- 	krb5_get_all_server_addrs
-
-	* lib/krb5/get_in_tkt.c (init_as_req): pass context to
- 	krb5_get_all_client_addrs
-
-	* lib/krb5/get_cred.c (get_cred_kdc_la): pass context to
- 	krb5_get_all_client_addrs
-
-	* lib/krb5/get_addrs.c (get_addrs_int): add extra host addresses
-
-	* lib/krb5/krb5.h: add support for adding an extra set of
- 	addresses
-
-	* lib/krb5/context.c: add support for adding an extra set of
- 	addresses
-
-	* lib/krb5/addr_families.c: add krb5_parse_address
-
-	* lib/krb5/address.c: krb5_append_addresses
-
-	* lib/krb5/config_file.c (parse_binding): don't zap everything
- 	after first whitespace
-
-	* kuser/kinit.c (renew_validate): don't allocate out
-
-	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't
- 	allocate out_creds
-
-	* lib/krb5/get_cred.c (get_cred_kdc, get_cred_kdc_la): make
- 	out_creds pointer;
-	(krb5_get_kdc_cred): allocate out_creds; (get_cred_from_kdc_flags):
-	free more memory
-
-	* lib/krb5/crypto.c (encrypt_internal): free checksum
-
-	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): free reply,
- 	and ticket
-
-	* kuser/Makefile.am: remove kfoo
-
-	* lib/Makefile.am: add auth
-
-	* lib/kadm5/iprop.h: getarg.h
-
-	* lib/kadm5/replay_log.c: use getarg
-
-	* lib/kadm5/ipropd_slave.c: use getarg
-
-	* lib/kadm5/ipropd_master.c: use getarg
-
-	* lib/kadm5/dump_log.c: use getarg
-
-	* kpasswd/kpasswdd.c: use getarg
-
-	* Makefile.am.common: make a more working check-local target
-
-	* lib/asn1/main.c: use getargs
-
-Mon Mar 29 20:19:57 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* kuser/klist.c (print_cred_verbose): use krb5_print_address
-
-	* lib/kadm5/server.c: k_{put,get}_int -> _krb5_{put,get}_int
-
-	* lib/krb5/addr_families.c (krb5_print_address): handle unknown
- 	address types; (ipv6_print_addr): print in 16-bit groups (as it
- 	should)
-
-	* lib/krb5/crc.c: crc_{init_table,update} ->
- 	_krb5_crc_{init_table,update}
-
-	* lib/krb5/crypto.c: k_{put,get}_int -> _krb5_{put,get}_int
- 	crc_{init_table,update} -> _krb5_crc_{init_table,update}
-
-	* lib/krb5/send_to_kdc.c: k_{put,get}_int -> _krb5_{put,get}_int
-
-	* lib/krb5/store.c: k_{put,get}_int -> _krb5_{put,get}_int
-
-	* lib/krb5/krb5_locl.h: include krb5-private.h
-
-	* kdc/connect.c (addr_to_string): use krb5_print_address
-
-	* lib/krb5/addr_families.c (krb5_print_address): int -> size_t
-
-	* lib/krb5/addr_families.c: add support for printing ipv6
- 	addresses, either with inet_ntop, or ugly for-loop
-
-	* kdc/524.c: check that the ticket came from a valid address; use
- 	the address of the connection as the address to put in the v4
- 	ticket (if this address is AF_INET)
-
-	* kdc/connect.c: pass addr to do_524
-
-	* kdc/kdc_locl.h: prototype for do_524
-
-Sat Mar 27 17:48:31 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* configure.in: check for OSF C2; bind/bitypes.h, getudbnam,
- 	setlim; check for auth modules; siad.h, getpwnam_r;
- 	lib/auth/Makefile, lib/auth/sia/Makefile
-
-	* lib/krb5/crypto.c: n_fold -> _krb5_n_fold
-
-	* lib/krb5/n-fold.c: n_fold -> _krb5_n_fold
-
-Thu Mar 25 04:35:21 1999  Assar Westerlund  <assar@sics.se>
-
-	* lib/kadm5/set_keys.c (_kadm5_set_keys): free salt when zapping
- 	it
-
-	* lib/kadm5/free.c (kadm5_free_principal_ent): free `key_data'
-
-	* lib/hdb/ndbm.c (NDBM_destroy): clear master key
-
-	* lib/hdb/db.c (DB_destroy): clear master key
-	(DB_open): check malloc
-
-	* kdc/connect.c (init_sockets): free addresses
-
-	* kadmin/kadmin.c (main): make code more consistent.  always free
- 	configuration information.
-
-	* kadmin/init.c (create_random_entry): free the entry
-
-Wed Mar 24 04:02:03 1999  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password):
- 	re-organize the code to always free `kdc_reply'
-
-	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful about
- 	freeing memory
-
-	* lib/krb5/fcache.c (fcc_destroy): don't call fcc_close
-
-	* lib/krb5/crypto.c (krb5_crypto_destroy): free `crypto'
-
-	* lib/hdb/hdb_locl.h: try db_185.h first in case db.h is a DB 2.0
- 	header
-
-	* configure.in (db_185.h): check for
-
-	* admin/srvcreate.c: new file. contributed by Daniel Kouril
- 	<kouril@informatics.muni.cz>
-
-	* admin/ktutil.c: srvcreate: new command
-
-	* kuser/klist.c: add support for printing AFS tokens
-
-	* kuser/kdestroy.c: add support for destroying v4 tickets and AFS
- 	tokens.  based on code by Love <lha@stacken.kth.se>
-
-	* kuser/Makefile.am (kdestroy_LDADD, klist_LDADD): more libraries
-
-	* configure.in: sys/ioccom.h: test for
-
-	* kuser/klist.c (main): don't print `no ticket file' with --test.
-  	From: Love <lha@e.kth.se>
-
-	* kpasswd/kpasswdd.c (doit): more braces to make gcc happy
-
-	* kdc/connect.c (init_socket): get rid of a stupid warning
-
-	* include/bits.c (my_strupr): cast away some stupid warnings
-
-Tue Mar 23 14:34:44 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/krb5/get_host_realm.c (krb5_get_host_realm): no infinite
- 	loops, please
-
-Tue Mar 23 00:00:45 1999  Assar Westerlund  <assar@sics.se>
-
-	* lib/kadm5/Makefile.am (install_build_headers): recover from make
- 	rewriting the names of the headers kludge to help solaris make
-
-	* lib/krb5/Makefile.am: kludge to help solaris make
-
-	* lib/hdb/Makefile.am: kludge to help solaris make
-
-	* configure.in (LIB_kdb): make sure there's a -L option in here by
- 	adding $(LIB_krb4)
-
-	* lib/asn1/gen_glue.c (generate_2int, generate_int2): int ->
- 	unsigned
-
-	* configure.in (SunOS): set to a number KRB4, KRB5 conditionals:
- 	remove the `dnl' to work around an automake flaw
-
-Sun Mar 21 15:08:49 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/get_default_realm.c: char* -> krb5_realm
-
-Sun Mar 21 14:08:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* include/bits.c: <bind/bitypes.h>
-
-	* lib/krb5/Makefile.am: create krb5-private.h
-
-Sat Mar 20 00:08:59 1999  Assar Westerlund  <assar@sics.se>
-
-	* configure.in (gethostname): remove duplicate
-
-Fri Mar 19 14:48:03 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/hdb/Makefile.am: add version-info
-
-	* lib/gssapi/Makefile.am: add version-info
-
-	* lib/asn1/Makefile.am: use $(x:y=z) make syntax; move check-der
- 	to check_PROGRAMS
-
-	* lib/Makefile.am: add 45
-
-	* lib/kadm5/Makefile.am: split in client and server libraries
- 	(breaks shared libraries otherwise)
-
-Thu Mar 18 11:33:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* include/kadm5/Makefile.am: clean a lot of header files (since
- 	automake lacks a clean-hook)
-
-	* include/Makefile.am: clean a lot of header files (since automake
- 	lacks a clean-hook)
-
-	* lib/kadm5/Makefile.am: fix build-installation of headers
-
-	* lib/krb5/Makefile.am: remove include_dir hack
-
-	* lib/hdb/Makefile.am: remove include_dir hack
-
-	* lib/asn1/Makefile.am: remove include_dir hack
-
-	* include/Makefile.am: remove include_dir hack
-
-	* doc/whatis.texi: define sub for html
-
-	* configure.in: LIB_kdb, have_err_h, have_fnmatch_h, have_glob_h
-
-	* lib/asn1/Makefile.am: der.h
-
-	* kpasswd/kpasswdd.c: admin.h -> kadm5/admin.h
-
-	* kdc/Makefile.am: remove junk
-
-	* kadmin/Makefile.am: sl.a -> sl.la
-
-	* appl/afsutil/Makefile.am: remove EXTRA_bin_PROGRAMS
-
-	* admin/Makefile.am: sl.a -> sl.la
-
-	* configure.in: condition KRB5; AC_CHECK_XAU
-
-	* Makefile.am: include Makefile.am.common
-
-	* include/kadm5/Makefile.am: include Makefile.am.common; don't
- 	install headers from here
-
-	* include/Makefile.am: include Makefile.am.common; don't install
- 	headers from here
-
-	* doc/Makefile.am: include Makefile.am.common
-
-	* lib/krb5/Makefile.am: include Makefile.am.common
-
-	* lib/kadm5/Makefile.am: include Makefile.am.common
-
-	* lib/hdb/Makefile.am: include Makefile.am.common
-
-	* lib/gssapi/Makefile.am: include Makefile.am.common
-
-	* lib/asn1/Makefile.am: include Makefile.am.common
-
-	* lib/Makefile.am: include Makefile.am.common
-
-	* lib/45/Makefile.am: include Makefile.am.common
-
-	* kuser/Makefile.am: include Makefile.am.common
-
-	* kpasswd/Makefile.am: include Makefile.am.common
-
-	* kdc/Makefile.am: include Makefile.am.common
-
-	* kadmin/Makefile.am: include Makefile.am.common
-
-	* appl/test/Makefile.am: include Makefile.am.common
-
-	* appl/afsutil/Makefile.am: include Makefile.am.common
-
-	* appl/Makefile.am: include Makefile.am.common
-
-	* admin/Makefile.am: include Makefile.am.common
-
-Wed Mar 17 03:04:38 1999  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/store.c (krb5_store_stringz): braces fix
-
-	* lib/kadm5/get_s.c (kadm5_s_get_principal): braces fix
-
-	* lib/kadm5/ent_setup.c (_kadm5_setup_entry): braces fix
-
-	* kdc/connect.c (loop): braces fix
-
-	* lib/krb5/config_file.c: cast to unsigned char to make is* happy
-
-	* lib/krb5/log.c (krb5_addlog_dest): more braces to make gcc happy
-
-	* lib/krb5/crypto.c (krb5_verify_checksum): rename C -> cksum to
- 	be consistent
-
-	* kadmin/util.c (timeval2str): more braces to make gcc happy
-
-	* kadmin/load.c: cast in is* to get rid of stupid warning
-
-	* kadmin/dump.c (append_hex): cast in isalnum to get rid of stupid
- 	warning
-
-	* kdc/kaserver.c: malloc checks and fixes
-
-	* lib/krb5/get_host_realm.c (krb5_get_host_realm): include leading
- 	dot (if any) when looking up realms.
-
-Fri Mar 12 13:57:56 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/get_host_realm.c: add dns support
-
-	* lib/krb5/set_default_realm.c: use krb5_free_host_realm
-
-	* lib/krb5/free_host_realm.c: check for NULL realmlist
-
-	* lib/krb5/context.c: don't print warning if there is no krb5.conf
-
-Wed Mar 10 19:29:46 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* configure.in: use AC_WFLAGS
-
-Mon Mar  8 11:49:43 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* Release 0.1c
-
-	* kuser/klist.c: use print_version
-
-	* kuser/kdestroy.c: use print_version
-
-	* kdc/hpropd.c: use print_version
-
-	* kdc/hprop.c: use print_version
-
-	* kdc/config.c: use print_version
-
-	* kadmin/kadmind.c: use print_version
-
-	* kadmin/kadmin.c: use print_version
-
-	* appl/test/common.c: use print_version
-
-	* appl/afsutil/afslog.c: use print_version
-
-Mon Mar  1 10:49:14 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/krb5/get_addrs.c: SOCKADDR_HAS_SA_LEN ->
- 	HAVE_STRUCT_SOCKADDR_SA_LEN
-
-	* configure.in, acconfig.h, cf/*: update to automake 1.4/autoconf 2.13
-
-Sun Feb 28 18:19:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/asn1/gen.c: make `BIT STRING's unsigned
-
-	* lib/asn1/{symbol.h,gen.c}: add TUInteger type
-
-	* lib/krb5/verify_user.c (krb5_verify_user): pass prompter to
- 	krb5_get_init_creds_password
-
-	* lib/krb5/fcache.c (fcc_gen_new): implement
-
-Sat Feb 27 22:41:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* doc/install.texi: krb4 is now automatically detected
-
-	* doc/misc.texi: update procedure to set supported encryption
- 	types
-
-	* doc/setup.texi: change some silly wordings
-
-Sat Feb 27 22:17:30 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/keytab.c (fkt_remove_entry): make this work
-
-	* admin/ktutil.c: add minimally working `get' command
-
-Sat Feb 27 19:44:49 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/hdb/convert_db.c: more typos
-
-	* include/Makefile.am: remove EXTRA_DATA (as of autoconf
- 	2.13/automake 1.4)
-
-	* appl/Makefile.am: OTP_dir
-
-Fri Feb 26 17:37:00 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* doc/setup.texi: add kadmin section
-
-	* lib/asn1/check-der.c: fix printf warnings
-
-Thu Feb 25 11:16:49 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* configure.in: -O does not belong in WFLAGS
-
-Thu Feb 25 11:05:57 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/asn1/der_put.c: fix der_put_int
-
-Tue Feb 23 20:35:12 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* configure.in: use AC_BROKEN_GLOB
-
-Mon Feb 22 15:12:44 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* configure.in: check for glob
-
-Mon Feb 22 11:32:42 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* Release 0.1b
-
-Sat Feb 20 15:48:06 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/hdb/convert_db.c: convert DES3 keys to des3-cbc-sha1, and
- 	des3-cbc-md5
-
-	* lib/krb5/crypto.c (DES3_string_to_key): make this actually do
- 	what the draft said it should
-
-	* lib/hdb/convert_db.c: little program for database conversion
-
-	* lib/hdb/db.c (DB_open): try to open database w/o .db extension
-
-	* lib/hdb/ndbm.c (NDBM_open): add test for database format
-
-	* lib/hdb/db.c (DB_open): add test for database format
-
-	* lib/asn1/gen_glue.c (generate_2int): don't depend on flags being
- 	unsigned
-
-	* lib/hdb/hdb.c: change `hdb_set_master_key' to take an
- 	EncryptionKey, and add a new function `hdb_set_master_keyfile' to
- 	do what `hdb_set_master_key' used to do
-
-	* kdc/kstash.c: add `--convert-file' option to change keytype of
- 	existing master key file
-
-Fri Feb 19 07:04:14 1999  Assar Westerlund  <assar@squid.pdc.kth.se>
-
-	* Release 0.1a
-
-Sat Feb 13 17:12:53 1999  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/mk_safe.c (krb5_mk_safe): sizeof(buf) -> buf_size, buf
- 	is now a `u_char *'
-
-	* lib/krb5/get_in_tkt.c (krb5_init_etype): etypes are now `int'
-
-	* lib/krb5/get_host_realm.c (krb5_get_host_realm): constize
- 	orig_host
-
- 	(krb5_salttype_to_string): new function (RSA_MD5_DES_verify,
- 	RSA_MD5_DES3_verify): initialize ret
-
-	* lib/gssapi/init_sec_context.c (init_auth): remove unnecessary
- 	gssapi_krb5_init.  ask for KEYTYPE_DES credentials
-
-	* kadmin/get.c (print_entry_long): print the keytypes and salts
- 	available for the principal
-
-	* configure.in (WFLAGS): add `-O' to catch unitialized variables
- 	and such
-	(gethostname, mkstemp, getusershell, inet_aton): more tests
-
-	* lib/hdb/hdb.h: update prototypes
-
-	* configure.in: homogenize broken detection with krb4
-
-	* lib/kadm5/init_c.c (kadm5_c_init_with_context): remove unused
- 	`error'
-
-	* lib/asn1/Makefile.am (check-der): add
-
-	* lib/asn1/gen.c (define_type): map ASN1 Integer to `int' instead
- 	of `unsigned'
-
-	* lib/asn1/der_length.c (length_unsigned): new function
-	(length_int): handle signed integers
-
-	* lib/asn1/der_put.c (der_put_unsigned): new function
-	(der_put_int): handle signed integers
-
- 	* lib/asn1/der_get.c (der_get_unsigned): new function
- 	(der_get_int): handle signed integers
-
-	* lib/asn1/der.h: all integer functions take `int' instead of
- 	`unsigned'
-
-	* lib/asn1/lex.l (filename): unused. remove.
-
-	* lib/asn1/check-der.c: new test program for der encoding and
- 	decoding.
-
-Mon Feb  1 04:09:06 1999  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): only call
- 	gethostbyname2 with AF_INET6 if we actually have IPv6.  From
- 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
-
- 	* lib/krb5/changepw.c (get_kdc_address): dito
-
-Sun Jan 31 06:26:36 1999  Assar Westerlund  <assar@sics.se>
-
-	* kdc/connect.c (parse_prots): always bind to AF_INET, there are
- 	v6-implementations without support for `mapped V4 addresses'.
-  	From Jun-ichiro itojun Hagino <itojun@kame.net>
-
-Sat Jan 30 22:38:27 1999  Assar Westerlund  <assar@juguete.sics.se>
-
-	* Release 0.0u
-
-Sat Jan 30 13:43:02 1999  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/Makefile.am: explicit rules for *.et files
-
- 	* lib/kadm5/init_c.c (get_kadm_ticket): only remove creds if
- 	krb5_get_credentials was succesful.
- 	(get_new_cache): return better error codes and return earlier.
- 	(get_cred_cache): only delete default_client if it's different
- 	from client
- 	(kadm5_c_init_with_context): return a more descriptive error.
-
-	* kdc/kerberos5.c (check_flags): handle NULL client or server
-
-	* lib/krb5/sendauth.c (krb5_sendauth): return the error in
- 	`ret_error' iff != NULL
-
-	* lib/krb5/rd_error.c (krb5_free_error, krb5_free_error_contents):
- 	new functions
-
-	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): more
- 	type-correctness
-
-	* lib/krb5/krb5.h (krb5_error): typedef to KRB_ERROR
-
-	* lib/krb5/init_creds_pw.c: KRB5_TGS_NAME: use
-
-	* lib/krb5/get_cred.c: KRB5_TGS_NAME: use
-
- 	* lib/kafs/afskrb5.c (afslog_uid_int): update to changes
-
-	* lib/kadm5/rename_s.c (kadm5_s_rename_principal): call remove
- 	instead of rename, but shouldn't this just call rename?
-
- 	* lib/kadm5/get_s.c (kadm5_s_get_principal): always return an
- 	error if the principal wasn't found.
-
-	* lib/hdb/ndbm.c (NDBM_seq): unseal key
-
-	* lib/hdb/db.c (DB_seq): unseal key
-
-	* lib/asn1/Makefile.am: added explicit rules for asn1_err.[ch]
-
-	* kdc/hprop.c (v4_prop): add krbtgt/THISREALM@OTHERREALM when
- 	finding cross-realm tgts in the v4 database
-
-	* kadmin/mod.c (mod_entry): check the number of arguments.  check
- 	that kadm5_get_principal worked.
-
-	* lib/krb5/keytab.c (fkt_remove_entry): remove KRB5_KT_NOTFOUND if
- 	we weren't able to remove it.
-
-	* admin/ktutil.c: less drive-by-deleting.  From Love
- 	<lha@e.kth.se>
-
-	* kdc/connect.c (parse_ports): copy the string before mishandling
- 	it with strtok_r
-
-	* kdc/kerberos5.c (tgs_rep2): print the principal with mismatching
- 	kvnos
-
-	* kadmin/kadmind.c (main): convert `debug_port' to network byte
- 	order
-
-	* kadmin/kadmin.c: allow specification of port number.
-
-	* lib/kadm5/kadm5_locl.h (kadm5_client_context): add
- 	`kadmind_port'.
-
-	* lib/kadm5/init_c.c (_kadm5_c_init_context): move up
- 	initalize_kadm5_error_table_r.
-	allow specification of port number.
-	
-  	From Love <lha@stacken.kth.se>
-
-	* kuser/klist.c: add option -t | --test
-
-Sat Dec  5 19:49:34 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/krb5/context.c: remove ktype_is_etype
-
-	* lib/krb5/crypto.c, lib/krb5/krb5.h, acconfig.h: NEW_DES3_CODE
-
-	* configure.in: fix for AIX install; better tests for AIX dynamic
- 	AFS libs; `--enable-new-des3-code'
-
-Tue Dec  1 14:44:44 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* appl/afsutil/Makefile.am: link with extra libs for aix
-
-	* kuser/Makefile.am: link with extra libs for aix
-
-Sun Nov 29 01:56:21 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_addrs.c (krb5_get_all_server_addrs): add.  almost
- 	the same as krb5_get_all_client_addrs except that it includes
- 	loopback addresses
-
-	* kdc/connect.c (init_socket): bind to a particular address
-	(init_sockets): get all local addresses and bind to them all
-
-	* lib/krb5/addr_families.c (addr2sockaddr, print_addr): new
- 	methods
-	(find_af, find_atype): new functions.  use them.
-
-	* configure.in: add hesiod
-
-Wed Nov 25 11:37:48 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/krb5/krb5_err.et: add some codes from kerberos-revisions-03
-
-Mon Nov 23 12:53:48 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/kadm5/log.c: rename delete -> remove
-
-	* lib/kadm5/delete_s.c: rename delete -> remove
-
-	* lib/hdb/common.c: rename delete -> remove
-
-Sun Nov 22 12:26:26 1998  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: check for environ and `struct spwd'
-
-Sun Nov 22 11:42:45 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* kdc/kerberos5.c (as_rep): set keytype to sess_ktype if
- 	ktype_is_etype
-
-	* lib/krb5/encrypt.c (krb5_keytype_to_etypes): zero terminate
- 	etypes
-	(em): sort entries
-
-Sun Nov 22 06:54:48 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/init_creds_pw.c: more type correctness
-
-	* lib/krb5/get_cred.c: re-structure code.  remove limits on ASN1
- 	generated bits.
-
-Sun Nov 22 01:49:50 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* kdc/hprop.c (v4_prop): fix bogus indexing
-
-Sat Nov 21 21:39:20 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/verify_init.c (fail_verify_is_ok): new function
-	(krb5_verify_init_creds): if we cannot get a ticket for
-	host/`hostname` and fail_verify_is_ok just return.  use
- 	krb5_rd_req
-
-Sat Nov 21 23:12:27 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/free.c (krb5_xfree): new function
-
-	* lib/krb5/creds.c (krb5_free_creds_contents): new function
-
-	* lib/krb5/context.c: more type correctness
-
-	* lib/krb5/checksum.c: more type correctness
-
-	* lib/krb5/auth_context.c (krb5_auth_con_init): more type
- 	correctness
-
-	* lib/asn1/der_get.c (der_get_length): fix test of len
-	(der_get_tag): more type correctness
-
-	* kuser/klist.c (usage): void-ize
-
-	* admin/ktutil.c (kt_remove): some more type correctness.
-
-Sat Nov 21 16:49:20 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* kuser/klist.c: try to list enctypes as keytypes
-
-	* kuser/kinit.c: remove extra `--cache' option, add `--enctypes'
- 	to set list of enctypes to use
-
-	* kadmin/load.c: load strings as hex
-
-	* kadmin/dump.c: dump hex as string is possible
-
-	* admin/ktutil.c: use print_version()
-
-	* configure.in, acconfig.h: test for hesiod
-
-Sun Nov 15 17:28:19 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/krb5/crypto.c: add some crypto debug code
-
-	* lib/krb5/get_in_tkt.c (_krb5_extract_ticket): don't use fixed
- 	buffer when encoding ticket
-
-	* lib/krb5/auth_context.c (re-)implement `krb5_auth_setenctype'
-
-	* kdc/kerberos5.c: allow mis-match of tgt session key, and service
- 	session key
-
-	* admin/ktutil.c: keytype -> enctype
-
-Fri Nov 13 05:35:48 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/krb5.h (KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE): added
-	
-Sat Nov  7 19:56:31 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_cred.c (add_cred): add termination NULL pointer
-
-Mon Nov  2 01:15:06 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/rd_req.c: adapt to new crypto api
-
-	* lib/krb5/rd_rep.c: adapt to new crypto api
-
-	* lib/krb5/rd_priv.c: adopt to new crypto api
-
-	* lib/krb5/rd_cred.c: adopt to new crypto api
-
-	* lib/krb5/principal.c: ENOMEM -> ERANGE
-
-	* lib/krb5/mk_safe.c: cleanup and adopt to new crypto api
-
-	* lib/krb5/mk_req_ext.c: adopt to new crypto api
-
-	* lib/krb5/mk_req.c: get enctype from auth_context keyblock
-
-	* lib/krb5/mk_rep.c: cleanup and adopt to new crypto api
-
-	* lib/krb5/mk_priv.c: adopt to new crypto api
-
-	* lib/krb5/keytab.c: adopt to new crypto api
-
-	* lib/krb5/get_in_tkt_with_skey.c: adopt to new crypto api
-
-	* lib/krb5/get_in_tkt_with_keytab.c: adopt to new crypto api
-
-	* lib/krb5/get_in_tkt_pw.c: adopt to new crypto api
-
-	* lib/krb5/get_in_tkt.c: adopt to new crypto api
-
-	* lib/krb5/get_cred.c: adopt to new crypto api
-
-	* lib/krb5/generate_subkey.c: use new crypto api
-
-	* lib/krb5/context.c: rename etype functions to enctype ditto
-
-	* lib/krb5/build_auth.c: use new crypto api
-
-	* lib/krb5/auth_context.c: remove enctype and cksumtype from
- 	auth_context
-
-Mon Nov  2 01:15:06 1998  Assar Westerlund  <assar@sics.se>
-
-	* kdc/connect.c (handle_udp, handle_tcp): correct type of `n'
-
-Tue Sep 15 18:41:38 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* admin/ktutil.c: fix printing of unrecognized keytypes
-
-Tue Sep 15 17:02:33 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
-
-	* lib/kadm5/set_keys.c: add KEYTYPE_USE_AFS3_SALT to keytype if
- 	using AFS3 salt
-
-Tue Aug 25 23:30:52 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): care about
- 	`use_admin_kdc'
-
-	* lib/krb5/changepw.c (get_kdc_address): use
- 	krb5_get_krb_admin_hst
-
-	* lib/krb5/krbhst.c (krb5_get_krb_admin_hst): new function
-
-	* lib/krb5/krb5.h (krb5_context_data): add `use_admin_kdc'
-
-	* lib/krb5/context.c (krb5_get_use_admin_kdc,
- 	krb5_set_use_admin_kdc): new functions
-
-Tue Aug 18 22:24:12 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/crypto.c: remove all calls to abort(); check return
- 	value from _key_schedule;
-	(RSA_MD[45]_DES_verify): zero tmp and res;
-	(RSA_MD5_DES3_{verify,checksum}): implement
-
-Mon Aug 17 20:18:46 1998  Assar Westerlund  <assar@sics.se>
-
-	* kdc/kerberos4.c (swap32): conditionalize
-
-	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): new function
-
-	* lib/krb5/get_host_realm.c (krb5_get_host_realm): if the hostname
- 	returned from gethostby*() isn't a FQDN, try with the original
- 	hostname
-
-	* lib/krb5/get_cred.c (make_pa_tgs_req): use krb5_mk_req_internal
- 	and correct key usage
-
-	* lib/krb5/crypto.c (verify_checksum): make static
-
-	* admin/ktutil.c (kt_list): use krb5_enctype_to_string
-
-Sun Aug 16 20:57:56 1998  Assar Westerlund  <assar@sics.se>
-
-	* kadmin/cpw.c (do_cpw_entry): use asprintf for the prompt
-
-	* kadmin/ank.c (ank): print principal name in prompt
-
-	* lib/krb5/crypto.c (hmac): always allocate space for checksum.
-  	never trust c.checksum.length
-	(_get_derived_key): try to return the derived key
-
-Sun Aug 16 19:48:42 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/crypto.c (hmac): fix some peculiarities and bugs
-	(get_checksum_key): assume usage is `formatted'
-	(create_checksum,verify_checksum): moved the guts of the krb5_*
-	functions here, both take `formatted' key-usages
-	(encrypt_internal_derived): fix various bogosities
-	(derive_key): drop key_type parameter (already given by the
-	encryption_type)
-
-	* kdc/kerberos5.c (check_flags): handle case where client is NULL
-
-	* kdc/connect.c (process_request): return zero after processing
- 	kerberos 4 request
-
-Sun Aug 16 18:38:15 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/crypto.c: merge x-*.[ch] into one file
-
-	* lib/krb5/cache.c: remove residual from krb5_ccache_data
-
-Fri Aug 14 16:28:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/x-crypto.c (derive_key): move DES3 specific code to
- 	separate function (will eventually end up someplace else)
-
-	* lib/krb5/x-crypto.c (krb5_string_to_key_derived): allocate key
-
-	* configure.in, acconfig.h: test for four valued krb_put_int
-
-Thu Aug 13 23:46:29 1998  Assar Westerlund  <assar@emma.pdc.kth.se>
-
-	* Release 0.0t
-
-Thu Aug 13 22:40:17 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/config_file.c (parse_binding): remove trailing
- 	whitespace
-
-Wed Aug 12 20:15:11 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/x-checksum.c (krb5_verify_checksum): pass checksum type
- 	to krb5_create_checksum
-
-	* lib/krb5/x-key.c: implement DES3_string_to_key_derived; fix a
- 	few typos
-
-Wed Aug  5 12:39:54 1998  Assar Westerlund  <assar@emma.pdc.kth.se>
-
-	* Release 0.0s
-
-Thu Jul 30 23:12:17 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/mk_error.c (krb5_mk_error): realloc until you die
-
-Thu Jul 23 19:49:03 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/kdc_locl.h: proto for `get_des_key'
-
-	* configure.in: test for four valued el_init
-
-	* kuser/klist.c: keytype -> enctype
-
-	* kpasswd/kpasswdd.c (change): use new `krb5_string_to_key*'
-
-	* kdc/hprop.c (v4_prop, ka_convert): convert to a set of keys
-
-	* kdc/kaserver.c: use `get_des_key'
-
-	* kdc/524.c: use new crypto api
-
-	* kdc/kerberos4.c: use new crypto api
-
-	* kdc/kerberos5.c: always treat keytypes as enctypes; use new
- 	crypto api
-
-	* kdc/kstash.c: adapt to new crypto api
-
-	* kdc/string2key.c: adapt to new crypto api
-
-	* admin/srvconvert.c: add keys for all possible enctypes
-
-	* admin/ktutil.c: keytype -> enctype
-
-	* lib/gssapi/init_sec_context.c: get enctype from auth_context
- 	keyblock
-
-	* lib/hdb/hdb.c: remove hdb_*_keytype2key
-
-	* lib/kadm5/set_keys.c: adapt to new crypto api
-
-	* lib/kadm5/rename_s.c: adapt to new crypto api
-
-	* lib/kadm5/get_s.c: adapt to new crypto api
-
-	* lib/kadm5/create_s.c: add keys for des-cbc-crc, des-cbc-md4,
- 	des-cbc-md5, and des3-cbc-sha1
-
-	* lib/krb5/heim_err.et: error message for unsupported salt
-
-	* lib/krb5/codec.c: short-circuit these functions, since they are
- 	not needed any more
-
-	* lib/krb5/rd_safe.c: cleanup and adapt to new crypto api
-
-Mon Jul 13 23:00:59 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): don't advance
- 	hostent->h_addr_list, use a copy instead
-
-Mon Jul 13 15:00:31 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/config_file.c (parse_binding, parse_section): make sure
- 	everything is ok before adding to linked list
-
-	* lib/krb5/config_file.c: skip ws before checking for comment
-
-Wed Jul  8 10:45:45 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/asn1/k5.asn1: hmac-sha1-des3 = 12
-
-Tue Jun 30 18:08:05 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): do not close the
- 	unopened file
-
-	* lib/krb5/mk_priv.c: realloc correctly
-
-	* lib/krb5/get_addrs.c (find_all_addresses): init j
-
-	* lib/krb5/context.c (krb5_init_context): print error if parsing
- 	of config file produced an error.
-
-	* lib/krb5/config_file.c (parse_list, krb5_config_parse_file):
- 	ignore more spaces
-
-	* lib/krb5/codec.c (krb5_encode_EncKrbCredPart,
- 	krb5_encode_ETYPE_INFO): initialize `ret'
-
-	* lib/krb5/build_auth.c (krb5_build_authenticator): realloc
- 	correctly
-
-	* lib/kadm5/set_keys.c (_kadm5_set_keys): initialize `ret'
-
-	* lib/kadm5/init_c.c (get_cred_cache): try to do the right thing
- 	with default_client
-
-	* kuser/kinit.c (main): initialize `ticket_life'
-
-	* kdc/kerberos5.c (get_pa_etype_info): initialize `ret'
-	(tgs_rep2): initialize `krbtgt'
-
-	* kdc/connect.c (do_request): check for errors from `sendto'
-
-	* kdc/524.c (do_524): initialize `ret'
-
-	* kadmin/util.c (foreach_principal): don't clobber `ret'
-
-	* kadmin/del.c (del_entry): don't apply on zeroth argument
-
-	* kadmin/cpw.c (do_cpw_entry): initialize `ret'
-
-Sat Jun 13 04:14:01 1998  Assar Westerlund  <assar@juguete.sics.se>
-
-	* Release 0.0r
-
-Sun Jun  7 04:13:14 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/addr_families.c: fall-back definition of
- 	IN6_ADDR_V6_TO_V4
-
-	* configure.in: only set CFLAGS if it wasn't set look for
- 	dn_expand and res_search
-
-Mon Jun  1 21:28:07 1998  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: remove duplicate seteuid
-
-Sat May 30 00:19:51 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/convert_creds.c: import _krb_time_to_life, to avoid
- 	runtime dependencies on libkrb with some shared library
- 	implementations
-
-Fri May 29 00:09:02 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kuser/kinit_options.c: Default options for kinit.
-
-	* kuser/kauth_options.c: Default options for kauth.
-
-	* kuser/kinit.c: Implement lots a new options.
-
-	* kdc/kerberos5.c (check_tgs_flags): make sure kdc-req-body->rtime
- 	is not NULL; set endtime to min of new starttime + old_life, and
- 	requested endtime
-
-	* lib/krb5/init_creds_pw.c (get_init_creds_common): if the
- 	forwardable or proxiable flags are set in options, set the
- 	kdc-flags to the value specified, and not always to one
-
-Thu May 28 21:28:06 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/kerberos5.c: Optionally compare client address to addresses
- 	in ticket.
-
-	* kdc/connect.c: Pass client address to as_rep() and tgs_rep().
-
-	* kdc/config.c: Add check_ticket_addresses, and
- 	allow_null_ticket_addresses variables.
-
-Tue May 26 14:03:42 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/kadm5/create_s.c: possibly make DES keys version 4 salted
-
-	* lib/kadm5/set_keys.c: check config file for kadmin/use_v4_salt
- 	before zapping version 4 salts
-
-Sun May 24 05:22:17 1998  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.0q
-
-	* lib/krb5/aname_to_localname.c: new file
-
-	* lib/gssapi/init_sec_context.c (repl_mutual): no output token
-
-	* lib/gssapi/display_name.c (gss_display_name): zero terminate
- 	output.
-
-Sat May 23 19:11:07 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/gssapi/display_status.c: new file
-
-	* Makefile.am: send -I to aclocal
-
-	* configure.in: remove duplicate setenv
-
-Sat May 23 04:55:19 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kadmin/util.c (foreach_principal): Check for expression before
- 	wading through the whole database.
-
-	* kadmin/kadmin.c: Pass NULL password to
- 	kadm5_*_init_with_password.
-
-	* lib/kadm5/init_c.c: Implement init_with_{skey,creds}*. Make use
- 	of `password' parameter to init_with_password.
-
-	* lib/kadm5/init_s.c: implement init_with_{skey,creds}*
-
-	* lib/kadm5/server.c: Better arguments for
- 	kadm5_init_with_password.
-
-Sat May 16 07:10:36 1998  Assar Westerlund  <assar@sics.se>
-
-	* kdc/hprop.c: conditionalize ka-server reading support on
- 	KASERVER_DB
-
-	* configure.in: new option `--enable-kaserver-db'
-
-Fri May 15 19:39:18 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/get_cred.c: Better error if local tgt couldn't be
- 	found.
-
-Tue May 12 21:11:02 1998  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.0p
-
-	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): only set
- 	encryption type in auth_context if it's compatible with the type
- 	of the session key
-
-Mon May 11 21:11:14 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/hprop.c: add support for ka-server databases
-
-	* appl/ftp/ftpd: link with -lcrypt, if needed
-
-Fri May  1 07:29:52 1998  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: don't test for winsock.h
-
-Sat Apr 18 21:43:11 1998  Johan Danielsson  <joda@puffer.pdc.kth.se>
-
-	* Release 0.0o
-
-Sat Apr 18 00:31:11 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/sock_principal.c: Save hostname.
-
-Sun Apr  5 11:29:45 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/mk_req_ext.c: Use same enctype as in ticket.
-
-	* kdc/hprop.c (v4_prop): Check for null key.
-
-Fri Apr  3 03:54:54 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/str2key.c: Fix DES3 string-to-key.
-
-	* lib/krb5/keytab.c: Get default keytab name from context.
-
-	* lib/krb5/context.c: Get `default_keytab_name' value.
-
-	* kadmin/util.c (foreach_principal): Print error message if
- 	`kadm5_get_principals' fails.
-
-	* kadmin/kadmind.c: Use `kadmind_loop'.
-
-	* lib/kadm5/server.c: Replace several other functions with
- 	`kadmind_loop'.
-
-Sat Mar 28 09:49:18 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/keytab.c (fkt_add_entry): use an explicit seek instead
- 	of O_APPEND
-
-	* configure.in: generate ftp Makefiles
-
-	* kuser/klist.c (print_cred_verbose): print IPv4-address in a
- 	portable way.
-
-	* admin/srvconvert.c (srvconv): return 0 if successful
-
-Tue Mar 24 00:40:33 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/keytab.c: MIT compatible changes: add and use sizes to
- 	keytab entries, and change default keytab to `/etc/krb5.keytab'.
-
-Mon Mar 23 23:43:59 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/gssapi/wrap.c: Use `gss_krb5_getsomekey'.
-
-	* lib/gssapi/unwrap.c: Implement and use `gss_krb5_getsomekey'.
-  	Fix bug in checking of pad.
-
-	* lib/gssapi/{un,}wrap.c: Add support for just integrity
- 	protecting data.
- 	
-	* lib/gssapi/accept_sec_context.c: Use
- 	`gssapi_krb5_verify_8003_checksum'.
-
-	* lib/gssapi/8003.c: Implement `gssapi_krb5_verify_8003_checksum'.
-
-	* lib/gssapi/init_sec_context.c: Zero cred, and store session key
- 	properly in auth-context.
-
-Sun Mar 22 00:47:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/kadm5/delete_s.c: Check immutable bit.
-
-	* kadmin/kadmin.c: Pass client name to kadm5_init.
-
-	* lib/kadm5/init_c.c: Get creds for client name passed in.
-
-	* kdc/hprop.c (v4_prop): Check for `changepw.kerberos'.
-
-Sat Mar 21 22:57:13 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/mk_error.c: Verify that error_code is in the range
- 	[0,127].
-
-	* kdc/kerberos5.c: Move checking of principal flags to new
- 	function `check_flags'.
-
-Sat Mar 21 14:38:51 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/kadm5/get_s.c (kadm5_s_get_principal): handle an empty salt
-
-	* configure.in: define SunOS if running solaris
-
-Sat Mar 21 00:26:34 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/kadm5/server.c: Unifdef test for same principal when
- 	changing password.
-
-	* kadmin/util.c: If kadm5_get_principals failes, we might still be
- 	able to perform the requested opreration (for instance someone if
- 	trying to change his own password).
-
-	* lib/kadm5/init_c.c: Try to get ticket via initial request, if
- 	not possible via tgt.
-
-	* lib/kadm5/server.c: Check for principals changing their own
- 	passwords.
-
-	* kdc/kerberos5.c (tgs_rep2): check for interesting flags on
- 	involved principals.
-
-	* kadmin/util.c: Fix order of flags.
-
-Thu Mar 19 16:54:10 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/kerberos4.c: Return sane error code if krb_rd_req fails.
-
-Wed Mar 18 17:11:47 1998  Assar Westerlund  <assar@sics.se>
-
-	* acconfig.h: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6
-
-Wed Mar 18 09:58:18 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): don't
- 	free keyseed; use correct keytab
-
-Tue Mar 10 09:56:16 1998  Assar Westerlund  <assar@sics.se>
-
-	* acinclude.m4 (AC_KRB_IPV6): rewrote to avoid false positives
-
-Mon Mar 16 23:58:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* Release 0.0n
-
-Fri Mar  6 00:41:30 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/gssapi/{accept_sec_context,release_cred}.c: Use
-	krb5_kt_close/krb5_kt_resolve.
-	
-	* lib/krb5/principal.c (krb5_425_conv_principal_ext): Use resolver
- 	to lookup hosts, so CNAMEs can be ignored.
-
-	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc, send_and_recv_http):
- 	Add support for using proxy.
-
-	* lib/krb5/context.c: Initialize `http_proxy' from
- 	`libdefaults/http_proxy'.
-
-	* lib/krb5/krb5.h: Add `http_proxy' to context.
-
-	* lib/krb5/send_to_kdc.c: Recognize `http/' and `udp/' as protocol
- 	specifications.
-
-Wed Mar  4 01:47:29 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* admin/ktutil.c: Implement `add' and `remove' functions. Make
- 	`--keytab' a global option.
-
-	* lib/krb5/keytab.c: Implement remove with files. Add memory
- 	operations.
-
-Tue Mar  3 20:09:59 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/keytab.c: Use function pointers.
-
-	* admin: Remove kdb_edit.
-
-Sun Mar  1 03:28:42 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/kadm5/dump_log.c: print operation names
-
-Sun Mar  1 03:04:12 1998  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: add X-tests, and {bin,...}dir appl/{kx,kauth}
-	
-	* lib/krb5/build_auth.c,mk_priv.c,rd_safe.c,mk_safe.c,mk_rep.c:
- 	remove arbitrary limit
-
-	* kdc/hprop-common.c: use krb5_{read,write}_message
-
-	* lib/kadm5/ipropd_master.c (send_diffs): more careful use
- 	krb5_{write,read}_message
-
-	* lib/kadm5/ipropd_slave.c (get_creds): get credentials for
- 	`iprop/master' directly.
-	(main): use `krb5_read_message'
-
-Sun Mar  1 02:05:11 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kadmin/kadmin.c: Cleanup commands list, and add help strings.
-
-	* kadmin/get.c: Add long, short, and terse (equivalent to `list')
- 	output formats. Short is the default.
-
-	* kadmin/util.c: Add `include_time' flag to timeval2str.
-
-	* kadmin/init.c: Max-life and max-renew can, infact, be zero.
-
-	* kadmin/{cpw,del,ext,get}.c: Use `foreach_principal'.
-
-	* kadmin/util.c: Add function `foreach_principal', that loops over
- 	all principals matching an expression.
-
-	* kadmin/kadmin.c: Add usage string to `privileges'.
-
-	* lib/kadm5/get_princs_s.c: Also try to match aganist the
- 	expression appended with `@default-realm'.
-
-	* lib/krb5/principal.c: Add `krb5_unparse_name_fixed_short', that
- 	excludes the realm if it's the same as the default realm.
-
-Fri Feb 27 05:02:21 1998  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: more WFLAGS and WFLAGS_NOUNUSED added missing
- 	headers and functions error -> com_err
-
- 	(krb5_get_init_creds_keytab): use krb5_keytab_key_proc
-
-	* lib/krb5/get_in_tkt_with_keytab.c: make `krb5_keytab_key_proc'
- 	global
-
-	* lib/kadm5/marshall.c (ret_principal_ent): set `n_tl_data'
-
-	* lib/hdb/ndbm.c: use `struct ndbm_db' everywhere.
-
-Fri Feb 27 04:49:24 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/mk_priv.c (krb5_mk_priv): bump static limit to 10240.
-  	This should be fixed the correct way.
-
-	* lib/kadm5/ipropd_master.c (check_acl:) truncate buf correctly
-	(send_diffs): compare versions correctly
-	(main): reorder handling of events
-
-	* lib/kadm5/log.c (kadm5_log_previous): avoid bad type conversion
-
-Thu Feb 26 02:22:35 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/kadm5/ipropd_{slave,master}.c: new files
-
-	* lib/kadm5/log.c (kadm5_log_get_version): take an `fd' as
- 	argument
-
-	* lib/krb5/krb5.h (krb5_context_data): `et_list' should be `struct
- 	et_list *'
-
-	* aux/make-proto.pl: Should work with perl4
-
-Mon Feb 16 17:20:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/krb5_locl.h: Remove <error.h> (it gets included via
- 	{asn1,krb5}_err.h).
-
-Thu Feb 12 03:28:40 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_in_tkt.c (_krb5_extract_ticket): if time difference
- 	is larger than max_skew, return KRB5KRB_AP_ERR_SKEW
-
-	* lib/kadm5/log.c (get_version): globalize
-
-	* lib/kadm5/kadm5_locl.h: include <sys/file.h>
-
-	* lib/asn1/Makefile.am: add PA_KEY_INFO and PA_KEY_INFO_ENTRY
-
-	* kdc/kerberos5.c (get_pa_etype_info): remove gcc-ism of
- 	initializing local struct in declaration.
-
-Sat Jan 31 17:28:58 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/524.c: Use krb5_decode_EncTicketPart.
-
-	* kdc/kerberos5.c: Check at runtime whether to use enctypes
- 	instead of keytypes. If so use the same value to encrypt ticket,
- 	and kdc-rep as well as `keytype' for session key. Fix some obvious
- 	bugs with the handling of additional tickets.
-
-	* lib/krb5/rd_req.c: Use krb5_decode_EncTicketPart, and
- 	krb5_decode_Authenticator.
-
-	* lib/krb5/rd_rep.c: Use krb5_decode_EncAPRepPart.
-
-	* lib/krb5/rd_cred.c: Use krb5_decode_EncKrbCredPart.
-
-	* lib/krb5/mk_rep.c: Make sure enc_part.etype is an encryption
- 	type, and not a key type.  Use krb5_encode_EncAPRepPart.
-
-	* lib/krb5/init_creds_pw.c: Use krb5_decode_PA_KEY_INFO.
-
-	* lib/krb5/get_in_tkt.c: Use krb5_decode_Enc{AS,TGS}RepPart.
-
-	* lib/krb5/get_for_creds.c: Use krb5_encode_EncKrbCredPart.
-
-	* lib/krb5/get_cred.c: Use krb5_decode_Enc{AS,TGS}RepPart.
-
-	* lib/krb5/build_auth.c: Use krb5_encode_Authenticator.
-
-	* lib/krb5/codec.c: Enctype conversion stuff.
-
-	* lib/krb5/context.c: Ignore KRB5_CONFIG if *not* running
- 	setuid. Get configuration for libdefaults ktype_is_etype, and
- 	default_etypes.
-
-	* lib/krb5/encrypt.c: Add krb5_string_to_etype, rename
- 	krb5_convert_etype to krb5_decode_keytype, and add
- 	krb5_decode_keyblock.
-
-Fri Jan 23 00:32:09 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/{get_in_tkt,rd_req}.c: Use krb5_convert_etype.
-
-	* lib/krb5/encrypt.c: Add krb5_convert_etype function - converts
- 	from protocol keytypes (that really are enctypes) to internal
- 	representation.
-
-Thu Jan 22 21:24:36 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/asn1/k5.asn1: Add PA-KEY-INFO structure to hold information
- 	on keys in the database; and also a new `pa-key-info' padata-type.
-
-	* kdc/kerberos5.c: If pre-authentication fails, return a list of
- 	keytypes, salttypes, and salts.
-
-	* lib/krb5/init_creds_pw.c: Add better support for
- 	pre-authentication, by looking at hints from the KDC.
-
-	* lib/krb5/get_in_tkt.c: Add better support for specifying what
- 	pre-authentication to use.
-
-	* lib/krb5/str2key.c: Merge entries for KEYTYPE_DES and
- 	KEYTYPE_DES_AFS3.
-
-	* lib/krb5/krb5.h: Add pre-authentication structures.
-
-	* kdc/connect.c: Don't fail if realloc(X, 0) returns NULL.
-
-Wed Jan 21 06:20:40 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize
- 	`log_context.socket_name' and `log_context.socket_fd'
-
-	* lib/kadm5/log.c (kadm5_log_flush): send a unix domain datagram
- 	to inform the possible running ipropd of an update.
-
-Wed Jan 21 01:34:09 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/get_in_tkt.c: Return error-packet to caller.
-
-	* lib/krb5/free.c (krb5_free_kdc_rep): Free krb5_kdc_rep->error.
-
-	* kdc/kerberos5.c: Add some support for using enctypes instead of
- 	keytypes.
-
-	* lib/krb5/get_cred.c: Fixes to send authorization-data to the
- 	KDC.
-
-	* lib/krb5/build_auth.c: Only generate local subkey if there is
- 	none.
-
-	* lib/krb5/krb5.h: Add krb5_authdata type.
-
-	* lib/krb5/auth_context.c: Add
- 	krb5_auth_con_set{,localsub,remotesub}key.
-
-	* lib/krb5/init_creds_pw.c: Return some error if prompter
- 	functions return failure.
-
-Wed Jan 21 01:16:13 1998  Assar Westerlund  <assar@sics.se>
-
-	* kpasswd/kpasswd.c: detect bad password.  use krb5_err.
-
-	* kadmin/util.c (edit_entry): remove unused variables
-
-Tue Jan 20 22:58:31 1998  Assar Westerlund  <assar@sics.se>
-
-	* kuser/kinit.c: rename `-s' to `-S' to be MIT-compatible.
-
-	* lib/kadm5/kadm5_locl.h: add kadm5_log_context and
- 	kadm5_log*-functions
-
-	* lib/kadm5/create_s.c (kadm5_s_create_principal): add change to
- 	log
-
-	* lib/kadm5/rename_s.c (kadm5_s_rename_principal): add change to
- 	log
-
-	* lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize
- 	log_context
-
-	* lib/kadm5/delete_s.c (kadm5_s_delete_principal): add change to
- 	log
-
-	* lib/kadm5/modify_s.c (kadm5_s_modify_principal): add change to
- 	log
-
-	* lib/kadm5/randkey_s.c (kadm5_s_randkey_principal): add change to
- 	log
-
-	* lib/kadm5/chpass_s.c (kadm5_s_chpass_principal): add change to
- 	log
-
-	* lib/kadm5/Makefile.am: add log.c, dump_log and replay_log
-
-	* lib/kadm5/replay_log.c: new file
-
-	* lib/kadm5/dump_log.c: new file
-
-	* lib/kadm5/log.c: new file
-
-	* lib/krb5/str2key.c (get_str): initialize pad space to zero
-
-	* lib/krb5/config_file.c (krb5_config_vget_next): handle c == NULL
-
-	* kpasswd/kpasswdd.c: rewritten to use the kadm5 API
-
-	* kpasswd/Makefile.am: link with kadm5srv
-
-	* kdc/kerberos5.c (tgs_rep): initialize `i'
-
-	* kadmin/kadmind.c (main): use kadm5_server_{send,recv}_sp
-
-	* include/Makefile.am: added admin.h
-
-Sun Jan 18 01:41:34 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/asn1/gen_copy.c: Don't return ENOMEM if allocating 0 bytes.
-
-	* lib/krb5/mcache.c (mcc_store_cred): restore linked list if
- 	copy_creds fails.
-
-Tue Jan  6 04:17:56 1998  Assar Westerlund  <assar@sics.se>
-
-	* lib/kadm5/server.c: add kadm5_server_{send,recv}{,_sp}
-
-	* lib/kadm5/marshall.c: add kadm5_{store,ret}_principal_ent_mask.
-
-	* lib/kadm5/init_c.c (kadm5_c_init_with_password_ctx): use
- 	krb5_getportbyname
-
-	* kadmin/kadmind.c (main): htons correctly.
-	moved kadm5_server_{recv,send}
-
-	* kadmin/kadmin.c (main): only set admin_server if explicitly
- 	given
-
-Mon Jan  5 23:34:44 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/hdb/ndbm.c: Implement locking of database.
-
-	* kdc/kerberos5.c: Process AuthorizationData.
-
-Sat Jan  3 22:07:07 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* kdc/string2key.c: Use AFS string-to-key from libkrb5.
-
-	* lib/krb5/get_in_tkt.c: Handle pa-afs3-salt case.
-
-	* lib/krb5/krb5.h: Add value for AFS salts.
-
-	* lib/krb5/str2key.c: Add support for AFS string-to-key.
-
-	* lib/kadm5/rename_s.c: Use correct salt.
-
-	* lib/kadm5/ent_setup.c: Always enable client. Only set max-life
- 	and max-renew if != 0.
-
-	* lib/krb5/config_file.c: Add context to all krb5_config_*get_*.
-
-Thu Dec 25 17:03:25 1997  Assar Westerlund  <assar@sics.se>
-
-	* kadmin/ank.c (ank): don't zero password if --random-key was
- 	given.
-
-Tue Dec 23 01:56:45 1997  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.0m
-
-	* lib/kadm5/ent_setup.c (attr_to_flags): try to set `client'
-
-	* kadmin/util.c (edit_time): only set mask if != 0
-	(edit_attributes): only set mask if != 0
-
-	* kadmin/init.c (init): create `default'
-
-Sun Dec 21 09:44:05 1997  Assar Westerlund  <assar@sics.se>
-
-	* kadmin/util.c (str2deltat, str2attr, get_deltat): return value
- 	as pointer and have return value indicate success.
-	
-	(get_response): check NULL from fgets
-	
-	(edit_time, edit_attributes): new functions for reading values and
-	offering list of answers on '?'
-	
-	(edit_entry): use edit_time and edit_attributes
-
-	* kadmin/ank.c (add_new_key): test the return value of
- 	`krb5_parse_name'
-
-	* kdc/kerberos5.c (tgs_check_authenticator): RFC1510 doesn't say
- 	that the checksum has to be keyed, even though later drafts do.
-  	Accept unkeyed checksums to be compatible with MIT.
-
-	* kadmin/kadmin_locl.h: add some prototypes.
-
-	* kadmin/util.c (edit_entry): return a value
-
-	* appl/afsutil/afslog.c (main): return a exit code.
-
-	* lib/krb5/get_cred.c (init_tgs_req): use krb5_keytype_to_enctypes
-
-	* lib/krb5/encrypt.c (krb5_keytype_to_enctypes): new function.
-
-	* lib/krb5/build_auth.c (krb5_build_authenticator): use
- 	krb5_{free,copy}_keyblock instead of the _contents versions
-
-Fri Dec 12 14:20:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/{mk,rd}_priv.c: fix check for local/remote subkey
-
-Mon Dec  8 08:48:09 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/context.c: don't look at KRB5_CONFIG if running setuid
-
-Sat Dec  6 10:09:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/keyblock.c (krb5_free_keyblock): check for NULL
-	keyblock
-
-Sat Dec  6 08:26:10 1997  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.0l
-
-Thu Dec  4 03:38:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/send_to_kdc.c: Add TCP client support.
-
-	* lib/krb5/store.c: Add k_{put,get}_int.
-
-	* kadmin/ank.c: Set initial kvno to 1.
-
-	* kdc/connect.c: Send version 5 TCP-reply as length+data.
-
-Sat Nov 29 07:10:11 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/rd_req.c (krb5_rd_req): fixed obvious bug
-
-	* kdc/kaserver.c (create_reply_ticket): use a random nonce in the
- 	reply packet.
-
-	* kdc/connect.c (init_sockets): less reallocing.
-
-	* **/*.c: changed `struct fd_set' to `fd_set'
-
-Sat Nov 29 05:12:01 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/get_default_principal.c: More guessing.
-
-Thu Nov 20 02:55:09 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/rd_req.c: Use principal from ticket if no server is
- 	given.
-
-Tue Nov 18 02:58:02 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kuser/klist.c: Use krb5_err*().
-
-Sun Nov 16 11:57:43 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kadmin/kadmin.c: Add local `init', `load', `dump', and `merge'
- 	commands.
-
-Sun Nov 16 02:52:20 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/mk_req_ext.c (krb5_mk_req_ext): figure out the correct
- 	`enctype'
-
-	* lib/krb5/mk_req.c (krb5_mk_req): use `(*auth_context)->enctype'
- 	if set.
-
-	* lib/krb5/get_cred.c: handle the case of a specific keytype
-
-	* lib/krb5/build_auth.c (krb5_build_authenticator): enctype as a
- 	parameter instead of guessing it.
-
-	* lib/krb5/build_ap_req.c (krb5_build_ap_req): new parameter
- 	`enctype'
-
-	* appl/test/common.c (common_setup): don't use `optarg'
-
-	* lib/krb5/keytab.c (krb5_kt_copy_entry_contents): new function
-	(krb5_kt_get_entry): retrieve the latest version if kvno == 0
-
-	* lib/krb5/krb5.h: define KRB5_TC_MATCH_KEYTYPE
-
-	* lib/krb5/creds.c (krb5_compare_creds): check for
- 	KRB5_TC_MATCH_KEYTYPE
-
-	* lib/gssapi/8003.c (gssapi_krb5_create_8003_checksum): remove
- 	unused variable
-
-	* lib/krb5/creds.c (krb5_copy_creds_contents): only free the
- 	contents if we fail.
-
-Sun Nov 16 00:32:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kpasswd/kpasswdd.c: Get password expiration time from config
- 	file.
-
-	* lib/asn1/{der_get,gen_decode}.c: Allow passing NULL size.
-
-Wed Nov 12 02:35:57 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
- 	restructured and fixed.
-
-	* lib/krb5/addr_families.c (krb5_h_addr2addr): new function.
-
-Wed Nov 12 01:36:01 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/get_addrs.c: Fall back to hostname's addresses if other
- 	methods fail.
-
-Tue Nov 11 22:22:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kadmin/kadmin.c: Add `-l' flag to use local database.
-
-	* lib/kadm5/acl.c: Use KADM5_PRIV_ALL.
-
-	* lib/kadm5: Use function pointer trampoline for easier dual use
- 	(without radiation-hardening capability).
-
-Tue Nov 11 05:15:22 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/encrypt.c (krb5_etype_valid): new function
-
-	* lib/krb5/creds.c (krb5_copy_creds_contents): zero target
-
-	* lib/krb5/context.c (valid_etype): remove
-
-	* lib/krb5/checksum.c: remove dead code
-
-	* lib/krb5/changepw.c (send_request): free memory on error.
-
-	* lib/krb5/build_ap_req.c (krb5_build_ap_req): check return value
- 	from malloc.
-
-	* lib/krb5/auth_context.c (krb5_auth_con_init): free memory on
- 	failure correctly.
-	(krb5_auth_con_setaddrs_from_fd): return error correctly.
-
-	* lib/krb5/get_in_tkt_with_{keytab,skey}.c: new files
-
-Tue Nov 11 02:53:19 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/auth_context.c: Implement auth_con_setuserkey.
-
-	* lib/gssapi/init_sec_context.c: Use krb5_auth_con_getkey.
-
-	* lib/krb5/keyblock.c: Rename krb5_free_keyblock to
- 	krb5_free_keyblock_contents, and reimplement krb5_free_keyblock.
-
-	* lib/krb5/rd_req.c: Use auth_context->keyblock if
- 	ap_options.use_session_key.
-
-Tue Nov 11 02:35:17 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/net_{read,write}.c: change `int fd' to `void *p_fd'.
-	fix callers.
-
-	* lib/krb5/krb5_locl.h: include <asn1.h> and <der.h>
-
-	* include/Makefile.am: add xdbm.h
-
-Tue Nov 11 01:58:22 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/get_cred.c: Implement krb5_get_cred_from_kdc.
-
-Mon Nov 10 22:41:53 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/ticket.c: Implement copy_ticket.
-
-	* lib/krb5/get_in_tkt.c: Make `options' parameter MIT-compatible.
-
-	* lib/krb5/data.c: Implement free_data and copy_data.
-
-Sun Nov  9 02:17:27 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/kadm5: Implement kadm5_get_privs, and kadm5_get_principals.
-
-	* kadmin/kadmin.c: Add get_privileges function.
-
-	* lib/kadm5: Rename KADM5_ACL_* -> KADM5_PRIV_* to conform with
- 	specification.
-
-	* kdc/connect.c: Exit if no sockets could be bound.
-
-	* kadmin/kadmind.c: Check return value from krb5_net_read().
-
-	* lib/kadm5,kadmin: Fix memory leaks.
-
-Fri Nov  7 02:45:26 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/kadm5/create_s.c: Get some default values from `default'
- 	principal.
-
-	* lib/kadm5/ent_setup.c: Add optional default entry to get some
- 	values from.
-
-Thu Nov  6 00:20:41 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/error/compile_et.awk: Remove generated destroy_*_error_table
- 	prototype
-
-	* kadmin/kadmind.c: Crude admin server.
-
-	* kadmin/kadmin.c: Update to use remote protocol.
-
-	* kadmin/get.c: Fix principal formatting.
-
-	* lib/kadm5: Add client support.
-
-	* lib/kadm5/error.c: Error code mapping.
-
-	* lib/kadm5/server.c: Kadmind support function.
-
-	* lib/kadm5/marshall.c: Kadm5 marshalling.
-
-	* lib/kadm5/acl.c: Simple acl system.
-
-	* lib/kadm5/kadm5_locl.h: Add client stuff.
-
-	* lib/kadm5/init_s.c: Initialize acl.
-
-	* lib/kadm5/*:  Return values.
-
-	* lib/kadm5/create_s.c: Correct kvno.
-
-Wed Nov  5 22:06:50 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/log.c: Fix parsing of log destinations.
-
-Mon Nov  3 20:33:55 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/principal.c: Reduce number of reallocs in unparse_name.
-
-Sat Nov  1 01:40:53 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kadmin: Simple kadmin utility.
-
-	* admin/ktutil.c: Print keytype.
-
-	* lib/kadm5/get_s.c: Set correct n_key_data.
-
-	* lib/kadm5/init_s.c: Add kadm5_s_init_with_password_ctx. Use
- 	master key.
-
-	* lib/kadm5/destroy_s.c: Check for allocated context.
-
-	* lib/kadm5/{create,chpass}_s.c: Use _kadm5_set_keys().
-
-Sat Nov  1 00:21:00 1997  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: test for readv, writev
-
-Wed Oct 29 23:41:26 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/warn.c (_warnerr): handle the case of an illegal error
- 	code
-
-	* kdc/kerberos5.c (encode_reply): return success
-
-Wed Oct 29 18:01:59 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/kerberos5.c (find_etype) Return correct index of selected
- 	etype.
-
-Wed Oct 29 04:07:06 1997  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.0k
-
-	* lib/krb5/context.c (krb5_init_context): support `KRB5_CONFIG'
- 	environment variable
-
-	* *: use the roken_get*-macros from roken.h for the benefit of
- 	Crays.
-
-	* configure.in: add --{enable,disable}-otp.  check for compatible
- 	prototypes for gethostbyname, gethostbyaddr, getservbyname, and
- 	openlog (they have strange prototypes on Crays)
-
-	* acinclude.m4: new macro `AC_PROTO_COMPAT'
-
-Tue Oct 28 00:11:22 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/connect.c: Log bad requests.
-
-	* kdc/kerberos5.c: Move stuff that's in common between as_rep and
- 	tgs_rep to separate functions.
-
-	* kdc/kerberos5.c: Fix user-to-user authentication.
-
-	* lib/krb5/get_cred.c: Some restructuring of krb5_get_credentials:
- 	  - add a kdc-options argument to krb5_get_credentials, and rename
-	    it to krb5_get_credentials_with_flags
-	  - honour the KRB5_GC_CACHED, and KRB5_GC_USER_USER options
-	  - add some more user-to-user glue
-
-	* lib/krb5/rd_req.c: Move parts of krb5_verify_ap_req into a new
- 	function, krb5_decrypt_ticket, so it is easier to decrypt and
- 	check a ticket without having an ap-req.
-
-	* lib/krb5/krb5.h: Add KRB5_GC_CACHED, and KRB5_GC_USER_USER
- 	flags.
-
-	* lib/krb5/crc.c (crc_init_table): Check if table is already
- 	inited.
-
-Sun Oct 26 04:51:02 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/asn1/der_get.c (der_get_length, fix_dce): Special-case
- 	indefinite encoding.
-
-	* lib/asn1/gen_glue.c (generate_units): Check for empty
- 	member-list.
-
-Sat Oct 25 07:24:57 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/error/compile_et.awk: Allow specifying table-base.
-
-Tue Oct 21 20:21:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/kerberos5.c: Check version number of krbtgt.
-
-Mon Oct 20 01:14:53 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/prompter_posix.c (krb5_prompter_posix): implement the
- 	case of unhidden prompts.
-
-	* lib/krb5/str2key.c (string_to_key_internal): return error
- 	instead of aborting.  always free memory
-
-	* admin/ktutil.c: add `help' command
-
-	* admin/kdb_edit.c: implement new commands: add_random_key(ark),
- 	change_password(cpw), change_random_key(crk)
-
-Thu Oct 16 05:16:36 1997  Assar Westerlund  <assar@sics.se>
-
-	* kpasswd/kpasswdd.c: change all the keys in the database
-
-	* kdc: removed all unsealing, now done by the hdb layer
-
-	* lib/hdb/hdb.c: new functions `hdb_create', `hdb_set_master_key'
- 	and `hdb_clear_master_key'
-
-	* admin/misc.c: removed
-
-Wed Oct 15 22:47:31 1997  Assar Westerlund  <assar@sics.se>
-
-	* kuser/klist.c: print year as YYYY iff verbose
-
-Wed Oct 15 20:02:13 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kuser/klist.c: print etype from ticket
-
-Mon Oct 13 17:18:57 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* Release 0.0j
-
-	* lib/krb5/get_cred.c: Get the subkey from mk_req so it can be
- 	used to decrypt the reply from DCE secds.
-
-	* lib/krb5/auth_context.c: Add {get,set}enctype.
-
-	* lib/krb5/get_cred.c: Fix for DCE secd.
-
-	* lib/krb5/store.c: Store keytype twice, as MIT does.
-
-	* lib/krb5/get_in_tkt.c: Use etype from reply.
-
-Fri Oct 10 00:39:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/connect.c: check for leading '/' in http request
-
-Tue Sep 30 21:50:18 1997  Assar Westerlund  <assar@assaris.pdc.kth.se>
-
-	* Release 0.0i
-
-Mon Sep 29 15:58:43 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/rd_req.c (krb5_rd_req): redone because we don't know
- 	the kvno or keytype before receiving the AP-REQ
-
-	* lib/krb5/mk_safe.c (krb5_mk_safe): figure out what cksumtype to
- 	use from the keytype.
-
-	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): figure out what
- 	cksumtype to use from the keytype.
-
-	* lib/krb5/mk_priv.c (krb5_mk_priv): figure out what etype to use
- 	from the keytype.
-
-	* lib/krb5/keytab.c (krb5_kt_get_entry): check the keytype
-
-	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): figure out
- 	what etype to use from the keytype.
-
-	* lib/krb5/generate_seq_number.c (krb5_generate_seq_number):
- 	handle other key types than DES
-
-	* lib/krb5/encrypt.c (key_type): add `best_cksumtype'
-	(krb5_keytype_to_cksumtype): new function
-
-	* lib/krb5/build_auth.c (krb5_build_authenticator): figure out
- 	what etype to use from the keytype.
-
-	* lib/krb5/auth_context.c (krb5_auth_con_init): set `cksumtype'
- 	and `enctype' to 0
-
-	* admin/extkeytab.c (ext_keytab): extract all keys
-
-	* appl/telnet/telnet/commands.c: INET6_ADDRSTRLEN kludge
-
-	* configure.in: check for <netinet6/in6.h>. check for -linet6
-	
-Tue Sep 23 03:00:53 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/encrypt.c: fix checksumtype for des3-cbc-sha1
-
-	* lib/krb5/rd_safe.c: fix check for keyed and collision-proof
- 	checksum
-
-	* lib/krb5/context.c (valid_etype): remove hard-coded constants
-	(default_etypes): include DES3
-
-	* kdc/kerberos5.c: fix check for keyed and collision-proof
- 	checksum
-
-	* admin/util.c (init_des_key, set_password): DES3 keys also
-
- 	* lib/krb/send_to_kdc.c (krb5_sendto_kdc): no data returned means
- 	no contact?
-
-	* lib/krb5/addr_families.c: fix typo in `ipv6_anyaddr'
-
-Mon Sep 22 11:44:27 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* kdc/kerberos5.c: Somewhat fix the etype usage. The list sent by
- 	the client is used to select wich key to encrypt the kdc rep with
- 	(in case of as-req), and with the server info to select the
- 	session key type. The server key the ticket is encrypted is based
- 	purely on the keys in the database.
-
-	* kdc/string2key.c: Add keytype support. Default to version 5
- 	keys.
-
-	* lib/krb5/get_in_tkt.c: Fix a lot of etype/keytype misuse.
-
-	* lib/krb5/encrypt.c: Add des3-cbc-md5, and des3-cbc-sha1. Add
- 	many *_to_* functions.
-
-	* lib/krb5/str2key.c: Add des3 string-to-key. Add ktype argument
- 	to krb5_string_to_key().
-
-	* lib/krb5/checksum.c: Some cleanup, and added: 
-	  - rsa-md5-des3 
-	  - hmac-sha1-des3 
-	  - keyed and collision proof flags to each checksum method
-	  - checksum<->string functions.
-
-	* lib/krb5/generate_subkey.c: Use krb5_generate_random_keyblock.
-
-Sun Sep 21 15:19:23 1997  Assar Westerlund  <assar@sics.se>
-
-	* kdc/connect.c: use new addr_families functions
-
-	* kpasswd/kpasswdd.c: use new addr_families functions.  Now works
- 	over IPv6
-
-	* kuser/klist.c: use correct symbols for address families
-
-	* lib/krb5/sock_principal.c: use new addr_families functions
-
-	* lib/krb5/send_to_kdc.c: use new addr_families functions
-
-	* lib/krb5/krb5.h: add KRB5_ADDRESS_INET6
-
-	* lib/krb5/get_addrs.c: use new addr_families functions
-
-	* lib/krb5/changepw.c: use new addr_families functions.  Now works
- 	over IPv6
-
-	* lib/krb5/auth_context.c: use new addr_families functions
-
-	* lib/krb5/addr_families.c: new file
-
-	* acconfig.h: AC_SOCKADDR_IN6 -> AC_STRUCT_SOCKADDR_IN6.  Updated
- 	uses.
-
-	* acinclude.m4: new macro `AC_KRB_IPV6'.  Use it.
-
-Sat Sep 13 23:04:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/hprop.c: Don't encrypt twice. Complain on non-convertable
- 	principals.
-
-Sat Sep 13 00:59:36 1997  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.0h
-	
-	* appl/telnet/telnet/commands.c: AF_INET6 support
-
-	* admin/misc.c: new file
-
-	* lib/krb5/context.c: new configuration variable `max_retries'
-
-	* lib/krb5/get_addrs.c: fixes and better #ifdef's
-
-	* lib/krb5/config_file.c: implement krb5_config_get_int
-
-	* lib/krb5/auth_context.c, send_to_kdc.c, sock_principal.c:
- 	AF_INET6 support
-
-	* kuser/klist.c: support for printing IPv6-addresses
-
-	* kdc/connect.c: support AF_INET6
-
-	* configure.in: test for gethostbyname2 and struct sockaddr_in6
-
-Thu Sep 11 07:25:28 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/k5.asn1: Use `METHOD-DATA' instead of `SEQUENCE OF
- 	PA-DATA'
-
-Wed Sep 10 21:20:17 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/kerberos5.c: Fixes for cross-realm, including (but not
- 	limited to):
-	  - allow client to be non-existant (should probably check for
-	    "local realm")
-	  - if server isn't found and it is a request for a krbtgt, try to
- 	    find a realm on the way to the requested realm
-	  - update the transited encoding iff 
-	    client-realm != server-realm != tgt-realm
-
-	* lib/krb5/get_cred.c: Several fixes for cross-realm.
-
-Tue Sep  9 15:59:20 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/string2key.c: Fix password handling.
-
-	* lib/krb5/encrypt.c: krb5_key_to_string
-
-Tue Sep  9 07:46:05 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_addrs.c: rewrote.  Now should be able to handle
- 	aliases and IPv6 addresses
-
-	* kuser/klist.c: try printing IPv6 addresses
-
-	* kdc/kerberos5.c: increase the arbitrary limit from 1024 to 8192
-
-	* configure.in: check for <netinet/in6_var.h>
-
-Mon Sep  8 02:57:14 1997  Assar Westerlund  <assar@sics.se>
-
-	* doc: fixes
-
-	* admin/util.c (init_des_key): increase kvno
-	(set_password): return -1 if `des_read_pw_string' failed
-
-	* admin/mod.c (doit2): check the return value from `set_password'
-
-	* admin/ank.c (doit): don't add a new entry if `set_password'
- 	failed
-
-Mon Sep  8 02:20:16 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/verify_init.c: fix ap_req_nofail semantics
-
-	* lib/krb5/transited.c: something that might resemble
- 	domain-x500-compress
-
-Mon Sep  8 01:24:42 1997  Assar Westerlund  <assar@sics.se>
-
-	* kdc/hpropd.c (main): check number of arguments
-
-	* appl/popper/pop_init.c (pop_init): check number of arguments
-
-	* kpasswd/kpasswd.c (main): check number of arguments
-
-	* kdc/string2key.c (main): check number of arguments
-
-	* kuser/kdestroy.c (main): check number of arguments
-
-	* kuser/kinit.c (main): check number of arguments
-
-	* kpasswd/kpasswdd.c (main): use sigaction without SA_RESTART to
- 	break out of select when a signal arrives
-
-	* kdc/main.c (main): use sigaction without SA_RESTART to break out
- 	of select when a signal arrives
-
-	* kdc/kstash.c: default to HDB_DB_DIR "/m-key"
-
-	* kdc/config.c (configure): add `--version'.  Check the number of
- 	arguments. Handle the case of there being no specification of port
- 	numbers.
-
-	* admin/util.c: seal and unseal key at appropriate places
-
-	* admin/kdb_edit.c (main): parse arguments, config file and read
- 	master key iff there's one.
-
-	* admin/extkeytab.c (ext_keytab): unseal key while extracting
-
-Sun Sep  7 20:41:01 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/roken/roken.h: include <fcntl.h>
-
-	* kdc/kerberos5.c (set_salt_padata): new function
-
-	* appl/telnet/telnetd/telnetd.c: Rename some variables that
- 	conflict with cpp symbols on HP-UX 10.20
-
-	* change all calls of `gethostbyaddr' to cast argument 1 to `const
- 	char *'
-
-	* acconfig.h: only use SGTTY on nextstep
-
-Sun Sep  7 14:33:50 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/kerberos5.c: Check invalid flag.
-
-Fri Sep  5 14:19:38 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/verify_user.c: Use get_init_creds/verify_init_creds.
-
-	* lib/kafs: Move functions common to krb/krb5 modules to new file,
- 	and make things more modular.
-
-	* lib/krb5/krb5.h: rename STRING -> krb5_config_string, and LIST
- 	-> krb5_config_list
-
-Thu Sep  4 23:39:43 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/get_addrs.c: Fix loopback test.
-
-Thu Sep  4 04:45:49 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/roken/roken.h: fallback definition of `O_ACCMODE'
-
-	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful when
- 	checking for a v4 reply
-
-Wed Sep  3 18:20:14 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/hprop.c: Add `--decrypt' and `--encrypt' flags.
-
-	* lib/hdb/hdb.c: new {seal,unseal}_keys functions
-
-	* kdc/{hprop,hpropd}.c: Add support to dump database to stdout.
-
-	* kdc/hprop.c: Don't use same master key as version 4.
-
-	* admin/util.c: Don't dump core if no `default' is found.
-
-Wed Sep  3 16:01:07 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* kdc/connect.c: Allow run time port specification.
-
-	* kdc/config.c: Add flags for http support, and port
- 	specifications.
-
-Tue Sep  2 02:00:03 1997  Assar Westerlund  <assar@sics.se>
-
-	* include/bits.c: Don't generate ifndef's in bits.h.  Instead, use
- 	them when building the program.  This makes it possible to include
- 	bits.h without having defined all HAVE_INT17_T symbols.
-	
-	* configure.in: test for sigaction
-
-	* doc: updated documentation.
-	
-Tue Sep  2 00:20:31 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* Release 0.0g
-
-Mon Sep  1 17:42:14 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/data.c: don't return ENOMEM if len == 0
-
-Sun Aug 31 17:15:49 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/hdb/hdb.asn1: Include salt type in salt.
-
-	* kdc/hprop.h: Change port to 754.
-
-	* kdc/hpropd.c: Verify who tries to transmit a database.
-
-	* appl/popper: Use getarg and krb5_log.
-
-	* lib/krb5/get_port.c: Add context parameter. Now takes port in
- 	host byte order.
-
-Sat Aug 30 18:48:19 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/connect.c: Add timeout to select, and log about expired tcp
- 	connections.
-
-	* kdc/config.c: Add `database' option.
-
-	* kdc/hpropd.c: Log about duplicate entries.
-
-	* lib/hdb/{db,ndbm}.c: Use common routines.
-
-	* lib/hdb/common.c: Implement more generic fetch/store/delete
- 	functions.
-
-	* lib/hdb/hdb.h: Add `replace' parameter to store.
-	
-	* kdc/connect.c: Set filedecriptor to -1 on allocated decriptor
- 	entries.
-
-Fri Aug 29 03:13:23 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_in_tkt.c: extract_ticket -> _krb5_extract_ticket
-
-	* aux/make-proto.pl: fix __P for stone age mode
-
-Fri Aug 29 02:45:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/45/mk_req.c: implementation of krb_mk_req that uses 524
- 	protocol
-
-	* lib/krb5/init_creds_pw.c: make change_password and
- 	get_init_creds_common static
-
-	* lib/krb5/krb5.h: Merge stuff from removed headerfiles.
-
-	* lib/krb5/fcache.c: fcc_ops -> krb5_fcc_ops
-
-	* lib/krb5/mcache.c: mcc_ops -> krb5_mcc_ops
-
-Fri Aug 29 01:45:25 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/krb5.h: Remove all prototypes.
-
-	* lib/krb5/convert_creds.c: Use `struct credentials' instead of
- 	`CREDENTIALS'.
-
-Fri Aug 29 00:08:18 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/gen_glue.c: new file. generates 2int and int2 functions
-	and units for bit strings.
-
-	* admin/util.c: flags2int, int2flags, and flag_units are now
- 	generated by asn1_compile
-
-	* lib/roken/parse_units.c: generalised `parse_units' and
- 	`unparse_units' and added new functions `parse_flags' and
- 	`unparse_flags' that use these
-
-	* lib/krb5/krb5_locl.h: moved krb5_data* functions to krb5.h
-
-	* admin/util.c: Use {un,}parse_flags for printing and parsing
- 	hdbflags.
-
-Thu Aug 28 03:26:12 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_addrs.c: restructured
-
-	* lib/krb5/warn.c (_warnerr): leak less memory
-
-	* lib/hdb/hdb.c (hdb_free_entry): zero keys
-	(hdb_check_db_format): leak less memory
-
-	* lib/hdb/ndbm.c (NDBM_seq): check for valid hdb_entries implement
- 	NDBM__get, NDBM__put
-
-	* lib/hdb/db.c (DB_seq): check for valid hdb_entries
-
-Thu Aug 28 02:06:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/send_to_kdc.c: Don't use sendto on connected sockets.
-
-Thu Aug 28 01:13:17 1997  Assar Westerlund  <assar@sics.se>
-
-	* kuser/kinit.1, klist.1, kdestroy.1: new man pages
-
-	* kpasswd/kpasswd.1, kpasswdd.8: new man pages
-
-	* kdc/kstash.8, hprop.8, hpropd.8: new man pages
-
-	* admin/ktutil.8, admin/kdb_edit.8: new man pages
-
-	* admin/mod.c: new file
-
-	* admin/life.c: renamed gettime and puttime to getlife and putlife
-	and moved them to life.c
-
-	* admin/util.c: add print_flags, parse_flags, init_entry,
- 	set_created_by, set_modified_by, edit_entry, set_password.  Use
- 	them.
-
-	* admin/get.c: use print_flags
-
-	* admin: removed unused stuff.  use krb5_{warn,err}*
-
-	* admin/ank.c: re-organized and abstracted.
-
-	* admin/gettime.c: removed
-
-Thu Aug 28 00:37:39 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/{get_cred,get_in_tkt}.c: Check for v4 reply.
-
-	* lib/roken/base64.c: Add base64 functions.
-
-	* kdc/connect.c lib/krb5/send_to_kdc.c: Add http support.
-
-Wed Aug 27 00:29:20 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* include/Makefile.am: Don't make links to built files.
-
-	* admin/kdb_edit.c: Add command to set the database path.
-
-	* lib/hdb: Include version number in database.
-
-Tue Aug 26 20:14:54 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* admin/ktutil: Merged v4 srvtab conversion.
-
-Mon Aug 25 23:02:18 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/roken/roken.h: add F_OK
-
-	* lib/gssapi/acquire_creds.c: fix typo
-
-	* configure.in: call AC_TYPE_MODE_T
-
-	* acinclude.m4: Add AC_TYPE_MODE_T
-
-Sun Aug 24 16:46:53 1997  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.0f
-
-Sun Aug 24 08:06:54 1997  Assar Westerlund  <assar@sics.se>
-
-	* appl/popper/pop_pass.c: log poppers
-
-	* kdc/kaserver.c: some more checks
-
-	* kpasswd/kpasswd.c: removed `-p'
-
-	* kuser/kinit.c: removed `-p'
-
-	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): If
- 	KDC_ERR_PREUATH_REQUIRED, add preauthentication and try again.
-
-	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): don't print out
- 	krb-error text
-
-	* lib/gssapi/import_name.c (input_name): more names types.
-
-	* admin/load.c (parse_keys): handle the case of an empty salt
-
-	* kdc/kaserver.c: fix up memory deallocation
-
-	* kdc/kaserver.c: quick hack at talking kaserver protocol
-
-	* kdc/kerberos4.c: Make `db-fetch4' global
-
-	* configure.in: add --enable-kaserver
-
-	* kdc/rx.h, kdc/kerberos4.h: new header files
-
-	* lib/krb5/principal.c: fix krb5_build_principal_ext & c:o
-
-Sun Aug 24 03:52:44 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/{get_in_tkt,mk_safe,mk_priv}.c: Fix some Cray specific
- 	type conflicts.
-
-	* lib/krb5/{get_cred,get_in_tkt}.c: Mask nonce to 32 bits.
-
-	* lib/des/{md4,md5,sha}.c: Now works on Crays.
-
-Sat Aug 23 18:15:01 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* appl/afsutil/afslog.c: If no cells or files specified, get
- 	tokens for all local cells. Better test for files.
-
-Thu Aug 21 23:33:38 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/gssapi/v1.c: new file with v1 compatibility functions.
-
-Thu Aug 21 20:36:13 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/kafs/afskrb5.c: Don't check ticket file for afs ticket.
-
-	* kdc/kerberos4.c: Check database when converting v4 principals.
-
-	* kdc/kerberos5.c: Include kvno in Ticket.
-
-	* lib/krb5/encrypt.c: Add kvno parameter to encrypt_EncryptedData.
-
-	* kuser/klist.c: Print version number of ticket, include more
- 	flags.
-
-Wed Aug 20 21:26:58 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/kafs/afskrb5.c (get_cred): Check cached afs tickets for
- 	expiration.
-
-Wed Aug 20 17:40:31 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/recvauth.c (krb5_recvauth): Send a KRB-ERROR iff
- 	there's an error.
-
-	* lib/krb5/sendauth.c (krb5_sendauth): correct the protocol
- 	documentation and process KRB-ERROR's
-
-Tue Aug 19 20:41:30 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/kerberos4.c: Fix memory leak in v4 protocol handler.
-
-Mon Aug 18 05:15:09 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/gssapi/accept_sec_context.c: Added
- 	`gsskrb5_register_acceptor_identity'
-
-Sun Aug 17 01:40:20 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/gssapi/accept_sec_context.c (gss_accept_sec_context): don't
- 	always pass server == NULL to krb5_rd_req.
-
-	* lib/gssapi: new files: canonicalize_name.c export_name.c
- 	context_time.c compare_name.c release_cred.c acquire_cred.c
- 	inquire_cred.c, from Luke Howard <lukeh@xedoc.com.au>
-
-	* lib/krb5/config_file.c: Add netinfo support from Luke Howard
- 	<lukeh@xedoc.com.au>
-
-	* lib/editline/sysunix.c: sgtty-support from Luke Howard
- 	<lukeh@xedoc.com.au>
-
-	* lib/krb5/principal.c: krb5_sname_to_principal fix from Luke
- 	Howard <lukeh@xedoc.com.au>
-
-Sat Aug 16 00:44:47 1997  Assar Westerlund  <assar@koi.pdc.kth.se>
-
-	* Release 0.0e
-
-Sat Aug 16 00:23:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* appl/afsutil/afslog.c: Use new libkafs.
-
-	* lib/kafs/afskrb5.c: Get AFS tokens via 524 protocol.
-
-	* lib/krb5/warn.c: Fix format string for *x type.
-
-Fri Aug 15 22:15:01 1997  Assar Westerlund  <assar@sics.se>
-
-	* admin/get.c (get_entry): print more information about the entry
-
-	* lib/des/Makefile.am: build destest, mdtest, des, rpw, speed
-
-	* lib/krb5/config_file.c: new functions `krb5_config_get_time' and
- 	`krb5_config_vget_time'.  Use them.
-
-Fri Aug 15 00:09:37 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* admin/ktutil.c: Keytab manipulation program.
-
-	* lib/krb5/keytab.c: Return sane values from resolve and
- 	start_seq_get.
-
-	* kdc/kerberos5.c: Fix for old clients passing 0 for `no endtime'.
-
-	* lib/45/get_ad_tkt.c: Kerberos 4 get_ad_tkt using
- 	krb524_convert_creds_kdc.
-
-	* lib/krb5/convert_creds.c: Implementation of
- 	krb524_convert_creds_kdc.
-
-	* lib/asn1/k5.asn1: Make kdc-req-body.till OPTIONAL
-
-	* kdc/524.c: A somewhat working 524-protocol module.
-
-	* kdc/kerberos4.c: Add version 4 ticket encoding and encryption
- 	functions.
-
-	* lib/krb5/context.c: Fix kdc_timeout.
-
-	* lib/hdb/{ndbm,db}.c: Free name in close.
-
-	* kdc/kerberos5.c (tgs_check_autenticator): Return error code
-
-Thu Aug 14 21:29:03 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/kerberos5.c (tgs_make_reply): Fix endtime in reply.
-
-	* lib/krb5/store_emem.c: Fix reallocation bug.
-
-Tue Aug 12 01:29:46 1997  Assar Westerlund  <assar@sics.se>
-
-	* appl/telnet/libtelnet/kerberos5.c, appl/popper/pop_init.c: Use
- 	`krb5_sock_to_principal'.  Send server parameter to
- 	krb5_rd_req/krb5_recvauth.  Set addresses in auth_context.
-
-	* lib/krb5/recvauth.c: Set addresses in auth_context if there
- 	aren't any
-
-	* lib/krb5/auth_context.c: New function
- 	`krb5_auth_con_setaddrs_from_fd'
-
-	* lib/krb5/sock_principal.c: new function
-	`krb5_sock_to_principal'
-	
-	* lib/krb5/time.c: new file with `krb5_timeofday' and
- 	`krb5_us_timeofday'.  Use these functions.
-
-	* kuser/klist.c: print KDC offset iff verbose
-
-	* lib/krb5/get_in_tkt.c: implement KDC time offset and use it if
- 	[libdefaults]kdc_timesync is set.
-	
-	* lib/krb5/fcache.c: Implement version 4 of the ccache format.
-
-Mon Aug 11 05:34:43 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/rd_rep.c (krb5_free_ap_rep_enc_part): free all memory
-
-	* lib/krb5/principal.c (krb5_unparse_name): allocate memory
- 	properly
-
-	* kpasswd/kpasswd.c: Use `krb5_change_password'
-
-	* lib/krb5/init_creds_pw.c (init_cred): set realm of server
- 	correctly.
-
-	* lib/krb5/init_creds_pw.c: support changing of password when it
- 	has expired
-
-	* lib/krb5/changepw.c: new file
-
-	* kuser/klist.c: use getarg
-
-	* admin/init.c (init): add `kadmin/changepw'
-
-Mon Aug 11 04:30:47 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/get_cred.c: Make get_credentials handle cross-realm.
-
-Mon Aug 11 00:03:24 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/config_file.c: implement support for #-comments
-
-Sat Aug  9 02:21:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/hprop*.c: Add database propagation programs.
-
-	* kdc/connect.c: Max request size.
-
-Sat Aug  9 00:47:28 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/otp: resurrected from krb4
-
-	* appl/push: new program for fetching mail with POP.
-
-	* appl/popper/popper.h: new include files.  new fields in `POP'
-
-	* appl/popper/pop_pass.c: Implement both v4 and v5.
-
-	* appl/popper/pop_init.c: Implement both v4 and v5.
-
-	* appl/popper/pop_debug.c: use getarg.  Talk both v4 and v5
-
-	* appl/popper: Popper from krb4.
-
-	* configure.in: check for inline and <netinet/tcp.h> generate
- 	files in appl/popper, appl/push, and lib/otp
-
-Fri Aug  8 05:51:02 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_cred.c: clean-up and try to free memory even when
- 	there're errors
-
-	* lib/krb5/get_cred.c: adapt to new `extract_ticket'
-
-	* lib/krb5/get_in_tkt.c: reorganize.  check everything and try to
- 	return memory even if there are errors.
-
-	* kuser/kverify.c: new file
-
-	* lib/krb5/free_host_realm.c: new file
-
-	* lib/krb5/principal.c (krb5_sname_to_principal): implement
- 	different nametypes.  Also free memory.
-
-	* lib/krb5/verify_init.c: more functionality
-
-	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): free the checksum
-
-	* lib/krb5/get_in_tkt.c (extract_ticket): don't copy over the
- 	principals in creds.  Should also compare them with that received
- 	from the KDC
-
-	* lib/krb5/cache.c (krb5_cc_gen_new): copy the newly allocated
- 	krb5_ccache
-	(krb5_cc_destroy): call krb5_cc_close
-	(krb5_cc_retrieve_cred): delete the unused creds
-
-Fri Aug  8 02:30:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/log.c: Allow better control of destinations of logging
- 	(like passing explicit destinations, and log-functions).
-
-Fri Aug  8 01:20:39 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_default_principal.c: new file
-
-	* kpasswd/kpasswdd.c: use krb5_log*
-
-Fri Aug  8 00:37:47 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/init_creds_pw.c: Implement krb5_get_init_creds_keytab.
-
-Fri Aug  8 00:37:17 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/init_creds_pw.c: Use `krb5_get_default_principal'.
-  	Print password expire information.
-
-	* kdc/config.c: new variable `kdc_warn_pwexpire'
-
-	* kpasswd/kpasswd.c: converted to getarg and get_init_creds
-
-Thu Aug  7 22:17:09 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/mcache.c: new file
-
-	* admin/gettime.c: new function puttime.  Use it.
-
-	* lib/krb5/keyblock.c: Added krb5_free_keyblock and
- 	krb5_copy_keyblock
-
-	* lib/krb5/init_creds_pw.c: more functionality
-
-	* lib/krb5/creds.c: Added krb5_free_creds_contents and
- 	krb5_copy_creds.  Changed callers.
-
-	* lib/krb5/config_file.c: new functions krb5_config_get and
- 	krb5_config_vget
-
-	* lib/krb5/cache.c: cleanup added mcache
-	
-	* kdc/kerberos5.c: include last-req's of type 6 and 7, if
- 	applicable
-
-Wed Aug  6 20:38:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/log.c: New parameter `log-level'. Default to `SYSLOG'.
-
-Tue Aug  5 22:53:54 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/verify_init.c, init_creds_pw.c, init_creds.c,
-	prompter_posix.c: the beginning of an implementation of the cygnus
-	initial-ticket API.
-
-	* lib/krb5/get_in_tkt_pw.c: make `krb5_password_key_proc' global
-
-	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): new function that is
- 	almost krb5_get_in_tkt but doesn't write the creds to the ccache.
-  	Small fixes in krb5_get_in_tkt
-
-	* lib/krb5/get_addrs.c (krb5_get_all_client_addrs): don't include
- 	loopback.
-
-Mon Aug  4 20:20:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc: Make context global.
-
-Fri Aug  1 17:23:56 1997  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.0d
-
-	* lib/roken/flock.c: new file
-
-	* kuser/kinit.c: check for and print expiry information in the
- 	`kdc_rep'
-
-	* lib/krb5/get_in_tkt.c: Set `ret_as_reply' if != NULL
-
-	* kdc/kerberos5.c: Check the valid times on client and server.
-  	Check the password expiration.
-	Check the require_preauth flag.
-  	Send an lr_type == 6 with pw_end.
-	Set key.expiration to min(valid_end, pw_end)
-	
-	* lib/hdb/hdb.asn1: new flags `require_preauth' and `change_pw'
-
-	* admin/util.c, admin/load.c: handle the new flags.
-
-Fri Aug  1 16:56:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/hdb: Add some simple locking.
-
-Sun Jul 27 04:44:31 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/log.c: Add some general logging functions.
-
-	* kdc/kerberos4.c: Add version 4 protocol handler. The requrement
- 	for this to work is that all involved principals has a des key in
- 	the database, and that the client has a version 4 (un-)salted
- 	key. Furthermore krb5_425_conv_principal has to do it's job, as
- 	present it's not very clever.
-
-	* lib/krb5/principal.c: Quick patch to make 425_conv work
- 	somewhat.
-
-	* lib/hdb/hdb.c: Add keytype->key and next key functions.
-
-Fri Jul 25 17:32:12 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/build_auth.c (krb5_build_authenticator): don't free
- 	`cksum'.  It's allocated and freed by the caller
-
-	* lib/krb5/get_cred.c (krb5_get_kdc_cred): Don't free `addresses'.
-
-	* kdc/kerberos5.c (tgs_rep2): make sure we also have an defined
- 	`client' to return as part of the KRB-ERROR
-
-Thu Jul 24 08:13:59 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/kerberos5.c: Unseal keys from database before use.
-
-	* kdc/misc.c: New functions set_master_key, unseal_key and
- 	free_key.
-
-	* lib/roken/getarg.c: Handle `-f arg' correctly.
-
-Thu Jul 24 01:54:43 1997  Assar Westerlund  <assar@sics.se>
-
-	* kuser/kinit.c: implement `-l' aka `--lifetime'
-
-	* lib/roken/parse_units.c, parse_time.c: new files
-
-	* admin/gettime.c (gettime): use `parse_time'
-
-	* kdc/kerberos5.c (as_rep): Use `METHOD-DATA' when sending
- 	KRB5KDC_ERR_PREAUTH_REQUIRED, not PA-DATA.
-
-	* kpasswd/kpasswdd.c: fix freeing bug use sequence numbers set
- 	addresses in auth_context bind one socket per interface.
-	
-	* kpasswd/kpasswd.c: use sequence numbers
-
-	* lib/krb5/rd_req.c (krb5_verify_ap_req): do abs when verifying
- 	the timestamps
-
-	* lib/krb5/rd_priv.c (krb5_rd_priv): Fetch the correct session key
- 	from auth_context
-
-	* lib/krb5/mk_priv.c (krb5_mk_priv): Fetch the correct session key
- 	from auth_context
-
-	* lib/krb5/mk_error.c (krb5_mk_error): return an error number and
- 	not a comerr'd number.
-
-	* lib/krb5/get_in_tkt.c (krb5_get_in_tkt): interpret the error
- 	number in KRB-ERROR correctly.
-
-	* lib/krb5/get_cred.c (krb5_get_kdc_cred): interpret the error
- 	number in KRB-ERROR correctly.
-
-	* lib/asn1/k5.asn1: Add `METHOD-DATA'
-
-	* removed some memory leaks.
-
-Wed Jul 23 07:53:18 1997  Assar Westerlund  <assar@sics.se>
-
-	* Release 0.0c
-
-	* lib/krb5/rd_cred.c, get_for_creds.c: new files
-
-	* lib/krb5/get_host_realm.c: try default realm as last chance
-
-	* kpasswd/kpasswdd.c: updated to hdb changes
-
-	* appl/telnet/libtelnet/kerberos5.c: Implement forwarding
-
-	* appl/telnet/libtelnet: removed totally unused files
-
-	* admin/ank.c: fix prompts and generation of random keys
-
-Wed Jul 23 04:02:32 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* admin/dump.c: Include salt in dump.
-
-	* admin: Mostly updated for new db-format.
-
-	* kdc/kerberos5.c: Update to use new db format. Better checking of
- 	flags and such. More logging.
-
-	* lib/hdb/hdb.c: Use generated encode and decode functions.
-
-	* lib/hdb/hdb.h: Get hdb_entry from ASN.1 generated code.
-
-	* lib/krb5/get_cred.c: Get addresses from krbtgt if there are none
- 	in the reply.
-
-Sun Jul 20 16:22:30 1997  Assar Westerlund  <assar@sics.se>
-
-	* kuser/kinit.c: break if des_read_pw_string() != 0
-
-	* kpasswd/kpasswdd.c: send a reply
-
-	* kpasswd/kpasswd.c: restructured code.  better report on
- 	krb-error break if des_read_pw_string() != 0
-
-	* kdc/kerberos5.c: Check `require_enc_timestamp' malloc space for
- 	starttime and renew_till
-
-	* appl/telnet/libtelnet/kerberos5.c (kerberos5_is): Send a
- 	keyblock to krb5_verify_chekcsum
-
-Sun Jul 20 06:35:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* Release 0.0b
-
-	* kpasswd/kpasswd.c: Avoid using non-standard struct names.
-
-Sat Jul 19 19:26:23 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/keytab.c (krb5_kt_get_entry): check return from
- 	`krb5_kt_start_seq_get'.  From <map@stacken.kth.se>
-
-Sat Jul 19 04:07:39 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/asn1/k5.asn1: Update with more pa-data types from
- 	draft-ietf-cat-kerberos-revisions-00.txt
-
-	* admin/load.c: Update to match current db-format.
-
-	* kdc/kerberos5.c (as_rep): Try all valid pa-datas before giving
- 	up. Send back an empty pa-data if the client has the v4 flag set.
-
-	* lib/krb5/get_in_tkt.c: Pass both version5 and version4 salted
- 	pa-data. DTRT if there is any pa-data in the reply.
-
-	* lib/krb5/str2key.c: XOR with some sane value.
-
-	* lib/hdb/hdb.h: Add `version 4 salted key' flag.
-
-	* kuser/kinit.c: Ask for password before calling get_in_tkt. This
- 	makes it possible to call key_proc more than once.
-
-	* kdc/string2key.c: Add flags to output version 5 (DES only),
- 	version 4, and AFS string-to-key of a password.
-
-	* lib/asn1/gen_copy.c: copy_* functions now returns an int (0 or
- 	ENOMEM).
-
-Fri Jul 18 02:54:58 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_host_realm.c (krb5_get_host_realm): do the
- 	name2name thing
-
-	* kdc/misc.c: check result of hdb_open
-
-	* admin/kdb_edit: updated to new sl
-
-	* lib/sl: sl_func now returns an int. != 0 means to exit.
-
-	* kpasswd/kpasswdd: A crude (but somewhat working) implementation
- 	of `draft-ietf-cat-kerb-chg-password-00.txt'
-
-Fri Jul 18 00:55:39 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* kuser/krenew.c: Crude ticket renewing program.
-
-	* kdc/kerberos5.c: Rewritten flags parsing, it now might work to
- 	get forwarded and renewed tickets.
-
-	* kuser/kinit.c: Add `-r' flag.
-
-	* lib/krb5/get_cred.c: Move most of contents of get_creds to new
- 	function get_kdc_cred, that always contacts the kdc and doesn't
- 	save in the cache. This is a hack.
-
-	* lib/krb5/get_in_tkt.c: Pass starttime and renew_till in request
- 	(a bit kludgy).
-
-	* lib/krb5/mk_req_ext.c: Make an auth_context if none passed in.
-
-	* lib/krb5/send_to_kdc.c: Get timeout from context.
-
-	* lib/krb5/context.c: Add kdc_timeout to context struct.
-
-Thu Jul 17 20:35:45 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* kuser/klist.c: Print start time of ticket if available.
-
-	* lib/krb5/get_host_realm.c: Return error if no realm was found.
-
-Thu Jul 17 20:28:21 1997  Assar Westerlund  <assar@sics.se>
-
-	* kpasswd: non-working kpasswd added
-
-Thu Jul 17 00:21:22 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* Release 0.0a
-
-	* kdc/main.c: Add -p flag to disable pa-enc-timestamp requirement.
-
-Wed Jul 16 03:37:41 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/kerberos5.c (tgs_rep2): Free ticket and ap_req.
-
-	* lib/krb5/auth_context.c (krb5_auth_con_free): Free remote
- 	subkey.
-
-	* lib/krb5/principal.c (krb5_free_principal): Check for NULL.
-
-	* lib/krb5/send_to_kdc.c: Check for NULL return from
- 	gethostbyname.
-
-	* lib/krb5/set_default_realm.c: Try to get realm of local host if
- 	no default realm is available.
-
-	* Remove non ASN.1 principal code.
-
-Wed Jul 16 03:17:30 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* kdc/kerberos5.c: Split tgs_rep in smaller functions. Add better
- 	error handing. Do some logging.
-
-	* kdc/log.c: Some simple logging facilities.
-
-	* kdc/misc.c (db_fetch): Take a krb5_principal.
-
-	* kdc/connect.c: Pass address of request to as_rep and
- 	tgs_rep. Send KRB-ERROR.
-
-	* lib/krb5/mk_error.c: Add more fields.
-
-	* lib/krb5/get_cred.c: Print normal error code if no e_text is
- 	available.
-
-Wed Jul 16 03:07:50 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_in_tkt.c: implement `krb5_init_etype'.
- 	Change encryption type of pa_enc_timestamp to DES-CBC-MD5
-
-	* lib/krb5/context.c: recognize all encryption types actually
- 	implemented
-
-	* lib/krb5/auth_context.c (krb5_auth_con_init): Change default
- 	encryption type to `DES_CBC_MD5'
-
-	*  lib/krb5/read_message.c, write_message.c: new files
-
-Tue Jul 15 17:14:21 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1: replaced asn1_locl.h by `der_locl.h' and `gen_locl.h'.
-
-	* lib/error/compile_et.awk: generate a prototype for the
- 	`destroy_foo_error_table' function.
-
-Mon Jul 14 12:24:40 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/krbhst.c (krb5_get_krbhst): Get all kdc's and try also
- 	with `kerberos.REALM'
-
-	* kdc/kerberos5.c, lib/krb5/rd_priv.c, lib/krb5/rd_safe.c: use
- 	`max_skew'
-
-	* lib/krb5/rd_req.c (krb5_verify_ap_req): record authenticator
- 	subkey
-
-	* lib/krb5/build_auth.c (krb5_build_authenticator): always
- 	generate a subkey.
-
-	* lib/krb5/address.c: implement `krb5_address_order'
-
-	* lib/gssapi/import_name.c: Implement `gss_import_name'
-
-	* lib/gssapi/external.c: Use new OID
-
-	* lib/gssapi/encapsulate.c: New functions
- 	`gssapi_krb5_encap_length' and `gssapi_krb5_make_header'.  Changed
-	callers.
-
-	* lib/gssapi/decapsulate.c: New function
- 	`gssaspi_krb5_verify_header'.  Changed callers.
-
-	* lib/asn1/gen*.c: Give tags to generated structs.
-	Use `err' and `asprintf'
-
-	* appl/test/gss_common.c: new file
-
-	* appl/test/gssapi_server.c: removed all krb5 calls
-
-	* appl/telnet/libtelnet/kerberos5.c: Add support for genering and
- 	verifying checksums.  Also start using session subkeys.
-
-Mon Jul 14 12:08:25 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/rd_req.c (krb5_rd_req_with_keyblock): Split up.
-
-Sun Jul 13 03:07:44 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/rd_safe.c, mk_safe.c: made bug-compatible with MIT
-
-	* lib/krb5/encrypt.c: new functions `DES_encrypt_null_ivec' and
- 	`DES_encrypt_key_ivec'
-
-	* lib/krb5/checksum.c: implement rsa-md4-des and rsa-md5-des
-
-	* kdc/kerberos5.c (tgs_rep): support keyed checksums
-
-	* lib/krb5/creds.c: new file
-
-	* lib/krb5/get_in_tkt.c: better freeing
-
-	* lib/krb5/context.c (krb5_free_context): more freeing
-
-	* lib/krb5/config_file.c: New function `krb5_config_file_free'
-
-	* lib/error/compile_et.awk: Generate a `destroy_' function.
-
-	* kuser/kinit.c, klist.c: Don't leak memory.
-
-Sun Jul 13 02:46:27 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kdc/connect.c: Check filedescriptor in select.
-
-	* kdc/kerberos5.c: Remove most of the most common memory leaks.
-
-	* lib/krb5/rd_req.c: Free allocated data.
-
-	* lib/krb5/auth_context.c (krb5_auth_con_free): Free a lot of
- 	fields.
-
-Sun Jul 13 00:32:16 1997  Assar Westerlund  <assar@sics.se>
-
-	* appl/telnet: Conditionalize the krb4-support.
-
-	* configure.in: Test for krb4
-
-Sat Jul 12 17:14:12 1997  Assar Westerlund  <assar@sics.se>
-
-	* kdc/kerberos5.c: check if the pre-auth was decrypted properly.
-  	set the `pre_authent' flag
-
-	* lib/krb5/get_cred.c, lib/krb5/get_in_tkt.c: generate a random nonce.
-
-	* lib/krb5/encrypt.c: Made `generate_random_block' global.
-
-	* appl/test: Added gssapi_client and gssapi_server.
-
-	* lib/krb5/data.c: Add `krb5_data_zero'
-
-	* appl/test/tcp_client.c: try `mk_safe' and `mk_priv'
-
-	* appl/test/tcp_server.c: try `rd_safe' and `rd_priv'
-
-Sat Jul 12 16:45:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/get_addrs.c: Fix for systems that has sa_len, but
- 	returns zero length from SIOCGIFCONF.
-
-Sat Jul 12 16:38:34 1997  Assar Westerlund  <assar@sics.se>
-
-	* appl/test: new programs
-	
-	* lib/krb5/rd_req.c: add address compare
-
-	* lib/krb5/mk_req_ext.c: allow no checksum
-
-	* lib/krb5/keytab.c (krb5_kt_ret_string): 0-terminate string
-
-	* lib/krb5/address.c: fix `krb5_address_compare'
-
-Sat Jul 12 15:03:16 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/get_addrs.c: Fix ip4 address extraction.
-
-	* kuser/klist.c: Add verbose flag, and split main into smaller
- 	pieces.
-
-	* lib/krb5/fcache.c: Save ticket flags.
-
-	* lib/krb5/get_in_tkt.c (extract_ticket): Extract addresses and
- 	flags.
-
-	* lib/krb5/krb5.h: Add ticket_flags to krb5_creds.
-
-Sat Jul 12 13:12:48 1997  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: Call `AC_KRB_PROG_LN_S'
-
-	* acinclude.m4: Add `AC_KRB_PROG_LN_S' from krb4
-
-Sat Jul 12 00:57:01 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/get_in_tkt.c: Use union of krb5_flags and KDCOptions to
- 	pass options.
-
-Fri Jul 11 15:04:22 1997  Assar Westerlund  <assar@sics.se>
-
-	* appl/telnet: telnet & telnetd seems to be working.
-	
-	* lib/krb5/config_file.c: Added krb5_config_v?get_list Fixed
- 	krb5_config_vget_next
-
-	* appl/telnet/libtelnet/kerberos5.c: update to current API
-
-Thu Jul 10 14:54:39 1997  Assar Westerlund  <assar@sics.se>
-
-	* appl/telnet/libtelnet/kerberos5.c (kerberos5_status): call
- 	`krb5_kuserok'
-
-	* appl/telnet: Added.
-
-Thu Jul 10 05:09:25 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/error/compile_et.awk: Remove usage of sub, gsub, and
- 	functions for compatibility with awk.
-
-	* include/bits.c: Must use signed char.
-
-	* lib/krb5/context.c: Move krb5_get_err_text, and krb5_init_ets
- 	here.
-
-	* lib/error/error.c: Replace krb5_get_err_text with new function
- 	com_right.
-
-	* lib/error/compile_et.awk: Avoid using static variables.
-
-	* lib/error/error.c: Don't use krb5_locl.h
-
-	* lib/error/error.h: Move definitions of error_table and
- 	error_list from krb5.h.
-
-	* lib/error: Moved from lib/krb5.
-
-Wed Jul  9 07:42:04 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/encrypt.c: Temporary hack to avoid des_rand_data.
-
-Wed Jul  9 06:58:00 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/{rd,mk}_{*}.c: more checking for addresses and stuff
-	according to pseudocode from 1510
-
-Wed Jul  9 06:06:06 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/hdb/hdb.c: Add hdb_etype2key.
-
-	* kdc/kerberos5.c: Check authenticator. Use more general etype
- 	functions.
-	
-Wed Jul  9 03:51:12 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/k5.asn1: Made all `s_address' OPTIONAL according to
- 	draft-ietf-cat-kerberos-r-00.txt
-
-	* lib/krb5/principal.c (krb5_parse_name): default to local realm
- 	if none given
-	
-	* kuser/kinit.c: New option `-p' and prompt
-
-Wed Jul  9 02:30:06 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/keyblock.c: Keyblock generation functions.
-
-	* lib/krb5/encrypt.c: Use functions from checksum.c.
-
-	* lib/krb5/checksum.c: Move checksum functions here. Add
- 	krb5_cksumsize function.
-
-Wed Jul  9 01:15:38 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/get_host_realm.c: implemented
-
-	* lib/krb5/config_file.c: Redid part.  New functions:
- 	krb5_config_v?get_next
-
-	* kuser/kdestroy.c: new program
-
-	* kuser/kinit.c: new flag `-f'
-
-	* lib/asn1/k5.asn1: Made HostAddresses = SEQUENCE OF HostAddress
-
-	* acinclude.m4: Added AC_KRB_STRUCT_SOCKADDR_SA_LEN
-
-	* lib/krb5/krb5.h: krb5_addresses == HostAddresses.  Changed all
- 	users.
-
-	* lib/krb5/get_addrs.c: figure out all local addresses, possibly
- 	even IPv6!
-
-	* lib/krb5/checksum.c: table-driven checksum
-
-Mon Jul  7 21:13:28 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/encrypt.c: Make krb5_decrypt use the same struct as
- 	krb5_encrypt.
-
-Mon Jul  7 11:15:51 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/roken/vsyslog.c: new file
-
-	* lib/krb5/encrypt.c: add des-cbc-md4.
-	adjust krb5_encrypt and krb5_decrypt to reality
-
-Mon Jul  7 02:46:31 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/encrypt.c: Implement as a vector of function pointers.
-
-	* lib/krb5/{decrypt,encrypt}.c: Implement des-cbc-crc, and
- 	des-cbc-md5 in separate functions.
-
-	* lib/krb5/krb5.h: Add more checksum and encryption types.
-
-	* lib/krb5/krb5_locl.h: Add etype to krb5_decrypt.
-
-Sun Jul  6 23:02:59 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/[gs]et_default_realm.c, kuserok.c: new files
-
-	* lib/krb5/config_file.[ch]: new c-based configuration reading
- 	stuff
-
-Wed Jul  2 23:12:56 1997  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: Set WFLAGS if using gcc
-
-Wed Jul  2 17:47:03 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/asn1/der_put.c (der_put_int): Return size correctly.
-
-	* admin/ank.c: Be compatible with the asn1 principal format.
-
-Wed Jul  1 23:52:20 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/asn1: Now all decode_* and encode_* functions now take a
- 	final size_t* argument, that they return the size in. Return
- 	values are zero for success, and anything else (such as some
- 	ASN1_* constant) for error.
-
-Mon Jun 30 06:08:14 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/keytab.c (krb5_kt_add_entry): change open mode to
- 	O_WRONLY | O_APPEND
-
-	* lib/krb5/get_cred.c: removed stale prototype for
- 	`extract_ticket' and corrected call.
-
-	* lib/asn1/gen_length.c (length_type): Make the length functions
- 	for SequenceOf non-destructive
-
-	* admin/ank.c (doit): Fix reading of `y/n'.
-
-Mon Jun 16 05:41:43 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/gssapi/wrap.c, unwrap.c: do encrypt and add sequence number
-
-	* lib/gssapi/get_mic.c, verify_mic.c: Add sequence number.
-
-	* lib/gssapi/accept_sec_context.c (gss_accept_sec_context): Set
- 	KRB5_AUTH_CONTEXT_DO_SEQUENCE.  Verify 8003 checksum.
-
-	* lib/gssapi/8003.c: New file.
-
-	* lib/krb/krb5.h: Define a `krb_authenticator' as an ASN.1
- 	Authenticator.
-
-	* lib/krb5/auth_context.c: New functions
- 	`krb5_auth_setlocalseqnumber' and `krb5_auth_setremoteseqnumber'
-
-Tue Jun 10 00:35:54 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5: Preapre for use of some asn1-types.
-
-	* lib/asn1/*.c (copy_*): Constness.
-
-	* lib/krb5/krb5.h: Include asn1.h; krb5_data is now an
- 	octet_string.
-
-	* lib/asn1/der*,gen.c: krb5_data -> octet_string, char * ->
- 	general_string
-
-	* lib/asn1/libasn1.h: Moved stuff from asn1_locl.h that doesn't
- 	have anything to do with asn1_compile.
-
-	* lib/asn1/asn1_locl.h: Remove der.h. Add some prototypes.
-
-Sun Jun  8 03:51:55 1997  Assar Westerlund  <assar@sics.se>
-
-	* kdc/kerberos5.c: Fix PA-ENC-TS-ENC
-
- 	* kdc/connect.c(process_request): Set `new'
-	
-	* lib/krb5/get_in_tkt.c: Do PA-ENC-TS-ENC the correct way.
-
-	* lib: Added editline,sl,roken.
-
-Mon Jun  2 00:37:48 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/fcache.c: Move file cache from cache.c.
-
-	* lib/krb5/cache.c: Allow more than one cache type.
-
-Sun Jun  1 23:45:33 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* admin/extkeytab.c: Merged with kdb_edit.
-
-Sun Jun  1 23:23:08 1997  Assar Westerlund  <assar@sics.se>
-
-	* kdc/kdc.c: more support for ENC-TS-ENC
-
-	* lib/krb5/get_in_tkt.c: redone to enable pre-authentication
-
-Sun Jun  1 22:45:11 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/hdb/db.c: Merge fetch and store.
-
-	* admin: Merge to one program.
-
-	* lib/krb5/str2key.c: Fill in keytype and length.
-
-Sun Jun  1 16:31:23 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/rd_safe.c, lib/krb5/rd_priv.c, lib/krb5/mk_rep.c,
- 	lib/krb5/mk_priv.c, lib/krb5/build_auth.c: Some support for
- 	KRB5_AUTH_CONTEXT_DO_SEQUENCE
-
-	* lib/krb5/get_in_tkt.c (get_in_tkt): be prepared to parse an
- 	KRB_ERROR.  Some support for PA_ENC_TS_ENC.
-
-	* lib/krb5/auth_context.c: implemented seq_number functions
-
-	* lib/krb5/generate_subkey.c, generate_seq_number.c: new files
-
-	* lib/gssapi/gssapi.h: avoid including <krb5.h>
-
-	* lib/asn1/Makefile.am: SUFFIXES as a variable to make automake
- 	happy
-
-	* kdc/kdc.c: preliminary PREAUTH_ENC_TIMESTAMP
-
-	* configure.in: adapted to automake 1.1p
-
-Mon May 26 22:26:21 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/principal.c: Add contexts to many functions.
-
-Thu May 15 20:25:37 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/verify_user.c: First stab at a verify user.
-
-	* lib/auth/sia/sia5.c: SIA module for Kerberos 5.
-
-Mon Apr 14 00:09:03 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/gssapi: Enough of a gssapi-over-krb5 implementation to be
-	able to (mostly) run gss-client and gss-server.
-	
-	* lib/krb5/keytab.c: implemented krb5_kt_add_entry,
- 	krb5_kt_store_principal, krb5_kt_store_keyblock
-
-	* lib/des/md5.[ch], sha.[ch]: new files
-
-	* lib/asn1/der_get.c (generalizedtime2time): use `timegm'
-
-	* lib/asn1/timegm.c: new file
-
-	* admin/extkeytab.c: new program
-
-	* admin/admin_locl.h: new file
-
-	* admin/Makefile.am: Added extkeytab
-
-	* configure.in: moved config to include
-	removed timezone garbage
-	added lib/gssapi and admin
-
-	* Makefile.am: Added admin
-
-Mon Mar 17 11:34:05 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* kdc/kdc.c: Use new copying functions, and free some data.
-
-	* lib/asn1/Makefile.am: Try to not always rebuild generated files.
-
-	* lib/asn1/der_put.c: Add fix_dce().
-
-	* lib/asn1/der_{get,length,put}.c: Fix include files.
-
-	* lib/asn1/der_free.c: Remove unused functions.
-	
-	* lib/asn1/gen.c: Split into gen_encode, gen_decode, gen_free,
- 	gen_length, and gen_copy.
-
-Sun Mar 16 18:13:52 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/sendauth.c: implemented functionality
-
-	* lib/krb5/rd_rep.c: Use `krb5_decrypt'
-
-	* lib/krb5/cache.c (krb5_cc_get_name): return default if `id' ==
- 	NULL
-
-	* lib/krb5/principal.c (krb5_free_principal): added `context'
- 	argument.  Changed all callers.
-	
-	(krb5_sname_to_principal): new function
-
-	* lib/krb5/auth_context.c (krb5_free_authenticator): add `context'
- 	argument.  Changed all callers
-
-	* lib/krb5/{net_write.c,net_read.c,recvauth.c}: new files
-
-	* lib/asn1/gen.c: Fix encoding and decoding of BitStrings
-
-Fri Mar 14 11:29:00 1997  Assar Westerlund  <assar@sics.se>
-
-	* configure.in: look for *dbm?
-
-	* lib/asn1/gen.c: Fix filename in generated files. Check fopens.
-  	Put trailing newline in asn1_files.
-
-Fri Mar 14 05:06:44 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/get_in_tkt.c: Fix some memory leaks.
-
-	* lib/krb5/krbhst.c: Properly free hostlist.
-
-	* lib/krb5/decrypt.c: CRCs are 32 bits.
-
-Fri Mar 14 04:39:15 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/asn1/gen.c: Generate one file for each type.
-
-Fri Mar 14 04:13:47 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/gen.c: Generate `length_FOO' functions
-
-	* lib/asn1/der_length.c: new file
-
-	* kuser/klist.c: renamed stime -> printable_time to avoid conflict
- 	on HP/UX
-
-Fri Mar 14 03:37:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/hdb/ndbm.c: Return NOENTRY if fetch fails. Don't free
- 	datums. Don't add .db to filename.
-
-Fri Mar 14 02:49:51 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* kdc/dump.c: Database dump program.
-
-	* kdc/ank.c: Trivial database editing program.
-
-	* kdc/{kdc.c, load.c}: Use libhdb.
-
-	* lib/hdb: New database routine library.
-
-	* lib/krb5/error/Makefile.am: Add hdb_err.
-
-Wed Mar 12 17:41:14 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* kdc/kdc.c: Rewritten AS, and somewhat more working TGS support.
-
-	* lib/asn1/gen.c: Generate free functions.
-
-	* Some specific free functions.
-
-Wed Mar 12 12:30:13 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/krb5_mk_req_ext.c: new file
-
-	* lib/asn1/gen.c: optimize the case with a simple type
-
-	* lib/krb5/get_cred.c (krb5_get_credentials): Use
- 	`mk_req_extended' and remove old code.
-
-	* lib/krb5/get_in_tkt.c (decrypt_tkt): First try with an
- 	EncASRepPart, then with an EncTGSRepPart.
-
-Wed Mar 12 08:26:04 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/store_emem.c: New resizable memory storage.
-
-	* lib/krb5/{store.c, store_fd.c, store_mem.c}: Split of store.c
-
-	* lib/krb5/krb5.h: Add free entry to krb5_storage.
-
-	* lib/krb5/decrypt.c: Make keyblock const.
-
-Tue Mar 11 20:22:17 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/krb5.h: Add EncTicketPart to krb5_ticket.
-
-	* lib/krb5/rd_req.c: Return whole asn.1 ticket in
- 	krb5_ticket->tkt.
-
-	* lib/krb5/get_in_tkt.c: TGS -> AS
-
-	* kuser/kfoo.c: Print error string rather than number.
-
-	* kdc/kdc.c: Some kind of non-working TGS support.
-
-Mon Mar 10 01:43:22 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/asn1/gen.c: reduced generated code by 1/5
-
- 	* lib/asn1/der_put.c: (der_put_length_and_tag): new function
-
-	* lib/asn1/der_get.c (der_match_tag_and_length): new function
-
-	* lib/asn1/der.h: added prototypes
-
-Mon Mar 10 01:15:43 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/krb5.h: Include <asn1_err.h>. Add prototype for
- 	krb5_rd_req_with_keyblock.
-
-	* lib/krb5/rd_req.c: Add function krb5_rd_req_with_keyblock that
- 	takes a precomputed keyblock.
-
-	* lib/krb5/get_cred.c: Use krb5_mk_req rather than inlined code.
-
-	* lib/krb5/mk_req.c: Calculate checksum of in_data.
-
-Sun Mar  9 21:17:58 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/error/compile_et.awk: Add a declaration of struct
- 	error_list, and multiple inclusion block to header files.
-
-Sun Mar  9 21:01:12 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/rd_req.c: do some checks on times
-
-	* lib/krb/{mk_priv.c, rd_priv.c, sendauth.c, decrypt.c,
-	address.c}: new files
-
-	* lib/krb5/auth_context.c: more code
-
-	* configure.in: try to figure out timezone
-
-Sat Mar  8 11:41:07 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/error/error.c: Try strerror if error code wasn't found.
-
-	* lib/krb5/get_in_tkt.c: Remove realm parameter from
- 	krb5_get_salt.
-
-	* lib/krb5/context.c: Initialize error table.
-
-	* kdc: The beginnings of a kdc.
-
-Sat Mar  8 08:16:28 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/rd_safe.c: new file
-
-	* lib/krb5/checksum.c (krb5_verify_checksum): New function
-
-	* lib/krb5/get_cred.c: use krb5_create_checksum
-
-	* lib/krb5/checksum.c: new file
-
-	* lib/krb5/store.c: no more arithmetic with void*
-
-	* lib/krb5/cache.c: now seems to work again
-
-Sat Mar  8 06:58:09 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/Makefile.am: Add asn1_glue.c and error/*.c to libkrb5.
-
-	* lib/krb5/get_in_tkt.c: Moved some functions to asn1_glue.c.
-
-	* lib/krb5/asn1_glue.c: Moved some asn1-stuff here.
-	
-	* lib/krb5/{cache,keytab}.c: Use new storage functions.
-
-	* lib/krb5/krb5.h: Protypes for new storage functions.
-
-	* lib/krb5/krb5.h: Make krb5_{ret,store}_* functions able to write
- 	data to more than file descriptors.
-
-Sat Mar  8 01:01:17 1997  Assar Westerlund  <assar@sics.se>
-
-	* lib/krb5/encrypt.c: New file.
-
-	* lib/krb5/Makefile.am: More -I
-
-	* configure.in: Test for big endian, random, rand, setitimer
-
-	* lib/asn1/gen.c: perhaps even decodes bitstrings
-
-Thu Mar  6 19:05:29 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
-
-	* lib/krb5/config_file.y: Better return values on error.
-
-Sat Feb  8 15:59:56 1997  Assar Westerlund  <assar@pdc.kth.se>
-
-	* lib/asn1/parse.y: ifdef HAVE_STRDUP
-
-	* lib/asn1/lex.l: ifdef strdup
-	brange-dead version of list of special characters to make stupid
- 	lex accept it.
-
-	* lib/asn1/gen.c: A DER integer should really be a `unsigned'
-
-	* lib/asn1/der_put.c: A DER integer should really be a `unsigned'
-
-	* lib/asn1/der_get.c: A DER integer should really be a `unsigned'
-
-	* lib/krb5/error/Makefile.am: It seems "$(SHELL) ./compile_et" is
- 	needed.
-
-	* lib/krb/mk_rep.c, lib/krb/rd_req.c, lib/krb/store.c,
- 	lib/krb/store.h: new files.
-
-	* lib/krb5/keytab.c: now even with some functionality.
-
-	* lib/asn1/gen.c: changed paramater from void * to Foo *
-
-	* lib/asn1/der_get.c (der_get_octet_string): Fixed bug with empty
- 	string.
-
-Sun Jan 19 06:17:39 1997  Assar Westerlund  <assar@pdc.kth.se>
-
-	* lib/krb5/get_cred.c (krb5_get_credentials): Check for creds in
- 	cc before getting new ones.
-
-	* lib/krb5/krb5.h (krb5_free_keyblock): Fix prototype.
-
-	* lib/krb5/build_auth.c (krb5_build_authenticator): It seems the
- 	CRC should be stored LSW first. (?)
-
-	* lib/krb5/auth_context.c: Implement `krb5_auth_con_getkey' and
- 	`krb5_free_keyblock'
-
-	* lib/**/Makefile.am: Rename foo libfoo.a
-
-	* include/Makefile.in: Use test instead of [
-	-e does not work with /bin/sh on psoriasis
-
-	* configure.in: Search for awk
-	create lib/krb/error/compile_et
-	
-Tue Jan 14 03:46:26 1997  Assar Westerlund  <assar@pdc.kth.se>
-
-	* lib/krb5/Makefile.am: replaced mit-crc.c by crc.c
-
-Wed Dec 18 00:53:55 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* kuser/kinit.c: Guess principal.
-
-	* lib/krb5/error/compile_et.awk: Don't include krb5.h. Fix some
- 	warnings.
-
-	* lib/krb5/error/asn1_err.et: Add ASN.1 error messages.
-
-	* lib/krb5/mk_req.c: Get client from cache.
-
-	* lib/krb5/cache.c: Add better error checking some useful return
- 	values.
-
-	* lib/krb5/krb5.h: Fix krb5_auth_context.
-
-	* lib/asn1/der.h: Make krb5_data compatible with krb5.h
-
-Tue Dec 17 01:32:36 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
-
-	* lib/krb5/error: Add primitive error library.
-
-Mon Dec 16 16:30:20 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
+	* lib/krb5/appdefault.c (krb5_appdefault_string): handle NULL
+	def_val
+	(krb5_appdefault_time): new function
 
-	* lib/krb5/cache.c: Get correct address type from cache.
+2001-01-03  Assar Westerlund  <assar@sics.se>
 
-	* lib/krb5/krb5.h: Change int16 to int to be compatible with asn1.
+	* kdc/hpropd.c (main): handle EOF when reading from stdin
 
diff --git a/crypto/heimdal/ChangeLog.1998 b/crypto/heimdal/ChangeLog.1998
new file mode 100644
index 0000000..f26dba7
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.1998
@@ -0,0 +1,3201 @@
+Sat Dec  5 19:49:34 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/context.c: remove ktype_is_etype
+
+	* lib/krb5/crypto.c, lib/krb5/krb5.h, acconfig.h: NEW_DES3_CODE
+
+	* configure.in: fix for AIX install; better tests for AIX dynamic
+ 	AFS libs; `--enable-new-des3-code'
+
+Tue Dec  1 14:44:44 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* appl/afsutil/Makefile.am: link with extra libs for aix
+
+	* kuser/Makefile.am: link with extra libs for aix
+
+Sun Nov 29 01:56:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c (krb5_get_all_server_addrs): add.  almost
+ 	the same as krb5_get_all_client_addrs except that it includes
+ 	loopback addresses
+
+	* kdc/connect.c (init_socket): bind to a particular address
+	(init_sockets): get all local addresses and bind to them all
+
+	* lib/krb5/addr_families.c (addr2sockaddr, print_addr): new
+ 	methods
+	(find_af, find_atype): new functions.  use them.
+
+	* configure.in: add hesiod
+
+Wed Nov 25 11:37:48 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/krb5_err.et: add some codes from kerberos-revisions-03
+
+Mon Nov 23 12:53:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/log.c: rename delete -> remove
+
+	* lib/kadm5/delete_s.c: rename delete -> remove
+
+	* lib/hdb/common.c: rename delete -> remove
+
+Sun Nov 22 12:26:26 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: check for environ and `struct spwd'
+
+Sun Nov 22 11:42:45 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kerberos5.c (as_rep): set keytype to sess_ktype if
+ 	ktype_is_etype
+
+	* lib/krb5/encrypt.c (krb5_keytype_to_etypes): zero terminate
+ 	etypes
+	(em): sort entries
+
+Sun Nov 22 06:54:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c: more type correctness
+
+	* lib/krb5/get_cred.c: re-structure code.  remove limits on ASN1
+ 	generated bits.
+
+Sun Nov 22 01:49:50 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kdc/hprop.c (v4_prop): fix bogus indexing
+
+Sat Nov 21 21:39:20 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/verify_init.c (fail_verify_is_ok): new function
+	(krb5_verify_init_creds): if we cannot get a ticket for
+	host/`hostname` and fail_verify_is_ok just return.  use
+ 	krb5_rd_req
+
+Sat Nov 21 23:12:27 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/free.c (krb5_xfree): new function
+
+	* lib/krb5/creds.c (krb5_free_creds_contents): new function
+
+	* lib/krb5/context.c: more type correctness
+
+	* lib/krb5/checksum.c: more type correctness
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): more type
+ 	correctness
+
+	* lib/asn1/der_get.c (der_get_length): fix test of len
+	(der_get_tag): more type correctness
+
+	* kuser/klist.c (usage): void-ize
+
+	* admin/ktutil.c (kt_remove): some more type correctness.
+
+Sat Nov 21 16:49:20 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kuser/klist.c: try to list enctypes as keytypes
+
+	* kuser/kinit.c: remove extra `--cache' option, add `--enctypes'
+ 	to set list of enctypes to use
+
+	* kadmin/load.c: load strings as hex
+
+	* kadmin/dump.c: dump hex as string is possible
+
+	* admin/ktutil.c: use print_version()
+
+	* configure.in, acconfig.h: test for hesiod
+
+Sun Nov 15 17:28:19 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/crypto.c: add some crypto debug code
+
+	* lib/krb5/get_in_tkt.c (_krb5_extract_ticket): don't use fixed
+ 	buffer when encoding ticket
+
+	* lib/krb5/auth_context.c (re-)implement `krb5_auth_setenctype'
+
+	* kdc/kerberos5.c: allow mis-match of tgt session key, and service
+ 	session key
+
+	* admin/ktutil.c: keytype -> enctype
+
+Fri Nov 13 05:35:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h (KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE): added
+	
+Sat Nov  7 19:56:31 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c (add_cred): add termination NULL pointer
+
+Mon Nov  2 01:15:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c: adapt to new crypto api
+
+	* lib/krb5/rd_rep.c: adapt to new crypto api
+
+	* lib/krb5/rd_priv.c: adopt to new crypto api
+
+	* lib/krb5/rd_cred.c: adopt to new crypto api
+
+	* lib/krb5/principal.c: ENOMEM -> ERANGE
+
+	* lib/krb5/mk_safe.c: cleanup and adopt to new crypto api
+
+	* lib/krb5/mk_req_ext.c: adopt to new crypto api
+
+	* lib/krb5/mk_req.c: get enctype from auth_context keyblock
+
+	* lib/krb5/mk_rep.c: cleanup and adopt to new crypto api
+
+	* lib/krb5/mk_priv.c: adopt to new crypto api
+
+	* lib/krb5/keytab.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt_with_skey.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt_with_keytab.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt_pw.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt.c: adopt to new crypto api
+
+	* lib/krb5/get_cred.c: adopt to new crypto api
+
+	* lib/krb5/generate_subkey.c: use new crypto api
+
+	* lib/krb5/context.c: rename etype functions to enctype ditto
+
+	* lib/krb5/build_auth.c: use new crypto api
+
+	* lib/krb5/auth_context.c: remove enctype and cksumtype from
+ 	auth_context
+
+Mon Nov  2 01:15:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (handle_udp, handle_tcp): correct type of `n'
+
+Tue Sep 15 18:41:38 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* admin/ktutil.c: fix printing of unrecognized keytypes
+
+Tue Sep 15 17:02:33 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/kadm5/set_keys.c: add KEYTYPE_USE_AFS3_SALT to keytype if
+ 	using AFS3 salt
+
+Tue Aug 25 23:30:52 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): care about
+ 	`use_admin_kdc'
+
+	* lib/krb5/changepw.c (get_kdc_address): use
+ 	krb5_get_krb_admin_hst
+
+	* lib/krb5/krbhst.c (krb5_get_krb_admin_hst): new function
+
+	* lib/krb5/krb5.h (krb5_context_data): add `use_admin_kdc'
+
+	* lib/krb5/context.c (krb5_get_use_admin_kdc,
+ 	krb5_set_use_admin_kdc): new functions
+
+Tue Aug 18 22:24:12 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/crypto.c: remove all calls to abort(); check return
+ 	value from _key_schedule;
+	(RSA_MD[45]_DES_verify): zero tmp and res;
+	(RSA_MD5_DES3_{verify,checksum}): implement
+
+Mon Aug 17 20:18:46 1998  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos4.c (swap32): conditionalize
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): new function
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): if the hostname
+ 	returned from gethostby*() isn't a FQDN, try with the original
+ 	hostname
+
+	* lib/krb5/get_cred.c (make_pa_tgs_req): use krb5_mk_req_internal
+ 	and correct key usage
+
+	* lib/krb5/crypto.c (verify_checksum): make static
+
+	* admin/ktutil.c (kt_list): use krb5_enctype_to_string
+
+Sun Aug 16 20:57:56 1998  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/cpw.c (do_cpw_entry): use asprintf for the prompt
+
+	* kadmin/ank.c (ank): print principal name in prompt
+
+	* lib/krb5/crypto.c (hmac): always allocate space for checksum.
+  	never trust c.checksum.length
+	(_get_derived_key): try to return the derived key
+
+Sun Aug 16 19:48:42 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/crypto.c (hmac): fix some peculiarities and bugs
+	(get_checksum_key): assume usage is `formatted'
+	(create_checksum,verify_checksum): moved the guts of the krb5_*
+	functions here, both take `formatted' key-usages
+	(encrypt_internal_derived): fix various bogosities
+	(derive_key): drop key_type parameter (already given by the
+	encryption_type)
+
+	* kdc/kerberos5.c (check_flags): handle case where client is NULL
+
+	* kdc/connect.c (process_request): return zero after processing
+ 	kerberos 4 request
+
+Sun Aug 16 18:38:15 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/crypto.c: merge x-*.[ch] into one file
+
+	* lib/krb5/cache.c: remove residual from krb5_ccache_data
+
+Fri Aug 14 16:28:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/x-crypto.c (derive_key): move DES3 specific code to
+ 	separate function (will eventually end up someplace else)
+
+	* lib/krb5/x-crypto.c (krb5_string_to_key_derived): allocate key
+
+	* configure.in, acconfig.h: test for four valued krb_put_int
+
+Thu Aug 13 23:46:29 1998  Assar Westerlund  <assar@emma.pdc.kth.se>
+
+	* Release 0.0t
+
+Thu Aug 13 22:40:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/config_file.c (parse_binding): remove trailing
+ 	whitespace
+
+Wed Aug 12 20:15:11 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/x-checksum.c (krb5_verify_checksum): pass checksum type
+ 	to krb5_create_checksum
+
+	* lib/krb5/x-key.c: implement DES3_string_to_key_derived; fix a
+ 	few typos
+
+Wed Aug  5 12:39:54 1998  Assar Westerlund  <assar@emma.pdc.kth.se>
+
+	* Release 0.0s
+
+Thu Jul 30 23:12:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_error.c (krb5_mk_error): realloc until you die
+
+Thu Jul 23 19:49:03 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kdc_locl.h: proto for `get_des_key'
+
+	* configure.in: test for four valued el_init
+
+	* kuser/klist.c: keytype -> enctype
+
+	* kpasswd/kpasswdd.c (change): use new `krb5_string_to_key*'
+
+	* kdc/hprop.c (v4_prop, ka_convert): convert to a set of keys
+
+	* kdc/kaserver.c: use `get_des_key'
+
+	* kdc/524.c: use new crypto api
+
+	* kdc/kerberos4.c: use new crypto api
+
+	* kdc/kerberos5.c: always treat keytypes as enctypes; use new
+ 	crypto api
+
+	* kdc/kstash.c: adapt to new crypto api
+
+	* kdc/string2key.c: adapt to new crypto api
+
+	* admin/srvconvert.c: add keys for all possible enctypes
+
+	* admin/ktutil.c: keytype -> enctype
+
+	* lib/gssapi/init_sec_context.c: get enctype from auth_context
+ 	keyblock
+
+	* lib/hdb/hdb.c: remove hdb_*_keytype2key
+
+	* lib/kadm5/set_keys.c: adapt to new crypto api
+
+	* lib/kadm5/rename_s.c: adapt to new crypto api
+
+	* lib/kadm5/get_s.c: adapt to new crypto api
+
+	* lib/kadm5/create_s.c: add keys for des-cbc-crc, des-cbc-md4,
+ 	des-cbc-md5, and des3-cbc-sha1
+
+	* lib/krb5/heim_err.et: error message for unsupported salt
+
+	* lib/krb5/codec.c: short-circuit these functions, since they are
+ 	not needed any more
+
+	* lib/krb5/rd_safe.c: cleanup and adapt to new crypto api
+
+Mon Jul 13 23:00:59 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): don't advance
+ 	hostent->h_addr_list, use a copy instead
+
+Mon Jul 13 15:00:31 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/config_file.c (parse_binding, parse_section): make sure
+ 	everything is ok before adding to linked list
+
+	* lib/krb5/config_file.c: skip ws before checking for comment
+
+Wed Jul  8 10:45:45 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/k5.asn1: hmac-sha1-des3 = 12
+
+Tue Jun 30 18:08:05 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): do not close the
+ 	unopened file
+
+	* lib/krb5/mk_priv.c: realloc correctly
+
+	* lib/krb5/get_addrs.c (find_all_addresses): init j
+
+	* lib/krb5/context.c (krb5_init_context): print error if parsing
+ 	of config file produced an error.
+
+	* lib/krb5/config_file.c (parse_list, krb5_config_parse_file):
+ 	ignore more spaces
+
+	* lib/krb5/codec.c (krb5_encode_EncKrbCredPart,
+ 	krb5_encode_ETYPE_INFO): initialize `ret'
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): realloc
+ 	correctly
+
+	* lib/kadm5/set_keys.c (_kadm5_set_keys): initialize `ret'
+
+	* lib/kadm5/init_c.c (get_cred_cache): try to do the right thing
+ 	with default_client
+
+	* kuser/kinit.c (main): initialize `ticket_life'
+
+	* kdc/kerberos5.c (get_pa_etype_info): initialize `ret'
+	(tgs_rep2): initialize `krbtgt'
+
+	* kdc/connect.c (do_request): check for errors from `sendto'
+
+	* kdc/524.c (do_524): initialize `ret'
+
+	* kadmin/util.c (foreach_principal): don't clobber `ret'
+
+	* kadmin/del.c (del_entry): don't apply on zeroth argument
+
+	* kadmin/cpw.c (do_cpw_entry): initialize `ret'
+
+Sat Jun 13 04:14:01 1998  Assar Westerlund  <assar@juguete.sics.se>
+
+	* Release 0.0r
+
+Sun Jun  7 04:13:14 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c: fall-back definition of
+ 	IN6_ADDR_V6_TO_V4
+
+	* configure.in: only set CFLAGS if it wasn't set look for
+ 	dn_expand and res_search
+
+Mon Jun  1 21:28:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: remove duplicate seteuid
+
+Sat May 30 00:19:51 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/convert_creds.c: import _krb_time_to_life, to avoid
+ 	runtime dependencies on libkrb with some shared library
+ 	implementations
+
+Fri May 29 00:09:02 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/kinit_options.c: Default options for kinit.
+
+	* kuser/kauth_options.c: Default options for kauth.
+
+	* kuser/kinit.c: Implement lots a new options.
+
+	* kdc/kerberos5.c (check_tgs_flags): make sure kdc-req-body->rtime
+ 	is not NULL; set endtime to min of new starttime + old_life, and
+ 	requested endtime
+
+	* lib/krb5/init_creds_pw.c (get_init_creds_common): if the
+ 	forwardable or proxiable flags are set in options, set the
+ 	kdc-flags to the value specified, and not always to one
+
+Thu May 28 21:28:06 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Optionally compare client address to addresses
+ 	in ticket.
+
+	* kdc/connect.c: Pass client address to as_rep() and tgs_rep().
+
+	* kdc/config.c: Add check_ticket_addresses, and
+ 	allow_null_ticket_addresses variables.
+
+Tue May 26 14:03:42 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/create_s.c: possibly make DES keys version 4 salted
+
+	* lib/kadm5/set_keys.c: check config file for kadmin/use_v4_salt
+ 	before zapping version 4 salts
+
+Sun May 24 05:22:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0q
+
+	* lib/krb5/aname_to_localname.c: new file
+
+	* lib/gssapi/init_sec_context.c (repl_mutual): no output token
+
+	* lib/gssapi/display_name.c (gss_display_name): zero terminate
+ 	output.
+
+Sat May 23 19:11:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/display_status.c: new file
+
+	* Makefile.am: send -I to aclocal
+
+	* configure.in: remove duplicate setenv
+
+Sat May 23 04:55:19 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/util.c (foreach_principal): Check for expression before
+ 	wading through the whole database.
+
+	* kadmin/kadmin.c: Pass NULL password to
+ 	kadm5_*_init_with_password.
+
+	* lib/kadm5/init_c.c: Implement init_with_{skey,creds}*. Make use
+ 	of `password' parameter to init_with_password.
+
+	* lib/kadm5/init_s.c: implement init_with_{skey,creds}*
+
+	* lib/kadm5/server.c: Better arguments for
+ 	kadm5_init_with_password.
+
+Sat May 16 07:10:36 1998  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hprop.c: conditionalize ka-server reading support on
+ 	KASERVER_DB
+
+	* configure.in: new option `--enable-kaserver-db'
+
+Fri May 15 19:39:18 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_cred.c: Better error if local tgt couldn't be
+ 	found.
+
+Tue May 12 21:11:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0p
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): only set
+ 	encryption type in auth_context if it's compatible with the type
+ 	of the session key
+
+Mon May 11 21:11:14 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop.c: add support for ka-server databases
+
+	* appl/ftp/ftpd: link with -lcrypt, if needed
+
+Fri May  1 07:29:52 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: don't test for winsock.h
+
+Sat Apr 18 21:43:11 1998  Johan Danielsson  <joda@puffer.pdc.kth.se>
+
+	* Release 0.0o
+
+Sat Apr 18 00:31:11 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/sock_principal.c: Save hostname.
+
+Sun Apr  5 11:29:45 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/mk_req_ext.c: Use same enctype as in ticket.
+
+	* kdc/hprop.c (v4_prop): Check for null key.
+
+Fri Apr  3 03:54:54 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/str2key.c: Fix DES3 string-to-key.
+
+	* lib/krb5/keytab.c: Get default keytab name from context.
+
+	* lib/krb5/context.c: Get `default_keytab_name' value.
+
+	* kadmin/util.c (foreach_principal): Print error message if
+ 	`kadm5_get_principals' fails.
+
+	* kadmin/kadmind.c: Use `kadmind_loop'.
+
+	* lib/kadm5/server.c: Replace several other functions with
+ 	`kadmind_loop'.
+
+Sat Mar 28 09:49:18 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c (fkt_add_entry): use an explicit seek instead
+ 	of O_APPEND
+
+	* configure.in: generate ftp Makefiles
+
+	* kuser/klist.c (print_cred_verbose): print IPv4-address in a
+ 	portable way.
+
+	* admin/srvconvert.c (srvconv): return 0 if successful
+
+Tue Mar 24 00:40:33 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/keytab.c: MIT compatible changes: add and use sizes to
+ 	keytab entries, and change default keytab to `/etc/krb5.keytab'.
+
+Mon Mar 23 23:43:59 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/gssapi/wrap.c: Use `gss_krb5_getsomekey'.
+
+	* lib/gssapi/unwrap.c: Implement and use `gss_krb5_getsomekey'.
+  	Fix bug in checking of pad.
+
+	* lib/gssapi/{un,}wrap.c: Add support for just integrity
+ 	protecting data.
+ 	
+	* lib/gssapi/accept_sec_context.c: Use
+ 	`gssapi_krb5_verify_8003_checksum'.
+
+	* lib/gssapi/8003.c: Implement `gssapi_krb5_verify_8003_checksum'.
+
+	* lib/gssapi/init_sec_context.c: Zero cred, and store session key
+ 	properly in auth-context.
+
+Sun Mar 22 00:47:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/delete_s.c: Check immutable bit.
+
+	* kadmin/kadmin.c: Pass client name to kadm5_init.
+
+	* lib/kadm5/init_c.c: Get creds for client name passed in.
+
+	* kdc/hprop.c (v4_prop): Check for `changepw.kerberos'.
+
+Sat Mar 21 22:57:13 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/mk_error.c: Verify that error_code is in the range
+ 	[0,127].
+
+	* kdc/kerberos5.c: Move checking of principal flags to new
+ 	function `check_flags'.
+
+Sat Mar 21 14:38:51 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/get_s.c (kadm5_s_get_principal): handle an empty salt
+
+	* configure.in: define SunOS if running solaris
+
+Sat Mar 21 00:26:34 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/server.c: Unifdef test for same principal when
+ 	changing password.
+
+	* kadmin/util.c: If kadm5_get_principals failes, we might still be
+ 	able to perform the requested opreration (for instance someone if
+ 	trying to change his own password).
+
+	* lib/kadm5/init_c.c: Try to get ticket via initial request, if
+ 	not possible via tgt.
+
+	* lib/kadm5/server.c: Check for principals changing their own
+ 	passwords.
+
+	* kdc/kerberos5.c (tgs_rep2): check for interesting flags on
+ 	involved principals.
+
+	* kadmin/util.c: Fix order of flags.
+
+Thu Mar 19 16:54:10 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos4.c: Return sane error code if krb_rd_req fails.
+
+Wed Mar 18 17:11:47 1998  Assar Westerlund  <assar@sics.se>
+
+	* acconfig.h: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6
+
+Wed Mar 18 09:58:18 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): don't
+ 	free keyseed; use correct keytab
+
+Tue Mar 10 09:56:16 1998  Assar Westerlund  <assar@sics.se>
+
+	* acinclude.m4 (AC_KRB_IPV6): rewrote to avoid false positives
+
+Mon Mar 16 23:58:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0n
+
+Fri Mar  6 00:41:30 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/gssapi/{accept_sec_context,release_cred}.c: Use
+	krb5_kt_close/krb5_kt_resolve.
+	
+	* lib/krb5/principal.c (krb5_425_conv_principal_ext): Use resolver
+ 	to lookup hosts, so CNAMEs can be ignored.
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc, send_and_recv_http):
+ 	Add support for using proxy.
+
+	* lib/krb5/context.c: Initialize `http_proxy' from
+ 	`libdefaults/http_proxy'.
+
+	* lib/krb5/krb5.h: Add `http_proxy' to context.
+
+	* lib/krb5/send_to_kdc.c: Recognize `http/' and `udp/' as protocol
+ 	specifications.
+
+Wed Mar  4 01:47:29 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/ktutil.c: Implement `add' and `remove' functions. Make
+ 	`--keytab' a global option.
+
+	* lib/krb5/keytab.c: Implement remove with files. Add memory
+ 	operations.
+
+Tue Mar  3 20:09:59 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/keytab.c: Use function pointers.
+
+	* admin: Remove kdb_edit.
+
+Sun Mar  1 03:28:42 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/dump_log.c: print operation names
+
+Sun Mar  1 03:04:12 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: add X-tests, and {bin,...}dir appl/{kx,kauth}
+	
+	* lib/krb5/build_auth.c,mk_priv.c,rd_safe.c,mk_safe.c,mk_rep.c:
+ 	remove arbitrary limit
+
+	* kdc/hprop-common.c: use krb5_{read,write}_message
+
+	* lib/kadm5/ipropd_master.c (send_diffs): more careful use
+ 	krb5_{write,read}_message
+
+	* lib/kadm5/ipropd_slave.c (get_creds): get credentials for
+ 	`iprop/master' directly.
+	(main): use `krb5_read_message'
+
+Sun Mar  1 02:05:11 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/kadmin.c: Cleanup commands list, and add help strings.
+
+	* kadmin/get.c: Add long, short, and terse (equivalent to `list')
+ 	output formats. Short is the default.
+
+	* kadmin/util.c: Add `include_time' flag to timeval2str.
+
+	* kadmin/init.c: Max-life and max-renew can, infact, be zero.
+
+	* kadmin/{cpw,del,ext,get}.c: Use `foreach_principal'.
+
+	* kadmin/util.c: Add function `foreach_principal', that loops over
+ 	all principals matching an expression.
+
+	* kadmin/kadmin.c: Add usage string to `privileges'.
+
+	* lib/kadm5/get_princs_s.c: Also try to match aganist the
+ 	expression appended with `@default-realm'.
+
+	* lib/krb5/principal.c: Add `krb5_unparse_name_fixed_short', that
+ 	excludes the realm if it's the same as the default realm.
+
+Fri Feb 27 05:02:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: more WFLAGS and WFLAGS_NOUNUSED added missing
+ 	headers and functions error -> com_err
+
+ 	(krb5_get_init_creds_keytab): use krb5_keytab_key_proc
+
+	* lib/krb5/get_in_tkt_with_keytab.c: make `krb5_keytab_key_proc'
+ 	global
+
+	* lib/kadm5/marshall.c (ret_principal_ent): set `n_tl_data'
+
+	* lib/hdb/ndbm.c: use `struct ndbm_db' everywhere.
+
+Fri Feb 27 04:49:24 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_priv.c (krb5_mk_priv): bump static limit to 10240.
+  	This should be fixed the correct way.
+
+	* lib/kadm5/ipropd_master.c (check_acl:) truncate buf correctly
+	(send_diffs): compare versions correctly
+	(main): reorder handling of events
+
+	* lib/kadm5/log.c (kadm5_log_previous): avoid bad type conversion
+
+Thu Feb 26 02:22:35 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/ipropd_{slave,master}.c: new files
+
+	* lib/kadm5/log.c (kadm5_log_get_version): take an `fd' as
+ 	argument
+
+	* lib/krb5/krb5.h (krb5_context_data): `et_list' should be `struct
+ 	et_list *'
+
+	* aux/make-proto.pl: Should work with perl4
+
+Mon Feb 16 17:20:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/krb5_locl.h: Remove <error.h> (it gets included via
+ 	{asn1,krb5}_err.h).
+
+Thu Feb 12 03:28:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c (_krb5_extract_ticket): if time difference
+ 	is larger than max_skew, return KRB5KRB_AP_ERR_SKEW
+
+	* lib/kadm5/log.c (get_version): globalize
+
+	* lib/kadm5/kadm5_locl.h: include <sys/file.h>
+
+	* lib/asn1/Makefile.am: add PA_KEY_INFO and PA_KEY_INFO_ENTRY
+
+	* kdc/kerberos5.c (get_pa_etype_info): remove gcc-ism of
+ 	initializing local struct in declaration.
+
+Sat Jan 31 17:28:58 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/524.c: Use krb5_decode_EncTicketPart.
+
+	* kdc/kerberos5.c: Check at runtime whether to use enctypes
+ 	instead of keytypes. If so use the same value to encrypt ticket,
+ 	and kdc-rep as well as `keytype' for session key. Fix some obvious
+ 	bugs with the handling of additional tickets.
+
+	* lib/krb5/rd_req.c: Use krb5_decode_EncTicketPart, and
+ 	krb5_decode_Authenticator.
+
+	* lib/krb5/rd_rep.c: Use krb5_decode_EncAPRepPart.
+
+	* lib/krb5/rd_cred.c: Use krb5_decode_EncKrbCredPart.
+
+	* lib/krb5/mk_rep.c: Make sure enc_part.etype is an encryption
+ 	type, and not a key type.  Use krb5_encode_EncAPRepPart.
+
+	* lib/krb5/init_creds_pw.c: Use krb5_decode_PA_KEY_INFO.
+
+	* lib/krb5/get_in_tkt.c: Use krb5_decode_Enc{AS,TGS}RepPart.
+
+	* lib/krb5/get_for_creds.c: Use krb5_encode_EncKrbCredPart.
+
+	* lib/krb5/get_cred.c: Use krb5_decode_Enc{AS,TGS}RepPart.
+
+	* lib/krb5/build_auth.c: Use krb5_encode_Authenticator.
+
+	* lib/krb5/codec.c: Enctype conversion stuff.
+
+	* lib/krb5/context.c: Ignore KRB5_CONFIG if *not* running
+ 	setuid. Get configuration for libdefaults ktype_is_etype, and
+ 	default_etypes.
+
+	* lib/krb5/encrypt.c: Add krb5_string_to_etype, rename
+ 	krb5_convert_etype to krb5_decode_keytype, and add
+ 	krb5_decode_keyblock.
+
+Fri Jan 23 00:32:09 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{get_in_tkt,rd_req}.c: Use krb5_convert_etype.
+
+	* lib/krb5/encrypt.c: Add krb5_convert_etype function - converts
+ 	from protocol keytypes (that really are enctypes) to internal
+ 	representation.
+
+Thu Jan 22 21:24:36 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/k5.asn1: Add PA-KEY-INFO structure to hold information
+ 	on keys in the database; and also a new `pa-key-info' padata-type.
+
+	* kdc/kerberos5.c: If pre-authentication fails, return a list of
+ 	keytypes, salttypes, and salts.
+
+	* lib/krb5/init_creds_pw.c: Add better support for
+ 	pre-authentication, by looking at hints from the KDC.
+
+	* lib/krb5/get_in_tkt.c: Add better support for specifying what
+ 	pre-authentication to use.
+
+	* lib/krb5/str2key.c: Merge entries for KEYTYPE_DES and
+ 	KEYTYPE_DES_AFS3.
+
+	* lib/krb5/krb5.h: Add pre-authentication structures.
+
+	* kdc/connect.c: Don't fail if realloc(X, 0) returns NULL.
+
+Wed Jan 21 06:20:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize
+ 	`log_context.socket_name' and `log_context.socket_fd'
+
+	* lib/kadm5/log.c (kadm5_log_flush): send a unix domain datagram
+ 	to inform the possible running ipropd of an update.
+
+Wed Jan 21 01:34:09 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt.c: Return error-packet to caller.
+
+	* lib/krb5/free.c (krb5_free_kdc_rep): Free krb5_kdc_rep->error.
+
+	* kdc/kerberos5.c: Add some support for using enctypes instead of
+ 	keytypes.
+
+	* lib/krb5/get_cred.c: Fixes to send authorization-data to the
+ 	KDC.
+
+	* lib/krb5/build_auth.c: Only generate local subkey if there is
+ 	none.
+
+	* lib/krb5/krb5.h: Add krb5_authdata type.
+
+	* lib/krb5/auth_context.c: Add
+ 	krb5_auth_con_set{,localsub,remotesub}key.
+
+	* lib/krb5/init_creds_pw.c: Return some error if prompter
+ 	functions return failure.
+
+Wed Jan 21 01:16:13 1998  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswd.c: detect bad password.  use krb5_err.
+
+	* kadmin/util.c (edit_entry): remove unused variables
+
+Tue Jan 20 22:58:31 1998  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c: rename `-s' to `-S' to be MIT-compatible.
+
+	* lib/kadm5/kadm5_locl.h: add kadm5_log_context and
+ 	kadm5_log*-functions
+
+	* lib/kadm5/create_s.c (kadm5_s_create_principal): add change to
+ 	log
+
+	* lib/kadm5/rename_s.c (kadm5_s_rename_principal): add change to
+ 	log
+
+	* lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize
+ 	log_context
+
+	* lib/kadm5/delete_s.c (kadm5_s_delete_principal): add change to
+ 	log
+
+	* lib/kadm5/modify_s.c (kadm5_s_modify_principal): add change to
+ 	log
+
+	* lib/kadm5/randkey_s.c (kadm5_s_randkey_principal): add change to
+ 	log
+
+	* lib/kadm5/chpass_s.c (kadm5_s_chpass_principal): add change to
+ 	log
+
+	* lib/kadm5/Makefile.am: add log.c, dump_log and replay_log
+
+	* lib/kadm5/replay_log.c: new file
+
+	* lib/kadm5/dump_log.c: new file
+
+	* lib/kadm5/log.c: new file
+
+	* lib/krb5/str2key.c (get_str): initialize pad space to zero
+
+	* lib/krb5/config_file.c (krb5_config_vget_next): handle c == NULL
+
+	* kpasswd/kpasswdd.c: rewritten to use the kadm5 API
+
+	* kpasswd/Makefile.am: link with kadm5srv
+
+	* kdc/kerberos5.c (tgs_rep): initialize `i'
+
+	* kadmin/kadmind.c (main): use kadm5_server_{send,recv}_sp
+
+	* include/Makefile.am: added admin.h
+
+Sun Jan 18 01:41:34 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/gen_copy.c: Don't return ENOMEM if allocating 0 bytes.
+
+	* lib/krb5/mcache.c (mcc_store_cred): restore linked list if
+ 	copy_creds fails.
+
+Tue Jan  6 04:17:56 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/server.c: add kadm5_server_{send,recv}{,_sp}
+
+	* lib/kadm5/marshall.c: add kadm5_{store,ret}_principal_ent_mask.
+
+	* lib/kadm5/init_c.c (kadm5_c_init_with_password_ctx): use
+ 	krb5_getportbyname
+
+	* kadmin/kadmind.c (main): htons correctly.
+	moved kadm5_server_{recv,send}
+
+	* kadmin/kadmin.c (main): only set admin_server if explicitly
+ 	given
+
+Mon Jan  5 23:34:44 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb/ndbm.c: Implement locking of database.
+
+	* kdc/kerberos5.c: Process AuthorizationData.
+
+Sat Jan  3 22:07:07 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/string2key.c: Use AFS string-to-key from libkrb5.
+
+	* lib/krb5/get_in_tkt.c: Handle pa-afs3-salt case.
+
+	* lib/krb5/krb5.h: Add value for AFS salts.
+
+	* lib/krb5/str2key.c: Add support for AFS string-to-key.
+
+	* lib/kadm5/rename_s.c: Use correct salt.
+
+	* lib/kadm5/ent_setup.c: Always enable client. Only set max-life
+ 	and max-renew if != 0.
+
+	* lib/krb5/config_file.c: Add context to all krb5_config_*get_*.
+
+Thu Dec 25 17:03:25 1997  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/ank.c (ank): don't zero password if --random-key was
+ 	given.
+
+Tue Dec 23 01:56:45 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0m
+
+	* lib/kadm5/ent_setup.c (attr_to_flags): try to set `client'
+
+	* kadmin/util.c (edit_time): only set mask if != 0
+	(edit_attributes): only set mask if != 0
+
+	* kadmin/init.c (init): create `default'
+
+Sun Dec 21 09:44:05 1997  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/util.c (str2deltat, str2attr, get_deltat): return value
+ 	as pointer and have return value indicate success.
+	
+	(get_response): check NULL from fgets
+	
+	(edit_time, edit_attributes): new functions for reading values and
+	offering list of answers on '?'
+	
+	(edit_entry): use edit_time and edit_attributes
+
+	* kadmin/ank.c (add_new_key): test the return value of
+ 	`krb5_parse_name'
+
+	* kdc/kerberos5.c (tgs_check_authenticator): RFC1510 doesn't say
+ 	that the checksum has to be keyed, even though later drafts do.
+  	Accept unkeyed checksums to be compatible with MIT.
+
+	* kadmin/kadmin_locl.h: add some prototypes.
+
+	* kadmin/util.c (edit_entry): return a value
+
+	* appl/afsutil/afslog.c (main): return a exit code.
+
+	* lib/krb5/get_cred.c (init_tgs_req): use krb5_keytype_to_enctypes
+
+	* lib/krb5/encrypt.c (krb5_keytype_to_enctypes): new function.
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): use
+ 	krb5_{free,copy}_keyblock instead of the _contents versions
+
+Fri Dec 12 14:20:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{mk,rd}_priv.c: fix check for local/remote subkey
+
+Mon Dec  8 08:48:09 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/context.c: don't look at KRB5_CONFIG if running setuid
+
+Sat Dec  6 10:09:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/keyblock.c (krb5_free_keyblock): check for NULL
+	keyblock
+
+Sat Dec  6 08:26:10 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0l
+
+Thu Dec  4 03:38:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/send_to_kdc.c: Add TCP client support.
+
+	* lib/krb5/store.c: Add k_{put,get}_int.
+
+	* kadmin/ank.c: Set initial kvno to 1.
+
+	* kdc/connect.c: Send version 5 TCP-reply as length+data.
+
+Sat Nov 29 07:10:11 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c (krb5_rd_req): fixed obvious bug
+
+	* kdc/kaserver.c (create_reply_ticket): use a random nonce in the
+ 	reply packet.
+
+	* kdc/connect.c (init_sockets): less reallocing.
+
+	* **/*.c: changed `struct fd_set' to `fd_set'
+
+Sat Nov 29 05:12:01 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_default_principal.c: More guessing.
+
+Thu Nov 20 02:55:09 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/rd_req.c: Use principal from ticket if no server is
+ 	given.
+
+Tue Nov 18 02:58:02 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/klist.c: Use krb5_err*().
+
+Sun Nov 16 11:57:43 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/kadmin.c: Add local `init', `load', `dump', and `merge'
+ 	commands.
+
+Sun Nov 16 02:52:20 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_ext): figure out the correct
+ 	`enctype'
+
+	* lib/krb5/mk_req.c (krb5_mk_req): use `(*auth_context)->enctype'
+ 	if set.
+
+	* lib/krb5/get_cred.c: handle the case of a specific keytype
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): enctype as a
+ 	parameter instead of guessing it.
+
+	* lib/krb5/build_ap_req.c (krb5_build_ap_req): new parameter
+ 	`enctype'
+
+	* appl/test/common.c (common_setup): don't use `optarg'
+
+	* lib/krb5/keytab.c (krb5_kt_copy_entry_contents): new function
+	(krb5_kt_get_entry): retrieve the latest version if kvno == 0
+
+	* lib/krb5/krb5.h: define KRB5_TC_MATCH_KEYTYPE
+
+	* lib/krb5/creds.c (krb5_compare_creds): check for
+ 	KRB5_TC_MATCH_KEYTYPE
+
+	* lib/gssapi/8003.c (gssapi_krb5_create_8003_checksum): remove
+ 	unused variable
+
+	* lib/krb5/creds.c (krb5_copy_creds_contents): only free the
+ 	contents if we fail.
+
+Sun Nov 16 00:32:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kpasswd/kpasswdd.c: Get password expiration time from config
+ 	file.
+
+	* lib/asn1/{der_get,gen_decode}.c: Allow passing NULL size.
+
+Wed Nov 12 02:35:57 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
+ 	restructured and fixed.
+
+	* lib/krb5/addr_families.c (krb5_h_addr2addr): new function.
+
+Wed Nov 12 01:36:01 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fall back to hostname's addresses if other
+ 	methods fail.
+
+Tue Nov 11 22:22:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/kadmin.c: Add `-l' flag to use local database.
+
+	* lib/kadm5/acl.c: Use KADM5_PRIV_ALL.
+
+	* lib/kadm5: Use function pointer trampoline for easier dual use
+ 	(without radiation-hardening capability).
+
+Tue Nov 11 05:15:22 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/encrypt.c (krb5_etype_valid): new function
+
+	* lib/krb5/creds.c (krb5_copy_creds_contents): zero target
+
+	* lib/krb5/context.c (valid_etype): remove
+
+	* lib/krb5/checksum.c: remove dead code
+
+	* lib/krb5/changepw.c (send_request): free memory on error.
+
+	* lib/krb5/build_ap_req.c (krb5_build_ap_req): check return value
+ 	from malloc.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): free memory on
+ 	failure correctly.
+	(krb5_auth_con_setaddrs_from_fd): return error correctly.
+
+	* lib/krb5/get_in_tkt_with_{keytab,skey}.c: new files
+
+Tue Nov 11 02:53:19 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/auth_context.c: Implement auth_con_setuserkey.
+
+	* lib/gssapi/init_sec_context.c: Use krb5_auth_con_getkey.
+
+	* lib/krb5/keyblock.c: Rename krb5_free_keyblock to
+ 	krb5_free_keyblock_contents, and reimplement krb5_free_keyblock.
+
+	* lib/krb5/rd_req.c: Use auth_context->keyblock if
+ 	ap_options.use_session_key.
+
+Tue Nov 11 02:35:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/net_{read,write}.c: change `int fd' to `void *p_fd'.
+	fix callers.
+
+	* lib/krb5/krb5_locl.h: include <asn1.h> and <der.h>
+
+	* include/Makefile.am: add xdbm.h
+
+Tue Nov 11 01:58:22 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_cred.c: Implement krb5_get_cred_from_kdc.
+
+Mon Nov 10 22:41:53 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/ticket.c: Implement copy_ticket.
+
+	* lib/krb5/get_in_tkt.c: Make `options' parameter MIT-compatible.
+
+	* lib/krb5/data.c: Implement free_data and copy_data.
+
+Sun Nov  9 02:17:27 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5: Implement kadm5_get_privs, and kadm5_get_principals.
+
+	* kadmin/kadmin.c: Add get_privileges function.
+
+	* lib/kadm5: Rename KADM5_ACL_* -> KADM5_PRIV_* to conform with
+ 	specification.
+
+	* kdc/connect.c: Exit if no sockets could be bound.
+
+	* kadmin/kadmind.c: Check return value from krb5_net_read().
+
+	* lib/kadm5,kadmin: Fix memory leaks.
+
+Fri Nov  7 02:45:26 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/create_s.c: Get some default values from `default'
+ 	principal.
+
+	* lib/kadm5/ent_setup.c: Add optional default entry to get some
+ 	values from.
+
+Thu Nov  6 00:20:41 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/error/compile_et.awk: Remove generated destroy_*_error_table
+ 	prototype
+
+	* kadmin/kadmind.c: Crude admin server.
+
+	* kadmin/kadmin.c: Update to use remote protocol.
+
+	* kadmin/get.c: Fix principal formatting.
+
+	* lib/kadm5: Add client support.
+
+	* lib/kadm5/error.c: Error code mapping.
+
+	* lib/kadm5/server.c: Kadmind support function.
+
+	* lib/kadm5/marshall.c: Kadm5 marshalling.
+
+	* lib/kadm5/acl.c: Simple acl system.
+
+	* lib/kadm5/kadm5_locl.h: Add client stuff.
+
+	* lib/kadm5/init_s.c: Initialize acl.
+
+	* lib/kadm5/*:  Return values.
+
+	* lib/kadm5/create_s.c: Correct kvno.
+
+Wed Nov  5 22:06:50 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/log.c: Fix parsing of log destinations.
+
+Mon Nov  3 20:33:55 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/principal.c: Reduce number of reallocs in unparse_name.
+
+Sat Nov  1 01:40:53 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin: Simple kadmin utility.
+
+	* admin/ktutil.c: Print keytype.
+
+	* lib/kadm5/get_s.c: Set correct n_key_data.
+
+	* lib/kadm5/init_s.c: Add kadm5_s_init_with_password_ctx. Use
+ 	master key.
+
+	* lib/kadm5/destroy_s.c: Check for allocated context.
+
+	* lib/kadm5/{create,chpass}_s.c: Use _kadm5_set_keys().
+
+Sat Nov  1 00:21:00 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: test for readv, writev
+
+Wed Oct 29 23:41:26 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/warn.c (_warnerr): handle the case of an illegal error
+ 	code
+
+	* kdc/kerberos5.c (encode_reply): return success
+
+Wed Oct 29 18:01:59 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c (find_etype) Return correct index of selected
+ 	etype.
+
+Wed Oct 29 04:07:06 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0k
+
+	* lib/krb5/context.c (krb5_init_context): support `KRB5_CONFIG'
+ 	environment variable
+
+	* *: use the roken_get*-macros from roken.h for the benefit of
+ 	Crays.
+
+	* configure.in: add --{enable,disable}-otp.  check for compatible
+ 	prototypes for gethostbyname, gethostbyaddr, getservbyname, and
+ 	openlog (they have strange prototypes on Crays)
+
+	* acinclude.m4: new macro `AC_PROTO_COMPAT'
+
+Tue Oct 28 00:11:22 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: Log bad requests.
+
+	* kdc/kerberos5.c: Move stuff that's in common between as_rep and
+ 	tgs_rep to separate functions.
+
+	* kdc/kerberos5.c: Fix user-to-user authentication.
+
+	* lib/krb5/get_cred.c: Some restructuring of krb5_get_credentials:
+ 	  - add a kdc-options argument to krb5_get_credentials, and rename
+	    it to krb5_get_credentials_with_flags
+	  - honour the KRB5_GC_CACHED, and KRB5_GC_USER_USER options
+	  - add some more user-to-user glue
+
+	* lib/krb5/rd_req.c: Move parts of krb5_verify_ap_req into a new
+ 	function, krb5_decrypt_ticket, so it is easier to decrypt and
+ 	check a ticket without having an ap-req.
+
+	* lib/krb5/krb5.h: Add KRB5_GC_CACHED, and KRB5_GC_USER_USER
+ 	flags.
+
+	* lib/krb5/crc.c (crc_init_table): Check if table is already
+ 	inited.
+
+Sun Oct 26 04:51:02 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/der_get.c (der_get_length, fix_dce): Special-case
+ 	indefinite encoding.
+
+	* lib/asn1/gen_glue.c (generate_units): Check for empty
+ 	member-list.
+
+Sat Oct 25 07:24:57 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/error/compile_et.awk: Allow specifying table-base.
+
+Tue Oct 21 20:21:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Check version number of krbtgt.
+
+Mon Oct 20 01:14:53 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/prompter_posix.c (krb5_prompter_posix): implement the
+ 	case of unhidden prompts.
+
+	* lib/krb5/str2key.c (string_to_key_internal): return error
+ 	instead of aborting.  always free memory
+
+	* admin/ktutil.c: add `help' command
+
+	* admin/kdb_edit.c: implement new commands: add_random_key(ark),
+ 	change_password(cpw), change_random_key(crk)
+
+Thu Oct 16 05:16:36 1997  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswdd.c: change all the keys in the database
+
+	* kdc: removed all unsealing, now done by the hdb layer
+
+	* lib/hdb/hdb.c: new functions `hdb_create', `hdb_set_master_key'
+ 	and `hdb_clear_master_key'
+
+	* admin/misc.c: removed
+
+Wed Oct 15 22:47:31 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/klist.c: print year as YYYY iff verbose
+
+Wed Oct 15 20:02:13 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/klist.c: print etype from ticket
+
+Mon Oct 13 17:18:57 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0j
+
+	* lib/krb5/get_cred.c: Get the subkey from mk_req so it can be
+ 	used to decrypt the reply from DCE secds.
+
+	* lib/krb5/auth_context.c: Add {get,set}enctype.
+
+	* lib/krb5/get_cred.c: Fix for DCE secd.
+
+	* lib/krb5/store.c: Store keytype twice, as MIT does.
+
+	* lib/krb5/get_in_tkt.c: Use etype from reply.
+
+Fri Oct 10 00:39:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: check for leading '/' in http request
+
+Tue Sep 30 21:50:18 1997  Assar Westerlund  <assar@assaris.pdc.kth.se>
+
+	* Release 0.0i
+
+Mon Sep 29 15:58:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c (krb5_rd_req): redone because we don't know
+ 	the kvno or keytype before receiving the AP-REQ
+
+	* lib/krb5/mk_safe.c (krb5_mk_safe): figure out what cksumtype to
+ 	use from the keytype.
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): figure out what
+ 	cksumtype to use from the keytype.
+
+	* lib/krb5/mk_priv.c (krb5_mk_priv): figure out what etype to use
+ 	from the keytype.
+
+	* lib/krb5/keytab.c (krb5_kt_get_entry): check the keytype
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): figure out
+ 	what etype to use from the keytype.
+
+	* lib/krb5/generate_seq_number.c (krb5_generate_seq_number):
+ 	handle other key types than DES
+
+	* lib/krb5/encrypt.c (key_type): add `best_cksumtype'
+	(krb5_keytype_to_cksumtype): new function
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): figure out
+ 	what etype to use from the keytype.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): set `cksumtype'
+ 	and `enctype' to 0
+
+	* admin/extkeytab.c (ext_keytab): extract all keys
+
+	* appl/telnet/telnet/commands.c: INET6_ADDRSTRLEN kludge
+
+	* configure.in: check for <netinet6/in6.h>. check for -linet6
+	
+Tue Sep 23 03:00:53 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/encrypt.c: fix checksumtype for des3-cbc-sha1
+
+	* lib/krb5/rd_safe.c: fix check for keyed and collision-proof
+ 	checksum
+
+	* lib/krb5/context.c (valid_etype): remove hard-coded constants
+	(default_etypes): include DES3
+
+	* kdc/kerberos5.c: fix check for keyed and collision-proof
+ 	checksum
+
+	* admin/util.c (init_des_key, set_password): DES3 keys also
+
+ 	* lib/krb/send_to_kdc.c (krb5_sendto_kdc): no data returned means
+ 	no contact?
+
+	* lib/krb5/addr_families.c: fix typo in `ipv6_anyaddr'
+
+Mon Sep 22 11:44:27 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kerberos5.c: Somewhat fix the etype usage. The list sent by
+ 	the client is used to select wich key to encrypt the kdc rep with
+ 	(in case of as-req), and with the server info to select the
+ 	session key type. The server key the ticket is encrypted is based
+ 	purely on the keys in the database.
+
+	* kdc/string2key.c: Add keytype support. Default to version 5
+ 	keys.
+
+	* lib/krb5/get_in_tkt.c: Fix a lot of etype/keytype misuse.
+
+	* lib/krb5/encrypt.c: Add des3-cbc-md5, and des3-cbc-sha1. Add
+ 	many *_to_* functions.
+
+	* lib/krb5/str2key.c: Add des3 string-to-key. Add ktype argument
+ 	to krb5_string_to_key().
+
+	* lib/krb5/checksum.c: Some cleanup, and added: 
+	  - rsa-md5-des3 
+	  - hmac-sha1-des3 
+	  - keyed and collision proof flags to each checksum method
+	  - checksum<->string functions.
+
+	* lib/krb5/generate_subkey.c: Use krb5_generate_random_keyblock.
+
+Sun Sep 21 15:19:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c: use new addr_families functions
+
+	* kpasswd/kpasswdd.c: use new addr_families functions.  Now works
+ 	over IPv6
+
+	* kuser/klist.c: use correct symbols for address families
+
+	* lib/krb5/sock_principal.c: use new addr_families functions
+
+	* lib/krb5/send_to_kdc.c: use new addr_families functions
+
+	* lib/krb5/krb5.h: add KRB5_ADDRESS_INET6
+
+	* lib/krb5/get_addrs.c: use new addr_families functions
+
+	* lib/krb5/changepw.c: use new addr_families functions.  Now works
+ 	over IPv6
+
+	* lib/krb5/auth_context.c: use new addr_families functions
+
+	* lib/krb5/addr_families.c: new file
+
+	* acconfig.h: AC_SOCKADDR_IN6 -> AC_STRUCT_SOCKADDR_IN6.  Updated
+ 	uses.
+
+	* acinclude.m4: new macro `AC_KRB_IPV6'.  Use it.
+
+Sat Sep 13 23:04:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop.c: Don't encrypt twice. Complain on non-convertable
+ 	principals.
+
+Sat Sep 13 00:59:36 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0h
+	
+	* appl/telnet/telnet/commands.c: AF_INET6 support
+
+	* admin/misc.c: new file
+
+	* lib/krb5/context.c: new configuration variable `max_retries'
+
+	* lib/krb5/get_addrs.c: fixes and better #ifdef's
+
+	* lib/krb5/config_file.c: implement krb5_config_get_int
+
+	* lib/krb5/auth_context.c, send_to_kdc.c, sock_principal.c:
+ 	AF_INET6 support
+
+	* kuser/klist.c: support for printing IPv6-addresses
+
+	* kdc/connect.c: support AF_INET6
+
+	* configure.in: test for gethostbyname2 and struct sockaddr_in6
+
+Thu Sep 11 07:25:28 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/k5.asn1: Use `METHOD-DATA' instead of `SEQUENCE OF
+ 	PA-DATA'
+
+Wed Sep 10 21:20:17 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Fixes for cross-realm, including (but not
+ 	limited to):
+	  - allow client to be non-existant (should probably check for
+	    "local realm")
+	  - if server isn't found and it is a request for a krbtgt, try to
+ 	    find a realm on the way to the requested realm
+	  - update the transited encoding iff 
+	    client-realm != server-realm != tgt-realm
+
+	* lib/krb5/get_cred.c: Several fixes for cross-realm.
+
+Tue Sep  9 15:59:20 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/string2key.c: Fix password handling.
+
+	* lib/krb5/encrypt.c: krb5_key_to_string
+
+Tue Sep  9 07:46:05 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c: rewrote.  Now should be able to handle
+ 	aliases and IPv6 addresses
+
+	* kuser/klist.c: try printing IPv6 addresses
+
+	* kdc/kerberos5.c: increase the arbitrary limit from 1024 to 8192
+
+	* configure.in: check for <netinet/in6_var.h>
+
+Mon Sep  8 02:57:14 1997  Assar Westerlund  <assar@sics.se>
+
+	* doc: fixes
+
+	* admin/util.c (init_des_key): increase kvno
+	(set_password): return -1 if `des_read_pw_string' failed
+
+	* admin/mod.c (doit2): check the return value from `set_password'
+
+	* admin/ank.c (doit): don't add a new entry if `set_password'
+ 	failed
+
+Mon Sep  8 02:20:16 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/verify_init.c: fix ap_req_nofail semantics
+
+	* lib/krb5/transited.c: something that might resemble
+ 	domain-x500-compress
+
+Mon Sep  8 01:24:42 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (main): check number of arguments
+
+	* appl/popper/pop_init.c (pop_init): check number of arguments
+
+	* kpasswd/kpasswd.c (main): check number of arguments
+
+	* kdc/string2key.c (main): check number of arguments
+
+	* kuser/kdestroy.c (main): check number of arguments
+
+	* kuser/kinit.c (main): check number of arguments
+
+	* kpasswd/kpasswdd.c (main): use sigaction without SA_RESTART to
+ 	break out of select when a signal arrives
+
+	* kdc/main.c (main): use sigaction without SA_RESTART to break out
+ 	of select when a signal arrives
+
+	* kdc/kstash.c: default to HDB_DB_DIR "/m-key"
+
+	* kdc/config.c (configure): add `--version'.  Check the number of
+ 	arguments. Handle the case of there being no specification of port
+ 	numbers.
+
+	* admin/util.c: seal and unseal key at appropriate places
+
+	* admin/kdb_edit.c (main): parse arguments, config file and read
+ 	master key iff there's one.
+
+	* admin/extkeytab.c (ext_keytab): unseal key while extracting
+
+Sun Sep  7 20:41:01 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/roken.h: include <fcntl.h>
+
+	* kdc/kerberos5.c (set_salt_padata): new function
+
+	* appl/telnet/telnetd/telnetd.c: Rename some variables that
+ 	conflict with cpp symbols on HP-UX 10.20
+
+	* change all calls of `gethostbyaddr' to cast argument 1 to `const
+ 	char *'
+
+	* acconfig.h: only use SGTTY on nextstep
+
+Sun Sep  7 14:33:50 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Check invalid flag.
+
+Fri Sep  5 14:19:38 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/verify_user.c: Use get_init_creds/verify_init_creds.
+
+	* lib/kafs: Move functions common to krb/krb5 modules to new file,
+ 	and make things more modular.
+
+	* lib/krb5/krb5.h: rename STRING -> krb5_config_string, and LIST
+ 	-> krb5_config_list
+
+Thu Sep  4 23:39:43 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fix loopback test.
+
+Thu Sep  4 04:45:49 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/roken.h: fallback definition of `O_ACCMODE'
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful when
+ 	checking for a v4 reply
+
+Wed Sep  3 18:20:14 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop.c: Add `--decrypt' and `--encrypt' flags.
+
+	* lib/hdb/hdb.c: new {seal,unseal}_keys functions
+
+	* kdc/{hprop,hpropd}.c: Add support to dump database to stdout.
+
+	* kdc/hprop.c: Don't use same master key as version 4.
+
+	* admin/util.c: Don't dump core if no `default' is found.
+
+Wed Sep  3 16:01:07 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/connect.c: Allow run time port specification.
+
+	* kdc/config.c: Add flags for http support, and port
+ 	specifications.
+
+Tue Sep  2 02:00:03 1997  Assar Westerlund  <assar@sics.se>
+
+	* include/bits.c: Don't generate ifndef's in bits.h.  Instead, use
+ 	them when building the program.  This makes it possible to include
+ 	bits.h without having defined all HAVE_INT17_T symbols.
+	
+	* configure.in: test for sigaction
+
+	* doc: updated documentation.
+	
+Tue Sep  2 00:20:31 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0g
+
+Mon Sep  1 17:42:14 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/data.c: don't return ENOMEM if len == 0
+
+Sun Aug 31 17:15:49 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb/hdb.asn1: Include salt type in salt.
+
+	* kdc/hprop.h: Change port to 754.
+
+	* kdc/hpropd.c: Verify who tries to transmit a database.
+
+	* appl/popper: Use getarg and krb5_log.
+
+	* lib/krb5/get_port.c: Add context parameter. Now takes port in
+ 	host byte order.
+
+Sat Aug 30 18:48:19 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: Add timeout to select, and log about expired tcp
+ 	connections.
+
+	* kdc/config.c: Add `database' option.
+
+	* kdc/hpropd.c: Log about duplicate entries.
+
+	* lib/hdb/{db,ndbm}.c: Use common routines.
+
+	* lib/hdb/common.c: Implement more generic fetch/store/delete
+ 	functions.
+
+	* lib/hdb/hdb.h: Add `replace' parameter to store.
+	
+	* kdc/connect.c: Set filedecriptor to -1 on allocated decriptor
+ 	entries.
+
+Fri Aug 29 03:13:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c: extract_ticket -> _krb5_extract_ticket
+
+	* aux/make-proto.pl: fix __P for stone age mode
+
+Fri Aug 29 02:45:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/45/mk_req.c: implementation of krb_mk_req that uses 524
+ 	protocol
+
+	* lib/krb5/init_creds_pw.c: make change_password and
+ 	get_init_creds_common static
+
+	* lib/krb5/krb5.h: Merge stuff from removed headerfiles.
+
+	* lib/krb5/fcache.c: fcc_ops -> krb5_fcc_ops
+
+	* lib/krb5/mcache.c: mcc_ops -> krb5_mcc_ops
+
+Fri Aug 29 01:45:25 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/krb5.h: Remove all prototypes.
+
+	* lib/krb5/convert_creds.c: Use `struct credentials' instead of
+ 	`CREDENTIALS'.
+
+Fri Aug 29 00:08:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/gen_glue.c: new file. generates 2int and int2 functions
+	and units for bit strings.
+
+	* admin/util.c: flags2int, int2flags, and flag_units are now
+ 	generated by asn1_compile
+
+	* lib/roken/parse_units.c: generalised `parse_units' and
+ 	`unparse_units' and added new functions `parse_flags' and
+ 	`unparse_flags' that use these
+
+	* lib/krb5/krb5_locl.h: moved krb5_data* functions to krb5.h
+
+	* admin/util.c: Use {un,}parse_flags for printing and parsing
+ 	hdbflags.
+
+Thu Aug 28 03:26:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c: restructured
+
+	* lib/krb5/warn.c (_warnerr): leak less memory
+
+	* lib/hdb/hdb.c (hdb_free_entry): zero keys
+	(hdb_check_db_format): leak less memory
+
+	* lib/hdb/ndbm.c (NDBM_seq): check for valid hdb_entries implement
+ 	NDBM__get, NDBM__put
+
+	* lib/hdb/db.c (DB_seq): check for valid hdb_entries
+
+Thu Aug 28 02:06:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/send_to_kdc.c: Don't use sendto on connected sockets.
+
+Thu Aug 28 01:13:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.1, klist.1, kdestroy.1: new man pages
+
+	* kpasswd/kpasswd.1, kpasswdd.8: new man pages
+
+	* kdc/kstash.8, hprop.8, hpropd.8: new man pages
+
+	* admin/ktutil.8, admin/kdb_edit.8: new man pages
+
+	* admin/mod.c: new file
+
+	* admin/life.c: renamed gettime and puttime to getlife and putlife
+	and moved them to life.c
+
+	* admin/util.c: add print_flags, parse_flags, init_entry,
+ 	set_created_by, set_modified_by, edit_entry, set_password.  Use
+ 	them.
+
+	* admin/get.c: use print_flags
+
+	* admin: removed unused stuff.  use krb5_{warn,err}*
+
+	* admin/ank.c: re-organized and abstracted.
+
+	* admin/gettime.c: removed
+
+Thu Aug 28 00:37:39 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{get_cred,get_in_tkt}.c: Check for v4 reply.
+
+	* lib/roken/base64.c: Add base64 functions.
+
+	* kdc/connect.c lib/krb5/send_to_kdc.c: Add http support.
+
+Wed Aug 27 00:29:20 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* include/Makefile.am: Don't make links to built files.
+
+	* admin/kdb_edit.c: Add command to set the database path.
+
+	* lib/hdb: Include version number in database.
+
+Tue Aug 26 20:14:54 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/ktutil: Merged v4 srvtab conversion.
+
+Mon Aug 25 23:02:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/roken.h: add F_OK
+
+	* lib/gssapi/acquire_creds.c: fix typo
+
+	* configure.in: call AC_TYPE_MODE_T
+
+	* acinclude.m4: Add AC_TYPE_MODE_T
+
+Sun Aug 24 16:46:53 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0f
+
+Sun Aug 24 08:06:54 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/popper/pop_pass.c: log poppers
+
+	* kdc/kaserver.c: some more checks
+
+	* kpasswd/kpasswd.c: removed `-p'
+
+	* kuser/kinit.c: removed `-p'
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): If
+ 	KDC_ERR_PREUATH_REQUIRED, add preauthentication and try again.
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): don't print out
+ 	krb-error text
+
+	* lib/gssapi/import_name.c (input_name): more names types.
+
+	* admin/load.c (parse_keys): handle the case of an empty salt
+
+	* kdc/kaserver.c: fix up memory deallocation
+
+	* kdc/kaserver.c: quick hack at talking kaserver protocol
+
+	* kdc/kerberos4.c: Make `db-fetch4' global
+
+	* configure.in: add --enable-kaserver
+
+	* kdc/rx.h, kdc/kerberos4.h: new header files
+
+	* lib/krb5/principal.c: fix krb5_build_principal_ext & c:o
+
+Sun Aug 24 03:52:44 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{get_in_tkt,mk_safe,mk_priv}.c: Fix some Cray specific
+ 	type conflicts.
+
+	* lib/krb5/{get_cred,get_in_tkt}.c: Mask nonce to 32 bits.
+
+	* lib/des/{md4,md5,sha}.c: Now works on Crays.
+
+Sat Aug 23 18:15:01 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* appl/afsutil/afslog.c: If no cells or files specified, get
+ 	tokens for all local cells. Better test for files.
+
+Thu Aug 21 23:33:38 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/v1.c: new file with v1 compatibility functions.
+
+Thu Aug 21 20:36:13 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/kafs/afskrb5.c: Don't check ticket file for afs ticket.
+
+	* kdc/kerberos4.c: Check database when converting v4 principals.
+
+	* kdc/kerberos5.c: Include kvno in Ticket.
+
+	* lib/krb5/encrypt.c: Add kvno parameter to encrypt_EncryptedData.
+
+	* kuser/klist.c: Print version number of ticket, include more
+ 	flags.
+
+Wed Aug 20 21:26:58 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/kafs/afskrb5.c (get_cred): Check cached afs tickets for
+ 	expiration.
+
+Wed Aug 20 17:40:31 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/recvauth.c (krb5_recvauth): Send a KRB-ERROR iff
+ 	there's an error.
+
+	* lib/krb5/sendauth.c (krb5_sendauth): correct the protocol
+ 	documentation and process KRB-ERROR's
+
+Tue Aug 19 20:41:30 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos4.c: Fix memory leak in v4 protocol handler.
+
+Mon Aug 18 05:15:09 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/accept_sec_context.c: Added
+ 	`gsskrb5_register_acceptor_identity'
+
+Sun Aug 17 01:40:20 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/accept_sec_context.c (gss_accept_sec_context): don't
+ 	always pass server == NULL to krb5_rd_req.
+
+	* lib/gssapi: new files: canonicalize_name.c export_name.c
+ 	context_time.c compare_name.c release_cred.c acquire_cred.c
+ 	inquire_cred.c, from Luke Howard <lukeh@xedoc.com.au>
+
+	* lib/krb5/config_file.c: Add netinfo support from Luke Howard
+ 	<lukeh@xedoc.com.au>
+
+	* lib/editline/sysunix.c: sgtty-support from Luke Howard
+ 	<lukeh@xedoc.com.au>
+
+	* lib/krb5/principal.c: krb5_sname_to_principal fix from Luke
+ 	Howard <lukeh@xedoc.com.au>
+
+Sat Aug 16 00:44:47 1997  Assar Westerlund  <assar@koi.pdc.kth.se>
+
+	* Release 0.0e
+
+Sat Aug 16 00:23:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* appl/afsutil/afslog.c: Use new libkafs.
+
+	* lib/kafs/afskrb5.c: Get AFS tokens via 524 protocol.
+
+	* lib/krb5/warn.c: Fix format string for *x type.
+
+Fri Aug 15 22:15:01 1997  Assar Westerlund  <assar@sics.se>
+
+	* admin/get.c (get_entry): print more information about the entry
+
+	* lib/des/Makefile.am: build destest, mdtest, des, rpw, speed
+
+	* lib/krb5/config_file.c: new functions `krb5_config_get_time' and
+ 	`krb5_config_vget_time'.  Use them.
+
+Fri Aug 15 00:09:37 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/ktutil.c: Keytab manipulation program.
+
+	* lib/krb5/keytab.c: Return sane values from resolve and
+ 	start_seq_get.
+
+	* kdc/kerberos5.c: Fix for old clients passing 0 for `no endtime'.
+
+	* lib/45/get_ad_tkt.c: Kerberos 4 get_ad_tkt using
+ 	krb524_convert_creds_kdc.
+
+	* lib/krb5/convert_creds.c: Implementation of
+ 	krb524_convert_creds_kdc.
+
+	* lib/asn1/k5.asn1: Make kdc-req-body.till OPTIONAL
+
+	* kdc/524.c: A somewhat working 524-protocol module.
+
+	* kdc/kerberos4.c: Add version 4 ticket encoding and encryption
+ 	functions.
+
+	* lib/krb5/context.c: Fix kdc_timeout.
+
+	* lib/hdb/{ndbm,db}.c: Free name in close.
+
+	* kdc/kerberos5.c (tgs_check_autenticator): Return error code
+
+Thu Aug 14 21:29:03 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c (tgs_make_reply): Fix endtime in reply.
+
+	* lib/krb5/store_emem.c: Fix reallocation bug.
+
+Tue Aug 12 01:29:46 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet/libtelnet/kerberos5.c, appl/popper/pop_init.c: Use
+ 	`krb5_sock_to_principal'.  Send server parameter to
+ 	krb5_rd_req/krb5_recvauth.  Set addresses in auth_context.
+
+	* lib/krb5/recvauth.c: Set addresses in auth_context if there
+ 	aren't any
+
+	* lib/krb5/auth_context.c: New function
+ 	`krb5_auth_con_setaddrs_from_fd'
+
+	* lib/krb5/sock_principal.c: new function
+	`krb5_sock_to_principal'
+	
+	* lib/krb5/time.c: new file with `krb5_timeofday' and
+ 	`krb5_us_timeofday'.  Use these functions.
+
+	* kuser/klist.c: print KDC offset iff verbose
+
+	* lib/krb5/get_in_tkt.c: implement KDC time offset and use it if
+ 	[libdefaults]kdc_timesync is set.
+	
+	* lib/krb5/fcache.c: Implement version 4 of the ccache format.
+
+Mon Aug 11 05:34:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_rep.c (krb5_free_ap_rep_enc_part): free all memory
+
+	* lib/krb5/principal.c (krb5_unparse_name): allocate memory
+ 	properly
+
+	* kpasswd/kpasswd.c: Use `krb5_change_password'
+
+	* lib/krb5/init_creds_pw.c (init_cred): set realm of server
+ 	correctly.
+
+	* lib/krb5/init_creds_pw.c: support changing of password when it
+ 	has expired
+
+	* lib/krb5/changepw.c: new file
+
+	* kuser/klist.c: use getarg
+
+	* admin/init.c (init): add `kadmin/changepw'
+
+Mon Aug 11 04:30:47 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_cred.c: Make get_credentials handle cross-realm.
+
+Mon Aug 11 00:03:24 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/config_file.c: implement support for #-comments
+
+Sat Aug  9 02:21:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop*.c: Add database propagation programs.
+
+	* kdc/connect.c: Max request size.
+
+Sat Aug  9 00:47:28 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/otp: resurrected from krb4
+
+	* appl/push: new program for fetching mail with POP.
+
+	* appl/popper/popper.h: new include files.  new fields in `POP'
+
+	* appl/popper/pop_pass.c: Implement both v4 and v5.
+
+	* appl/popper/pop_init.c: Implement both v4 and v5.
+
+	* appl/popper/pop_debug.c: use getarg.  Talk both v4 and v5
+
+	* appl/popper: Popper from krb4.
+
+	* configure.in: check for inline and <netinet/tcp.h> generate
+ 	files in appl/popper, appl/push, and lib/otp
+
+Fri Aug  8 05:51:02 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c: clean-up and try to free memory even when
+ 	there're errors
+
+	* lib/krb5/get_cred.c: adapt to new `extract_ticket'
+
+	* lib/krb5/get_in_tkt.c: reorganize.  check everything and try to
+ 	return memory even if there are errors.
+
+	* kuser/kverify.c: new file
+
+	* lib/krb5/free_host_realm.c: new file
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): implement
+ 	different nametypes.  Also free memory.
+
+	* lib/krb5/verify_init.c: more functionality
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): free the checksum
+
+	* lib/krb5/get_in_tkt.c (extract_ticket): don't copy over the
+ 	principals in creds.  Should also compare them with that received
+ 	from the KDC
+
+	* lib/krb5/cache.c (krb5_cc_gen_new): copy the newly allocated
+ 	krb5_ccache
+	(krb5_cc_destroy): call krb5_cc_close
+	(krb5_cc_retrieve_cred): delete the unused creds
+
+Fri Aug  8 02:30:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/log.c: Allow better control of destinations of logging
+ 	(like passing explicit destinations, and log-functions).
+
+Fri Aug  8 01:20:39 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_default_principal.c: new file
+
+	* kpasswd/kpasswdd.c: use krb5_log*
+
+Fri Aug  8 00:37:47 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/init_creds_pw.c: Implement krb5_get_init_creds_keytab.
+
+Fri Aug  8 00:37:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c: Use `krb5_get_default_principal'.
+  	Print password expire information.
+
+	* kdc/config.c: new variable `kdc_warn_pwexpire'
+
+	* kpasswd/kpasswd.c: converted to getarg and get_init_creds
+
+Thu Aug  7 22:17:09 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mcache.c: new file
+
+	* admin/gettime.c: new function puttime.  Use it.
+
+	* lib/krb5/keyblock.c: Added krb5_free_keyblock and
+ 	krb5_copy_keyblock
+
+	* lib/krb5/init_creds_pw.c: more functionality
+
+	* lib/krb5/creds.c: Added krb5_free_creds_contents and
+ 	krb5_copy_creds.  Changed callers.
+
+	* lib/krb5/config_file.c: new functions krb5_config_get and
+ 	krb5_config_vget
+
+	* lib/krb5/cache.c: cleanup added mcache
+	
+	* kdc/kerberos5.c: include last-req's of type 6 and 7, if
+ 	applicable
+
+Wed Aug  6 20:38:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/log.c: New parameter `log-level'. Default to `SYSLOG'.
+
+Tue Aug  5 22:53:54 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/verify_init.c, init_creds_pw.c, init_creds.c,
+	prompter_posix.c: the beginning of an implementation of the cygnus
+	initial-ticket API.
+
+	* lib/krb5/get_in_tkt_pw.c: make `krb5_password_key_proc' global
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): new function that is
+ 	almost krb5_get_in_tkt but doesn't write the creds to the ccache.
+  	Small fixes in krb5_get_in_tkt
+
+	* lib/krb5/get_addrs.c (krb5_get_all_client_addrs): don't include
+ 	loopback.
+
+Mon Aug  4 20:20:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc: Make context global.
+
+Fri Aug  1 17:23:56 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0d
+
+	* lib/roken/flock.c: new file
+
+	* kuser/kinit.c: check for and print expiry information in the
+ 	`kdc_rep'
+
+	* lib/krb5/get_in_tkt.c: Set `ret_as_reply' if != NULL
+
+	* kdc/kerberos5.c: Check the valid times on client and server.
+  	Check the password expiration.
+	Check the require_preauth flag.
+  	Send an lr_type == 6 with pw_end.
+	Set key.expiration to min(valid_end, pw_end)
+	
+	* lib/hdb/hdb.asn1: new flags `require_preauth' and `change_pw'
+
+	* admin/util.c, admin/load.c: handle the new flags.
+
+Fri Aug  1 16:56:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb: Add some simple locking.
+
+Sun Jul 27 04:44:31 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/log.c: Add some general logging functions.
+
+	* kdc/kerberos4.c: Add version 4 protocol handler. The requrement
+ 	for this to work is that all involved principals has a des key in
+ 	the database, and that the client has a version 4 (un-)salted
+ 	key. Furthermore krb5_425_conv_principal has to do it's job, as
+ 	present it's not very clever.
+
+	* lib/krb5/principal.c: Quick patch to make 425_conv work
+ 	somewhat.
+
+	* lib/hdb/hdb.c: Add keytype->key and next key functions.
+
+Fri Jul 25 17:32:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): don't free
+ 	`cksum'.  It's allocated and freed by the caller
+
+	* lib/krb5/get_cred.c (krb5_get_kdc_cred): Don't free `addresses'.
+
+	* kdc/kerberos5.c (tgs_rep2): make sure we also have an defined
+ 	`client' to return as part of the KRB-ERROR
+
+Thu Jul 24 08:13:59 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Unseal keys from database before use.
+
+	* kdc/misc.c: New functions set_master_key, unseal_key and
+ 	free_key.
+
+	* lib/roken/getarg.c: Handle `-f arg' correctly.
+
+Thu Jul 24 01:54:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c: implement `-l' aka `--lifetime'
+
+	* lib/roken/parse_units.c, parse_time.c: new files
+
+	* admin/gettime.c (gettime): use `parse_time'
+
+	* kdc/kerberos5.c (as_rep): Use `METHOD-DATA' when sending
+ 	KRB5KDC_ERR_PREAUTH_REQUIRED, not PA-DATA.
+
+	* kpasswd/kpasswdd.c: fix freeing bug use sequence numbers set
+ 	addresses in auth_context bind one socket per interface.
+	
+	* kpasswd/kpasswd.c: use sequence numbers
+
+	* lib/krb5/rd_req.c (krb5_verify_ap_req): do abs when verifying
+ 	the timestamps
+
+	* lib/krb5/rd_priv.c (krb5_rd_priv): Fetch the correct session key
+ 	from auth_context
+
+	* lib/krb5/mk_priv.c (krb5_mk_priv): Fetch the correct session key
+ 	from auth_context
+
+	* lib/krb5/mk_error.c (krb5_mk_error): return an error number and
+ 	not a comerr'd number.
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_tkt): interpret the error
+ 	number in KRB-ERROR correctly.
+
+	* lib/krb5/get_cred.c (krb5_get_kdc_cred): interpret the error
+ 	number in KRB-ERROR correctly.
+
+	* lib/asn1/k5.asn1: Add `METHOD-DATA'
+
+	* removed some memory leaks.
+
+Wed Jul 23 07:53:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0c
+
+	* lib/krb5/rd_cred.c, get_for_creds.c: new files
+
+	* lib/krb5/get_host_realm.c: try default realm as last chance
+
+	* kpasswd/kpasswdd.c: updated to hdb changes
+
+	* appl/telnet/libtelnet/kerberos5.c: Implement forwarding
+
+	* appl/telnet/libtelnet: removed totally unused files
+
+	* admin/ank.c: fix prompts and generation of random keys
+
+Wed Jul 23 04:02:32 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/dump.c: Include salt in dump.
+
+	* admin: Mostly updated for new db-format.
+
+	* kdc/kerberos5.c: Update to use new db format. Better checking of
+ 	flags and such. More logging.
+
+	* lib/hdb/hdb.c: Use generated encode and decode functions.
+
+	* lib/hdb/hdb.h: Get hdb_entry from ASN.1 generated code.
+
+	* lib/krb5/get_cred.c: Get addresses from krbtgt if there are none
+ 	in the reply.
+
+Sun Jul 20 16:22:30 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c: break if des_read_pw_string() != 0
+
+	* kpasswd/kpasswdd.c: send a reply
+
+	* kpasswd/kpasswd.c: restructured code.  better report on
+ 	krb-error break if des_read_pw_string() != 0
+
+	* kdc/kerberos5.c: Check `require_enc_timestamp' malloc space for
+ 	starttime and renew_till
+
+	* appl/telnet/libtelnet/kerberos5.c (kerberos5_is): Send a
+ 	keyblock to krb5_verify_chekcsum
+
+Sun Jul 20 06:35:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0b
+
+	* kpasswd/kpasswd.c: Avoid using non-standard struct names.
+
+Sat Jul 19 19:26:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c (krb5_kt_get_entry): check return from
+ 	`krb5_kt_start_seq_get'.  From <map@stacken.kth.se>
+
+Sat Jul 19 04:07:39 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/k5.asn1: Update with more pa-data types from
+ 	draft-ietf-cat-kerberos-revisions-00.txt
+
+	* admin/load.c: Update to match current db-format.
+
+	* kdc/kerberos5.c (as_rep): Try all valid pa-datas before giving
+ 	up. Send back an empty pa-data if the client has the v4 flag set.
+
+	* lib/krb5/get_in_tkt.c: Pass both version5 and version4 salted
+ 	pa-data. DTRT if there is any pa-data in the reply.
+
+	* lib/krb5/str2key.c: XOR with some sane value.
+
+	* lib/hdb/hdb.h: Add `version 4 salted key' flag.
+
+	* kuser/kinit.c: Ask for password before calling get_in_tkt. This
+ 	makes it possible to call key_proc more than once.
+
+	* kdc/string2key.c: Add flags to output version 5 (DES only),
+ 	version 4, and AFS string-to-key of a password.
+
+	* lib/asn1/gen_copy.c: copy_* functions now returns an int (0 or
+ 	ENOMEM).
+
+Fri Jul 18 02:54:58 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): do the
+ 	name2name thing
+
+	* kdc/misc.c: check result of hdb_open
+
+	* admin/kdb_edit: updated to new sl
+
+	* lib/sl: sl_func now returns an int. != 0 means to exit.
+
+	* kpasswd/kpasswdd: A crude (but somewhat working) implementation
+ 	of `draft-ietf-cat-kerb-chg-password-00.txt'
+
+Fri Jul 18 00:55:39 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kuser/krenew.c: Crude ticket renewing program.
+
+	* kdc/kerberos5.c: Rewritten flags parsing, it now might work to
+ 	get forwarded and renewed tickets.
+
+	* kuser/kinit.c: Add `-r' flag.
+
+	* lib/krb5/get_cred.c: Move most of contents of get_creds to new
+ 	function get_kdc_cred, that always contacts the kdc and doesn't
+ 	save in the cache. This is a hack.
+
+	* lib/krb5/get_in_tkt.c: Pass starttime and renew_till in request
+ 	(a bit kludgy).
+
+	* lib/krb5/mk_req_ext.c: Make an auth_context if none passed in.
+
+	* lib/krb5/send_to_kdc.c: Get timeout from context.
+
+	* lib/krb5/context.c: Add kdc_timeout to context struct.
+
+Thu Jul 17 20:35:45 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kuser/klist.c: Print start time of ticket if available.
+
+	* lib/krb5/get_host_realm.c: Return error if no realm was found.
+
+Thu Jul 17 20:28:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd: non-working kpasswd added
+
+Thu Jul 17 00:21:22 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* Release 0.0a
+
+	* kdc/main.c: Add -p flag to disable pa-enc-timestamp requirement.
+
+Wed Jul 16 03:37:41 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c (tgs_rep2): Free ticket and ap_req.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_free): Free remote
+ 	subkey.
+
+	* lib/krb5/principal.c (krb5_free_principal): Check for NULL.
+
+	* lib/krb5/send_to_kdc.c: Check for NULL return from
+ 	gethostbyname.
+
+	* lib/krb5/set_default_realm.c: Try to get realm of local host if
+ 	no default realm is available.
+
+	* Remove non ASN.1 principal code.
+
+Wed Jul 16 03:17:30 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kerberos5.c: Split tgs_rep in smaller functions. Add better
+ 	error handing. Do some logging.
+
+	* kdc/log.c: Some simple logging facilities.
+
+	* kdc/misc.c (db_fetch): Take a krb5_principal.
+
+	* kdc/connect.c: Pass address of request to as_rep and
+ 	tgs_rep. Send KRB-ERROR.
+
+	* lib/krb5/mk_error.c: Add more fields.
+
+	* lib/krb5/get_cred.c: Print normal error code if no e_text is
+ 	available.
+
+Wed Jul 16 03:07:50 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c: implement `krb5_init_etype'.
+ 	Change encryption type of pa_enc_timestamp to DES-CBC-MD5
+
+	* lib/krb5/context.c: recognize all encryption types actually
+ 	implemented
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): Change default
+ 	encryption type to `DES_CBC_MD5'
+
+	*  lib/krb5/read_message.c, write_message.c: new files
+
+Tue Jul 15 17:14:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1: replaced asn1_locl.h by `der_locl.h' and `gen_locl.h'.
+
+	* lib/error/compile_et.awk: generate a prototype for the
+ 	`destroy_foo_error_table' function.
+
+Mon Jul 14 12:24:40 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krbhst.c (krb5_get_krbhst): Get all kdc's and try also
+ 	with `kerberos.REALM'
+
+	* kdc/kerberos5.c, lib/krb5/rd_priv.c, lib/krb5/rd_safe.c: use
+ 	`max_skew'
+
+	* lib/krb5/rd_req.c (krb5_verify_ap_req): record authenticator
+ 	subkey
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): always
+ 	generate a subkey.
+
+	* lib/krb5/address.c: implement `krb5_address_order'
+
+	* lib/gssapi/import_name.c: Implement `gss_import_name'
+
+	* lib/gssapi/external.c: Use new OID
+
+	* lib/gssapi/encapsulate.c: New functions
+ 	`gssapi_krb5_encap_length' and `gssapi_krb5_make_header'.  Changed
+	callers.
+
+	* lib/gssapi/decapsulate.c: New function
+ 	`gssaspi_krb5_verify_header'.  Changed callers.
+
+	* lib/asn1/gen*.c: Give tags to generated structs.
+	Use `err' and `asprintf'
+
+	* appl/test/gss_common.c: new file
+
+	* appl/test/gssapi_server.c: removed all krb5 calls
+
+	* appl/telnet/libtelnet/kerberos5.c: Add support for genering and
+ 	verifying checksums.  Also start using session subkeys.
+
+Mon Jul 14 12:08:25 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/rd_req.c (krb5_rd_req_with_keyblock): Split up.
+
+Sun Jul 13 03:07:44 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_safe.c, mk_safe.c: made bug-compatible with MIT
+
+	* lib/krb5/encrypt.c: new functions `DES_encrypt_null_ivec' and
+ 	`DES_encrypt_key_ivec'
+
+	* lib/krb5/checksum.c: implement rsa-md4-des and rsa-md5-des
+
+	* kdc/kerberos5.c (tgs_rep): support keyed checksums
+
+	* lib/krb5/creds.c: new file
+
+	* lib/krb5/get_in_tkt.c: better freeing
+
+	* lib/krb5/context.c (krb5_free_context): more freeing
+
+	* lib/krb5/config_file.c: New function `krb5_config_file_free'
+
+	* lib/error/compile_et.awk: Generate a `destroy_' function.
+
+	* kuser/kinit.c, klist.c: Don't leak memory.
+
+Sun Jul 13 02:46:27 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: Check filedescriptor in select.
+
+	* kdc/kerberos5.c: Remove most of the most common memory leaks.
+
+	* lib/krb5/rd_req.c: Free allocated data.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_free): Free a lot of
+ 	fields.
+
+Sun Jul 13 00:32:16 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet: Conditionalize the krb4-support.
+
+	* configure.in: Test for krb4
+
+Sat Jul 12 17:14:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c: check if the pre-auth was decrypted properly.
+  	set the `pre_authent' flag
+
+	* lib/krb5/get_cred.c, lib/krb5/get_in_tkt.c: generate a random nonce.
+
+	* lib/krb5/encrypt.c: Made `generate_random_block' global.
+
+	* appl/test: Added gssapi_client and gssapi_server.
+
+	* lib/krb5/data.c: Add `krb5_data_zero'
+
+	* appl/test/tcp_client.c: try `mk_safe' and `mk_priv'
+
+	* appl/test/tcp_server.c: try `rd_safe' and `rd_priv'
+
+Sat Jul 12 16:45:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fix for systems that has sa_len, but
+ 	returns zero length from SIOCGIFCONF.
+
+Sat Jul 12 16:38:34 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/test: new programs
+	
+	* lib/krb5/rd_req.c: add address compare
+
+	* lib/krb5/mk_req_ext.c: allow no checksum
+
+	* lib/krb5/keytab.c (krb5_kt_ret_string): 0-terminate string
+
+	* lib/krb5/address.c: fix `krb5_address_compare'
+
+Sat Jul 12 15:03:16 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fix ip4 address extraction.
+
+	* kuser/klist.c: Add verbose flag, and split main into smaller
+ 	pieces.
+
+	* lib/krb5/fcache.c: Save ticket flags.
+
+	* lib/krb5/get_in_tkt.c (extract_ticket): Extract addresses and
+ 	flags.
+
+	* lib/krb5/krb5.h: Add ticket_flags to krb5_creds.
+
+Sat Jul 12 13:12:48 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: Call `AC_KRB_PROG_LN_S'
+
+	* acinclude.m4: Add `AC_KRB_PROG_LN_S' from krb4
+
+Sat Jul 12 00:57:01 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt.c: Use union of krb5_flags and KDCOptions to
+ 	pass options.
+
+Fri Jul 11 15:04:22 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet: telnet & telnetd seems to be working.
+	
+	* lib/krb5/config_file.c: Added krb5_config_v?get_list Fixed
+ 	krb5_config_vget_next
+
+	* appl/telnet/libtelnet/kerberos5.c: update to current API
+
+Thu Jul 10 14:54:39 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet/libtelnet/kerberos5.c (kerberos5_status): call
+ 	`krb5_kuserok'
+
+	* appl/telnet: Added.
+
+Thu Jul 10 05:09:25 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/error/compile_et.awk: Remove usage of sub, gsub, and
+ 	functions for compatibility with awk.
+
+	* include/bits.c: Must use signed char.
+
+	* lib/krb5/context.c: Move krb5_get_err_text, and krb5_init_ets
+ 	here.
+
+	* lib/error/error.c: Replace krb5_get_err_text with new function
+ 	com_right.
+
+	* lib/error/compile_et.awk: Avoid using static variables.
+
+	* lib/error/error.c: Don't use krb5_locl.h
+
+	* lib/error/error.h: Move definitions of error_table and
+ 	error_list from krb5.h.
+
+	* lib/error: Moved from lib/krb5.
+
+Wed Jul  9 07:42:04 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/encrypt.c: Temporary hack to avoid des_rand_data.
+
+Wed Jul  9 06:58:00 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/{rd,mk}_{*}.c: more checking for addresses and stuff
+	according to pseudocode from 1510
+
+Wed Jul  9 06:06:06 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/hdb/hdb.c: Add hdb_etype2key.
+
+	* kdc/kerberos5.c: Check authenticator. Use more general etype
+ 	functions.
+	
+Wed Jul  9 03:51:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/k5.asn1: Made all `s_address' OPTIONAL according to
+ 	draft-ietf-cat-kerberos-r-00.txt
+
+	* lib/krb5/principal.c (krb5_parse_name): default to local realm
+ 	if none given
+	
+	* kuser/kinit.c: New option `-p' and prompt
+
+Wed Jul  9 02:30:06 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/keyblock.c: Keyblock generation functions.
+
+	* lib/krb5/encrypt.c: Use functions from checksum.c.
+
+	* lib/krb5/checksum.c: Move checksum functions here. Add
+ 	krb5_cksumsize function.
+
+Wed Jul  9 01:15:38 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c: implemented
+
+	* lib/krb5/config_file.c: Redid part.  New functions:
+ 	krb5_config_v?get_next
+
+	* kuser/kdestroy.c: new program
+
+	* kuser/kinit.c: new flag `-f'
+
+	* lib/asn1/k5.asn1: Made HostAddresses = SEQUENCE OF HostAddress
+
+	* acinclude.m4: Added AC_KRB_STRUCT_SOCKADDR_SA_LEN
+
+	* lib/krb5/krb5.h: krb5_addresses == HostAddresses.  Changed all
+ 	users.
+
+	* lib/krb5/get_addrs.c: figure out all local addresses, possibly
+ 	even IPv6!
+
+	* lib/krb5/checksum.c: table-driven checksum
+
+Mon Jul  7 21:13:28 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/encrypt.c: Make krb5_decrypt use the same struct as
+ 	krb5_encrypt.
+
+Mon Jul  7 11:15:51 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/vsyslog.c: new file
+
+	* lib/krb5/encrypt.c: add des-cbc-md4.
+	adjust krb5_encrypt and krb5_decrypt to reality
+
+Mon Jul  7 02:46:31 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/encrypt.c: Implement as a vector of function pointers.
+
+	* lib/krb5/{decrypt,encrypt}.c: Implement des-cbc-crc, and
+ 	des-cbc-md5 in separate functions.
+
+	* lib/krb5/krb5.h: Add more checksum and encryption types.
+
+	* lib/krb5/krb5_locl.h: Add etype to krb5_decrypt.
+
+Sun Jul  6 23:02:59 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/[gs]et_default_realm.c, kuserok.c: new files
+
+	* lib/krb5/config_file.[ch]: new c-based configuration reading
+ 	stuff
+
+Wed Jul  2 23:12:56 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: Set WFLAGS if using gcc
+
+Wed Jul  2 17:47:03 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/der_put.c (der_put_int): Return size correctly.
+
+	* admin/ank.c: Be compatible with the asn1 principal format.
+
+Wed Jul  1 23:52:20 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1: Now all decode_* and encode_* functions now take a
+ 	final size_t* argument, that they return the size in. Return
+ 	values are zero for success, and anything else (such as some
+ 	ASN1_* constant) for error.
+
+Mon Jun 30 06:08:14 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c (krb5_kt_add_entry): change open mode to
+ 	O_WRONLY | O_APPEND
+
+	* lib/krb5/get_cred.c: removed stale prototype for
+ 	`extract_ticket' and corrected call.
+
+	* lib/asn1/gen_length.c (length_type): Make the length functions
+ 	for SequenceOf non-destructive
+
+	* admin/ank.c (doit): Fix reading of `y/n'.
+
+Mon Jun 16 05:41:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/wrap.c, unwrap.c: do encrypt and add sequence number
+
+	* lib/gssapi/get_mic.c, verify_mic.c: Add sequence number.
+
+	* lib/gssapi/accept_sec_context.c (gss_accept_sec_context): Set
+ 	KRB5_AUTH_CONTEXT_DO_SEQUENCE.  Verify 8003 checksum.
+
+	* lib/gssapi/8003.c: New file.
+
+	* lib/krb/krb5.h: Define a `krb_authenticator' as an ASN.1
+ 	Authenticator.
+
+	* lib/krb5/auth_context.c: New functions
+ 	`krb5_auth_setlocalseqnumber' and `krb5_auth_setremoteseqnumber'
+
+Tue Jun 10 00:35:54 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5: Preapre for use of some asn1-types.
+
+	* lib/asn1/*.c (copy_*): Constness.
+
+	* lib/krb5/krb5.h: Include asn1.h; krb5_data is now an
+ 	octet_string.
+
+	* lib/asn1/der*,gen.c: krb5_data -> octet_string, char * ->
+ 	general_string
+
+	* lib/asn1/libasn1.h: Moved stuff from asn1_locl.h that doesn't
+ 	have anything to do with asn1_compile.
+
+	* lib/asn1/asn1_locl.h: Remove der.h. Add some prototypes.
+
+Sun Jun  8 03:51:55 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c: Fix PA-ENC-TS-ENC
+
+ 	* kdc/connect.c(process_request): Set `new'
+	
+	* lib/krb5/get_in_tkt.c: Do PA-ENC-TS-ENC the correct way.
+
+	* lib: Added editline,sl,roken.
+
+Mon Jun  2 00:37:48 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/fcache.c: Move file cache from cache.c.
+
+	* lib/krb5/cache.c: Allow more than one cache type.
+
+Sun Jun  1 23:45:33 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* admin/extkeytab.c: Merged with kdb_edit.
+
+Sun Jun  1 23:23:08 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kdc.c: more support for ENC-TS-ENC
+
+	* lib/krb5/get_in_tkt.c: redone to enable pre-authentication
+
+Sun Jun  1 22:45:11 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/hdb/db.c: Merge fetch and store.
+
+	* admin: Merge to one program.
+
+	* lib/krb5/str2key.c: Fill in keytype and length.
+
+Sun Jun  1 16:31:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_safe.c, lib/krb5/rd_priv.c, lib/krb5/mk_rep.c,
+ 	lib/krb5/mk_priv.c, lib/krb5/build_auth.c: Some support for
+ 	KRB5_AUTH_CONTEXT_DO_SEQUENCE
+
+	* lib/krb5/get_in_tkt.c (get_in_tkt): be prepared to parse an
+ 	KRB_ERROR.  Some support for PA_ENC_TS_ENC.
+
+	* lib/krb5/auth_context.c: implemented seq_number functions
+
+	* lib/krb5/generate_subkey.c, generate_seq_number.c: new files
+
+	* lib/gssapi/gssapi.h: avoid including <krb5.h>
+
+	* lib/asn1/Makefile.am: SUFFIXES as a variable to make automake
+ 	happy
+
+	* kdc/kdc.c: preliminary PREAUTH_ENC_TIMESTAMP
+
+	* configure.in: adapted to automake 1.1p
+
+Mon May 26 22:26:21 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/principal.c: Add contexts to many functions.
+
+Thu May 15 20:25:37 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/verify_user.c: First stab at a verify user.
+
+	* lib/auth/sia/sia5.c: SIA module for Kerberos 5.
+
+Mon Apr 14 00:09:03 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi: Enough of a gssapi-over-krb5 implementation to be
+	able to (mostly) run gss-client and gss-server.
+	
+	* lib/krb5/keytab.c: implemented krb5_kt_add_entry,
+ 	krb5_kt_store_principal, krb5_kt_store_keyblock
+
+	* lib/des/md5.[ch], sha.[ch]: new files
+
+	* lib/asn1/der_get.c (generalizedtime2time): use `timegm'
+
+	* lib/asn1/timegm.c: new file
+
+	* admin/extkeytab.c: new program
+
+	* admin/admin_locl.h: new file
+
+	* admin/Makefile.am: Added extkeytab
+
+	* configure.in: moved config to include
+	removed timezone garbage
+	added lib/gssapi and admin
+
+	* Makefile.am: Added admin
+
+Mon Mar 17 11:34:05 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kdc.c: Use new copying functions, and free some data.
+
+	* lib/asn1/Makefile.am: Try to not always rebuild generated files.
+
+	* lib/asn1/der_put.c: Add fix_dce().
+
+	* lib/asn1/der_{get,length,put}.c: Fix include files.
+
+	* lib/asn1/der_free.c: Remove unused functions.
+	
+	* lib/asn1/gen.c: Split into gen_encode, gen_decode, gen_free,
+ 	gen_length, and gen_copy.
+
+Sun Mar 16 18:13:52 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/sendauth.c: implemented functionality
+
+	* lib/krb5/rd_rep.c: Use `krb5_decrypt'
+
+	* lib/krb5/cache.c (krb5_cc_get_name): return default if `id' ==
+ 	NULL
+
+	* lib/krb5/principal.c (krb5_free_principal): added `context'
+ 	argument.  Changed all callers.
+	
+	(krb5_sname_to_principal): new function
+
+	* lib/krb5/auth_context.c (krb5_free_authenticator): add `context'
+ 	argument.  Changed all callers
+
+	* lib/krb5/{net_write.c,net_read.c,recvauth.c}: new files
+
+	* lib/asn1/gen.c: Fix encoding and decoding of BitStrings
+
+Fri Mar 14 11:29:00 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: look for *dbm?
+
+	* lib/asn1/gen.c: Fix filename in generated files. Check fopens.
+  	Put trailing newline in asn1_files.
+
+Fri Mar 14 05:06:44 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt.c: Fix some memory leaks.
+
+	* lib/krb5/krbhst.c: Properly free hostlist.
+
+	* lib/krb5/decrypt.c: CRCs are 32 bits.
+
+Fri Mar 14 04:39:15 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/gen.c: Generate one file for each type.
+
+Fri Mar 14 04:13:47 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/gen.c: Generate `length_FOO' functions
+
+	* lib/asn1/der_length.c: new file
+
+	* kuser/klist.c: renamed stime -> printable_time to avoid conflict
+ 	on HP/UX
+
+Fri Mar 14 03:37:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb/ndbm.c: Return NOENTRY if fetch fails. Don't free
+ 	datums. Don't add .db to filename.
+
+Fri Mar 14 02:49:51 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/dump.c: Database dump program.
+
+	* kdc/ank.c: Trivial database editing program.
+
+	* kdc/{kdc.c, load.c}: Use libhdb.
+
+	* lib/hdb: New database routine library.
+
+	* lib/krb5/error/Makefile.am: Add hdb_err.
+
+Wed Mar 12 17:41:14 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kdc.c: Rewritten AS, and somewhat more working TGS support.
+
+	* lib/asn1/gen.c: Generate free functions.
+
+	* Some specific free functions.
+
+Wed Mar 12 12:30:13 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5_mk_req_ext.c: new file
+
+	* lib/asn1/gen.c: optimize the case with a simple type
+
+	* lib/krb5/get_cred.c (krb5_get_credentials): Use
+ 	`mk_req_extended' and remove old code.
+
+	* lib/krb5/get_in_tkt.c (decrypt_tkt): First try with an
+ 	EncASRepPart, then with an EncTGSRepPart.
+
+Wed Mar 12 08:26:04 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/store_emem.c: New resizable memory storage.
+
+	* lib/krb5/{store.c, store_fd.c, store_mem.c}: Split of store.c
+
+	* lib/krb5/krb5.h: Add free entry to krb5_storage.
+
+	* lib/krb5/decrypt.c: Make keyblock const.
+
+Tue Mar 11 20:22:17 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/krb5.h: Add EncTicketPart to krb5_ticket.
+
+	* lib/krb5/rd_req.c: Return whole asn.1 ticket in
+ 	krb5_ticket->tkt.
+
+	* lib/krb5/get_in_tkt.c: TGS -> AS
+
+	* kuser/kfoo.c: Print error string rather than number.
+
+	* kdc/kdc.c: Some kind of non-working TGS support.
+
+Mon Mar 10 01:43:22 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/gen.c: reduced generated code by 1/5
+
+ 	* lib/asn1/der_put.c: (der_put_length_and_tag): new function
+
+	* lib/asn1/der_get.c (der_match_tag_and_length): new function
+
+	* lib/asn1/der.h: added prototypes
+
+Mon Mar 10 01:15:43 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/krb5.h: Include <asn1_err.h>. Add prototype for
+ 	krb5_rd_req_with_keyblock.
+
+	* lib/krb5/rd_req.c: Add function krb5_rd_req_with_keyblock that
+ 	takes a precomputed keyblock.
+
+	* lib/krb5/get_cred.c: Use krb5_mk_req rather than inlined code.
+
+	* lib/krb5/mk_req.c: Calculate checksum of in_data.
+
+Sun Mar  9 21:17:58 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/error/compile_et.awk: Add a declaration of struct
+ 	error_list, and multiple inclusion block to header files.
+
+Sun Mar  9 21:01:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c: do some checks on times
+
+	* lib/krb/{mk_priv.c, rd_priv.c, sendauth.c, decrypt.c,
+	address.c}: new files
+
+	* lib/krb5/auth_context.c: more code
+
+	* configure.in: try to figure out timezone
+
+Sat Mar  8 11:41:07 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/error/error.c: Try strerror if error code wasn't found.
+
+	* lib/krb5/get_in_tkt.c: Remove realm parameter from
+ 	krb5_get_salt.
+
+	* lib/krb5/context.c: Initialize error table.
+
+	* kdc: The beginnings of a kdc.
+
+Sat Mar  8 08:16:28 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_safe.c: new file
+
+	* lib/krb5/checksum.c (krb5_verify_checksum): New function
+
+	* lib/krb5/get_cred.c: use krb5_create_checksum
+
+	* lib/krb5/checksum.c: new file
+
+	* lib/krb5/store.c: no more arithmetic with void*
+
+	* lib/krb5/cache.c: now seems to work again
+
+Sat Mar  8 06:58:09 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/Makefile.am: Add asn1_glue.c and error/*.c to libkrb5.
+
+	* lib/krb5/get_in_tkt.c: Moved some functions to asn1_glue.c.
+
+	* lib/krb5/asn1_glue.c: Moved some asn1-stuff here.
+	
+	* lib/krb5/{cache,keytab}.c: Use new storage functions.
+
+	* lib/krb5/krb5.h: Protypes for new storage functions.
+
+	* lib/krb5/krb5.h: Make krb5_{ret,store}_* functions able to write
+ 	data to more than file descriptors.
+
+Sat Mar  8 01:01:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/encrypt.c: New file.
+
+	* lib/krb5/Makefile.am: More -I
+
+	* configure.in: Test for big endian, random, rand, setitimer
+
+	* lib/asn1/gen.c: perhaps even decodes bitstrings
+
+Thu Mar  6 19:05:29 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/config_file.y: Better return values on error.
+
+Sat Feb  8 15:59:56 1997  Assar Westerlund  <assar@pdc.kth.se>
+
+	* lib/asn1/parse.y: ifdef HAVE_STRDUP
+
+	* lib/asn1/lex.l: ifdef strdup
+	brange-dead version of list of special characters to make stupid
+ 	lex accept it.
+
+	* lib/asn1/gen.c: A DER integer should really be a `unsigned'
+
+	* lib/asn1/der_put.c: A DER integer should really be a `unsigned'
+
+	* lib/asn1/der_get.c: A DER integer should really be a `unsigned'
+
+	* lib/krb5/error/Makefile.am: It seems "$(SHELL) ./compile_et" is
+ 	needed.
+
+	* lib/krb/mk_rep.c, lib/krb/rd_req.c, lib/krb/store.c,
+ 	lib/krb/store.h: new files.
+
+	* lib/krb5/keytab.c: now even with some functionality.
+
+	* lib/asn1/gen.c: changed paramater from void * to Foo *
+
+	* lib/asn1/der_get.c (der_get_octet_string): Fixed bug with empty
+ 	string.
+
+Sun Jan 19 06:17:39 1997  Assar Westerlund  <assar@pdc.kth.se>
+
+	* lib/krb5/get_cred.c (krb5_get_credentials): Check for creds in
+ 	cc before getting new ones.
+
+	* lib/krb5/krb5.h (krb5_free_keyblock): Fix prototype.
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): It seems the
+ 	CRC should be stored LSW first. (?)
+
+	* lib/krb5/auth_context.c: Implement `krb5_auth_con_getkey' and
+ 	`krb5_free_keyblock'
+
+	* lib/**/Makefile.am: Rename foo libfoo.a
+
+	* include/Makefile.in: Use test instead of [
+	-e does not work with /bin/sh on psoriasis
+
+	* configure.in: Search for awk
+	create lib/krb/error/compile_et
+	
+Tue Jan 14 03:46:26 1997  Assar Westerlund  <assar@pdc.kth.se>
+
+	* lib/krb5/Makefile.am: replaced mit-crc.c by crc.c
+
+Wed Dec 18 00:53:55 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/kinit.c: Guess principal.
+
+	* lib/krb5/error/compile_et.awk: Don't include krb5.h. Fix some
+ 	warnings.
+
+	* lib/krb5/error/asn1_err.et: Add ASN.1 error messages.
+
+	* lib/krb5/mk_req.c: Get client from cache.
+
+	* lib/krb5/cache.c: Add better error checking some useful return
+ 	values.
+
+	* lib/krb5/krb5.h: Fix krb5_auth_context.
+
+	* lib/asn1/der.h: Make krb5_data compatible with krb5.h
+
+Tue Dec 17 01:32:36 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/error: Add primitive error library.
+
+Mon Dec 16 16:30:20 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/cache.c: Get correct address type from cache.
+
+	* lib/krb5/krb5.h: Change int16 to int to be compatible with asn1.
+
diff --git a/crypto/heimdal/ChangeLog.1999 b/crypto/heimdal/ChangeLog.1999
new file mode 100644
index 0000000..e022b96
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.1999
@@ -0,0 +1,2194 @@
+1999-12-30  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (krb4): use `-ldes' in tests
+
+1999-12-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/print.c (event2string): handle events without principal.
+  	From Luke Howard <lukeh@PADL.COM>
+
+1999-12-25  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2j
+
+Tue Dec 21 18:03:17 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and
+ 	related systems
+
+	* lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and
+ 	related systems
+
+	* include/Makefile.am (krb5-types.h): add $(EXEEXT) for cygwin and
+ 	related systems
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2i
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 6:3:1
+
+	* lib/krb5/send_to_kdc.c (send_via_proxy): free data
+	* lib/krb5/send_to_kdc.c (send_via_proxy): new function use
+	getaddrinfo instead of gethostbyname{,2}
+	* lib/krb5/get_for_creds.c: use getaddrinfo instead of
+	getnodebyname{,2}
+
+1999-12-17  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2h
+
+1999-12-17  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2g
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 6:2:1
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): handle
+	ai_canonname not being set
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): handle
+	ai_canonname not being set
+
+	* appl/test/uu_server.c: print messages to stderr
+	* appl/test/tcp_server.c: print messages to stderr
+	* appl/test/nt_gss_server.c: print messages to stderr
+	* appl/test/gssapi_server.c: print messages to stderr
+
+	* appl/test/tcp_client.c (proto): remove shadowing `context'
+	* appl/test/common.c (client_doit): add forgotten ntohs
+
+1999-12-13  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (VERISON): bump to 0.2g-pre
+
+1999-12-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_425_conv_principal_ext): be more
+ 	robust and handle extra dot at the beginning of default_domain
+
+1999-12-12  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2f
+
+1999-12-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 6:1:1
+	
+	* lib/krb5/changepw.c (get_kdc_address): use
+ 	`krb5_get_krb_changepw_hst'
+
+	* lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): add
+
+	* lib/krb5/get_host_realm.c: add support for _kerberos.domain
+ 	(according to draft-ietf-cat-krb-dns-locate-01.txt)
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2e
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/changepw.c (krb5_change_password): use the correct
+ 	address
+
+	* lib/krb5/Makefile.am: bump version to 6:0:1
+
+	* lib/asn1/Makefile.am: bump version to 1:4:0
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: move AC_KRB_IPv6 to make sure it's performed
+ 	before AC_BROKEN
+	(el_init): use new feature of AC_FIND_FUNC_NO_LIBS
+
+	* appl/test/uu_client.c: use client_doit
+	* appl/test/test_locl.h (client_doit): add prototype
+	* appl/test/tcp_client.c: use client_doit
+	* appl/test/nt_gss_client.c: use client_doit
+	* appl/test/gssapi_client.c: use client_doit
+	* appl/test/common.c (client_doit): move identical code here and
+	start using getaddrinfo
+
+	* appl/kf/kf.c (doit): rewrite to use getaddrinfo
+	* kdc/hprop.c: re-write to use getaddrinfo
+	* lib/krb5/principal.c (krb5_sname_to_principal): use getaddrinfo
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): use
+	getaddrinfo
+	* lib/krb5/changepw.c: re-write to use getaddrinfo
+	* lib/krb5/addr_families.c (krb5_parse_address): use getaddrinfo
+
+1999-12-03  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (BROKEN): check for freeaddrinfo, getaddrinfo,
+	getnameinfo, gai_strerror
+	(socklen_t): check for
+
+1999-12-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/crypto.c: ARCFOUR_set_key -> RC4_set_key
+
+1999-11-23  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c (ARCFOUR_string_to_key): change order of bytes
+ 	within unicode characters.  this should probably be done in some
+ 	arbitrarly complex way to do it properly and you would have to
+ 	know what character encoding was used for the password and salt
+ 	string.
+
+	* lib/krb5/addr_families.c (ipv4_uninteresting): ignore 0.0.0.0
+	(INADDR_ANY)
+	(ipv6_uninteresting): remove unused macro
+
+1999-11-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5.h: rc4->arcfour
+
+	* lib/krb5/crypto.c: rc4->arcfour
+
+1999-11-17  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5_locl.h: add <rc4.h>
+	* lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_RC4
+	* lib/krb5/crypto.c: some code for doing RC4/MD5/HMAC which might
+	not be totally different from some small company up in the
+	north-west corner of the US
+
+	* lib/krb5/get_addrs.c (find_all_addresses): change code to
+ 	actually increment buf_size
+
+1999-11-14  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h (krb5_context_data): add `scan_interfaces'
+	* lib/krb5/get_addrs.c (krb5_get_all_client_addrs): make interaces
+ 	scanning optional
+	* lib/krb5/context.c (init_context_from_config_file): set
+ 	`scan_interfaces'
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add add_et_list.c
+	* lib/krb5/add_et_list.c (krb5_add_et_list): new function
+
+1999-11-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_default_realm.c (krb5_get_default_realm,
+	krb5_get_default_realms): set realms if they were unset
+	* lib/krb5/context.c (init_context_from_config_file): don't
+	initialize default realms here.  it's done lazily instead.
+	
+	* lib/krb5/krb5.h (KRB5_TC_*): make constants unsigned
+	* lib/asn1/gen_glue.c (generate_2int, generate_units): make sure
+	bit constants are unsigned
+	* lib/asn1/gen.c (define_type): make length in sequences be
+	unsigned.
+
+	* configure.in: remove duplicate test for setsockopt test for
+	struct tm.tm_isdst
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): generate
+	preauthentication information if we get back ERR_PREAUTH_REQUIRED
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): remove
+	preauthentication generation code.  it's now in krb5_get_in_cred
+	
+	* configure.in (AC_BROKEN_SNPRINTF): add strptime check for struct
+	tm.tm_gmtoff and timezone
+	
+1999-11-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/main.c: make this work with multi-db
+
+	* kdc/kdc_locl.h: make this work with multi-db
+
+	* kdc/config.c: make this work with multi-db
+
+1999-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/misc.c: update for multi-database code
+
+	* kdc/main.c: update for multi-database code
+
+	* kdc/kdc_locl.h: update
+
+	* kdc/config.c: allow us to have more than one database
+
+1999-11-04  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2d
+
+	* lib/krb5/Makefile.am: bump version to 5:0:0 to be safe
+ 	(krb5_context_data has changed and some code do (might) access
+ 	fields directly)
+
+	* lib/krb5/krb5.h (krb5_context_data): add `etypes_des'
+
+	* lib/krb5/get_cred.c (init_tgs_req): use
+ 	krb5_keytype_to_enctypes_default
+
+	* lib/krb5/crypto.c (krb5_keytype_to_enctypes_default): new
+ 	function
+
+	* lib/krb5/context.c (set_etypes): new function
+	(init_context_from_config_file): set both `etypes' and `etypes_des'
+
+1999-11-02  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (VERSION): bump to 0.2d-pre
+
+1999-10-29  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_parse_name): check memory allocations
+
+1999-10-28  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2c
+
+	* lib/krb5/dump_config.c (print_tree): check for empty tree
+
+	* lib/krb5/string-to-key-test.c (tests): update the test cases
+ 	with empty principals so that they actually use an empty realm and
+ 	not the default.  use the correct etype for 3DES
+
+	* lib/krb5/Makefile.am: bump version to 4:1:0
+
+	* kdc/config.c (configure): more careful with the port string
+
+1999-10-26  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2b
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 4:0:0
+ 	(krb524_convert_creds_kdc and potentially some other functions
+ 	have changed prototypes)
+
+	* lib/hdb/Makefile.am: bump version to 4:0:1
+
+	* lib/asn1/Makefile.am: bump version to 1:3:0
+
+	* configure.in (LIB_roken): add dbopen.  getcap in roken
+ 	references dbopen and with shared libraries we need to add this
+ 	dependency.
+
+	* lib/krb5/verify_krb5_conf.c (main): support speicifying the
+ 	configuration file to test on the command line
+
+	* lib/krb5/config_file.c (parse_binding): handle line with no
+ 	whitespace before =
+	(krb5_config_parse_file_debug): set lineno earlier so that we don't
+	use it unitialized
+
+	* configure.in (AM_INIT_AUTOMAKE): bump to 0.2b-pre opt*: need
+ 	more include files for these tests
+
+	* lib/krb5/set_default_realm.c (krb5_set_default_realm): use
+ 	krb5_config_get_strings, which means that your configuration file
+ 	should look like:
+	
+	[libdefaults]
+	  default_realm = realm1 realm2 realm3
+
+	* lib/krb5/set_default_realm.c (config_binding_to_list): fix
+ 	copy-o.  From Michal Vocu <michal@karlin.mff.cuni.cz>
+
+	* kdc/config.c (configure): add a missing strdup.  From Michal
+ 	Vocu <michal@karlin.mff.cuni.cz>
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2a
+
+	* configure.in: only test for db.h with using berkeley_db. remember
+ 	to link with LIB_tgetent when checking for el_init. add xnlock
+
+	* appl/Makefile.am: add xnlock
+
+	* kdc/kerberos5.c (find_etype): support null keys
+
+	* kdc/kerberos4.c (get_des_key): support null keys
+
+	* lib/krb5/crypto.c (krb5_get_wrapped_length): more correct
+ 	calculation
+
+1999-10-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c (main): pass ccache to krb524_convert_creds_kdc
+
+1999-10-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/crypto.c (krb5_enctype_to_keytype): remove warning
+
+1999-10-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req.c (krb5_mk_req): use krb5_free_host_realm
+
+	* lib/krb5/krb5.h (krb5_ccache_data): make `ops' const
+
+	* lib/krb5/crypto.c (krb5_string_to_salttype): new function
+
+	* **/*.[ch]: const-ize
+
+1999-10-06  Assar Westerlund  <assar@sics.se>
+	
+	* lib/krb5/creds.c (krb5_compare_creds): const-ify
+	
+	* lib/krb5/cache.c: clean-up and comment-up
+
+	* lib/krb5/copy_host_realm.c (krb5_copy_host_realm): copy all the
+ 	strings
+
+	* lib/krb5/verify_user.c (krb5_verify_user_lrealm): free the
+ 	correct realm part
+
+	* kdc/connect.c (handle_tcp): things work much better when ret is
+ 	initialized
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): look at the
+ 	type of the session key
+
+	* lib/krb5/crypto.c (krb5_enctypes_compatible_keys): spell
+ 	correctly
+
+	* lib/krb5/creds.c (krb5_compare_creds): fix spelling of
+ 	krb5_enctypes_compatible_keys
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): get new
+ 	credentials from the KDC if the existing one doesn't have a DES
+ 	session key.
+
+	* lib/45/get_ad_tkt.c (get_ad_tkt): update to new
+ 	krb524_convert_creds_kdc
+
+1999-10-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/keytab_keyfile.c: make krb5_akf_ops const
+
+	* lib/krb5/keytab_memory.c: make krb5_mkt_ops const
+
+	* lib/krb5/keytab_file.c: make krb5_fkt_ops const
+
+1999-10-01  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/config_file.c: rewritten to allow error messages
+
+	* lib/krb5/Makefile.am (bin_PROGRAMS): add verify_krb5_conf
+	(libkrb5_la_SOURCES): add config_file_netinfo.c
+
+	* lib/krb5/verify_krb5_conf.c: new program for verifying that
+	krb5.conf is corret
+
+	* lib/krb5/config_file_netinfo.c: moved netinfo code here from
+ 	config_file.c
+
+1999-09-28  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (dump_krb4): kludge default_realm
+
+	* lib/asn1/check-der.c: add test cases for Generalized time and
+ 	make sure we return the correct value
+
+	* lib/asn1/der_put.c: simplify by using der_put_length_and_tag
+
+	* lib/krb5/verify_user.c (krb5_verify_user_lrealm): ariant of
+ 	krb5_verify_user that tries in all the local realms
+
+	* lib/krb5/set_default_realm.c: add support for having several
+ 	default realms
+
+	* lib/krb5/kuserok.c (krb5_kuserok): use `krb5_get_default_realms'
+
+	* lib/krb5/get_default_realm.c (krb5_get_default_realms): add
+
+	* lib/krb5/krb5.h (krb5_context_data): change `default_realm' to
+ 	`default_realms'
+
+	* lib/krb5/context.c: change from `default_realm' to
+ 	`default_realms'
+
+	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use
+ 	krb5_get_default_realms
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add copy_host_realm.c
+
+	* lib/krb5/copy_host_realm.c: new file
+
+1999-09-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/asn1/der_put.c (encode_generalized_time): encode length
+
+	* lib/krb5/recvauth.c: new function `krb5_recvauth_match_version'
+	that allows more intelligent matching of the application version
+
+1999-09-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/asn1_print.c: add err.h
+
+	* kdc/config.c (configure): use parse_bytes
+
+	* appl/test/nt_gss_common.c: use the correct header file
+
+1999-09-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/klist.c: add a `--cache' flag
+
+	* kuser/kinit.c (main): only get default value for `get_v4_tgt' if
+	it's explicitly set in krb5.conf
+
+1999-09-23  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/asn1_print.c (tag_names); add another univeral tag
+
+	* lib/asn1/der.h: update universal tags
+
+1999-09-22  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/asn1_print.c (loop): print length of octet string
+
+1999-09-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* admin/ktutil.c (kt_get): add `--help'
+
+1999-09-21  Assar Westerlund  <assar@sics.se>
+
+	* kuser/Makefile.am: add kdecode_ticket
+
+	* kuser/kdecode_ticket.c: new debug program
+
+	* appl/test/nt_gss_server.c: new program to test against `Sample *
+ 	SSPI Code' in Windows 2000 RC1 SDK.
+
+	* appl/test/Makefile.am: add nt_gss_client and nt_gss_server
+
+	* lib/asn1/der_get.c (decode_general_string): remember to advance
+ 	ret over the length-len
+
+	* lib/asn1/Makefile.am: add asn1_print
+
+	* lib/asn1/asn1_print.c: new program for printing DER-structures
+
+	* lib/asn1/der_put.c: make functions more consistent
+
+	* lib/asn1/der_get.c: make functions more consistent
+
+1999-09-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c: be more informative in pa-data error messages
+
+1999-09-16  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: test for strlcpy, strlcat
+
+1999-09-14  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): return
+ 	KRB5_LIBOS_PWDINTR when interrupted
+
+	* lib/krb5/get_in_tkt_pw.c (krb5_password_key_proc): check return
+ 	value from des_read_pw_string
+
+	* kuser/kinit.c (main): don't print any error if reading the
+ 	password was interrupted
+
+	* kpasswd/kpasswd.c (main): don't print any error if reading the
+ 	password was interrupted
+
+	* kdc/string2key.c (main): check the return value from fgets
+
+	* kdc/kstash.c (main): check return value from des_read_pw_string
+
+	* admin/ktutil.c (kt_add): check the return-value from fgets and
+ 	overwrite the password for paranoid reasons
+
+	* lib/krb5/keytab_keyfile.c (get_cell_and_realm): only remove the
+ 	newline if it's there
+
+1999-09-13  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (main): remove bogus error with `--print'.  remove
+ 	sysloging of number of principals transferred
+
+	* kdc/hprop.c (ka_convert): set flags correctly for krbtgt/CELL
+ 	principals
+	(main): get rid of bogus opening of hdb database when propagating
+	ka-server database
+
+1999-09-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5_locl.h (O_BINARY): add fallback definition
+
+	* lib/krb5/krb5.h (krb5_context_data): add keytab types
+
+	* configure.in: revert back awk test, not worked around in
+ 	roken.awk
+
+	* lib/krb5/keytab_krb4.c: remove O_BINARY
+
+	* lib/krb5/keytab_keyfile.c: some support for AFS KeyFile's.  From
+	Love <lha@e.kth.se>
+
+	* lib/krb5/keytab_file.c: remove O_BINARY
+
+	* lib/krb5/keytab.c: move the list of keytab types to the context
+
+	* lib/krb5/fcache.c: remove O_BINARY
+
+	* lib/krb5/context.c (init_context_from_config_file): register all
+ 	standard cache and keytab types
+	(krb5_free_context): free `kt_types'
+
+	* lib/krb5/cache.c (krb5_cc_resolve): move the registration of the
+ 	standard types of credential caches to context
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_keyfile.c
+
+1999-09-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c: add comments and clean-up
+
+	* admin/ktutil.c: add `ktutil copy'
+
+	* lib/krb5/keytab_krb4.c: new file
+
+	* lib/krb5/krb5.h (krb5_kt_cursor): add a `data' field
+
+	* lib/krb5/Makefile.am: add keytab_krb4.c
+
+	* lib/krb5/keytab.c: add krb4 and correct some if's
+
+	* admin/srvconvert.c (srvconv): move common code
+
+	* lib/krb5/krb5.h (krb5_fkt_ops, krb5_mkt_ops): new variables
+
+	* lib/krb5/keytab.c: move out file and memory functions
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_file.c,
+ 	keytab_memory.c
+
+	* lib/krb5/keytab_memory.c: new file
+
+	* lib/krb5/keytab_file.c: new file
+
+	* kpasswd/kpasswdd.c: move out password quality functions
+
+1999-09-07  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/Makefile.am (libhdb_la_SOURCES): add keytab.c.  From
+ 	Love <lha@e.kth.se>
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): check
+ 	return value from `krb5_sendto_kdc'
+
+1999-09-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (send_and_recv): rename to recv_loop and
+ 	remove the sending of data.  add a parameter `limit'.  let callers
+ 	send the date themselves (and preferably with net_write on tcp
+ 	sockets)
+	(send_and_recv_tcp): read first the length field and then only that
+	many bytes
+
+1999-09-05  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (handle_tcp): try to print warning `TCP data of
+ 	strange type' less often
+
+	* lib/krb5/send_to_kdc.c (send_and_recv): handle EINTR properly.
+  	return on EOF.  always free data.  check return value from
+ 	realloc.
+	(send_and_recv_tcp, send_and_recv_http): check advertised length
+	against actual length
+
+1999-09-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: check for sgi capabilities
+
+1999-08-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: krb5_get_all_server_addrs shouldn't return
+	extra addresses
+
+	* kpasswd/kpasswdd.c: use HDB keytabs; change some error messages;
+	add --realm flag
+
+	* lib/krb5/address.c (krb5_append_addresses): remove duplicates
+
+1999-08-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/hdb/keytab.c: HDB keytab backend
+
+1999-08-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/keytab.c
+	(krb5_kt_{start_seq_get,next_entry,end_seq_get}): check for NULL
+	pointer
+
+1999-08-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kpasswd/kpasswdd.c: add `--keytab' flag
+
+1999-08-23  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (IN6_ADDR_V6_TO_V4): use `s6_addr'
+ 	instead of the non-standard `s6_addr32'.  From Yoshinobu Inoue
+ 	<shin@kame.net> by way of the KAME repository
+
+1999-08-18  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (--enable-new-des3-code): remove check for `struct
+ 	addrinfo'
+
+	* lib/krb5/crypto.c (etypes): remove NEW_DES3_CODE, enable
+ 	des3-cbc-sha1 and keep old-des3-cbc-sha1 for backwards
+ 	compatability
+
+	* lib/krb5/krb5.h (krb5_enctype): des3-cbc-sha1 (with key
+ 	derivation) just got assigned etype 16 by <bcn@isi.edu>.  keep the
+ 	old etype at 7.
+
+1999-08-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/sendauth.c (krb5_sendauth): only look at errno if
+ 	krb5_net_read actually returns -1
+
+	* lib/krb5/recvauth.c (krb5_recvauth): only look at errno if
+ 	krb5_net_read actually returns -1
+
+	* appl/kf/kf.c (proto): don't trust errno if krb5_net_read hasn't
+ 	returned -1
+
+	* appl/test/tcp_server.c (proto): only trust errno if
+ 	krb5_net_read actually returns -1
+
+	* appl/kf/kfd.c (proto): be more careful with the return value
+ 	from krb5_net_read
+
+1999-08-13  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c (get_addrs_int): try the different ways
+ 	sequentially instead of just one.  this helps if your heimdal was
+ 	built with v6-support but your kernel doesn't have it, for
+ 	example.
+
+1999-08-12  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c: add inetd flag.  default means try to figure out
+ 	if stdin is a socket or not.
+
+	* Makefile.am (ACLOCAL): just use `cf', this variable is only used
+ 	when the current directory is $(top_srcdir) anyways and having
+ 	$(top_srcdir) there breaks if it's a relative path
+
+1999-08-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: check for setproctitle
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): remember to call
+ 	freehostent
+
+	* appl/test/tcp_client.c: call freehostent
+
+	* appl/kf/kf.c (doit): call freehostent
+
+	* appl/kf/kf.c: make v6 friendly and simplify
+
+	* appl/kf/kfd.c: make v6 friendly and simplify
+
+	* appl/test/tcp_server.c: simplify by using krb5_err instead of
+ 	errx
+	
+	* appl/test/tcp_client.c: simplify by using krb5_err instead of
+ 	errx
+
+	* appl/test/tcp_server.c: make v6 friendly and simplify
+
+	* appl/test/tcp_client.c: make v6 friendly and simplify
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1m
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c (main): some more KRB4-conditionalizing
+
+	* lib/krb5/get_in_tkt.c: type correctness
+
+	* lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): set forwarded in
+ 	flags.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kuser/kinit.c (main): add config file support for forwardable
+ 	and krb4 support.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kdc/kerberos5.c (as_rep): add an empty X500-compress string as
+ 	transited.
+	(fix_transited_encoding): check length.
+	From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kdc/hpropd.c (dump_krb4): check the realm so that we don't dump
+ 	principals in some other realm. From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+	(main): rename sa_len -> sin_len, sa_lan is a define on some
+	platforms.
+
+	* appl/kf/kfd.c: add regpag support. From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+	* appl/kf/kf.c: add `-G' and forwardable option in krb5.conf.
+  	From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* lib/krb5/config_file.c (parse_list): don't run past end of line
+
+	* appl/test/gss_common.h: new prototypes
+
+	* appl/test/gssapi_client.c: use gss_err instead of abort
+
+	* appl/test/gss_common.c (gss_verr, gss_err): add
+
+1999-08-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (n_fold_test_LDADD): need to set this
+ 	otherwise it doesn't build with shared libraries
+
+	* kdc/hpropd.c: v6-ify
+
+	* kdc/hprop.c: v6-ify
+
+1999-08-01  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req.c (krb5_mk_req): use krb5_expand_hostname
+
+1999-07-31  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm_int): new
+ 	function that takes a FQDN
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add exapnd_hostname.c
+
+	* lib/krb5/expand_hostname.c: new file
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1l
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/Makefile.am: bump version to 1:2:0
+
+	* lib/krb5/Makefile.am: bump version to 3:1:0
+
+	* configure.in: more inet_pton to roken
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): use
+ 	getipnodebyname
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1k
+
+1999-07-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/Makefile.am: bump version number (changed function
+	signatures)
+
+	* lib/hdb/Makefile.am: bump version number (changes to some
+	function signatures)
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 3:0:2
+
+	* lib/hdb/Makefile.am: bump version to 2:1:0
+
+	* lib/asn1/Makefile.am: bump version to 1:1:0
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1j
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: rokenize inet_ntop
+
+	* lib/krb5/store_fd.c: lots of changes from size_t to ssize_t
+	
+	* lib/krb5/store_mem.c: lots of changes from size_t to ssize_t
+	
+	* lib/krb5/store_emem.c: lots of changes from size_t to ssize_t
+	
+	* lib/krb5/store.c: lots of changes from size_t to ssize_t
+	(krb5_ret_stringz): check return value from realloc
+
+	* lib/krb5/mk_safe.c: some type correctness
+	
+	* lib/krb5/mk_priv.c: some type correctness
+	
+	* lib/krb5/krb5.h (krb5_storage): change return values of
+	functions from size_t to ssize_t
+	
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1i
+
+	* configure.in (AC_PROG_AWK): disable. mawk seems to mishandle \#
+ 	in lib/roken/roken.awk
+
+	* lib/krb5/get_addrs.c (find_all_addresses): try to use SA_LEN to
+ 	step over addresses if there's no `sa_lan' field
+
+	* lib/krb5/sock_principal.c (krb5_sock_to_principal): simplify by
+ 	using `struct sockaddr_storage'
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): simplify by using
+ 	`struct sockaddr_storage'
+
+	* lib/krb5/changepw.c (krb5_change_password): simplify by using
+ 	`struct sockaddr_storage'
+
+	* lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd):
+ 	simplify by using `struct sockaddr_storage'
+
+	* kpasswd/kpasswdd.c (*): simplify by using `struct
+ 	sockaddr_storage'
+
+	* kdc/connect.c (*): simplify by using `struct sockaddr_storage'
+
+	* configure.in (sa_family_t): just test for existence
+	(sockaddr_storage): also specify include file
+
+	* configure.in (AM_INIT_AUTOMAKE): bump version to 0.1i
+	(sa_family_t): test for
+	(struct	sockaddr_storage): test for
+
+	* kdc/hprop.c (propagate_database): typo, NULL should be
+ 	auth_context
+
+	* lib/krb5/get_addrs.c: conditionalize on HAVE_IPV6 instead of
+ 	AF_INET6
+
+	* appl/kf/kf.c (main): use warnx
+
+	* appl/kf/kf.c (proto): remove shadowing context
+
+	* lib/krb5/get_addrs.c (find_all_addresses): try to handle the
+ 	case of getting back an `sockaddr_in6' address when sizeof(struct
+ 	sockaddr_in6) > sizeof(struct sockaddr) and we have no sa_len to
+ 	tell us how large the address is.  This obviously doesn't work
+ 	with unknown protocol types.
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1h
+
+1999-07-23  Assar Westerlund  <assar@sics.se>
+
+	* appl/kf/kfd.c: clean-up and more paranoia
+
+	* etc/services.append: add kf
+
+	* appl/kf/kf.c: rename tk_file to ccache for consistency.  clean-up
+
+1999-07-22  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/n-fold-test.c (main): print the correct data
+
+	* appl/Makefile.am (SUBDIRS): add kf
+
+	* appl/kf: new program.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kdc/hprop.c: declare some variables unconditionally to simplify
+ 	things
+
+	* kpasswd/kpasswdd.c: initialize kadm5 connection for every change
+ 	(otherwise the modifier in the database doesn't get set)
+
+	* kdc/hpropd.c: clean-up and re-organize
+
+	* kdc/hprop.c: clean-up and re-organize
+
+ 	* configure.in (SunOS): define to xy for SunOS x.y
+
+1999-07-19  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (AC_BROKEN): test for copyhostent, freehostent,
+ 	getipnodebyaddr, getipnodebyname
+
+1999-07-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/check-der.c: more test cases for integers
+
+	* lib/asn1/der_length.c (length_int): handle the case of the
+ 	largest negative integer by not calling abs
+
+1999-07-14  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/check-der.c (generic_test): check malloc return value
+ 	properly
+
+	* lib/krb5/Makefile.am: add string_to_key_test
+
+	* lib/krb5/prog_setup.c (krb5_program_setup): always initialize
+ 	the context
+
+	* lib/krb5/n-fold-test.c (main): return a relevant return value
+
+	* lib/krb5/krbhst.c: do SRV lookups for admin server as well.
+  	some clean-up.
+
+1999-07-12  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: handle not building X programs
+
+1999-07-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (ipv6_parse_addr): remove duplicate
+ 	variable
+	(ipv6_sockaddr2port): fix typo
+
+	* etc/services.append: beginning of a file with services
+
+	* lib/krb5/cache.c (krb5_cc_resolve): fall-back to files if
+ 	there's no prefix.  also clean-up a little bit.
+
+	* kdc/hprop.c (--kaspecials): new flag for handling special KA
+ 	server entries.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+1999-07-05  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (handle_tcp): make sure we have data before
+ 	starting to look for HTTP
+
+	* kdc/connect.c (handle_tcp): always do getpeername, we can't
+ 	trust recvfrom to return anything sensible
+
+1999-07-04  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c (add_padat): encrypt pre-auth data with
+ 	all enctypes
+
+	* kpasswd/kpasswdd.c (change): fetch the salt-type from the entry
+
+	* admin/srvconvert.c (srvconv): better error messages
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (unparse_name): error check malloc properly
+
+	* lib/krb5/get_in_tkt.c (krb5_init_etype): error check malloc
+ 	properly
+
+	* lib/krb5/crypto.c (*): do some malloc return-value checks
+ 	properly
+
+	* lib/hdb/hdb.c (hdb_process_master_key): simplify by using
+ 	krb5_data_alloc
+
+	* lib/hdb/hdb.c (hdb_process_master_key): check return value from
+ 	malloc
+
+	* lib/asn1/gen_decode.c (decode_type): fix generation of decoding
+ 	information for TSequenceOf.
+
+	* kdc/kerberos5.c (get_pa_etype_info): check return value from
+ 	malloc
+
+1999-07-02  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/der_copy.c (copy_octet_string): don't fail if length ==
+ 	0 and malloc returns NULL
+
+1999-06-29  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (ipv6_parse_addr): implement
+
+1999-06-24  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_cred.c (krb5_rd_cred): compare the sender's address
+ 	as an addrport one
+
+	* lib/krb5/krb5.h (KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_IPPORT):
+ 	add
+	(krb5_auth_context): add local and remote port
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): get the
+ 	local and remote address and add them to the krb-cred packet
+
+	* lib/krb5/auth_context.c: save the local and remove ports in the
+ 	auth_context
+
+	* lib/krb5/address.c (krb5_make_addrport): create an address of
+ 	type KRB5_ADDRESS_ADDRPORT from (addr, port)
+
+	* lib/krb5/addr_families.c (krb5_sockaddr2port): new function for
+ 	grabbing the port number out of the sockaddr
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* admin/srvcreate.c (srvcreate): always take the DES-CBC-MD5 key.
+  	increase possible verbosity.
+
+	* lib/krb5/config_file.c (parse_list): handle blank lines at
+ 	another place
+	
+	* kdc/connect.c (add_port_string): don't return a value
+
+ 	* lib/kadm5/init_c.c (get_cred_cache): you cannot reuse the cred
+ 	cache if the principals are different.  close and NULL the old one
+ 	so that we create a new one.
+
+	* configure.in: move around cgywin et al
+	(LIB_kdb): set at the end of krb4-block
+	(krb4): test for krb_enable_debug and krb_disable_debug
+
+1999-06-16  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kdestroy.c (main): try to destroy v4 ticket even if the
+ 	destruction of the v5 one fails
+
+	* lib/krb5/crypto.c (DES3_postproc): new version that does the
+ 	right thing
+	(*): don't put and recover length in 3DES encoding
+	other small fixes
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_default_principal.c: rewrite to use
+ 	get_default_username
+
+	* lib/krb5/Makefile.am: add n-fold-test
+
+	* kdc/connect.c: add fallbacks for all lookups by service name
+	(handle_tcp): break-up and clean-up
+
+1999-06-09  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (ipv6_uninteresting): don't consider
+ 	the loopback address as uninteresting
+
+	* lib/krb5/get_addrs.c: new magic flag to get loopback address if
+ 	there are no other addresses.
+	(krb5_get_all_client_addrs): use that flag
+
+1999-06-04  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c (HMAC_SHA1_DES3_checksum): don't include the
+ 	length
+	(checksum_sha1, checksum_hmac_sha1_des3): blocksize should be 64
+	(encrypt_internal_derived): don't include the length and don't
+	decrease by the checksum size twice
+	(_get_derived_key): the constant should be 5 bytes
+
+1999-06-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: use KRB_CHECK_X
+	
+	* configure.in: check for netinet/ip.h
+	
+1999-05-31  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswdd.c (setup_passwd_quality_check): conditionalize
+ 	on RTLD_NOW
+
+1999-05-23  Assar Westerlund  <assar@sics.se>
+
+	* appl/test/uu_server.c: removed unused stuff
+
+	* appl/test/uu_client.c: removed unused stuff
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kgetcred.c (main): correct error message
+
+	* lib/krb5/crypto.c (verify_checksum): call (*ct->checksum)
+ 	directly, avoiding redundant lookups and memory leaks
+
+	* lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): free
+ 	local and remote addresses
+
+	* lib/krb5/get_default_principal.c (get_logname): also try
+ 	$USERNAME
+	
+	* lib/asn1/Makefile.am (asn1_files): add $(EXEEXT)
+
+	* lib/krb5/principal.c (USE_RESOLVER): try to define only if we
+	have a libresolv (currently by checking for res_search)
+
+1999-05-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/connect.c (handle_tcp): remove %-escapes in request
+
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1g
+
+	* admin/ktutil.c (kt_remove): -t should be -e
+
+	* configure.in (CHECK_NETINET_IP_AND_TCP): use
+
+	* kdc/hpropd.c: support for dumping to krb4.  From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+	* admin/ktutil.c (kt_add): new option `--no-salt'.  From Miroslav
+ 	Ruda <ruda@ics.muni.cz>
+
+	* configure.in: add cygwin and DOS tests replace sendmsg, recvmsg,
+ 	and innetgr with roken versions
+
+	* kuser/kgetcred.c: new program
+
+Tue May 11 14:09:33 1999  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/mcache.c: fix paste-o
+	
+1999-05-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: don't use uname
+
+1999-05-10  Assar Westerlund  <assar@sics.se>
+
+	* acconfig.h (KRB_PUT_INT): if we don't have KRB4 use four
+	arguments :-)
+
+	* appl/test/uu_server.c (setsockopt): cast to get rid of a warning
+	
+	* appl/test/tcp_server.c (setsockopt): cast to get rid of a
+	warning
+
+	* appl/test/tcp_client.c (proto): call krb5_sendauth with ccache
+	== NULL
+
+	* appl/test/gssapi_server.c (setsockopt): cast to get rid of a
+	warning
+
+	* lib/krb5/sendauth.c (krb5_sendauth): handle ccache == NULL by
+	setting the default ccache.
+
+	* configure.in (getsockopt, setsockopt): test for
+	(AM_INIT_AUTOMAKE): bump version to 0.1g
+
+	* appl/Makefile.am (SUBDIRS): add kx
+	
+	* lib/hdb/convert_db.c (main): handle the case of no master key
+	
+1999-05-09  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1f
+
+	* kuser/kinit.c: add --noaddresses
+	
+	* lib/krb5/get_in_tkt.c (init_as_req): interpret `addrs' being an
+	empty sit of list as to not ask for any addresses.
+	
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* acconfig.h (_GNU_SOURCE): define this to enable (used)
+ 	extensions on glibc-based systems such as linux
+
+1999-05-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c (get_cred_from_kdc_flags): allocate and free
+	`*out_creds' properly
+
+	* lib/krb5/creds.c (krb5_compare_creds): just verify that the
+	keytypes/enctypes are compatible, not that they are the same
+
+	* kuser/kdestroy.c (cache): const-correctness
+
+1999-05-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/hdb/hdb.c (hdb_set_master_key): initialise master key
+	version
+
+	* lib/hdb/convert_db.c: add support for upgrading database
+	versions
+
+	* kdc/misc.c: add flags to fetch
+
+	* kdc/kstash.c: unlink keyfile on failure, chmod to 400
+
+	* kdc/hpropd.c: add --print option
+
+	* kdc/hprop.c: pass flags to hdb_foreach
+
+	* lib/hdb/convert_db.c: add some flags
+
+	* lib/hdb/Makefile.am: remove extra LDFLAGS, update version to 2;
+	build prototype headers
+	
+	* lib/hdb/hdb_locl.h: update prototypes
+
+	* lib/hdb/print.c: move printable version of entry from kadmin
+
+	* lib/hdb/hdb.c: change hdb_{seal,unseal}_* to check if the key is
+	sealed or not; add flags to hdb_foreach
+
+	* lib/hdb/ndbm.c: add flags to NDBM_seq, NDBM_firstkey, and
+	NDBM_nextkey
+
+	* lib/hdb/db.c: add flags to DB_seq, DB_firstkey, and DB_nextkey
+
+	* lib/hdb/common.c: add flags to _hdb_{fetch,store}
+
+	* lib/hdb/hdb.h: add master_key_version to struct hdb, update
+	prototypes
+
+	* lib/hdb/hdb.asn1: make mkvno optional, update version to 2
+
+	* configure.in: --enable-netinfo
+
+	* lib/krb5/config_file.c: HAVE_NETINFO_NI_H -> HAVE_NETINFO
+
+	* config.sub: fix for crays
+
+	* config.guess: new version from automake 1.4
+	
+	* config.sub: new version from automake 1.4
+
+Wed Apr 28 00:21:17 1999  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1e
+
+	* lib/krb5/mcache.c (mcc_get_next): get the current cursor
+ 	correctly
+
+	* acconfig.h: correct definition of KRB_PUT_INT for old krb4 code.
+  	From Ake Sandgren <ake@cs.umu.se>
+
+1999-04-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c: fix arguments to decrypt_ticket
+	
+1999-04-25  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): try to handle old
+	DCE secd's that are not able to handle MD5 checksums by defaulting
+	to MD4 if the keytype was DES-CBC-CRC
+	
+	* lib/krb5/mk_req.c (krb5_mk_req): use auth_context->keytype
+	
+	* lib/krb5/krb5.h (krb5_auth_context_data): add `keytype' and
+	`cksumtype'
+
+	* lib/krb5/get_cred.c (make_pa_tgs_req): remove old kludge for
+	secd
+	(init_tgs_req): add all supported enctypes for the keytype in
+	`in_creds->session.keytype' if it's set
+
+	* lib/krb5/crypto.c (F_PSEUDO): new flag for non-protocol
+	encryption types
+	(do_checksum): new function
+	(verify_checksum): take the checksum to use from the checksum message
+	and not from the crypto struct
+	(etypes): add F_PSEUDO flags
+	(krb5_keytype_to_enctypes): new function
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): initalize keytype
+	and cksumtype
+	(krb5_auth_setcksumtype, krb5_auth_getcksumtype): implement
+	(krb5_auth_setkeytype, krb5_auth_getkeytype): implement
+	(krb5_auth_setenctype): comment out, it's rather bogus anyway
+
+Sun Apr 25 16:55:50 1999  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5_locl.h: fix for stupid aix warnings
+
+	* lib/krb5/fcache.c (erase_file): don't malloc
+	
+Sat Apr 24 18:35:21 1999  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/config.c: pass context to krb5_config_file_free
+
+	* kuser/kinit.c: add `--fcache-version' to set cache version to
+	create
+
+	* kuser/klist.c: print cache version if verbose
+
+	* lib/krb5/transited.c (krb5_domain_x500_decode): don't abort
+
+	* lib/krb5/principal.c: abort -> krb5_abortx
+
+	* lib/krb5/mk_rep.c: abort -> krb5_abortx
+
+	* lib/krb5/config_file.c: abort -> krb5_abortx
+
+	* lib/krb5/context.c (init_context_from_config_file): init
+	fcache_version; add krb5_{get,set}_fcache_version
+
+	* lib/krb5/keytab.c: add support for reading (and writing?) old
+	version keytabs
+
+	* lib/krb5/cache.c: add krb5_cc_get_version
+
+	* lib/krb5/fcache.c: add support for reading and writing old
+	version cache files
+
+	* lib/krb5/store_mem.c (krb5_storage_from_mem): zero flags
+
+	* lib/krb5/store_emem.c (krb5_storage_emem): zero flags
+
+	* lib/krb5/store_fd.c (krb5_storage_from_fd): zero flags
+
+	* lib/krb5/store.c: add flags to change how various fields are
+	stored, used for old cache version support
+	
+	* lib/krb5/krb5.h: add support for reading and writing old version
+	cache files, and keytabs
+	
+Wed Apr 21 00:09:26 1999  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: fix test for readline.h remember to link with
+ 	$LIB_tgetent when trying linking with readline
+
+	* lib/krb5/init_creds_pw.c (get_init_creds_common): if start_time
+ 	is given, request a postdated ticket.
+
+	* lib/krb5/data.c (krb5_data_free): free data as long as it's not
+ 	NULL
+
+Tue Apr 20 20:18:14 1999  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/Makefile.am (kpasswdd_LDADD): add LIB_dlopen
+
+	* lib/krb5/krb5.h (KRB5_VERIFY_AP_REQ_IGNORE_INVALID): add
+
+	* lib/krb5/rd_req.c (krb5_decrypt_ticket): add `flags` and
+ 	KRB5_VERIFY_AP_REQ_IGNORE_INVALID for ignoring that the ticket is
+ 	invalid
+
+Tue Apr 20 12:42:08 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kpasswd/kpasswdd.c: don't try to load library by default; get
+ 	library and function name from krb5.conf
+
+	* kpasswd/sample_passwd_check.c: sample password checking
+ 	functions
+
+Mon Apr 19 22:22:19 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/store.c (krb5_storage_to_data, krb5_ret_data): use
+ 	krb5_data_alloc and be careful with checking allocation and sizes.
+
+	* kuser/klist.c (--tokens): conditionalize on KRB4
+
+	* kuser/kinit.c (renew_validate): set all flags
+	(main): fix cut-n-paste error when setting start-time
+
+	* kdc/kerberos5.c (check_tgs_flags): starttime of a validate
+ 	ticket should be > than current time
+	(*): send flags to krb5_verify_ap_req and krb5_decrypt_ticket
+
+	* kuser/kinit.c (renew_validate): use the client realm instead of
+ 	the local realm when renewing tickets.
+
+	* lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): compat function
+	(krb5_get_forwarded_creds): correct freeing of out_creds
+
+	* kuser/kinit.c (renew_validate): hopefully fix up freeing of
+ 	memory
+
+	* configure.in: do all the krb4 tests with "$krb4" != "no"
+
+	* lib/krb5/keyblock.c (krb5_free_keyblock_contents): don't zero
+ 	keyvalue if it's NULL.  noticed by Ake Sandgren <ake@cs.umu.se>
+
+	* lib/krb5/get_in_tkt.c (add_padata): loop over all enctypes
+ 	instead of just taking the first one.  fix all callers.  From
+ 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
+
+	* kdc/kdc_locl.h (enable_kaserver): declaration
+	
+	* kdc/hprop.c (ka_convert): print the failing principal.  AFS 3.4a
+ 	creates krbtgt.REALMOFCELL as NOTGS+NOSEAL, work around.  From
+ 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
+
+	* kdc/hpropd.c (open_socket): stupid cast to get rid of a warning
+
+	* kdc/connect.c (add_standard_ports, process_request): look at
+ 	enable_kaserver.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+	* kdc/config.c: new flag --kaserver and config file option
+ 	enable-kaserver.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+Mon Apr 19 12:32:04 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: check for dlopen, and dlfcn.h
+
+	* kpasswd/kpasswdd.c: add support for dlopen:ing password quality
+ 	check library
+
+	* configure.in: add appl/su
+
+Sun Apr 18 15:46:53 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/cache.c: add krb5_cc_get_type that returns type of a
+ 	cache
+
+Fri Apr 16 17:58:51 1999  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: LIB_kdb: -L should be before -lkdb
+	test for prototype of strsep
+	
+Thu Apr 15 11:34:38 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/Makefile.am: update version
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use
+ 	ALLOC_SEQ
+
+	* lib/krb5/fcache.c: add some support for reading and writing old
+ 	cache formats;
+	(fcc_store_cred): use krb5_store_creds; (fcc_read_cred): use
+	krb5_ret_creds
+
+	* lib/krb5/store_mem.c (krb5_storage_from_mem): check malloc,
+ 	initialize host_byteorder
+
+	* lib/krb5/store_fd.c (krb5_storage_from_fd): initialize
+ 	host_byteorder
+
+	* lib/krb5/store_emem.c (krb5_storage_emem): initialize
+ 	host_byteorder
+
+	* lib/krb5/store.c (krb5_storage_set_host_byteorder): add;
+	(krb5_store_int32,krb5_ret_int32,krb5_store_int16,krb5_ret_int16):
+ 	check host_byteorder flag; (krb5_store_creds): add;
+ 	(krb5_ret_creds): add
+
+	* lib/krb5/krb5.h (krb5_storage): add `host_byteorder' flag for
+ 	storage of numbers
+
+	* lib/krb5/heim_err.et: add `host not found' error
+
+	* kdc/connect.c: don't use data after clearing decriptor
+
+	* lib/krb5/auth_context.c: abort -> krb5_abortx
+
+	* lib/krb5/warn.c: add __attribute__; add *abort functions
+
+	* configure.in: check for __attribute__
+
+	* kdc/connect.c: log bogus requests
+
+Tue Apr 13 18:38:05 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/kadm5/create_s.c (kadm5_s_create_principal): create v4 salts
+ 	for all DES keys
+
+1999-04-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c (init_tgs_req): re-structure a little bit
+
+	* lib/krb5/get_cred.c (init_tgs_req): some more error checking
+
+	* lib/krb5/generate_subkey.c (krb5_generate_subkey): check return
+	value from malloc
+
+Sun Apr 11 03:47:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/krb5.conf.5: update to reality
+
+	* lib/krb5/krb5_425_conv_principal.3: update to reality
+
+1999-04-11  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c: handle more than one realm for a host
+
+	* kpasswd/kpasswd.c (main): use krb5_program_setup and
+	print_version
+
+	* kdc/string2key.c (main): use krb5_program_setup and
+	print_version
+
+Sun Apr 11 02:35:58 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/principal.c (krb5_524_conv_principal): make it actually
+ 	work, and check built-in list of host-type first-components
+
+	* lib/krb5/krbhst.c: lookup SRV-records to find a kdc for a realm
+
+	* lib/krb5/context.c: add srv_* flags to context
+
+	* lib/krb5/principal.c: add default v4_name_convert entries
+
+	* lib/krb5/krb5.h: add srv_* flags to context
+
+Sat Apr 10 22:52:28 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kadmin/kadmin.c: complain about un-recognised commands
+
+	* admin/ktutil.c: complain about un-recognised commands
+
+Sat Apr 10 15:41:49 1999  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/load.c (doit): fix error message
+
+	* lib/krb5/crypto.c (encrypt_internal): free checksum if lengths
+ 	fail to match.
+	(krb5_get_wrapped_length): new function
+
+	* configure.in: security/pam_modules.h: check for
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): kludge
+ 	around `ret_as_reply' semantics by only freeing it when ret == 0
+
+Fri Apr  9 20:24:04 1999  Assar Westerlund  <assar@sics.se>
+
+	* kuser/klist.c (print_cred_verbose): handle the case of a bad
+ 	enctype
+
+	* configure.in: test for more header files
+	(LIB_roken): set
+
+Thu Apr  8 15:01:59 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: fixes for building w/o krb4
+
+	* ltmain.sh: update to libtool 1.2d
+
+	* ltconfig: update to libtool 1.2d
+
+Wed Apr  7 23:37:26 1999  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c: fix some error messages to be more understandable.
+
+	* kdc/hprop.c (ka_dump): remove unused variables
+
+	* appl/test/tcp_server.c: remove unused variables
+
+	* appl/test/gssapi_server.c: remove unused variables
+
+	* appl/test/gssapi_client.c: remove unused variables
+
+Wed Apr  7 14:05:15 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/context.c (krb5_get_err_text): long -> krb5_error_code
+
+	* kuser/klist.c: make it compile w/o krb4
+
+	* kuser/kdestroy.c: make it compile w/o krb4
+
+	* admin/ktutil.c: fix {srv,key}2{srv,key}tab confusion; add help
+ 	strings
+
+Mon Apr  5 16:13:46 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: test for MIPS ABI; new test_package
+
+Thu Apr  1 11:00:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* include/Makefile.am: clean krb5-private.h
+
+	* Release 0.1d
+
+	* kpasswd/kpasswdd.c (doit): pass context to
+ 	krb5_get_all_client_addrs
+
+	* kdc/connect.c (init_sockets): pass context to
+ 	krb5_get_all_server_addrs
+
+	* lib/krb5/get_in_tkt.c (init_as_req): pass context to
+ 	krb5_get_all_client_addrs
+
+	* lib/krb5/get_cred.c (get_cred_kdc_la): pass context to
+ 	krb5_get_all_client_addrs
+
+	* lib/krb5/get_addrs.c (get_addrs_int): add extra host addresses
+
+	* lib/krb5/krb5.h: add support for adding an extra set of
+ 	addresses
+
+	* lib/krb5/context.c: add support for adding an extra set of
+ 	addresses
+
+	* lib/krb5/addr_families.c: add krb5_parse_address
+
+	* lib/krb5/address.c: krb5_append_addresses
+
+	* lib/krb5/config_file.c (parse_binding): don't zap everything
+ 	after first whitespace
+
+	* kuser/kinit.c (renew_validate): don't allocate out
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't
+ 	allocate out_creds
+
+	* lib/krb5/get_cred.c (get_cred_kdc, get_cred_kdc_la): make
+ 	out_creds pointer;
+	(krb5_get_kdc_cred): allocate out_creds; (get_cred_from_kdc_flags):
+	free more memory
+
+	* lib/krb5/crypto.c (encrypt_internal): free checksum
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): free reply,
+ 	and ticket
+
+	* kuser/Makefile.am: remove kfoo
+
+	* lib/Makefile.am: add auth
+
+	* lib/kadm5/iprop.h: getarg.h
+
+	* lib/kadm5/replay_log.c: use getarg
+
+	* lib/kadm5/ipropd_slave.c: use getarg
+
+	* lib/kadm5/ipropd_master.c: use getarg
+
+	* lib/kadm5/dump_log.c: use getarg
+
+	* kpasswd/kpasswdd.c: use getarg
+
+	* Makefile.am.common: make a more working check-local target
+
+	* lib/asn1/main.c: use getargs
+
+Mon Mar 29 20:19:57 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kuser/klist.c (print_cred_verbose): use krb5_print_address
+
+	* lib/kadm5/server.c: k_{put,get}_int -> _krb5_{put,get}_int
+
+	* lib/krb5/addr_families.c (krb5_print_address): handle unknown
+ 	address types; (ipv6_print_addr): print in 16-bit groups (as it
+ 	should)
+
+	* lib/krb5/crc.c: crc_{init_table,update} ->
+ 	_krb5_crc_{init_table,update}
+
+	* lib/krb5/crypto.c: k_{put,get}_int -> _krb5_{put,get}_int
+ 	crc_{init_table,update} -> _krb5_crc_{init_table,update}
+
+	* lib/krb5/send_to_kdc.c: k_{put,get}_int -> _krb5_{put,get}_int
+
+	* lib/krb5/store.c: k_{put,get}_int -> _krb5_{put,get}_int
+
+	* lib/krb5/krb5_locl.h: include krb5-private.h
+
+	* kdc/connect.c (addr_to_string): use krb5_print_address
+
+	* lib/krb5/addr_families.c (krb5_print_address): int -> size_t
+
+	* lib/krb5/addr_families.c: add support for printing ipv6
+ 	addresses, either with inet_ntop, or ugly for-loop
+
+	* kdc/524.c: check that the ticket came from a valid address; use
+ 	the address of the connection as the address to put in the v4
+ 	ticket (if this address is AF_INET)
+
+	* kdc/connect.c: pass addr to do_524
+
+	* kdc/kdc_locl.h: prototype for do_524
+
+Sat Mar 27 17:48:31 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: check for OSF C2; bind/bitypes.h, getudbnam,
+ 	setlim; check for auth modules; siad.h, getpwnam_r;
+ 	lib/auth/Makefile, lib/auth/sia/Makefile
+
+	* lib/krb5/crypto.c: n_fold -> _krb5_n_fold
+
+	* lib/krb5/n-fold.c: n_fold -> _krb5_n_fold
+
+Thu Mar 25 04:35:21 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/set_keys.c (_kadm5_set_keys): free salt when zapping
+ 	it
+
+	* lib/kadm5/free.c (kadm5_free_principal_ent): free `key_data'
+
+	* lib/hdb/ndbm.c (NDBM_destroy): clear master key
+
+	* lib/hdb/db.c (DB_destroy): clear master key
+	(DB_open): check malloc
+
+	* kdc/connect.c (init_sockets): free addresses
+
+	* kadmin/kadmin.c (main): make code more consistent.  always free
+ 	configuration information.
+
+	* kadmin/init.c (create_random_entry): free the entry
+
+Wed Mar 24 04:02:03 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password):
+ 	re-organize the code to always free `kdc_reply'
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful about
+ 	freeing memory
+
+	* lib/krb5/fcache.c (fcc_destroy): don't call fcc_close
+
+	* lib/krb5/crypto.c (krb5_crypto_destroy): free `crypto'
+
+	* lib/hdb/hdb_locl.h: try db_185.h first in case db.h is a DB 2.0
+ 	header
+
+	* configure.in (db_185.h): check for
+
+	* admin/srvcreate.c: new file. contributed by Daniel Kouril
+ 	<kouril@informatics.muni.cz>
+
+	* admin/ktutil.c: srvcreate: new command
+
+	* kuser/klist.c: add support for printing AFS tokens
+
+	* kuser/kdestroy.c: add support for destroying v4 tickets and AFS
+ 	tokens.  based on code by Love <lha@stacken.kth.se>
+
+	* kuser/Makefile.am (kdestroy_LDADD, klist_LDADD): more libraries
+
+	* configure.in: sys/ioccom.h: test for
+
+	* kuser/klist.c (main): don't print `no ticket file' with --test.
+  	From: Love <lha@e.kth.se>
+
+	* kpasswd/kpasswdd.c (doit): more braces to make gcc happy
+
+	* kdc/connect.c (init_socket): get rid of a stupid warning
+
+	* include/bits.c (my_strupr): cast away some stupid warnings
+
+Tue Mar 23 14:34:44 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): no infinite
+ 	loops, please
+
+Tue Mar 23 00:00:45 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/Makefile.am (install_build_headers): recover from make
+ 	rewriting the names of the headers kludge to help solaris make
+
+	* lib/krb5/Makefile.am: kludge to help solaris make
+
+	* lib/hdb/Makefile.am: kludge to help solaris make
+
+	* configure.in (LIB_kdb): make sure there's a -L option in here by
+ 	adding $(LIB_krb4)
+
+	* lib/asn1/gen_glue.c (generate_2int, generate_int2): int ->
+ 	unsigned
+
+	* configure.in (SunOS): set to a number KRB4, KRB5 conditionals:
+ 	remove the `dnl' to work around an automake flaw
+
+Sun Mar 21 15:08:49 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_default_realm.c: char* -> krb5_realm
+
+Sun Mar 21 14:08:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* include/bits.c: <bind/bitypes.h>
+
+	* lib/krb5/Makefile.am: create krb5-private.h
+
+Sat Mar 20 00:08:59 1999  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (gethostname): remove duplicate
+
+Fri Mar 19 14:48:03 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/hdb/Makefile.am: add version-info
+
+	* lib/gssapi/Makefile.am: add version-info
+
+	* lib/asn1/Makefile.am: use $(x:y=z) make syntax; move check-der
+ 	to check_PROGRAMS
+
+	* lib/Makefile.am: add 45
+
+	* lib/kadm5/Makefile.am: split in client and server libraries
+ 	(breaks shared libraries otherwise)
+
+Thu Mar 18 11:33:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* include/kadm5/Makefile.am: clean a lot of header files (since
+ 	automake lacks a clean-hook)
+
+	* include/Makefile.am: clean a lot of header files (since automake
+ 	lacks a clean-hook)
+
+	* lib/kadm5/Makefile.am: fix build-installation of headers
+
+	* lib/krb5/Makefile.am: remove include_dir hack
+
+	* lib/hdb/Makefile.am: remove include_dir hack
+
+	* lib/asn1/Makefile.am: remove include_dir hack
+
+	* include/Makefile.am: remove include_dir hack
+
+	* doc/whatis.texi: define sub for html
+
+	* configure.in: LIB_kdb, have_err_h, have_fnmatch_h, have_glob_h
+
+	* lib/asn1/Makefile.am: der.h
+
+	* kpasswd/kpasswdd.c: admin.h -> kadm5/admin.h
+
+	* kdc/Makefile.am: remove junk
+
+	* kadmin/Makefile.am: sl.a -> sl.la
+
+	* appl/afsutil/Makefile.am: remove EXTRA_bin_PROGRAMS
+
+	* admin/Makefile.am: sl.a -> sl.la
+
+	* configure.in: condition KRB5; AC_CHECK_XAU
+
+	* Makefile.am: include Makefile.am.common
+
+	* include/kadm5/Makefile.am: include Makefile.am.common; don't
+ 	install headers from here
+
+	* include/Makefile.am: include Makefile.am.common; don't install
+ 	headers from here
+
+	* doc/Makefile.am: include Makefile.am.common
+
+	* lib/krb5/Makefile.am: include Makefile.am.common
+
+	* lib/kadm5/Makefile.am: include Makefile.am.common
+
+	* lib/hdb/Makefile.am: include Makefile.am.common
+
+	* lib/gssapi/Makefile.am: include Makefile.am.common
+
+	* lib/asn1/Makefile.am: include Makefile.am.common
+
+	* lib/Makefile.am: include Makefile.am.common
+
+	* lib/45/Makefile.am: include Makefile.am.common
+
+	* kuser/Makefile.am: include Makefile.am.common
+
+	* kpasswd/Makefile.am: include Makefile.am.common
+
+	* kdc/Makefile.am: include Makefile.am.common
+
+	* kadmin/Makefile.am: include Makefile.am.common
+
+	* appl/test/Makefile.am: include Makefile.am.common
+
+	* appl/afsutil/Makefile.am: include Makefile.am.common
+
+	* appl/Makefile.am: include Makefile.am.common
+
+	* admin/Makefile.am: include Makefile.am.common
+
+Wed Mar 17 03:04:38 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/store.c (krb5_store_stringz): braces fix
+
+	* lib/kadm5/get_s.c (kadm5_s_get_principal): braces fix
+
+	* lib/kadm5/ent_setup.c (_kadm5_setup_entry): braces fix
+
+	* kdc/connect.c (loop): braces fix
+
+	* lib/krb5/config_file.c: cast to unsigned char to make is* happy
+
+	* lib/krb5/log.c (krb5_addlog_dest): more braces to make gcc happy
+
+	* lib/krb5/crypto.c (krb5_verify_checksum): rename C -> cksum to
+ 	be consistent
+
+	* kadmin/util.c (timeval2str): more braces to make gcc happy
+
+	* kadmin/load.c: cast in is* to get rid of stupid warning
+
+	* kadmin/dump.c (append_hex): cast in isalnum to get rid of stupid
+ 	warning
+
+	* kdc/kaserver.c: malloc checks and fixes
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): include leading
+ 	dot (if any) when looking up realms.
+
+Fri Mar 12 13:57:56 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_host_realm.c: add dns support
+
+	* lib/krb5/set_default_realm.c: use krb5_free_host_realm
+
+	* lib/krb5/free_host_realm.c: check for NULL realmlist
+
+	* lib/krb5/context.c: don't print warning if there is no krb5.conf
+
+Wed Mar 10 19:29:46 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: use AC_WFLAGS
+
+Mon Mar  8 11:49:43 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Release 0.1c
+
+	* kuser/klist.c: use print_version
+
+	* kuser/kdestroy.c: use print_version
+
+	* kdc/hpropd.c: use print_version
+
+	* kdc/hprop.c: use print_version
+
+	* kdc/config.c: use print_version
+
+	* kadmin/kadmind.c: use print_version
+
+	* kadmin/kadmin.c: use print_version
+
+	* appl/test/common.c: use print_version
+
+	* appl/afsutil/afslog.c: use print_version
+
+Mon Mar  1 10:49:14 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: SOCKADDR_HAS_SA_LEN ->
+ 	HAVE_STRUCT_SOCKADDR_SA_LEN
+
+	* configure.in, acconfig.h, cf/*: update to automake 1.4/autoconf 2.13
+
+Sun Feb 28 18:19:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/asn1/gen.c: make `BIT STRING's unsigned
+
+	* lib/asn1/{symbol.h,gen.c}: add TUInteger type
+
+	* lib/krb5/verify_user.c (krb5_verify_user): pass prompter to
+ 	krb5_get_init_creds_password
+
+	* lib/krb5/fcache.c (fcc_gen_new): implement
+
+Sat Feb 27 22:41:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* doc/install.texi: krb4 is now automatically detected
+
+	* doc/misc.texi: update procedure to set supported encryption
+ 	types
+
+	* doc/setup.texi: change some silly wordings
+
+Sat Feb 27 22:17:30 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/keytab.c (fkt_remove_entry): make this work
+
+	* admin/ktutil.c: add minimally working `get' command
+
+Sat Feb 27 19:44:49 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/hdb/convert_db.c: more typos
+
+	* include/Makefile.am: remove EXTRA_DATA (as of autoconf
+ 	2.13/automake 1.4)
+
+	* appl/Makefile.am: OTP_dir
+
+Fri Feb 26 17:37:00 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* doc/setup.texi: add kadmin section
+
+	* lib/asn1/check-der.c: fix printf warnings
+
+Thu Feb 25 11:16:49 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: -O does not belong in WFLAGS
+
+Thu Feb 25 11:05:57 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/der_put.c: fix der_put_int
+
+Tue Feb 23 20:35:12 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: use AC_BROKEN_GLOB
+
+Mon Feb 22 15:12:44 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* configure.in: check for glob
+
+Mon Feb 22 11:32:42 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Release 0.1b
+
+Sat Feb 20 15:48:06 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/hdb/convert_db.c: convert DES3 keys to des3-cbc-sha1, and
+ 	des3-cbc-md5
+
+	* lib/krb5/crypto.c (DES3_string_to_key): make this actually do
+ 	what the draft said it should
+
+	* lib/hdb/convert_db.c: little program for database conversion
+
+	* lib/hdb/db.c (DB_open): try to open database w/o .db extension
+
+	* lib/hdb/ndbm.c (NDBM_open): add test for database format
+
+	* lib/hdb/db.c (DB_open): add test for database format
+
+	* lib/asn1/gen_glue.c (generate_2int): don't depend on flags being
+ 	unsigned
+
+	* lib/hdb/hdb.c: change `hdb_set_master_key' to take an
+ 	EncryptionKey, and add a new function `hdb_set_master_keyfile' to
+ 	do what `hdb_set_master_key' used to do
+
+	* kdc/kstash.c: add `--convert-file' option to change keytype of
+ 	existing master key file
+
+Fri Feb 19 07:04:14 1999  Assar Westerlund  <assar@squid.pdc.kth.se>
+
+	* Release 0.1a
+
+Sat Feb 13 17:12:53 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_safe.c (krb5_mk_safe): sizeof(buf) -> buf_size, buf
+ 	is now a `u_char *'
+
+	* lib/krb5/get_in_tkt.c (krb5_init_etype): etypes are now `int'
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): constize
+ 	orig_host
+
+ 	(krb5_salttype_to_string): new function (RSA_MD5_DES_verify,
+ 	RSA_MD5_DES3_verify): initialize ret
+
+	* lib/gssapi/init_sec_context.c (init_auth): remove unnecessary
+ 	gssapi_krb5_init.  ask for KEYTYPE_DES credentials
+
+	* kadmin/get.c (print_entry_long): print the keytypes and salts
+ 	available for the principal
+
+	* configure.in (WFLAGS): add `-O' to catch unitialized variables
+ 	and such
+	(gethostname, mkstemp, getusershell, inet_aton): more tests
+
+	* lib/hdb/hdb.h: update prototypes
+
+	* configure.in: homogenize broken detection with krb4
+
+	* lib/kadm5/init_c.c (kadm5_c_init_with_context): remove unused
+ 	`error'
+
+	* lib/asn1/Makefile.am (check-der): add
+
+	* lib/asn1/gen.c (define_type): map ASN1 Integer to `int' instead
+ 	of `unsigned'
+
+	* lib/asn1/der_length.c (length_unsigned): new function
+	(length_int): handle signed integers
+
+	* lib/asn1/der_put.c (der_put_unsigned): new function
+	(der_put_int): handle signed integers
+
+ 	* lib/asn1/der_get.c (der_get_unsigned): new function
+ 	(der_get_int): handle signed integers
+
+	* lib/asn1/der.h: all integer functions take `int' instead of
+ 	`unsigned'
+
+	* lib/asn1/lex.l (filename): unused. remove.
+
+	* lib/asn1/check-der.c: new test program for der encoding and
+ 	decoding.
+
+Mon Feb  1 04:09:06 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): only call
+ 	gethostbyname2 with AF_INET6 if we actually have IPv6.  From
+ 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
+
+ 	* lib/krb5/changepw.c (get_kdc_address): dito
+
+Sun Jan 31 06:26:36 1999  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (parse_prots): always bind to AF_INET, there are
+ 	v6-implementations without support for `mapped V4 addresses'.
+  	From Jun-ichiro itojun Hagino <itojun@kame.net>
+
+Sat Jan 30 22:38:27 1999  Assar Westerlund  <assar@juguete.sics.se>
+
+	* Release 0.0u
+
+Sat Jan 30 13:43:02 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: explicit rules for *.et files
+
+ 	* lib/kadm5/init_c.c (get_kadm_ticket): only remove creds if
+ 	krb5_get_credentials was succesful.
+ 	(get_new_cache): return better error codes and return earlier.
+ 	(get_cred_cache): only delete default_client if it's different
+ 	from client
+ 	(kadm5_c_init_with_context): return a more descriptive error.
+
+	* kdc/kerberos5.c (check_flags): handle NULL client or server
+
+	* lib/krb5/sendauth.c (krb5_sendauth): return the error in
+ 	`ret_error' iff != NULL
+
+	* lib/krb5/rd_error.c (krb5_free_error, krb5_free_error_contents):
+ 	new functions
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): more
+ 	type-correctness
+
+	* lib/krb5/krb5.h (krb5_error): typedef to KRB_ERROR
+
+	* lib/krb5/init_creds_pw.c: KRB5_TGS_NAME: use
+
+	* lib/krb5/get_cred.c: KRB5_TGS_NAME: use
+
+ 	* lib/kafs/afskrb5.c (afslog_uid_int): update to changes
+
+	* lib/kadm5/rename_s.c (kadm5_s_rename_principal): call remove
+ 	instead of rename, but shouldn't this just call rename?
+
+ 	* lib/kadm5/get_s.c (kadm5_s_get_principal): always return an
+ 	error if the principal wasn't found.
+
+	* lib/hdb/ndbm.c (NDBM_seq): unseal key
+
+	* lib/hdb/db.c (DB_seq): unseal key
+
+	* lib/asn1/Makefile.am: added explicit rules for asn1_err.[ch]
+
+	* kdc/hprop.c (v4_prop): add krbtgt/THISREALM@OTHERREALM when
+ 	finding cross-realm tgts in the v4 database
+
+	* kadmin/mod.c (mod_entry): check the number of arguments.  check
+ 	that kadm5_get_principal worked.
+
+	* lib/krb5/keytab.c (fkt_remove_entry): remove KRB5_KT_NOTFOUND if
+ 	we weren't able to remove it.
+
+	* admin/ktutil.c: less drive-by-deleting.  From Love
+ 	<lha@e.kth.se>
+
+	* kdc/connect.c (parse_ports): copy the string before mishandling
+ 	it with strtok_r
+
+	* kdc/kerberos5.c (tgs_rep2): print the principal with mismatching
+ 	kvnos
+
+	* kadmin/kadmind.c (main): convert `debug_port' to network byte
+ 	order
+
+	* kadmin/kadmin.c: allow specification of port number.
+
+	* lib/kadm5/kadm5_locl.h (kadm5_client_context): add
+ 	`kadmind_port'.
+
+	* lib/kadm5/init_c.c (_kadm5_c_init_context): move up
+ 	initalize_kadm5_error_table_r.
+	allow specification of port number.
+	
+  	From Love <lha@stacken.kth.se>
+
+	* kuser/klist.c: add option -t | --test
+
diff --git a/crypto/heimdal/ChangeLog.2000 b/crypto/heimdal/ChangeLog.2000
new file mode 100644
index 0000000..a1cb687
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.2000
@@ -0,0 +1,1320 @@
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/test_get_addrs.c (main): handle krb5_init_context
+	failure consistently
+	* lib/krb5/string-to-key-test.c (main): handle krb5_init_context
+	failure consistently
+	* lib/krb5/prog_setup.c (krb5_program_setup): handle
+	krb5_init_context failure consistently
+	* lib/hdb/convert_db.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/kverify.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/klist.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/kinit.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/kgetcred.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/kdestroy.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/kdecode_ticket.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/generate-requests.c (generate_requests): handle
+	krb5_init_context failure consistently
+	* kpasswd/kpasswd.c (main): handle krb5_init_context failure
+	consistently
+	* kpasswd/kpasswd-generator.c (generate_requests): handle
+	krb5_init_context failure consistently
+	* kdc/main.c (main): handle krb5_init_context failure consistently
+	* appl/test/uu_client.c (proto): handle krb5_init_context failure
+	consistently
+	* appl/kf/kf.c (main): handle krb5_init_context failure
+	consistently
+	* admin/ktutil.c (main): handle krb5_init_context failure
+	consistently
+
+	* admin/get.c (kt_get): more error checking
+
+2000-12-29  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/asn1_print.c (loop): check for length longer than data.
+	inspired by lha@stacken.kth.se
+
+2000-12-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* admin/ktutil.8: reflect recent changes
+
+	* admin/copy.c: don't copy an entry that already exists in the
+	keytab, and warn if the keyblock differs
+
+2000-12-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* admin/Makefile.am: merge srvconvert and srvcreate with copy
+
+	* admin/copy.c: merge srvconvert and srvcreate with copy
+
+	* lib/krb5/Makefile.am: always build keytab_krb4.c
+
+	* lib/krb5/context.c: always register the krb4 keytab functions
+
+	* lib/krb5/krb5.h: declare krb4_ftk_ops
+
+	* lib/krb5/keytab_krb4.c: We don't really need to include krb.h
+	here, since we only use the principal size macros, so define these
+	here. Theoretically someone could have a krb4 system where these
+	values are != 40, but this is unlikely, and
+	krb5_524_conv_principal also assume they are 40.
+
+2000-12-13  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5.h: s/krb5_donot_reply/krb5_donot_replay/
+
+	* lib/krb5/replay.c: fix query-replace-o from MD5 API change, and
+	the struct is called krb5_donot_replay
+
+2000-12-12  Assar Westerlund  <assar@sics.se>
+
+	* admin/srvconvert.c (srvconvert): do not use data after free:ing
+	it
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.3d
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 14:0:0
+	* lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 6:3:0
+	* lib/krb5/Makefile.am (libkrb5_la_LIBADD): add library
+	dependencies
+
+2000-12-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/auth_context.c: implement krb5_auth_con_{get,set}rcache
+
+2000-12-08  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h (krb5_enctype): add ETYPE_DES3_CBC_NONE_IVEC as
+	a new pseudo-type
+
+	* lib/krb5/crypto.c (DES_AFS3_CMU_string_to_key): always treat
+	cell names as lower case
+	(krb5_encrypt_ivec, krb5_decrypt_ivec): new functions that allow an
+	explicit ivec to be specified.  fix all sub-functions.
+	(DES3_CBC_encrypt_ivec): new function that takes an explicit ivec
+
+2000-12-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/Makefile.am: actually build replay cache code
+
+	* lib/krb5/replay.c: implement krb5_get_server_rcache
+
+	* kpasswd/kpasswdd.c: de-pointerise auth_context parameter to
+	krb5_mk_rep
+
+	* lib/krb5/recvauth.c: de-pointerise auth_context parameter to
+	krb5_mk_rep
+
+	* lib/krb5/mk_rep.c: auth_context should not be a pointer
+
+	* lib/krb5/auth_context.c: implement krb5_auth_con_genaddrs, and
+	make setaddrs_from_fd use that
+
+	* lib/krb5/krb5.h: add some more KRB5_AUTH_CONTEXT_* flags
+
+2000-12-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/Makefile.am: add kerberos.8 manpage
+
+	* lib/krb5/cache.c: check for NULL remove_cred function
+
+	* lib/krb5/fcache.c: pretend that empty files are non-existant
+
+	* lib/krb5/get_addrs.c (find_all_addresses): use getifaddrs, from
+	Jason Thorpe <thorpej@netbsd.org>
+
+2000-12-01  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: remove configure-time generation of krb5-config
+	* tools/Makefile.am: add generation of krb5-config at make-time
+	instead of configure-time
+
+	* tools/krb5-config.in: add --prefix and --exec-prefix
+
+2000-11-30  Assar Westerlund  <assar@sics.se>
+
+	* tools/Makefile.am: add krb5-config.1
+	* tools/krb5-config.in: add kadm-client and kadm5-server as
+	libraries
+
+2000-11-29  Assar Westerlund  <assar@sics.se>
+
+	* tools/krb5-config.in: add --prefix, --exec-prefix and gssapi
+
+2000-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: add roken/Makefile here, since it can't live in
+	rk_ROKEN
+
+2000-11-16  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: use the libtool -rpath, do not rely on ld
+	understanding -rpath
+
+	* configure.in: fix the -Wl stuff for krb4 linking add some
+	gratuitous extra options when linking with an existing libdes
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/hdb.c (hdb_next_enctype2key): const-ize a little bit
+	* lib/Makefile.am (SUBDIRS): try to only build des when needed
+	* kuser/klist.c: print key versions numbers of v4 tickets in
+	verbose mode
+
+	* kdc/kerberos5.c (tgs_rep2): adapt to new krb5_verify_ap_req2
+	* appl/test/gss_common.c (read_token): remove unused variable
+
+	* configure.in (krb4): add -Wl
+	(MD4Init et al): look for these in more libraries
+	(getmsg): only run test if we have the function
+	(AC_OUTPUT): create tools/krb5-config
+
+	* tools/krb5-config.in: new script for storing flags to use
+	* Makefile.am (SUBDIRS): add tools
+
+	* lib/krb5/get_cred.c (make_pa_tgs_req): update to new
+	krb5_mk_req_internal
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): allow different
+	usages for the encryption.  change callers
+	* lib/krb5/rd_req.c (decrypt_authenticator): add an encryption
+	`usage'.  also try the old
+	(and wrong) usage of KRB5_KU_AP_REQ_AUTH for backwards compatibility
+	(krb5_verify_ap_req2): new function for specifying the usage different
+	from the default (KRB5_KU_AP_REQ_AUTH)
+	* lib/krb5/build_auth.c (krb5_build_authenticator): add a `usage'
+	parameter to permit the generation of authenticators with
+	different crypto usage
+
+	* lib/krb5/mk_req.c (krb5_mk_req_exact): new function that takes a
+	krb5_principal
+	(krb5_mk_req): use krb5_mk_req_exact
+
+	* lib/krb5/mcache.c (mcc_close): free data
+	(mcc_destroy): don't free data
+
+2000-11-13  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/ndbm.c: handle both ndbm.h and gdbm/ndbm.h
+	* lib/hdb/hdb.c: handle both ndbm.h and gdbm/ndbm.h
+
+2000-11-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/hpropd.8: remove extra .Xc
+
+2000-10-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c: fix v4 fallback lifetime calculation
+
+2000-10-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/524.c: fix log messge
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/changepw.c (krb5_change_password): check for fd's being
+	too large to select on
+	* kpasswd/kpasswdd.c (add_new_tcp): check for the socket fd being
+	too large to select on
+	* kdc/connect.c (add_new_tcp): check for the socket fd being too
+	large to selct on
+	* kdc/connect.c (loop): check that the socket fd is not too large
+	to select on
+	* lib/krb5/send_to_kdc.c (recv_loop): check `fd' for being too
+	large to be able to select on
+
+	* kdc/kaserver.c (do_authenticate): check for time skew
+
+2000-10-01  Assar Westerlund  <assar@sics.se>
+
+	* kdc/524.c (set_address): allocate memory for storing addresses
+	in if the original request had an empty set of addresses
+	* kdc/524.c (set_address): fix bad return of pointer to automatic
+	data
+
+	* config.sub: update to version 2000-09-11 (aka 1.181) from
+	subversions.gnu.org
+
+	* config.guess: update to version 2000-09-05 (aka 1.156) from
+	subversions.gnu.org plus some minor tweaks
+
+2000-09-20  Assar Westerlund  <assar@juguete.sics.se>
+
+	* Release 0.3c
+
+2000-09-19  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to
+	13:1:0
+
+	* lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 6:2:0
+
+2000-09-17  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c (krb5_decrypt_ticket): plug some memory leak
+	(krb5_rd_req): try not to return an allocated auth_context on error
+
+	* lib/krb5/log.c (krb5_vlog_msg): fix const-ness
+
+2000-09-10  Assar Westerlund  <assar@sics.se>
+
+	* kdc/524.c: re-organize
+	* kdc/kerberos5.c (tgs_rep2): try to avoid leaking auth_context
+	* kdc/kerberos4.c (valid_princ): check return value of functions
+	(encode_v4_ticket): add some const
+	* kdc/misc.c (db_fetch): check malloc
+	(free_ent): new function
+
+	* lib/krb5/log.c (krb5_vlog_msg): log just the format string it we
+	fail to allocate the actual string to log, should at least provide
+	some hint as to where things went wrong
+
+2000-09-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/log.c: use DEFAULT_LOG_DEST
+
+	* kdc/config.c: use _PATH_KDC_CONF
+
+	* kdc/kdc_locl.h: add macro constants for kdc.conf, and kdc.log
+
+2000-09-09  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c (_key_schedule): re-use an existing schedule
+
+2000-09-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: fix dpagaix test
+
+2000-09-05  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: with_dce -> enable_dce.  noticed by Ake Sandgren
+ 	<ake@cs.umu.se>
+
+2000-09-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kstash.8: update manual page
+
+	* kdc/kstash.c: fix typo, and remove unused option
+
+	* lib/krb5/kerberos.7: short kerberos intro page
+
+2000-08-27  Assar Westerlund  <assar@sics.se>
+
+	* include/bits.c: add __attribute__ for gcc's pleasure
+	* lib/hdb/keytab.c: re-write to delay the opening of the database
+	till it's known which principal is being sought, thereby allowing
+	the usage of multiple databases, however they need to be specified
+	in /etc/krb5.conf since all the programs using this keytab do not
+	read kdc.conf
+
+	* appl/test/test_locl.h (keytab): add
+	* appl/test/common.c: add --keytab
+	* lib/krb5/crypto.c: remove trailing commas
+	(KRB5_KU_USAGE_SEQ): renamed from KRB5_KU_USAGE_MIC
+
+2000-08-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (send_via_proxy): handle `http://' at the
+	beginning of the proxy specification.  use getaddrinfo correctly
+	(krb5_sendto): always return a return code
+
+	* lib/krb5/krb5.h (KRB5_KU_USAGE_MIC): rename to KRB5_KU_USAGE_SEQ
+	* lib/krb5/auth_context.c (krb5_auth_con_free): handle
+	auth_context == NULL
+
+2000-08-23  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c (find_type): make sure of always setting
+	`ret_etype' correctly.  clean-up structure some
+
+2000-08-23  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/mcache.c: implement resolve
+
+2000-08-18  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kdecode_ticket.c: check return value from krb5_crypto_init
+	* kdc/kerberos5.c, kdc/524.c: check return value from krb5_crypto_init
+	* lib/krb5/*.c: check return value from krb5_crypto_init
+
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.3b
+
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 13:0:0
+
+	* lib/hdb/Makefile.am: set version to 6:1:0
+
+	* configure.in: do getmsg testing the same way as in krb4
+
+	* lib/krb5/config_file.c (krb5_config_parse_file_debug): make sure
+ 	of closing the file on error
+
+	* lib/krb5/crypto.c (encrypt_internal_derived): free the checksum
+ 	after use
+
+	* lib/krb5/warn.c (_warnerr): initialize args to make third,
+ 	purify et al happy
+
+2000-08-13  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c: re-write search for keys code.  loop over all
+	supported enctypes in order, looping over all keys of each type,
+	and picking the one with the v5 default salt preferably
+
+2000-08-10  Assar Westerlund  <assar@sics.se>
+
+	* appl/test/gss_common.c (enet_read): add and use
+	* lib/krb5/krb5.h (heimdal_version, heimdal_long_version): make
+	const
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): add comment on
+	checksum type selection
+
+	* lib/krb5/context.c (krb5_init_context): do not leak memory on
+	failure
+	(default_etypes): prefer arcfour-hmac-md5 to des-cbc-md5
+
+	* lib/krb5/principal.c: add fnmatch.h
+
+2000-08-09  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: call AC_PROG_CC and AC_PROG_CPP to make sure later
+	checks that should require them don't fail
+	* acconfig.h: add HAVE_UINT17_T
+
+2000-08-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/mit_dump.c: handle all sorts of weird MIT salt types
+
+2000-08-08  Johan Danielsson  <joda@pdc.kth.se>
+
+	* doc/setup.texi: port 212 -> 2121
+
+	* lib/krb5/principal.c: krb5_principal_match
+
+2000-08-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/asn1/der_get.c: add comment on *why* DCE sometimes used BER
+	encoding
+
+	* kpasswd/Makefile.am: link with pidfile library
+
+	* kpasswd/kpasswdd.c: write a pid file
+
+	* kpasswd/kpasswd_locl.h: util.h
+
+	* kdc/Makefile.am: link with pidfile library
+
+	* kdc/main.c: write a pid file
+
+	* kdc/headers.h: util.h
+
+2000-08-04  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_425_conv_principal_ext): always put
+	hostnames in lower case
+	(default_v4_name_convert): add imap
+
+2000-08-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crc.c (_krb5_crc_update): const-ize (finally)
+
+2000-07-31  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: check for uint*_t
+	* include/bits.c: define uint*_t
+	
+2000-07-29  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c (check_tgs_flags): set endtime correctly when
+	renewing, From Derrick J Brashear <shadow@dementia.org>
+
+2000-07-28  Assar Westerlund  <assar@juguete.sics.se>
+
+	* Release 0.3a
+
+2000-07-27  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hprop.c (dump_database): write an empty message to signal
+	end of dump
+
+2000-07-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/changepw.c (krb5_change_password): try to be more
+	careful when not to resend
+
+	* lib/hdb/db3.c: always create a cursor with db3.  From Derrick J
+	Brashear <shadow@dementia.org>
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/hdb/Makefile.am: bump version to 6:0:0
+
+	* lib/asn1/Makefile.am: bump version to 3:0:1
+
+	* lib/krb5/Makefile.am: bump version to 12:0:1
+
+	* lib/krb5/krb5_config.3: manpage
+
+	* lib/krb5/krb5_appdefault.3: manpage
+
+	* lib/krb5/appdefault.c: implementation of the krb5_appdefault set
+	of functions
+
+2000-07-23  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c (change_password): reset forwardable
+	and proxiable.  copy preauthentication list correctly from
+	supplied options
+
+	* kdc/hpropd.c (main): check that the ticket was for `hprop/' for
+	paranoid reasons
+
+	* lib/krb5/sock_principal.c (krb5_sock_to_principal): look in
+	aliases for the real name
+
+2000-07-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* doc/setup.texi: say something about starting kadmind from the
+	command line
+
+2000-07-22  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswdd.c: use kadm5_s_chpass_principal_cond instead of
+	mis-doing it here
+
+	* lib/krb5/changepw.c (krb5_change_password): make timeout 1 +
+	2^{0,1,...}.  also keep track if we got an old packet back and
+	then just wait without sending a new packet
+	* lib/krb5/changepw.c: use a datagram socket and remove the
+	sequence numbers
+	* lib/krb5/changepw.c (krb5_change_password): clarify an
+	expression, avoiding a warning
+
+2000-07-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/klist.c: make -a and -n aliases for -v
+
+	* lib/krb5/write_message.c: ws
+
+	* kdc/hprop-common.c: nuke extra definitions of
+	krb5_read_priv_message et.al
+
+	* lib/krb5/read_message.c (krb5_read_message): return error if EOF
+
+2000-07-20  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswd.c: print usage consistently
+	* kdc/hprop.h (HPROP_KEYTAB): use HDB for the keytab
+	* kdc/hpropd.c: add --keytab
+	* kdc/hpropd.c: don't care what principal we recvauth as
+
+	* lib/krb5/get_cred.c: be more careful of not returning creds at
+	all when an error is returned
+	* lib/krb5/fcache.c (fcc_gen_new): do mkstemp correctly
+
+2000-07-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* fix-export: use autoreconf
+
+	* configure.in: remove stuff that belong in roken, and remove some
+	obsolete constructs
+
+2000-07-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: fix some typos
+
+	* appl/Makefile.am: dceutil*s*
+
+	* missing: update to missing from automake 1.4a
+
+2000-07-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: try to get xlc flags from ibmcxx.cfg use
+	conditional for X use readline cf macro
+
+	* configure.in: subst AIX compiler flags
+
+2000-07-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: pass sixth parameter to test-package; use some
+	newer autoconf constructs
+
+	* ltmain.sh: update to libtool 1.3c
+
+	* ltconfig: update to libtool 1.3c
+
+	* configure.in: update this to newer auto*/libtool
+
+	* appl/Makefile.am: use conditional for dce
+	
+	* lib/Makefile.am: use conditional for dce
+	
+2000-07-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/write_message.c: krb5_write_{priv,save}_message
+	* lib/krb5/read_message.c: krb5_read_{priv,save}_message
+	* lib/krb5/convert_creds.c: try port kerberos/88 if no response on
+	krb524/4444
+
+	* lib/krb5/convert_creds.c: use krb5_sendto
+
+	* lib/krb5/send_to_kdc.c: add more generic krb5_sendto that send
+	to a port at arbitrary list of hosts
+
+2000-07-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* doc/misc.texi: language; say something about kadmin del_enctype
+
+2000-07-10  Assar Westerlund  <assar@sics.se>
+
+	* appl/kf/Makefile.am: actually install
+
+2000-07-08  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (AM_INIT_AUTOMAKE): bump to 0.3a-pre
+	(AC_ROKEN): roken is now at 10
+
+	* lib/krb5/string-to-key-test.c: add a arcfour-hmac-md5 test case
+	* kdc/Makefile.am (INCLUDES): add ../lib/krb5
+	* configure.in: update for standalone roken
+	* lib/Makefile.am (SUBDIRS): make roken conditional
+	* kdc/hprop.c: update to new hdb_seal_keys_mkey
+	* lib/hdb/mkey.c (_hdb_unseal_keys_int, _hdb_seal_keys_int):
+	rename and export them
+
+	* kdc/headers.h: add krb5_locl.h (since we just use some stuff
+	from there)
+
+2000-07-08  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/klist.1: update for -f and add some more text for -v
+
+	* kuser/klist.c: use rtbl to format cred listing, add -f and -s
+
+	* lib/krb5/crypto.c: fix type in des3-cbc-none
+
+	* lib/hdb/mkey.c: add key usage
+
+	* kdc/kstash.c: remove writing of old keyfile, and treat
+	--convert-file as just reading and writing the keyfile without
+	asking for a new key
+	
+	* lib/hdb/mkey.c (read_master_encryptionkey): handle old keytype
+	based files, and convert the key to cfb64
+
+	* lib/hdb/mkey.c (hdb_read_master_key): set mkey to NULL before
+	doing anything else
+
+	* lib/krb5/send_to_kdc.c: use krb5_eai_to_heim_errno
+
+	* lib/krb5/get_for_creds.c: use krb5_eai_to_heim_errno
+
+	* lib/krb5/changepw.c: use krb5_eai_to_heim_errno
+
+	* lib/krb5/addr_families.c: use krb5_eai_to_heim_errno
+
+	* lib/krb5/eai_to_heim_errno.c: convert getaddrinfo error codes to
+	something that can be passed to get_err_text
+
+2000-07-07  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/hdb.c (hdb_next_enctype2key): make sure of skipping
+	`*key'
+
+	* kdc/kerberos4.c (get_des_key): rewrite some, be more careful
+
+2000-07-06  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c (as_rep): be careful as to now overflowing when
+	calculating the end of lifetime of a ticket.
+
+	* lib/krb5/context.c (default_etypes): add ETYPE_ARCFOUR_HMAC_MD5
+
+	* lib/hdb/db3.c: only use a cursor when needed, from Derrick J
+	Brashear <shadow@dementia.org>
+
+	* lib/krb5/crypto.c: introduce the `special' encryption methods
+	that are not like all other encryption methods and implement
+	arcfour-hmac-md5
+
+2000-07-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/mit_dump.c: set initial master key version number to 0
+	instead of 1; if we lated bump the mkvno we don't risk using the
+	wrong key to decrypt
+
+	* kdc/hprop.c: only get master key if we're actually going to use
+	it; enable reading of MIT krb5 dump files
+	
+	* kdc/mit_dump.c: read MIT krb5 dump files
+	
+	* lib/hdb/mkey.c (read_master_mit): fix this
+	
+	* kdc/kstash.c: make this work with the new mkey code
+	
+	* lib/hdb/Makefile.am: add mkey.c, and bump version number
+	
+	* lib/hdb/hdb.h: rewrite master key handling
+	
+	* lib/hdb/mkey.c: rewrite master key handling
+	
+	* lib/krb5/crypto.c: add some more pseudo crypto types
+	
+	* lib/krb5/krb5.h: change some funny etypes to use negative
+	numbers, and add some more
+
+2000-07-04  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krbhst.c (get_krbhst): only try SRV lookup if there are
+	none in the configuration file
+
+2000-07-02  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab_keyfile.c (akf_add_entry): remove unused
+	variable
+
+	* kpasswd/kpasswd-generator.c: new test program
+	* kpasswd/Makefile.am: add kpasswd-generator
+
+	* include/Makefile.am (CLEANFILES): add rc4.h
+
+	* kuser/generate-requests.c: new test program
+	* kuser/Makefile.am (noinst_PROGRAMS): add generate-requests
+
+2000-07-01  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: add --enable-dce and related stuff
+	* appl/Makefile.am (SUBDIRS): add $(APPL_dce)
+
+2000-06-29  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos4.c (get_des_key): fix thinkos/typos
+
+2000-06-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* admin/purge.c: use parse_time to parse age
+
+	* lib/krb5/log.c (krb5_vlog_msg): use krb5_format_time
+
+	* admin/list.c: add printing of timestamp and key data; some
+	cleanup
+
+	* lib/krb5/time.c (krb5_format_time): new function to format time
+
+	* lib/krb5/context.c (init_context_from_config_file): init
+	date_fmt, also do some cleanup
+
+	* lib/krb5/krb5.h: add date_fmt to context
+
+2000-06-28  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/{kerberos4,kaserver,524}.c (get_des_key): change to return
+	v4 or afs keys if possible
+
+2000-06-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/hprop.c (ka_convert): allow using null salt, and treat 0
+	pw_expire as never (from Derrick Brashear)
+
+2000-06-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/connect.c (add_standard_ports): only listen to port 750 if
+	serving v4 requests
+
+2000-06-22  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/lex.l: fix includes, and lex stuff
+	* lib/asn1/lex.h (error_message): update prototype
+	(yylex): add
+	* lib/asn1/gen_length.c (length_type): fail on malloc error
+	* lib/asn1/gen_decode.c (decode_type): fail on malloc error
+
+2000-06-21  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_for_creds.c: be more compatible with MIT code.
+	From Daniel Kouril <kouril@ics.muni.cz>
+	* lib/krb5/rd_cred.c: be more compatible with MIT code.  From
+	Daniel Kouril <kouril@ics.muni.cz>
+	* kdc/kerberos5.c (get_pa_etype_info): do not set salttype if it's
+	vanilla pw-salt, that keeps win2k happy.  also do the malloc check
+	correctly.  From Daniel Kouril <kouril@ics.muni.cz>
+
+2000-06-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/hprop.c: add hdb keytabs
+
+2000-06-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/principal.c: back out rev. 1.64
+
+2000-06-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c: pa_* -> KRB5_PADATA_*
+
+	* kdc/hpropd.c: add realm override flag
+	
+	* kdc/v4_dump.c: code for reading krb4 dump files
+	
+	* kdc/hprop.c: generalize source database handing, add support for
+	non-standard local realms (from by Daniel Kouril
+	<kouril@ics.muni.cz> and Miroslav Ruda <ruda@ics.muni.cz>), and
+	support for using different ports (requested by the Czechs, but
+	implemented differently)
+
+	* lib/krb5/get_cred.c: pa_* -> KRB5_PADATA_*
+	
+	* lib/krb5/get_in_tkt.c: pa_* -> KRB5_PADATA_*
+	
+	* lib/krb5/krb5.h: use some definitions from asn1.h
+
+	* lib/hdb/hdb.asn1: use new import syntax
+	
+	* lib/asn1/k5.asn1: use distinguished value integers
+	
+	* lib/asn1/gen_length.c: support for distinguished value integers
+	
+	* lib/asn1/gen_encode.c: support for distinguished value integers
+	
+	* lib/asn1/gen_decode.c: support for distinguished value integers
+	
+	* lib/asn1/gen.c: support for distinguished value integers
+
+	* lib/asn1/lex.l: add support for more standards like import
+	statements
+
+	* lib/asn1/parse.y: add support for more standards like import
+	statements, and distinguished value integers
+	
+2000-06-11  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_for_creds.c (add_addrs): ignore addresses of
+	unknown type
+	* lib/krb5/get_for_creds.c (add_addrs): zero memory before
+	starting to copy memory
+
+2000-06-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/test_get_addrs.c: test program for get_addrs
+	* lib/krb5/get_addrs.c (find_all_addresses): remember to add in
+ 	the size of ifr->ifr_name when using SA_LEN.  noticed by Ken
+ 	Raeburn <raeburn@MIT.EDU>
+
+2000-06-07  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: add db3 detection stuff do not use streamsptys on
+	HP-UX 11
+	* lib/hdb/hdb.h (HDB): add dbc for db3
+	* kdc/connect.c (add_standard_ports): also listen on krb524 aka
+	4444
+	* etc/services.append (krb524): add
+	* lib/hdb/db3.c: add berkeley db3 interface.  contributed by
+	Derrick J Brashear <shadow@dementia.org>
+	* lib/hdb/hdb.h (struct HDB): add
+
+2000-06-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/524.c: if 524 is not enabled, just generate error reply and
+	exit
+
+	* kdc/kerberos4.c: if v4 is not enabled, just generate error reply
+	and exit
+
+	* kdc/connect.c: only listen to port 4444 if 524 is enabled
+	
+	* kdc/config.c: add options to enable/disable v4 and 524 requests
+	
+2000-06-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/524.c: handle non-existant server principals (from Daniel
+	Kouril)
+
+2000-06-03  Assar Westerlund  <assar@sics.se>
+
+	* admin/ktutil.c: print name when failing to open keytab
+
+	* kuser/kinit.c: try also to fallback to v4 when no KDC is found
+
+2000-05-28  Assar Westerlund  <assar@sics.se>
+
+	* kuser/klist.c: continue even we have no v5 ccache.  make showing
+	your krb4 tickets the default (if build with krb4 support)
+	* kuser/kinit.c: add a fallback that tries to get a v4 ticket if
+	built with krb4 support and we got back a version error from the
+	KDC
+
+2000-05-23  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/keytab_keyfile.c: make this actually work
+
+2000-05-19  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/store_emem.c (emem_store): make it write-compatible
+	* lib/krb5/store_fd.c (fd_store): make it write-compatible
+	* lib/krb5/store_mem.c (mem_store): make it write-compatible
+	* lib/krb5/krb5.h (krb5_storage): make store write-compatible
+
+2000-05-18  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: add stdio.h in dbopen test
+
+2000-05-16  Assar Westerlund  <assar@assaris.sics.se>
+
+	* Release 0.2t
+
+2000-05-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:1:0
+	* lib/krb5/fcache.c: fix second lseek
+	* lib/krb5/principal.c (krb5_524_conv_principal): fix typo
+
+2000-05-15  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2s
+
+2000-05-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:0:0
+	* lib/hdb/Makefile.am (libhdb_la_LDFLAGS): set version to 4:2:1
+	* lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump to 2:0:0
+	* lib/krb5/principal.c (krb5_524_conv_principal): comment-ize, and
+	simplify string copying
+
+2000-05-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/fcache.c (scrub_file): new function
+	(erase_file): re-write, use scrub_file
+	* lib/krb5/krb5.h (KRB5_DEFAULT_CCFILE_ROOT): add
+
+	* configure.in (dbopen): add header files
+
+	* lib/krb5/krb5.h (krb5_key_usage): add some more
+	* lib/krb5/fcache.c (erase_file): try to detect symlink games.
+	also call revoke.
+	* lib/krb5/changepw.c (krb5_change_password): remember to close
+	the socket on error
+
+	* kdc/main.c (main): also call sigterm on SIGTERM
+
+2000-05-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/config_file.c (krb5_config_vget_string_default,
+ 	krb5_config_get_string_default): add
+
+2000-04-25  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/fcache.c (fcc_initialize): just forget about
+	over-writing the old cred cache.  it's too much of a hazzle trying
+	to do this safely.
+
+2000-04-11  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c (krb5_get_wrapped_length): rewrite into
+	different parts for the derived and non-derived cases
+	* lib/krb5/crypto.c (krb5_get_wrapped_length): the padding should
+	be done after having added confounder and checksum
+
+2000-04-09  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c (find_all_addresses): apperently solaris
+	can return EINVAL when the buffer is too small.  cope.
+	* lib/asn1/Makefile.am (gen_files): add asn1_UNSIGNED.x
+	* lib/asn1/gen_locl.h (filename): add prototype
+	(init_generate): const-ize
+	* lib/asn1/gen.c (filename): new function clean-up a little bit.
+	* lib/asn1/parse.y: be more tolerant in ranges
+	* lib/asn1/lex.l: count lines correctly.
+	(error_message): print filename in messages
+
+2000-04-08  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_safe.c (krb5_rd_safe): increment sequence number
+	after comparing
+	* lib/krb5/rd_priv.c (krb5_rd_priv): increment sequence number
+	after comparing
+	* lib/krb5/mk_safe.c (krb5_mk_safe): make `tmp_seq' unsigned
+	* lib/krb5/mk_priv.c (krb5_mk_priv): make `tmp_seq' unsigned
+	* lib/krb5/generate_seq_number.c (krb5_generate_seq_number): make
+	`seqno' be unsigned
+	* lib/krb5/mk_safe.c (krb5_mk_safe): increment local sequence
+	number after the fact and only increment it if we were successful
+	* lib/krb5/mk_priv.c (krb5_mk_priv): increment local sequence
+	number after the fact and only increment it if we were successful
+	* lib/krb5/krb5.h (krb5_auth_context_data): make sequence number
+	unsigned
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password):
+	`in_tkt_service' can be NULL
+
+2000-04-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/parse.y: regonize INTEGER (0..UNIT_MAX).
+	(DOTDOT): add
+	* lib/asn1/lex.l (DOTDOT): add
+	* lib/asn1/k5.asn1 (UNSIGNED): add.  use UNSIGNED for all sequence
+	numbers.
+	* lib/asn1/gen_length.c (length_type): add TUInteger
+	* lib/asn1/gen_free.c (free_type): add TUInteger
+	* lib/asn1/gen_encode.c (encode_type, generate_type_encode): add
+	TUInteger
+	* lib/asn1/gen_decode.c (decode_type, generate_type_decode): add
+	TUInteger
+	* lib/asn1/gen_copy.c (copy_type): add TUInteger
+	* lib/asn1/gen.c (define_asn1): add TUInteger
+	* lib/asn1/der_put.c (encode_unsigned): add
+	* lib/asn1/der_length.c (length_unsigned): add
+	* lib/asn1/der_get.c (decode_unsigned): add
+	* lib/asn1/der.h (decode_unsigned, encode_unsigned,
+	length_unsigned): add prototypes
+
+	* lib/asn1/k5.asn1: update pre-authentication types
+	* lib/krb5/krb5_err.et: add some error codes from pkinit
+
+2000-04-05  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/hdb.c: add support for hdb methods (aka back-ends).
+	include ldap.
+	* lib/hdb/hdb-ldap.c: tweak the ifdef to OPENLDAP
+	* lib/hdb/Makefile.am: add hdb-ldap.c and openldap
+	* kdc/Makefile.am, kpasswd/Makefile.am, kadmin/Makefile.am: add
+	* configure.in: bump version to 0.2s-pre add options and testing
+	for (open)ldap
+
+2000-04-04  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (krb4): fix the krb_mk_req test
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (krb4): add test for const arguments to krb_mk_req
+	* lib/45/mk_req.c (krb_mk_req): conditionalize const-ness of
+	arguments
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2r
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 10:0:0
+	* lib/45/mk_req.c (krb_mk_req): const-ize the arguments
+	
+2000-03-30  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_425_conv_principal_ext): add some
+	comments.  add fall-back on adding the realm name in lower case.
+
+2000-03-29  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c: remember to repoint all descr->sa to _ss after
+	realloc as this might have moved the memory around.  problem
+	discovered and diagnosed by Brandon S. Allbery
+
+2000-03-27  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: recognize solaris 2.8
+	* config.guess, config.sub: update to current version from
+	:pserver:anoncvs@subversions.gnu.org:/home/cvs
+
+	* lib/krb5/init_creds_pw.c (print_expire): do not assume anything
+	about the size of time_t, i.e. make it 64-bit happy
+
+2000-03-13  Assar Westerlund  <assar@sics.se>
+
+	* kuser/klist.c: add support for display v4 tickets
+
+2000-03-11  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kaserver.c (do_authenticate, do_getticket): call check_flags
+	* kdc/kerberos4.c (do_version4): call check_flags.
+	* kdc/kerberos5.c (check_flags): make global
+
+2000-03-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): evil
+	hack to avoid recursion
+
+2000-03-04  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c: add `krb4_get_tickets' per realm. add --anonymous
+	* lib/krb5/krb5.h (krb5_get_init_creds_opt): add `anonymous' and
+	KRB5_GET_INIT_CREDS_OPT_ANONYMOUS
+	* lib/krb5/init_creds_pw.c (get_init_creds_common): set
+	request_anonymous flag appropriatly
+	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_anonymous):
+	add
+
+	* lib/krb5/get_in_tkt.c (_krb5_extract_ticket): new parameter to
+	determine whetever to ignore client name of not.  always copy
+	client name from kdc.  fix callers.
+
+	* kdc: add support for anonymous tickets
+
+	* kdc/string2key.8: add man-page for string2key
+
+2000-03-03  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (dump_krb4): get expiration date from `valid_end'
+	and not `pw_end'
+
+	* kdc/kadb.h (ka_entry): fix name pw_end -> valid_end.  add some
+	more fields
+
+	* kdc/hprop.c (v4_prop): set the `valid_end' from the v4
+	expiration date instead of the `pw_expire'
+	(ka_convert): set `valid_end' from ka expiration data and `pw_expire'
+	from pw_change + pw_expire
+	(main): add a default database for ka dumping
+
+2000-02-28  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/context.c (init_context_from_config_file): change
+	rfc2052 default to no.  2782 says that underscore should be used.
+
+2000-02-24  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/fcache.c (fcc_initialize, fcc_store_cred): verify that
+	stores and close succeed
+	* lib/krb5/store.c (krb5_store_creds): check to see that the
+	stores are succesful.
+
+2000-02-23  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2q
+
+2000-02-22  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 9:2:0
+	
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): copy
+	the correct hostname
+
+	* kdc/connect.c (add_new_tcp): use the correct entries in the
+	descriptor table
+	* kdc/connect.c: initialize `descr' uniformly and correctly
+
+2000-02-20  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2p
+
+2000-02-19  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 9:1:0
+	
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): make sure
+	that realms is filled in even when getaddrinfo fails or does not
+	return any canonical name
+
+	* kdc/connect.c (descr): add sockaddr and string representation
+	(*): re-write to use the above mentioned
+
+2000-02-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (krb5_parse_address): use
+	krb5_sockaddr2address to copy the result from getaddrinfo.
+
+2000-02-14  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2o
+
+2000-02-13  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 9:0:0
+
+	* kdc/kaserver.c (do_authenticate): return the kvno of the server
+	and not the client.  Thanks to Brandon S. Allbery KF8NH
+	<allbery@kf8nh.apk.net> and Chaskiel M Grundman
+	<cg2v@andrew.cmu.edu> for debugging.
+
+	* kdc/kerberos4.c (do_version4): if an tgs-req is received with an
+	old kvno, return an error reply and write a message in the log.
+	
+2000-02-12  Assar Westerlund  <assar@sics.se>
+
+	* appl/test/gssapi_server.c (proto): with `--fork', create a child
+	and send over/receive creds with export/import_sec_context
+	* appl/test/gssapi_client.c (proto): with `--fork', create a child
+	and send over/receive creds with export/import_sec_context
+	* appl/test/common.c: add `--fork' / `-f' (only used by gssapi)
+
+2000-02-11  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kdc_locl.h: remove keyfile add explicit_addresses
+	* kdc/connect.c (init_sockets): pay attention to
+	explicit_addresses some more comments.  better error messages.
+	* kdc/config.c: add some comments.
+	remove --key-file.
+	add --addresses.
+
+	* lib/krb5/context.c (krb5_set_extra_addresses): const-ize and use
+	proper abstraction
+
+2000-02-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/changepw.c: use roken_getaddrinfo_hostspec
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2n
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 8:0:0
+	* lib/krb5/keytab.c (krb5_kt_default_name): use strlcpy
+	(krb5_kt_add_entry): set timestamp
+
+2000-02-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h: add macros for accessing krb5_realm
+	* lib/krb5/time.c (krb5_timeofday): use `krb5_timestamp' instead
+	of `int32_t'
+
+	* lib/krb5/replay.c (checksum_authenticator): update to new API
+	for md5
+
+	* lib/krb5/krb5.h: remove des.h, it's not needed and applications
+	should not have to make sure to find it.
+
+2000-02-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c (get_key_from_keytab): rename parameter to
+	`out_key' to avoid conflicting with label.  reported by Sean Doran
+	<smd@ebone.net>
+
+2000-02-02  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/expand_hostname.c: remember to lower-case host names.
+	bug reported by <amu@mit.edu>
+
+	* kdc/kerberos4.c (do_version4): look at check_ticket_addresses
+	and emulate that by setting krb_ignore_ip_address (not a great
+	interface but it doesn't seem like the time to go around fixing
+	libkrb stuff now)
+
+2000-02-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c: change --noaddresses into --no-addresses
+
+2000-01-28  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswd.c (main): make sure the ticket is not
+	forwardable and not proxiable
+
+2000-01-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c: update to pseudo-standard APIs for
+	md4,md5,sha.  some changes to libdes calls to make them more
+	portable.
+
+2000-01-21  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/verify_init.c (krb5_verify_init_creds): make sure to
+ 	clean up the correct creds.
+
+2000-01-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (append_component): change parameter to
+	`const char *'.  check malloc
+	* lib/krb5/principal.c (append_component, va_ext_princ, va_princ):
+	const-ize
+	* lib/krb5/mk_req.c (krb5_mk_req): make `service' and `hostname'
+	const
+	* lib/krb5/principal.c (replace_chars): also add space here
+	* lib/krb5/principal.c: (quotable_chars): add space
+
+2000-01-12  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos4.c (do_version4): check if preauth was required and
+	bail-out if so since there's no way that could be done in v4.
+	Return NULL_KEY as an error to the client (which is non-obvious,
+	but what can you do?)
+
+2000-01-09  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): use
+	krb5_expand_hostname_realms
+	* lib/krb5/mk_req.c (krb5_km_req): use krb5_expand_hostname_realms
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): new
+	variant of krb5_expand_hostname that tries until it expands into
+	something that's digestable by krb5_get_host_realm, returning also
+	the result from that function.
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2m
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: replace AC_C_BIGENDIAN with KRB_C_BIGENDIAN
+
+	* lib/krb5/Makefile.am: bump version to 7:1:0
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): use
+	krb5_expand_hostname
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): handle
+	ai_canonname being set in any of the addresses returnedby
+	getaddrinfo.  glibc apparently returns the reverse lookup of every
+	address in ai_canonname.
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2l
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 7:0:0
+	* lib/krb5/principal.c (krb5_sname_to_principal): remove `hp'
+
+	* lib/hdb/Makefile.am: set version to 4:1:1
+
+	* kdc/hpropd.c (dump_krb4): use `krb5_get_default_realms'
+	* lib/krb5/get_in_tkt.c (add_padata): change types to make
+	everything work out
+	(krb5_get_in_cred): remove const to make types match
+	* lib/krb5/crypto.c (ARCFOUR_string_to_key): correct signature
+	* lib/krb5/principal.c (krb5_sname_to_principal): handle not
+	getting back a canonname
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2k
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): advance colon so that
+	we actually parse the port number.  based on a patch from Leif
+	Johansson <leifj@it.su.se>
+
+2000-01-02  Assar Westerlund  <assar@sics.se>
+
+	* admin/purge.c: remove all non-current and old entries from a
+	keytab
+
+	* admin: break up ktutil.c into files
+
+	* admin/ktutil.c (list): support --verbose (also listning time
+	stamps)
+	(kt_add, kt_get): set timestamp in newly created entries
+	(kt_change): add `change' command
+
+	* admin/srvconvert.c (srvconv): set timestamp in newly created
+	entries
+	* lib/krb5/keytab_keyfile.c (akf_next_entry): set timetsamp,
+	always go the a predicatble position on error
+	* lib/krb5/keytab.c (krb5_kt_copy_entry_contents): copy timestamp
+	* lib/krb5/keytab_file.c (fkt_add_entry): store timestamp
+	(fkt_next_entry_int): return timestamp
+	* lib/krb5/krb5.h (krb5_keytab_entry): add timestamp
diff --git a/crypto/heimdal/Makefile.am b/crypto/heimdal/Makefile.am
index 919d69c..f3d5441 100644
--- a/crypto/heimdal/Makefile.am
+++ b/crypto/heimdal/Makefile.am
@@ -1,9 +1,10 @@
-# $Id: Makefile.am,v 1.14 1999/08/12 02:21:43 assar Exp $
+# $Id: Makefile.am,v 1.16 2000/11/15 22:54:15 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
-SUBDIRS	= include lib kuser kdc admin kadmin kpasswd appl doc
+SUBDIRS	= include lib kuser kdc admin kadmin kpasswd appl doc tools
 
-ACLOCAL = @ACLOCAL@ -I cf
+## ACLOCAL = @ACLOCAL@ -I cf
+ACLOCAL_AMFLAGS = -I cf
 
 EXTRA_DIST = Makefile.am.common krb5.conf
diff --git a/crypto/heimdal/Makefile.in b/crypto/heimdal/Makefile.in
index 28684cb..f534fb7 100644
--- a/crypto/heimdal/Makefile.in
+++ b/crypto/heimdal/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.14 1999/08/12 02:21:43 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,21 +31,22 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 
 top_builddir = .
+
+ACLOCAL = @ACLOCAL@
 AUTOCONF = @AUTOCONF@
 AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -63,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -90,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.16 2000/11/15 22:54:15 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -134,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -142,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -150,32 +170,29 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
-SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc
+SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc tools
 
-ACLOCAL = @ACLOCAL@ -I cf
+ACLOCAL_AMFLAGS = -I cf
 
 EXTRA_DIST = Makefile.am.common krb5.conf
+subdir = .
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ./include/config.h
@@ -184,15 +201,16 @@ CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
-DIST_COMMON =  ChangeLog Makefile.am Makefile.in NEWS TODO acinclude.m4 \
-aclocal.m4 config.guess config.sub configure configure.in install-sh \
-ltconfig ltmain.sh missing mkinstalldirs
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
+DIST_COMMON =  README ChangeLog Makefile.am Makefile.in NEWS TODO \
+acconfig.h acinclude.m4 aclocal.m4 config.guess config.sub configure \
+configure.in install-sh ltconfig ltmain.sh missing mkinstalldirs
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 all: all-redirect
 .SUFFIXES:
@@ -204,8 +222,30 @@ Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
 	cd $(top_builddir) \
 	  && CONFIG_FILES=$@ CONFIG_HEADERS= $(SHELL) ./config.status
 
-$(ACLOCAL_M4):  configure.in  acinclude.m4
-	cd $(srcdir) && $(ACLOCAL)
+$(ACLOCAL_M4):  configure.in  acinclude.m4 cf/aix.m4 cf/auth-modules.m4 \
+		cf/broken-getnameinfo.m4 cf/broken-glob.m4 \
+		cf/broken-realloc.m4 cf/broken-snprintf.m4 cf/broken.m4 \
+		cf/broken2.m4 cf/c-attribute.m4 cf/c-function.m4 \
+		cf/capabilities.m4 cf/check-declaration.m4 \
+		cf/check-getpwnam_r-posix.m4 cf/check-man.m4 \
+		cf/check-netinet-ip-and-tcp.m4 cf/check-type-extra.m4 \
+		cf/check-var.m4 cf/check-x.m4 cf/check-xau.m4 cf/db.m4 \
+		cf/find-func-no-libs.m4 cf/find-func-no-libs2.m4 \
+		cf/find-func.m4 cf/find-if-not-broken.m4 \
+		cf/grok-type.m4 cf/have-pragma-weak.m4 \
+		cf/have-struct-field.m4 cf/have-type.m4 \
+		cf/have-types.m4 cf/krb-bigendian.m4 cf/krb-find-db.m4 \
+		cf/krb-func-getcwd-broken.m4 cf/krb-func-getlogin.m4 \
+		cf/krb-ipv6.m4 cf/krb-irix.m4 cf/krb-prog-ln-s.m4 \
+		cf/krb-prog-ranlib.m4 cf/krb-prog-yacc.m4 \
+		cf/krb-readline.m4 cf/krb-struct-spwd.m4 \
+		cf/krb-struct-winsize.m4 cf/krb-sys-aix.m4 \
+		cf/krb-sys-nextstep.m4 cf/krb-version.m4 cf/mips-abi.m4 \
+		cf/misc.m4 cf/need-proto.m4 cf/osfc2.m4 \
+		cf/proto-compat.m4 cf/retsigtype.m4 cf/roken-frag.m4 \
+		cf/roken.m4 cf/shared-libs.m4 cf/test-package.m4 \
+		cf/wflags.m4
+	cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
 
 config.status: $(srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
 	$(SHELL) ./config.status --recheck
@@ -219,8 +259,6 @@ $(srcdir)/configure: $(srcdir)/configure.in $(ACLOCAL_M4) $(CONFIGURE_DEPENDENCI
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 
-@SET_MAKE@
-
 all-recursive install-data-recursive install-exec-recursive \
 installdirs-recursive install-recursive uninstall-recursive  \
 check-recursive installcheck-recursive info-recursive dvi-recursive:
@@ -248,7 +286,7 @@ maintainer-clean-recursive:
 	dot_seen=no; \
 	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
 	  rev="$$subdir $$rev"; \
-	  test "$$subdir" = "." && dot_seen=yes; \
+	  if test "$$subdir" = "."; then dot_seen=yes; else :; fi; \
 	done; \
 	test "$$dot_seen" = "no" && rev=". $$rev"; \
 	target=`echo $@ | sed s/-recursive//`; \
@@ -269,15 +307,17 @@ tags-recursive:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -285,12 +325,14 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
 	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
    fi; \
 	done; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -304,49 +346,65 @@ maintainer-clean-tags:
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
 
+
 # This target untars the dist file and tries a VPATH configuration.  Then
 # it guarantees that the distribution is self-contained by making another
 # tarfile.
 distcheck: dist
-	-rm -rf $(distdir)
-	GZIP=$(GZIP_ENV) $(TAR) zxf $(distdir).tar.gz
+	-chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
+	GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(AMTAR) xf -
+	chmod -R a-w $(distdir); chmod a+w $(distdir)
 	mkdir $(distdir)/=build
 	mkdir $(distdir)/=inst
-	dc_install_base=`cd $(distdir)/=inst && pwd`; \
-	cd $(distdir)/=build \
+	chmod a-w $(distdir)
+	dc_install_base=`CDPATH=: && cd $(distdir)/=inst && pwd` \
+	  && cd $(distdir)/=build \
 	  && ../configure --srcdir=.. --prefix=$$dc_install_base \
 	  && $(MAKE) $(AM_MAKEFLAGS) \
 	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
 	  && $(MAKE) $(AM_MAKEFLAGS) check \
 	  && $(MAKE) $(AM_MAKEFLAGS) install \
 	  && $(MAKE) $(AM_MAKEFLAGS) installcheck \
-	  && $(MAKE) $(AM_MAKEFLAGS) dist
-	-rm -rf $(distdir)
+	  && $(MAKE) $(AM_MAKEFLAGS) uninstall \
+	  && test `find $$dc_install_base -type f -print | wc -l` -le 1 \
+	  && $(MAKE) $(AM_MAKEFLAGS) dist \
+	  && $(MAKE) $(AM_MAKEFLAGS) distclean \
+	  && rm -f $(distdir).tar.gz \
+	  && test `find . -type f -print | wc -l` -eq 0
+	-chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
 	@banner="$(distdir).tar.gz is ready for distribution"; \
 	dashes=`echo "$$banner" | sed s/./=/g`; \
 	echo "$$dashes"; \
 	echo "$$banner"; \
 	echo "$$dashes"
 dist: distdir
-	-chmod -R a+r $(distdir)
-	GZIP=$(GZIP_ENV) $(TAR) chozf $(distdir).tar.gz $(distdir)
-	-rm -rf $(distdir)
+	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+	  ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
+	|| chmod -R a+r $(distdir)
+	$(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c > $(distdir).tar.gz
+	-chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
 dist-all: distdir
-	-chmod -R a+r $(distdir)
-	GZIP=$(GZIP_ENV) $(TAR) chozf $(distdir).tar.gz $(distdir)
-	-rm -rf $(distdir)
+	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+	  ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
+	|| chmod -R a+r $(distdir)
+	$(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c > $(distdir).tar.gz
+	-chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
 distdir: $(DISTFILES)
-	-rm -rf $(distdir)
+	-chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
 	mkdir $(distdir)
-	-chmod 777 $(distdir)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	for subdir in $(SUBDIRS); do \
@@ -354,7 +412,6 @@ distdir: $(DISTFILES)
 	    test -d $(distdir)/$$subdir \
 	    || mkdir $(distdir)/$$subdir \
 	    || exit 1; \
-	    chmod 777 $(distdir)/$$subdir; \
 	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(distdir) distdir=../$(distdir)/$$subdir distdir) \
 	      || exit 1; \
 	  fi; \
@@ -385,7 +442,7 @@ uninstall: uninstall-recursive
 all-am: Makefile all-local
 all-redirect: all-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs: installdirs-recursive
 installdirs-am:
 
@@ -399,6 +456,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-tags mostlyclean-generic
 
 mostlyclean: mostlyclean-recursive
@@ -421,19 +479,19 @@ maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
 maintainer-clean: maintainer-clean-recursive
 	-rm -f config.status
 
-.PHONY: install-data-recursive uninstall-data-recursive \
-install-exec-recursive uninstall-exec-recursive installdirs-recursive \
-uninstalldirs-recursive all-recursive check-recursive \
-installcheck-recursive info-recursive dvi-recursive \
-mostlyclean-recursive distclean-recursive clean-recursive \
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
 maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
 distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
-distclean-generic clean-generic maintainer-clean-generic clean \
-mostlyclean distclean maintainer-clean
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
 install-suid-programs:
@@ -441,7 +499,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -453,8 +514,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -523,87 +584,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/NEWS b/crypto/heimdal/NEWS
index ead7269f..1005e93 100644
--- a/crypto/heimdal/NEWS
+++ b/crypto/heimdal/NEWS
@@ -1,3 +1,142 @@
+Changes in release 0.3e
+
+ * rcp program included
+
+ * fix buffer overrun in ftpd
+
+ * handle omitted sequence numbers as zeroes to handle MIT krb5 that
+   cannot generate zero sequence numbers
+
+ * handle v4 /.k files better
+
+ * configure/portability fixes
+
+ * fixes in parsing of options to kadmin (sub-)commands
+
+ * handle errors in kadmin load better
+
+ * bug fixes
+
+Changes in release 0.3d
+
+ * add krb5-config
+
+ * fix a bug in 3des gss-api mechanism, making it compatible with the
+   specification and the MIT implementation
+
+ * make telnetd only allow a specific list of environment variables to
+   stop it from setting `sensitive' variables
+
+ * try to use an existing libdes
+
+ * lib/krb5, kdc: use correct usage type for ap-req messages.  This
+   should improve compatability with MIT krb5 when using 3DES
+   encryption types
+
+ * kdc: fix memory allocation problem
+
+ * update config.guess and config.sub
+
+ * lib/roken: more stuff implemented
+
+ * bug fixes and portability enhancements
+
+Changes in release 0.3c
+
+ * lib/krb5: memory caches now support the resolve operation
+
+ * appl/login: set PATH to some sane default
+
+ * kadmind: handle several realms
+
+ * bug fixes (including memory leaks)
+
+Changes in release 0.3b
+
+ * kdc: prefer default-salted keys on v5 requests
+
+ * kdc: lowercase hostnames in v4 mode
+
+ * hprop: handle more types of MIT salts
+
+ * lib/krb5: fix memory leak
+
+ * bug fixes
+
+Changes in release 0.3a:
+
+ * implement arcfour-hmac-md5 to interoperate with W2K
+
+ * modularise the handling of the master key, and allow for other
+   encryption types. This makes it easier to import a database from
+   some other source without having to re-encrypt all keys.
+
+ * allow for better control over which encryption types are created
+
+ * make kinit fallback to v4 if given a v4 KDC
+
+ * make klist work better with v4 and v5, and add some more MIT
+   compatibility options
+
+ * make the kdc listen on the krb524 (4444) port for compatibility
+   with MIT krb5 clients
+
+ * implement more DCE/DFS support, enabled with --enable-dce, see
+   lib/kdfs and appl/dceutils
+
+ * make the sequence numbers work correctly
+
+ * bug fixes
+
+Changes in release 0.2t:
+
+ * bug fixes
+
+Changes in release 0.2s:
+
+ * add OpenLDAP support in hdb
+
+ * login will get v4 tickets when it receives forwarded tickets
+
+ * xnlock supports both v5 and v4
+
+ * repair source routing for telnet
+
+ * fix building problems with krb4 (krb_mk_req)
+
+ * bug fixes
+
+Changes in release 0.2r:
+
+ * fix realloc memory corruption bug in kdc
+
+ * `add --key' and `cpw --key' in kadmin
+
+ * klist supports listing v4 tickets
+
+ * update config.guess and config.sub
+
+ * make v4 -> v5 principal name conversion more robust
+
+ * support for anonymous tickets
+
+ * new man-pages
+
+ * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
+
+ * use and set expiration and not password expiration when dumping
+   to/from ka server databases / krb4 databases
+
+ * make the code happier with 64-bit time_t
+
+ * follow RFC2782 and by default do not look for non-underscore SRV names
+
+Changes in release 0.2q:
+
+ * bug fix in tcp-handling in kdc
+
+ * bug fix in expand_hostname
+
 Changes in release 0.2p:
 
  * bug fix in `kadmin load/merge'
diff --git a/crypto/heimdal/README b/crypto/heimdal/README
new file mode 100644
index 0000000..f27b67f
--- /dev/null
+++ b/crypto/heimdal/README
@@ -0,0 +1,19 @@
+$Id: README,v 1.1 2000/07/27 02:33:54 assar Exp $
+
+Heimdal is a Kerberos 5 implementation.
+
+Please see the manual in doc, by default installed in
+/usr/heimdal/info/heimdal.info for information on how to install.
+There are also briefer man pages for most of the commands.
+
+Bug reports and bugs are appreciated, see more under Bug reports in
+the manual on how we prefer them.
+
+For more information see the web-page at
+<http://www.pdc.kth.se/heimdal/> or the mailing lists:
+
+heimdal-announce@sics.se	low-volume announcement
+heimdal-discuss@sics.se		high-volume discussion
+
+send a mail to heimdal-announce-request@sics.se and
+heimdal-discuss-request@sics.se respectively to subscribe.
diff --git a/crypto/heimdal/TODO b/crypto/heimdal/TODO
index e222951..0396339 100644
--- a/crypto/heimdal/TODO
+++ b/crypto/heimdal/TODO
@@ -1,6 +1,6 @@
 -*- indented-text -*-
 
-$Id: TODO,v 1.40 2000/01/28 04:10:56 assar Exp $
+$Id: TODO,v 1.55 2001/01/30 22:51:32 assar Exp $
 
 * configure
 
@@ -8,70 +8,58 @@ use more careful checking before starting to use berkeley db.  it only
 makes sense to do so if we have the appropriate library and the header
 file.
 
-* appl
-
-more programs here
+handle readline hiding in readline/readline.h
 
-** appl/login
-
-/etc/environment etc.
+* appl
 
 ** appl/popper
 
 Implement RFC1731 and 1734, pop over GSS-API
 
-** appl/test
-
-should test more stuff
-
-** appl/rsh
-
-add rcp program
-
-** appl/ftp
-
 * doc
 
-there's some room for improvement here.
-
 * kdc
 
 * kadmin
 
+make it happy with reading and parsing kdc.conf
+
 is in need of a major cleanup
 
+* kpasswdd
+
+figure out what's the deal with do_sequence and the MIT client
+
 * lib
 
 ** lib/asn1
 
 prepend a prefix on all generated symbols
 
-make asn1_compile use enum types where applicable
-
 ** lib/auth
 
 PAM
 
+** lib/com_err
+
+write a man-page
+
 ** lib/des
 
+make everything work with openssl and make prototypes compatible
+
 ** lib/gssapi
 
-process_context_token, display_status, add_cred, inquire_cred_by_mech,
-export_sec_context, import_sec_context, inquire_names_for_mech, and
+process_context_token, add_cred, inquire_cred_by_mech,
+inquire_names_for_mech, and
 inquire_mechs_for_name not implemented.
 
-only DES MAC MD5 and DES implemented.
-
 set minor_status in all functions
 
-init_sec_context: `initiator_cred_handle' and `time_req' ignored.
-
-input channel bindings are not supported
-
-delegation not implemented
-
 anonymous credentials not implemented
 
+add rc4
+
 ** lib/hdb
 
 ** lib/kadm5
@@ -88,20 +76,15 @@ using krb5_get_krbhst.
 
 the replay cache is, in its current state, not very useful
 
-the following encryption types have been implemented: DES-CBC-CRC,
-DES-CBC-MD4, DES-CBC-MD5, DES3-CBC-MD5, DES3-CBC-SHA1
-
-supports the following checksums: CRC32, RSA-MD4, RSA-MD5,
-RSA-MD4-DES, RSA-MD5-DES, RSA-MD5-DES3, SHA1, HMAC-SHA1-DES3
-
 always generates a new subkey in an authenticator
 
 should the sequence numbers be XORed?
 
-fix pre-authentication with pa-afs3-salt
-
 OTP?
 
-** lib/roken
+make checksum/encryption type configuration more realm-specific.  make
+some simple way of handling the w2k situtation
+
+crypto: allow scather/gather creation of checksums
 
-** lib/sl
+** lib/roken
diff --git a/crypto/heimdal/acconfig.h b/crypto/heimdal/acconfig.h
index c94b363..8740dae 100644
--- a/crypto/heimdal/acconfig.h
+++ b/crypto/heimdal/acconfig.h
@@ -13,6 +13,10 @@
 #undef HAVE_U_INT16_T
 #undef HAVE_U_INT32_T
 #undef HAVE_U_INT64_T
+#undef HAVE_UINT8_T
+#undef HAVE_UINT16_T
+#undef HAVE_UINT32_T
+#undef HAVE_UINT64_T
 
 #if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
 #define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
diff --git a/crypto/heimdal/aclocal.m4 b/crypto/heimdal/aclocal.m4
index 3435fec..895b888 100644
--- a/crypto/heimdal/aclocal.m4
+++ b/crypto/heimdal/aclocal.m4
@@ -1,6 +1,6 @@
-dnl aclocal.m4 generated automatically by aclocal 1.4
+dnl ./aclocal.m4 generated automatically by aclocal 1.4a
 
-dnl Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+dnl Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
 dnl with or without modifications, as long as this notice is preserved.
@@ -20,6 +20,33 @@ dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
 dnl
 define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
 
+dnl $Id: misc.m4,v 1.2 2000/07/19 15:04:00 joda Exp $
+dnl
+AC_DEFUN([upcase],[`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`])dnl
+AC_DEFUN([rk_CONFIG_HEADER],[AH_TOP([#ifndef RCSID
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+#endif
+
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+])])
 # Like AC_CONFIG_HEADER, but automatically create stamp file.
 
 AC_DEFUN(AM_CONFIG_HEADER,
@@ -47,34 +74,68 @@ changequote([,]))])
 # some checks are only needed if your package does certain things.
 # But this isn't really a big deal.
 
-# serial 1
+# serial 2
+
+# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
+# -----------------------------------------------------------
+# If MACRO-NAME is provided do IF-PROVIDED, else IF-NOT-PROVIDED.
+# The purpose of this macro is to provide the user with a means to
+# check macros which are provided without letting her know how the
+# information is coded.
+# If this macro is not defined by Autoconf, define it here.
+ifdef([AC_PROVIDE_IFELSE],
+      [],
+      [define([AC_PROVIDE_IFELSE],
+              [ifdef([AC_PROVIDE_$1],
+                     [$2], [$3])])])
 
-dnl Usage:
-dnl AM_INIT_AUTOMAKE(package,version, [no-define])
 
+# AM_INIT_AUTOMAKE(PACKAGE,VERSION, [NO-DEFINE])
+# ----------------------------------------------
 AC_DEFUN(AM_INIT_AUTOMAKE,
-[AC_REQUIRE([AC_PROG_INSTALL])
-PACKAGE=[$1]
-AC_SUBST(PACKAGE)
-VERSION=[$2]
-AC_SUBST(VERSION)
-dnl test to see if srcdir already configured
-if test "`cd $srcdir && pwd`" != "`pwd`" && test -f $srcdir/config.status; then
+[dnl We require 2.13 because we rely on SHELL being computed by configure.
+AC_PREREQ([2.13])dnl
+AC_REQUIRE([AC_PROG_INSTALL])dnl
+# test to see if srcdir already configured
+if test "`CDPATH=: && cd $srcdir && pwd`" != "`pwd`" &&
+   test -f $srcdir/config.status; then
   AC_MSG_ERROR([source directory already configured; run "make distclean" there first])
 fi
+
+# Define the identity of the package.
+PACKAGE=$1
+AC_SUBST(PACKAGE)dnl
+VERSION=$2
+AC_SUBST(VERSION)dnl
 ifelse([$3],,
-AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package])
-AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package]))
-AC_REQUIRE([AM_SANITY_CHECK])
-AC_REQUIRE([AC_ARG_PROGRAM])
-dnl FIXME This is truly gross.
-missing_dir=`cd $ac_aux_dir && pwd`
-AM_MISSING_PROG(ACLOCAL, aclocal, $missing_dir)
-AM_MISSING_PROG(AUTOCONF, autoconf, $missing_dir)
-AM_MISSING_PROG(AUTOMAKE, automake, $missing_dir)
-AM_MISSING_PROG(AUTOHEADER, autoheader, $missing_dir)
-AM_MISSING_PROG(MAKEINFO, makeinfo, $missing_dir)
-AC_REQUIRE([AC_PROG_MAKE_SET])])
+[AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package])
+AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])])
+
+# Some tools Automake needs.
+AC_REQUIRE([AM_SANITY_CHECK])dnl
+AC_REQUIRE([AC_ARG_PROGRAM])dnl
+AM_MISSING_PROG(ACLOCAL, aclocal)
+AM_MISSING_PROG(AUTOCONF, autoconf)
+AM_MISSING_PROG(AUTOMAKE, automake)
+AM_MISSING_PROG(AUTOHEADER, autoheader)
+AM_MISSING_PROG(MAKEINFO, makeinfo)
+AM_MISSING_PROG(AMTAR, tar)
+AM_MISSING_INSTALL_SH
+dnl We need awk for the "check" target.  The system "awk" is bad on
+dnl some platforms.
+AC_REQUIRE([AC_PROG_AWK])dnl
+AC_REQUIRE([AC_PROG_MAKE_SET])dnl
+AC_REQUIRE([AM_DEP_TRACK])dnl
+AC_REQUIRE([AM_SET_DEPDIR])dnl
+AC_PROVIDE_IFELSE([AC_PROG_CC],
+                  [AM_DEPENDENCIES(CC)],
+                  [define([AC_PROG_CC],
+                          defn([AC_PROG_CC])[AM_DEPENDENCIES(CC)])])dnl
+AC_PROVIDE_IFELSE([AC_PROG_CXX],
+                  [AM_DEPENDENCIES(CXX)],
+                  [define([AC_PROG_CXX],
+                          defn([AC_PROG_CXX])[AM_DEPENDENCIES(CXX)])])dnl
+])
 
 #
 # Check to make sure that the build environment is sane.
@@ -119,28 +180,199 @@ fi
 rm -f conftest*
 AC_MSG_RESULT(yes)])
 
-dnl AM_MISSING_PROG(NAME, PROGRAM, DIRECTORY)
-dnl The program must properly implement --version.
-AC_DEFUN(AM_MISSING_PROG,
-[AC_MSG_CHECKING(for working $2)
-# Run test in a subshell; some versions of sh will print an error if
-# an executable is not found, even if stderr is redirected.
-# Redirect stdin to placate older versions of autoconf.  Sigh.
-if ($2 --version) < /dev/null > /dev/null 2>&1; then
-   $1=$2
-   AC_MSG_RESULT(found)
+dnl AM_MISSING_PROG(NAME, PROGRAM)
+AC_DEFUN(AM_MISSING_PROG, [
+AC_REQUIRE([AM_MISSING_HAS_RUN])
+$1=${$1-"${am_missing_run}$2"}
+AC_SUBST($1)])
+
+dnl Like AM_MISSING_PROG, but only looks for install-sh.
+dnl AM_MISSING_INSTALL_SH()
+AC_DEFUN(AM_MISSING_INSTALL_SH, [
+AC_REQUIRE([AM_MISSING_HAS_RUN])
+if test -z "$install_sh"; then
+   install_sh="$ac_aux_dir/install-sh"
+   test -f "$install_sh" || install_sh="$ac_aux_dir/install.sh"
+   test -f "$install_sh" || install_sh="${am_missing_run}${ac_auxdir}/install-sh"
+   dnl FIXME: an evil hack: we remove the SHELL invocation from
+   dnl install_sh because automake adds it back in.  Sigh.
+   install_sh="`echo $install_sh | sed -e 's/\${SHELL}//'`"
+fi
+AC_SUBST(install_sh)])
+
+dnl AM_MISSING_HAS_RUN.
+dnl Define MISSING if not defined so far and test if it supports --run.
+dnl If it does, set am_missing_run to use it, otherwise, to nothing.
+AC_DEFUN([AM_MISSING_HAS_RUN], [
+test x"${MISSING+set}" = xset || \
+  MISSING="\${SHELL} `CDPATH=: && cd $ac_aux_dir && pwd`/missing"
+dnl Use eval to expand $SHELL
+if eval "$MISSING --run :"; then
+  am_missing_run="$MISSING --run "
 else
-   $1="$3/missing $2"
-   AC_MSG_RESULT(missing)
+  am_missing_run=
+  am_backtick='`'
+  AC_MSG_WARN([${am_backtick}missing' script is too old or missing])
 fi
-AC_SUBST($1)])
+])
+
+dnl See how the compiler implements dependency checking.
+dnl Usage:
+dnl AM_DEPENDENCIES(NAME)
+dnl NAME is "CC", "CXX" or "OBJC".
+
+dnl We try a few techniques and use that to set a single cache variable.
+
+AC_DEFUN(AM_DEPENDENCIES,[
+AC_REQUIRE([AM_SET_DEPDIR])
+AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])
+ifelse([$1],CC,[
+AC_REQUIRE([AC_PROG_CC])
+AC_REQUIRE([AC_PROG_CPP])
+depcc="$CC"
+depcpp="$CPP"],[$1],CXX,[
+AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([AC_PROG_CXXCPP])
+depcc="$CXX"
+depcpp="$CXXCPP"],[$1],OBJC,[
+am_cv_OBJC_dependencies_compiler_type=gcc],[
+AC_REQUIRE([AC_PROG_][$1])
+depcc="$[$1]"
+depcpp=""])
+AC_MSG_CHECKING([dependency style of $depcc])
+AC_CACHE_VAL(am_cv_[$1]_dependencies_compiler_type,[
+if test -z "$AMDEP"; then
+  echo '#include "conftest.h"' > conftest.c
+  echo 'int i;' > conftest.h
+
+  am_cv_[$1]_dependencies_compiler_type=none
+  for depmode in `sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < "$am_depcomp"`; do
+    case "$depmode" in
+    nosideeffect)
+      # after this tag, mechanisms are not by side-effect, so they'll
+      # only be used when explicitly requested
+      if test "x$enable_dependency_tracking" = xyes; then
+	continue
+      else
+	break
+      fi
+      ;;
+    none) break ;;
+    esac
+    if depmode="$depmode" \
+       source=conftest.c object=conftest.o \
+       depfile=conftest.Po tmpdepfile=conftest.TPo \
+       $SHELL $am_depcomp $depcc -c conftest.c 2>/dev/null &&
+       grep conftest.h conftest.Po > /dev/null 2>&1; then
+      am_cv_[$1]_dependencies_compiler_type="$depmode"
+      break
+    fi
+  done
+
+  rm -f conftest.*
+else
+  am_cv_[$1]_dependencies_compiler_type=none
+fi
+])
+AC_MSG_RESULT($am_cv_[$1]_dependencies_compiler_type)
+[$1]DEPMODE="depmode=$am_cv_[$1]_dependencies_compiler_type"
+AC_SUBST([$1]DEPMODE)
+])
+
+dnl Choose a directory name for dependency files.
+dnl This macro is AC_REQUIREd in AM_DEPENDENCIES
+
+AC_DEFUN(AM_SET_DEPDIR,[
+if test -d .deps || mkdir .deps 2> /dev/null || test -d .deps; then
+  DEPDIR=.deps
+else
+  DEPDIR=_deps
+fi
+AC_SUBST(DEPDIR)
+])
+
+AC_DEFUN(AM_DEP_TRACK,[
+AC_ARG_ENABLE(dependency-tracking,
+[  --disable-dependency-tracking Speeds up one-time builds
+  --enable-dependency-tracking  Do not reject slow dependency extractors])
+if test "x$enable_dependency_tracking" = xno; then
+  AMDEP="#"
+else
+  am_depcomp="$ac_aux_dir/depcomp"
+  if test ! -f "$am_depcomp"; then
+    AMDEP="#"
+  else
+    AMDEP=
+  fi
+fi
+AC_SUBST(AMDEP)
+if test -z "$AMDEP"; then
+  AMDEPBACKSLASH='\'
+else
+  AMDEPBACKSLASH=
+fi
+pushdef([subst], defn([AC_SUBST]))
+subst(AMDEPBACKSLASH)
+popdef([subst])
+])
+
+dnl Generate code to set up dependency tracking.
+dnl This macro should only be invoked once -- use via AC_REQUIRE.
+dnl Usage:
+dnl AM_OUTPUT_DEPENDENCY_COMMANDS
+
+dnl
+dnl This code is only required when automatic dependency tracking
+dnl is enabled.  FIXME.  This creates each `.P' file that we will
+dnl need in order to bootstrap the dependency handling code.
+AC_DEFUN(AM_OUTPUT_DEPENDENCY_COMMANDS,[
+AC_OUTPUT_COMMANDS([
+test x"$AMDEP" != x"" ||
+for mf in $CONFIG_FILES; do
+  case "$mf" in
+  Makefile) dirpart=.;;
+  */Makefile) dirpart=`echo "$mf" | sed -e 's|/[^/]*$||'`;;
+  *) continue;;
+  esac
+  grep '^DEP_FILES *= *[^ #]' < "$mf" > /dev/null || continue
+  # Extract the definition of DEP_FILES from the Makefile without
+  # running `make'.
+  DEPDIR=`sed -n -e '/^DEPDIR = / s///p' < "$mf"`
+  test -z "$DEPDIR" && continue
+  # When using ansi2knr, U may be empty or an underscore; expand it
+  U=`sed -n -e '/^U = / s///p' < "$mf"`
+  test -d "$dirpart/$DEPDIR" || mkdir "$dirpart/$DEPDIR"
+  # We invoke sed twice because it is the simplest approach to
+  # changing $(DEPDIR) to its actual value in the expansion.
+  for file in `sed -n -e '
+    /^DEP_FILES = .*\\\\$/ {
+      s/^DEP_FILES = //
+      :loop
+	s/\\\\$//
+	p
+	n
+	/\\\\$/ b loop
+      p
+    }
+    /^DEP_FILES = / s/^DEP_FILES = //p' < "$mf" | \
+       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+    # Make sure the directory exists.
+    test -f "$dirpart/$file" && continue
+    fdir=`echo "$file" | sed -e 's|/[^/]*$||'`
+    $ac_aux_dir/mkinstalldirs "$dirpart/$fdir" > /dev/null 2>&1
+    # echo "creating $dirpart/$file"
+    echo '# dummy' > "$dirpart/$file"
+  done
+done
+], [AMDEP="$AMDEP"
+ac_aux_dir="$ac_aux_dir"])])
 
 
 dnl AM_PROG_LEX
 dnl Look for flex, lex or missing, then run AC_PROG_LEX and AC_DECL_YYTEXT
 AC_DEFUN(AM_PROG_LEX,
-[missing_dir=ifelse([$1],,`cd $ac_aux_dir && pwd`,$1)
-AC_CHECK_PROGS(LEX, flex lex, "$missing_dir/missing flex")
+[AC_REQUIRE([AM_MISSING_HAS_RUN])
+AC_CHECK_PROGS(LEX, flex lex, [${am_missing_run}flex])
 AC_PROG_LEX
 AC_DECL_YYTEXT])
 
@@ -173,7 +405,7 @@ AC_SUBST(LN_S)dnl
 ])
 
 
-dnl $Id: mips-abi.m4,v 1.4 1998/05/16 20:44:15 joda Exp $
+dnl $Id: mips-abi.m4,v 1.5 2000/07/18 15:01:42 joda Exp $
 dnl
 dnl
 dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some
@@ -202,7 +434,7 @@ case "${with_mips_abi}" in
        n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
         64) abi='-mabi=64';  abilibdirext='64'   ;;
 	no) abi=''; abilibdirext='';;
-         *) AC_ERROR("Invalid ABI specified") ;;
+         *) AC_MSG_ERROR("Invalid ABI specified") ;;
 esac
 if test -n "$abi" ; then
 ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
@@ -229,7 +461,7 @@ case $abi in
 	CLAGS="$save_CFLAGS"
 	if test $ac_res = yes; then
 		# New GCC
-		AC_ERROR([$CC does not support the $with_mips_abi ABI])
+		AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI])
 	fi
 	# Old GCC
 	abi=''
@@ -242,7 +474,7 @@ case $abi in
 			abilibdirext=''
 		else
 			# Some broken GCC
-			AC_ERROR([$CC does not support the $with_mips_abi ABI])
+			AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI])
 		fi
 	;;
 esac
@@ -254,7 +486,7 @@ case "${with_mips_abi}" in
        n32|yes) abi='-n32'; abilibdirext='32'  ;;
         64) abi='-64'; abilibdirext='64'   ;;
 	no) abi=''; abilibdirext='';;
-         *) AC_ERROR("Invalid ABI specified") ;;
+         *) AC_MSG_ERROR("Invalid ABI specified") ;;
 esac
 fi #if test -n "$GCC"; then
 ;;
@@ -294,28 +526,90 @@ AC_MSG_RESULT($ac_cv___attribute__)
 
 
 
-# serial 25 AM_PROG_LIBTOOL
-AC_DEFUN(AM_PROG_LIBTOOL,
-[AC_REQUIRE([AM_ENABLE_SHARED])dnl
-AC_REQUIRE([AM_ENABLE_STATIC])dnl
+# serial 44 AC_PROG_LIBTOOL
+AC_DEFUN(AC_PROG_LIBTOOL,[AC_REQUIRE([_AC_PROG_LIBTOOL])])
+AC_DEFUN(_AC_PROG_LIBTOOL,
+[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
+
+# Save cache, so that ltconfig can load it
+AC_CACHE_SAVE
+
+# Actually configure libtool.  ac_aux_dir is where install-sh is found.
+AR="$AR" CC="$CC" CFLAGS="$CFLAGS" CPPFLAGS="$CPPFLAGS" \
+MAGIC="$MAGIC" LD="$LD" LDFLAGS="$LDFLAGS" LIBS="$LIBS" \
+LN_S="$LN_S" NM="$NM" RANLIB="$RANLIB" STRIP="$STRIP" \
+AS="$AS" DLLTOOL="$DLLTOOL" OBJDUMP="$OBJDUMP" \
+objext="$OBJEXT" exeext="$EXEEXT" reload_flag="$reload_flag" \
+deplibs_check_method="$deplibs_check_method" file_magic_cmd="$file_magic_cmd" \
+${CONFIG_SHELL-/bin/sh} $ac_aux_dir/ltconfig --no-reexec \
+$libtool_flags --no-verify --build="$build" $ac_aux_dir/ltmain.sh $host \
+|| AC_MSG_ERROR([libtool configure failed])
+
+# Reload cache, that may have been modified by ltconfig
+AC_CACHE_LOAD
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltconfig $ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+# Redirect the config.log output again, so that the ltconfig log is not
+# clobbered by the next message.
+exec 5>>./config.log
+])
+
+AC_DEFUN(AC_LIBTOOL_SETUP,
+[AC_PREREQ(2.13)dnl
+AC_REQUIRE([AC_ENABLE_SHARED])dnl
+AC_REQUIRE([AC_ENABLE_STATIC])dnl
+AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
 AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_PROG_RANLIB])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
 AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([AM_PROG_LD])dnl
-AC_REQUIRE([AM_PROG_NM])dnl
+AC_REQUIRE([AC_PROG_LD])dnl
+AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl
+AC_REQUIRE([AC_PROG_NM])dnl
 AC_REQUIRE([AC_PROG_LN_S])dnl
+AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl
+AC_REQUIRE([AC_OBJEXT])dnl
+AC_REQUIRE([AC_EXEEXT])dnl
 dnl
-# Always use our own libtool.
-LIBTOOL='$(top_builddir)/libtool'
-AC_SUBST(LIBTOOL)dnl
+
+# Only perform the check for file, if the check method requires it
+case "$deplibs_check_method" in
+file_magic*)
+  if test "$file_magic_cmd" = '${MAGIC}'; then
+    AC_PATH_MAGIC
+  fi
+  ;;
+esac
+
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+AC_CHECK_TOOL(STRIP, strip, :)
 
 # Check for any special flags to pass to ltconfig.
-libtool_flags=
+libtool_flags="--cache-file=$cache_file"
 test "$enable_shared" = no && libtool_flags="$libtool_flags --disable-shared"
 test "$enable_static" = no && libtool_flags="$libtool_flags --disable-static"
-test "$silent" = yes && libtool_flags="$libtool_flags --silent"
+test "$enable_fast_install" = no && libtool_flags="$libtool_flags --disable-fast-install"
 test "$ac_cv_prog_gcc" = yes && libtool_flags="$libtool_flags --with-gcc"
 test "$ac_cv_prog_gnu_ld" = yes && libtool_flags="$libtool_flags --with-gnu-ld"
+ifdef([AC_PROVIDE_AC_LIBTOOL_DLOPEN],
+[libtool_flags="$libtool_flags --enable-dlopen"])
+ifdef([AC_PROVIDE_AC_LIBTOOL_WIN32_DLL],
+[libtool_flags="$libtool_flags --enable-win32-dll"])
+AC_ARG_ENABLE(libtool-lock,
+  [  --disable-libtool-lock  avoid locking (might break parallel builds)])
+test "x$enable_libtool_lock" = xno && libtool_flags="$libtool_flags --disable-lock"
+test x"$silent" = xyes && libtool_flags="$libtool_flags --silent"
+
+AC_ARG_WITH(pic,
+  [  --with-pic              try to use only PIC/non-PIC objects [default=use both]],
+     pic_mode="$withval", pic_mode=default)
+test x"$pic_mode" = xyes && libtool_flags="$libtool_flags --prefer-pic"
+test x"$pic_mode" = xno && libtool_flags="$libtool_flags --prefer-non-pic"
 
 # Some flags need to be propagated to the compiler or linker for good
 # libtool support.
@@ -341,31 +635,67 @@ case "$host" in
 
 *-*-sco3.2v5*)
   # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS="$CFLAGS"
   CFLAGS="$CFLAGS -belf"
+  AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
+    [AC_LANG_SAVE
+     AC_LANG_C
+     AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
+     AC_LANG_RESTORE])
+  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS="$SAVE_CFLAGS"
+  fi
   ;;
+
+ifdef([AC_PROVIDE_AC_LIBTOOL_WIN32_DLL],
+[*-*-cygwin* | *-*-mingw*)
+  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+  AC_CHECK_TOOL(AS, as, false)
+  AC_CHECK_TOOL(OBJDUMP, objdump, false)
+
+  # recent cygwin and mingw systems supply a stub DllMain which the user
+  # can override, but on older systems we have to supply one
+  AC_CACHE_CHECK([if libtool should supply DllMain function], lt_cv_need_dllmain,
+    [AC_TRY_LINK([],
+      [extern int __attribute__((__stdcall__)) DllMain(void*, int, void*);
+      DllMain (0, 0, 0);],
+      [lt_cv_need_dllmain=no],[lt_cv_need_dllmain=yes])])
+
+  case "$host/$CC" in
+  *-*-cygwin*/gcc*-mno-cygwin*|*-*-mingw*)
+    # old mingw systems require "-dll" to link a DLL, while more recent ones
+    # require "-mdll"
+    SAVE_CFLAGS="$CFLAGS"
+    CFLAGS="$CFLAGS -mdll"
+    AC_CACHE_CHECK([how to link DLLs], lt_cv_cc_dll_switch,
+      [AC_TRY_LINK([], [], [lt_cv_cc_dll_switch=-mdll],[lt_cv_cc_dll_switch=-dll])])
+    CFLAGS="$SAVE_CFLAGS" ;;
+  *-*-cygwin*)
+    # cygwin systems need to pass --dll to the linker, and not link
+    # crt.o which will require a WinMain@16 definition.
+    lt_cv_cc_dll_switch="-Wl,--dll -nostartfiles" ;;
+  esac
+  ;;
+  ])
 esac
+])
 
-# Actually configure libtool.  ac_aux_dir is where install-sh is found.
-CC="$CC" CFLAGS="$CFLAGS" CPPFLAGS="$CPPFLAGS" \
-LD="$LD" NM="$NM" RANLIB="$RANLIB" LN_S="$LN_S" \
-${CONFIG_SHELL-/bin/sh} $ac_aux_dir/ltconfig --no-reexec \
-$libtool_flags --no-verify $ac_aux_dir/ltmain.sh $host \
-|| AC_MSG_ERROR([libtool configure failed])
+# AC_LIBTOOL_DLOPEN - enable checks for dlopen support
+AC_DEFUN(AC_LIBTOOL_DLOPEN, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])])
 
-# Redirect the config.log output again, so that the ltconfig log is not
-# clobbered by the next message.
-exec 5>>./config.log
-])
+# AC_LIBTOOL_WIN32_DLL - declare package support for building win32 dll's
+AC_DEFUN(AC_LIBTOOL_WIN32_DLL, [AC_BEFORE([$0], [AC_LIBTOOL_SETUP])])
 
-# AM_ENABLE_SHARED - implement the --enable-shared flag
-# Usage: AM_ENABLE_SHARED[(DEFAULT)]
+# AC_ENABLE_SHARED - implement the --enable-shared flag
+# Usage: AC_ENABLE_SHARED[(DEFAULT)]
 #   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
 #   `yes'.
-AC_DEFUN(AM_ENABLE_SHARED,
-[define([AM_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_DEFUN(AC_ENABLE_SHARED, [dnl
+define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
 AC_ARG_ENABLE(shared,
 changequote(<<, >>)dnl
-<<  --enable-shared[=PKGS]  build shared libraries [default=>>AM_ENABLE_SHARED_DEFAULT],
+<<  --enable-shared[=PKGS]  build shared libraries [default=>>AC_ENABLE_SHARED_DEFAULT],
 changequote([, ])dnl
 [p=${PACKAGE-default}
 case "$enableval" in
@@ -383,26 +713,22 @@ no) enable_shared=no ;;
   IFS="$ac_save_ifs"
   ;;
 esac],
-enable_shared=AM_ENABLE_SHARED_DEFAULT)dnl
+enable_shared=AC_ENABLE_SHARED_DEFAULT)dnl
 ])
 
-# AM_DISABLE_SHARED - set the default shared flag to --disable-shared
-AC_DEFUN(AM_DISABLE_SHARED,
-[AM_ENABLE_SHARED(no)])
+# AC_DISABLE_SHARED - set the default shared flag to --disable-shared
+AC_DEFUN(AC_DISABLE_SHARED, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_SHARED(no)])
 
-# AM_DISABLE_STATIC - set the default static flag to --disable-static
-AC_DEFUN(AM_DISABLE_STATIC,
-[AM_ENABLE_STATIC(no)])
-
-# AM_ENABLE_STATIC - implement the --enable-static flag
-# Usage: AM_ENABLE_STATIC[(DEFAULT)]
+# AC_ENABLE_STATIC - implement the --enable-static flag
+# Usage: AC_ENABLE_STATIC[(DEFAULT)]
 #   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
 #   `yes'.
-AC_DEFUN(AM_ENABLE_STATIC,
-[define([AM_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_DEFUN(AC_ENABLE_STATIC, [dnl
+define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
 AC_ARG_ENABLE(static,
 changequote(<<, >>)dnl
-<<  --enable-static[=PKGS]  build static libraries [default=>>AM_ENABLE_STATIC_DEFAULT],
+<<  --enable-static[=PKGS]  build static libraries [default=>>AC_ENABLE_STATIC_DEFAULT],
 changequote([, ])dnl
 [p=${PACKAGE-default}
 case "$enableval" in
@@ -420,28 +746,163 @@ no) enable_static=no ;;
   IFS="$ac_save_ifs"
   ;;
 esac],
-enable_static=AM_ENABLE_STATIC_DEFAULT)dnl
+enable_static=AC_ENABLE_STATIC_DEFAULT)dnl
+])
+
+# AC_DISABLE_STATIC - set the default static flag to --disable-static
+AC_DEFUN(AC_DISABLE_STATIC, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_STATIC(no)])
+
+
+# AC_ENABLE_FAST_INSTALL - implement the --enable-fast-install flag
+# Usage: AC_ENABLE_FAST_INSTALL[(DEFAULT)]
+#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
+#   `yes'.
+AC_DEFUN(AC_ENABLE_FAST_INSTALL, [dnl
+define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE(fast-install,
+changequote(<<, >>)dnl
+<<  --enable-fast-install[=PKGS]  optimize for fast installation [default=>>AC_ENABLE_FAST_INSTALL_DEFAULT],
+changequote([, ])dnl
+[p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_fast_install=yes ;;
+no) enable_fast_install=no ;;
+*)
+  enable_fast_install=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_fast_install=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac],
+enable_fast_install=AC_ENABLE_FAST_INSTALL_DEFAULT)dnl
+])
+
+# AC_DISABLE_FAST_INSTALL - set the default to --disable-fast-install
+AC_DEFUN(AC_DISABLE_FAST_INSTALL, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_FAST_INSTALL(no)])
+
+# AC_LIBTOOL_PICMODE - implement the --with-pic flag
+# Usage: AC_LIBTOOL_PICMODE[(MODE)]
+#   Where MODE is either `yes' or `no'.  If omitted, it defaults to
+#   `both'.
+AC_DEFUN(AC_LIBTOOL_PICMODE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+pic_mode=ifelse($#,1,$1,default)])
+
+
+# AC_PATH_TOOL_PREFIX - find a file program which can recognise shared library
+AC_DEFUN(AC_PATH_TOOL_PREFIX,
+[AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(lt_cv_path_MAGIC,
+[case "$MAGIC" in
+  /*)
+  lt_cv_path_MAGIC="$MAGIC" # Let the user override the test with a path.
+  ;;
+  ?:/*)
+  ac_cv_path_MAGIC="$MAGIC" # Let the user override the test with a dos path.
+  ;;
+  *)
+  ac_save_MAGIC="$MAGIC"
+  IFS="${IFS=   }"; ac_save_ifs="$IFS"; IFS=":"
+dnl $ac_dummy forces splitting on constant user-supplied paths.
+dnl POSIX.2 word splitting is done only on the output of word expansions,
+dnl not every word.  This closes a longstanding sh security hole.
+  ac_dummy="ifelse([$2], , $PATH, [$2])"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$1; then
+      lt_cv_path_MAGIC="$ac_dir/$1"
+      if test -n "$file_magic_test_file"; then
+	case "$deplibs_check_method" in
+	"file_magic "*)
+	  file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+	  MAGIC="$lt_cv_path_MAGIC"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    egrep "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  MAGIC="$ac_save_MAGIC"
+  ;;
+esac])
+MAGIC="$lt_cv_path_MAGIC"
+if test -n "$MAGIC"; then
+  AC_MSG_RESULT($MAGIC)
+else
+  AC_MSG_RESULT(no)
+fi
 ])
 
 
-# AM_PROG_LD - find the path to the GNU or non-GNU linker
-AC_DEFUN(AM_PROG_LD,
+# AC_PATH_MAGIC - find a file program which can recognise a shared library
+AC_DEFUN(AC_PATH_MAGIC,
+[AC_REQUIRE([AC_CHECK_TOOL_PREFIX])dnl
+AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin:$PATH)
+if test -z "$lt_cv_path_MAGIC"; then
+  if test -n "$ac_tool_prefix"; then
+    AC_PATH_TOOL_PREFIX(file, /usr/bin:$PATH)
+  else
+    MAGIC=:
+  fi
+fi
+])
+
+
+# AC_PROG_LD - find the path to the GNU or non-GNU linker
+AC_DEFUN(AC_PROG_LD,
 [AC_ARG_WITH(gnu-ld,
 [  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]],
 test "$withval" = no || with_gnu_ld=yes, with_gnu_ld=no)
-AC_REQUIRE([AC_PROG_CC])
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
 ac_prog=ld
 if test "$ac_cv_prog_gcc" = yes; then
   # Check if gcc -print-prog-name=ld gives a path.
   AC_MSG_CHECKING([for ld used by GCC])
-  ac_prog=`($CC -print-prog-name=ld) 2>&5`
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
   case "$ac_prog" in
-  # Accept absolute paths.
+    # Accept absolute paths.
 changequote(,)dnl
-  /* | [A-Za-z]:\\*)
+    [\\/]* | [A-Za-z]:[\\/]*)
+      re_direlt='/[^/][^/]*/\.\./'
 changequote([,])dnl
-    test -z "$LD" && LD="$ac_prog"
-    ;;
+      # Canonicalize the path of ld
+      ac_prog=`echo $ac_prog| sed 's%\\\\%/%g'`
+      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`echo $ac_prog| sed "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD="$ac_prog"
+      ;;
   "")
     # If it fails, then pretend we aren't using GCC.
     ac_prog=ld
@@ -458,10 +919,10 @@ else
 fi
 AC_CACHE_VAL(ac_cv_path_LD,
 [if test -z "$LD"; then
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
   for ac_dir in $PATH; do
     test -z "$ac_dir" && ac_dir=.
-    if test -f "$ac_dir/$ac_prog"; then
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
       ac_cv_path_LD="$ac_dir/$ac_prog"
       # Check to see if the program is GNU ld.  I'd rather use --version,
       # but apparently some GNU ld's only accept -v.
@@ -469,7 +930,7 @@ AC_CACHE_VAL(ac_cv_path_LD,
       if "$ac_cv_path_LD" -v 2>&1 < /dev/null | egrep '(GNU|with BFD)' > /dev/null; then
 	test "$with_gnu_ld" != no && break
       else
-        test "$with_gnu_ld" != yes && break
+	test "$with_gnu_ld" != yes && break
       fi
     fi
   done
@@ -484,11 +945,10 @@ else
   AC_MSG_RESULT(no)
 fi
 test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
-AC_SUBST(LD)
-AM_PROG_LD_GNU
+AC_PROG_LD_GNU
 ])
 
-AC_DEFUN(AM_PROG_LD_GNU,
+AC_DEFUN(AC_PROG_LD_GNU,
 [AC_CACHE_CHECK([if the linker ($LD) is GNU ld], ac_cv_prog_gnu_ld,
 [# I'd rather use --version here, but apparently some GNU ld's only accept -v.
 if $LD -v 2>&1 </dev/null | egrep '(GNU|with BFD)' 1>&5; then
@@ -496,31 +956,196 @@ if $LD -v 2>&1 </dev/null | egrep '(GNU|with BFD)' 1>&5; then
 else
   ac_cv_prog_gnu_ld=no
 fi])
+with_gnu_ld=$ac_cv_prog_gnu_ld
+])
+
+# AC_PROG_LD_RELOAD_FLAG - find reload flag for linker
+#   -- PORTME Some linkers may need a different reload flag.
+AC_DEFUN(AC_PROG_LD_RELOAD_FLAG,
+[AC_CACHE_CHECK([for $LD option to reload object files], lt_cv_ld_reload_flag,
+[lt_cv_ld_reload_flag='-r'])
+reload_flag=$lt_cv_ld_reload_flag
+test -n "$reload_flag" && reload_flag=" $reload_flag"
+])
+
+# AC_DEPLIBS_CHECK_METHOD - how to check for library dependencies
+#  -- PORTME fill in with the dynamic library characteristics
+AC_DEFUN(AC_DEPLIBS_CHECK_METHOD,
+[AC_CACHE_CHECK([how to recognise dependant libraries],
+lt_cv_deplibs_check_method,
+[lt_cv_file_magic_cmd='${MAGIC}'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [regex]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given egrep regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case "$host_os" in
+aix4*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+beos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+bsdi4*)
+  changequote(,)dnl
+  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
+  changequote([, ])dnl
+  lt_cv_file_magic_cmd='/usr/bin/file -L'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  ;;
+
+cygwin* | mingw*)
+  lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+  lt_cv_file_magic_cmd='${OBJDUMP} -f'
+  ;;
+
+freebsd*)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+    case "$host_cpu" in
+    i*86 )
+      changequote(,)dnl
+      lt_cv_deplibs_check_method=='file_magic OpenBSD/i[3-9]86 demand paged shared library'
+      changequote([, ])dnl
+      lt_cv_file_magic_cmd=/usr/bin/file
+      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+      ;;
+    esac
+  else
+    lt_cv_deplibs_check_method=pass_all
+  fi
+  ;;
+
+gnu*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+hpux10.20*)
+  # TODO:  Does this work for hpux-11 too?
+  lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=/usr/lib/libc.sl
+  ;;
+
+irix5* | irix6*)
+  case "$host_os" in
+  irix5*)
+    # this will be overridden with pass_all, but let us keep it just in case
+    lt_cv_deplibs_check_method="file_magic ELF 32-bit MSB dynamic lib MIPS - version 1"
+    ;;
+  *)
+    case "$LD" in
+    *-32|*"-32 ") libmagic=32-bit;;
+    *-n32|*"-n32 ") libmagic=N32;;
+    *-64|*"-64 ") libmagic=64-bit;;
+    *) libmagic=never-match;;
+    esac
+    # this will be overridden with pass_all, but let us keep it just in case
+    changequote(,)dnl
+    lt_cv_deplibs_check_method="file_magic ELF ${libmagic} MSB mips-[1234] dynamic lib MIPS - version 1"
+    changequote([, ])dnl
+    ;;
+  esac
+  lt_cv_file_magic_test_file=`echo /lib${libsuff}/libc.so*`
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+# This must be Linux ELF.
+linux-gnu*)
+  case "$host_cpu" in
+  alpha* | i*86 | powerpc* | sparc* | ia64* )
+    lt_cv_deplibs_check_method=pass_all ;;
+  *)
+    # glibc up to 2.1.1 does not perform some relocations on ARM
+    changequote(,)dnl
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' ;;
+    changequote([, ])dnl
+  esac
+  lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
+  ;;
+
+netbsd*)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then :
+  else
+    changequote(,)dnl
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB shared object'
+    changequote([, ])dnl
+    lt_cv_file_magic_cmd='/usr/bin/file -L'
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+  fi
+  ;;
+
+osf3* | osf4* | osf5*)
+  # this will be overridden with pass_all, but let us keep it just in case
+  lt_cv_deplibs_check_method='file_magic COFF format alpha shared library'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sco3.2v5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+solaris*)
+  lt_cv_deplibs_check_method=pass_all
+  lt_cv_file_magic_test_file=/lib/libc.so
+  ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+  case "$host_vendor" in
+  ncr)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  motorola)
+    changequote(,)dnl
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
+    changequote([, ])dnl
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+    ;;
+  esac
+  ;;
+esac
 ])
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+])
+
 
-# AM_PROG_NM - find the path to a BSD-compatible name lister
-AC_DEFUN(AM_PROG_NM,
+# AC_PROG_NM - find the path to a BSD-compatible name lister
+AC_DEFUN(AC_PROG_NM,
 [AC_MSG_CHECKING([for BSD-compatible nm])
 AC_CACHE_VAL(ac_cv_path_NM,
 [if test -n "$NM"; then
   # Let the user override the test.
   ac_cv_path_NM="$NM"
 else
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
-  for ac_dir in /usr/ucb /usr/ccs/bin $PATH /bin; do
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
+  for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
     test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/nm; then
+    tmp_nm=$ac_dir/${ac_tool_prefix}nm
+    if test -f $tmp_nm || test -f $tmp_nm$ac_exeext ; then
       # Check to see if the nm accepts a BSD-compat flag.
       # Adding the `sed 1q' prevents false positives on HP-UX, which says:
       #   nm: unknown option "B" ignored
-      if ($ac_dir/nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
-        ac_cv_path_NM="$ac_dir/nm -B"
-      elif ($ac_dir/nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
-        ac_cv_path_NM="$ac_dir/nm -p"
+      if ($tmp_nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+	ac_cv_path_NM="$tmp_nm -B"
+	break
+      elif ($tmp_nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+	ac_cv_path_NM="$tmp_nm -p"
+	break
       else
-        ac_cv_path_NM="$ac_dir/nm"
+	ac_cv_path_NM=${ac_cv_path_NM="$tmp_nm"} # keep the first match, but
+	continue # so that we can try to find one that supports BSD flags
       fi
-      break
     fi
   done
   IFS="$ac_save_ifs"
@@ -528,9 +1153,89 @@ else
 fi])
 NM="$ac_cv_path_NM"
 AC_MSG_RESULT([$NM])
-AC_SUBST(NM)
 ])
 
+# AC_CHECK_LIBM - check for math library
+AC_DEFUN(AC_CHECK_LIBM,
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+LIBM=
+case "$host" in
+*-*-beos* | *-*-cygwin*)
+  # These system don't have libm
+  ;;
+*-ncr-sysv4.3*)
+  AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
+  AC_CHECK_LIB(m, main, LIBM="$LIBM -lm")
+  ;;
+*)
+  AC_CHECK_LIB(m, main, LIBM="-lm")
+  ;;
+esac
+])
+
+# AC_LIBLTDL_CONVENIENCE[(dir)] - sets LIBLTDL to the link flags for
+# the libltdl convenience library and INCLTDL to the include flags for
+# the libltdl header and adds --enable-ltdl-convenience to the
+# configure arguments.  Note that LIBLTDL and INCLTDL are not
+# AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called.  If DIR is not
+# provided, it is assumed to be `libltdl'.  LIBLTDL will be prefixed
+# with '${top_builddir}/' and INCLTDL will be prefixed with
+# '${top_srcdir}/' (note the single quotes!).  If your package is not
+# flat and you're not using automake, define top_builddir and
+# top_srcdir appropriately in the Makefiles.
+AC_DEFUN(AC_LIBLTDL_CONVENIENCE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+  case "$enable_ltdl_convenience" in
+  no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
+  "") enable_ltdl_convenience=yes
+      ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
+  esac
+  LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la
+  INCLTDL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+])
+
+# AC_LIBLTDL_INSTALLABLE[(dir)] - sets LIBLTDL to the link flags for
+# the libltdl installable library and INCLTDL to the include flags for
+# the libltdl header and adds --enable-ltdl-install to the configure
+# arguments.  Note that LIBLTDL and INCLTDL are not AC_SUBSTed, nor is
+# AC_CONFIG_SUBDIRS called.  If DIR is not provided and an installed
+# libltdl is not found, it is assumed to be `libltdl'.  LIBLTDL will
+# be prefixed with '${top_builddir}/' and INCLTDL will be prefixed
+# with '${top_srcdir}/' (note the single quotes!).  If your package is
+# not flat and you're not using automake, define top_builddir and
+# top_srcdir appropriately in the Makefiles.
+# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
+AC_DEFUN(AC_LIBLTDL_INSTALLABLE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+  AC_CHECK_LIB(ltdl, main,
+  [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
+  [if test x"$enable_ltdl_install" = xno; then
+     AC_MSG_WARN([libltdl not installed, but installation disabled])
+   else
+     enable_ltdl_install=yes
+   fi
+  ])
+  if test x"$enable_ltdl_install" = x"yes"; then
+    ac_configure_args="$ac_configure_args --enable-ltdl-install"
+    LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la
+    INCLTDL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+  else
+    ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
+    LIBLTDL="-lltdl"
+    INCLTDL=
+  fi
+])
+
+dnl old names
+AC_DEFUN(AM_PROG_LIBTOOL, [indir([AC_PROG_LIBTOOL])])dnl
+AC_DEFUN(AM_ENABLE_SHARED, [indir([AC_ENABLE_SHARED], $@)])dnl
+AC_DEFUN(AM_ENABLE_STATIC, [indir([AC_ENABLE_STATIC], $@)])dnl
+AC_DEFUN(AM_DISABLE_SHARED, [indir([AC_DISABLE_SHARED], $@)])dnl
+AC_DEFUN(AM_DISABLE_STATIC, [indir([AC_DISABLE_STATIC], $@)])dnl
+AC_DEFUN(AM_PROG_LD, [indir([AC_PROG_LD])])dnl
+AC_DEFUN(AM_PROG_NM, [indir([AC_PROG_NM])])dnl
+
+dnl This is just to silence aclocal about the macro not being used
+ifelse([AC_DISABLE_FAST_INSTALL])dnl
+
 dnl $Id: wflags.m4,v 1.3 1999/03/11 12:11:41 joda Exp $
 dnl
 dnl set WFLAGS
@@ -553,116 +1258,48 @@ AC_SUBST(WFLAGS_NOUNUSED)dnl
 AC_SUBST(WFLAGS_NOIMPLICITINT)dnl
 ])
 
-dnl $Id: test-package.m4,v 1.7 1999/04/19 13:33:05 assar Exp $
+dnl $Id: db.m4,v 1.1 2000/07/19 11:21:07 joda Exp $
 dnl
-dnl AC_TEST_PACKAGE_NEW(package,headers,libraries,extra libs,default locations)
-
-AC_DEFUN(AC_TEST_PACKAGE,[AC_TEST_PACKAGE_NEW($1,[#include <$2>],$4,,$5)])
-
-AC_DEFUN(AC_TEST_PACKAGE_NEW,[
-AC_ARG_WITH($1,
-[  --with-$1=dir                use $1 in dir])
-AC_ARG_WITH($1-lib,
-[  --with-$1-lib=dir            use $1 libraries in dir],
-[if test "$withval" = "yes" -o "$withval" = "no"; then
-  AC_MSG_ERROR([No argument for --with-$1-lib])
-elif test "X$with_$1" = "X"; then
-  with_$1=yes
-fi])
-AC_ARG_WITH($1-include,
-[  --with-$1-include=dir        use $1 headers in dir],
-[if test "$withval" = "yes" -o "$withval" = "no"; then
-  AC_MSG_ERROR([No argument for --with-$1-include])
-elif test "X$with_$1" = "X"; then
-  with_$1=yes
-fi])
-
-AC_MSG_CHECKING(for $1)
-
-case "$with_$1" in
-yes)	;;
-no)	;;
-"")	;;
-*)	if test "$with_$1_include" = ""; then
-		with_$1_include="$with_$1/include"
-	fi
-	if test "$with_$1_lib" = ""; then
-		with_$1_lib="$with_$1/lib$abilibdirext"
-	fi
-	;;
-esac
-header_dirs=
-lib_dirs=
-d='$5'
-for i in $d; do
-	header_dirs="$header_dirs $i/include"
-	lib_dirs="$lib_dirs $i/lib$abilibdirext"
-done
+dnl tests for various db libraries
+dnl
+AC_DEFUN([rk_DB],[berkeley_db=db
+AC_ARG_WITH(berkeley-db,
+[  --without-berkeley-db   if you don't want berkeley db],[
+if test "$withval" = no; then
+	berkeley_db=""
+fi
+])
+if test "$berkeley_db"; then
+  AC_CHECK_HEADERS([				\
+	db.h					\
+	db_185.h				\
+  ])
+fi
 
-case "$with_$1_include" in
-yes) ;;
-no)  ;;
-*)   header_dirs="$with_$1_include $header_dirs";;
-esac
-case "$with_$1_lib" in
-yes) ;;
-no)  ;;
-*)   lib_dirs="$with_$1_lib $lib_dirs";;
-esac
+AC_FIND_FUNC_NO_LIBS2(dbopen, $berkeley_db, [
+#include <stdio.h>
+#if defined(HAVE_DB_185_H)
+#include <db_185.h>
+#elif defined(HAVE_DB_H)
+#include <db.h>
+#endif
+],[NULL, 0, 0, 0, NULL])
 
-save_CFLAGS="$CFLAGS"
-save_LIBS="$LIBS"
-ires= lres=
-for i in $header_dirs; do
-	CFLAGS="-I$i $save_CFLAGS"
-	AC_TRY_COMPILE([$2],,ires=$i;break)
-done
-for i in $lib_dirs; do
-	LIBS="-L$i $3 $4 $save_LIBS"
-	AC_TRY_LINK([$2],,lres=$i;break)
-done
-CFLAGS="$save_CFLAGS"
-LIBS="$save_LIBS"
+AC_FIND_FUNC_NO_LIBS(dbm_firstkey, $berkeley_db gdbm ndbm)
+AC_FIND_FUNC_NO_LIBS(db_create, $berkeley_db)
 
-if test "$ires" -a "$lres" -a "$with_$1" != "no"; then
-	$1_includedir="$ires"
-	$1_libdir="$lres"
-	INCLUDE_$1="-I$$1_includedir"
-	LIB_$1="-L$$1_libdir $3"
-	AC_DEFINE_UNQUOTED(upcase($1),1,[Define if you have the $1 package.])
-	with_$1=yes
-	AC_MSG_RESULT([headers $ires, libraries $lres])
-else
-	INCLUDE_$1=
-	LIB_$1=
-	with_$1=no
-	AC_MSG_RESULT($with_$1)
+DBLIB="$LIB_dbopen"
+if test "$LIB_dbopen" != "$LIB_db_create"; then
+        DBLIB="$DBLIB $LIB_db_create"
 fi
-AC_SUBST(INCLUDE_$1)
-AC_SUBST(LIB_$1)
-])
-
-dnl $Id: find-func.m4,v 1.1 1997/12/14 15:58:58 joda Exp $
-dnl
-dnl AC_FIND_FUNC(func, libraries, includes, arguments)
-AC_DEFUN(AC_FIND_FUNC, [
-AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4])
-if test -n "$LIB_$1"; then
-	LIBS="$LIB_$1 $LIBS"
+if test "$LIB_dbopen" != "$LIB_dbm_firstkey"; then
+	DBLIB="$DBLIB $LIB_dbm_firstkey"
 fi
-])
-
-dnl $Id: find-func-no-libs.m4,v 1.5 1999/10/30 21:08:18 assar Exp $
-dnl
-dnl
-dnl Look for function in any of the specified libraries
-dnl
+AC_SUBST(DBLIB)dnl
 
-dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args)
-AC_DEFUN(AC_FIND_FUNC_NO_LIBS, [
-AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])])
+])
 
-dnl $Id: find-func-no-libs2.m4,v 1.3 1999/10/30 21:09:53 assar Exp $
+dnl $Id: find-func-no-libs2.m4,v 1.4 2000/07/15 18:10:19 joda Exp $
 dnl
 dnl
 dnl Look for function in any of the specified libraries
@@ -692,12 +1329,10 @@ fi
 
 eval "ac_res=\$ac_cv_funclib_$1"
 
-dnl autoheader tricks *sigh*
-: << END
-@@@funcs="$funcs $1"@@@
-@@@libs="$libs $2"@@@
-END
-
+if false; then
+	AC_CHECK_FUNCS($1)
+dnl	AC_CHECK_LIBS($2, foo)
+fi
 # $1
 eval "ac_tr_func=HAVE_[]upcase($1)"
 eval "ac_tr_lib=HAVE_LIB[]upcase($ac_res | sed -e 's/-l//')"
@@ -726,263 +1361,602 @@ esac
 AC_SUBST(LIB_$1)
 ])
 
-# Define a conditional.
+dnl $Id: find-func-no-libs.m4,v 1.5 1999/10/30 21:08:18 assar Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
 
-AC_DEFUN(AM_CONDITIONAL,
-[AC_SUBST($1_TRUE)
-AC_SUBST($1_FALSE)
-if $2; then
-  $1_TRUE=
-  $1_FALSE='#'
-else
-  $1_TRUE='#'
-  $1_FALSE=
-fi])
+dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS, [
+AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])])
 
-dnl $Id: osfc2.m4,v 1.2 1999/03/27 17:28:16 joda Exp $
+dnl $Id: roken-frag.m4,v 1.19 2000/12/15 14:29:54 assar Exp $
 dnl
-dnl enable OSF C2 stuff
+dnl some code to get roken working
+dnl
+dnl rk_ROKEN(subdir)
+dnl
+AC_DEFUN(rk_ROKEN, [
 
-AC_DEFUN(AC_CHECK_OSFC2,[
-AC_ARG_ENABLE(osfc2,
-[  --enable-osfc2          enable some OSF C2 support])
-LIB_security=
-if test "$enable_osfc2" = yes; then
-	AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.])
-	LIB_security=-lsecurity
+AC_REQUIRE([rk_CONFIG_HEADER])
+
+DIR_roken=roken
+LIB_roken='$(top_builddir)/$1/libroken.la'
+INCLUDES_roken='-I$(top_builddir)/$1 -I$(top_srcdir)/$1'
+
+dnl Checks for programs
+AC_REQUIRE([AC_PROG_CC])
+AC_REQUIRE([AC_PROG_AWK])
+AC_REQUIRE([AC_OBJEXT])
+AC_REQUIRE([AC_EXEEXT])
+AC_REQUIRE([AC_PROG_LIBTOOL])
+
+AC_REQUIRE([AC_MIPS_ABI])
+
+dnl C characteristics
+
+AC_REQUIRE([AC_C___ATTRIBUTE__])
+AC_REQUIRE([AC_C_INLINE])
+AC_REQUIRE([AC_C_CONST])
+AC_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
+
+AC_REQUIRE([rk_DB])
+
+dnl C types
+
+AC_REQUIRE([AC_TYPE_SIZE_T])
+AC_CHECK_TYPE_EXTRA(ssize_t, int, [#include <unistd.h>])
+AC_REQUIRE([AC_TYPE_PID_T])
+AC_REQUIRE([AC_TYPE_UID_T])
+AC_HAVE_TYPE([long long])
+
+AC_REQUIRE([rk_RETSIGTYPE])
+
+dnl Checks for header files.
+AC_REQUIRE([AC_HEADER_STDC])
+AC_REQUIRE([AC_HEADER_TIME])
+
+AC_CHECK_HEADERS([\
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	config.h				\
+	crypt.h					\
+	dbm.h					\
+	db.h					\
+	dirent.h				\
+	errno.h					\
+	err.h					\
+	fcntl.h					\
+	gdbm/ndbm.h				\
+	grp.h					\
+	ifaddrs.h				\
+	ndbm.h					\
+	net/if.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6.h				\
+	netinet/in_systm.h			\
+	netinet6/in6.h				\
+	netinet6/in6_var.h			\
+	paths.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	rpcsvc/ypclnt.h				\
+	shadow.h				\
+	sys/ioctl.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/resource.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/sysctl.h				\
+	sys/time.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	termios.h				\
+	unistd.h				\
+	userconf.h				\
+	usersec.h				\
+	util.h					\
+	vis.h					\
+	winsock.h				\
+])
+	
+AC_REQUIRE([CHECK_NETINET_IP_AND_TCP])
+
+AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes)
+AM_CONDITIONAL(have_fnmatch_h, test "$ac_cv_header_fnmatch_h" = yes)
+AM_CONDITIONAL(have_ifaddrs_h, test "$ac_cv_header_ifaddrs_h" = yes)
+AM_CONDITIONAL(have_vis_h, test "$ac_cv_header_vis_h" = yes)
+
+dnl Check for functions and libraries
+
+AC_KRB_IPV6
+
+AC_FIND_FUNC(socket, socket)
+AC_FIND_FUNC(gethostbyname, nsl)
+AC_FIND_FUNC(syslog, syslog)
+AC_FIND_FUNC(gethostbyname2, inet6 ip6)
+
+AC_FIND_FUNC(res_search, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_FIND_FUNC(dn_expand, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_BROKEN_SNPRINTF
+AC_BROKEN_VSNPRINTF
+
+AC_BROKEN_GLOB
+if test "$ac_cv_func_glob_working" != yes; then
+	LIBOBJS="$LIBOBJS glob.o"
 fi
-AC_SUBST(LIB_security)
+AM_CONDITIONAL(have_glob_h, test "$ac_cv_func_glob_working" = yes)
+
+
+AC_CHECK_FUNCS([				\
+	asnprintf				\
+	asprintf				\
+	cgetent					\
+	getconfattr				\
+	getrlimit				\
+	getspnam				\
+	strsvis					\
+	strunvis				\
+	strvis					\
+	strvisx					\
+	svis					\
+	sysconf					\
+	sysctl					\
+	uname					\
+	unvis					\
+	vasnprintf				\
+	vasprintf				\
+	vis					\
 ])
 
-dnl $Id: check-man.m4,v 1.2 1999/03/21 14:30:50 joda Exp $
-dnl check how to format manual pages
-dnl
+if test "$ac_cv_func_cgetent" = no; then
+	LIBOBJS="$LIBOBJS getcap.o"
+fi
 
-AC_DEFUN(AC_CHECK_MAN,
-[AC_PATH_PROG(NROFF, nroff)
-AC_PATH_PROG(GROFF, groff)
-AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format,
-[cat > conftest.1 << END
-.Dd January 1, 1970
-.Dt CONFTEST 1
-.Sh NAME
-.Nm conftest
-.Nd
-foobar
-END
+AC_REQUIRE([AC_FUNC_GETLOGIN])
 
-if test "$NROFF" ; then
-	for i in "-mdoc" "-mandoc"; do
-		if "$NROFF" $i conftest.1 2> /dev/null | \
-			grep Jan > /dev/null 2>&1 ; then
-			ac_cv_sys_man_format="$NROFF $i"
-			break
-		fi
-	done
+AC_FIND_FUNC_NO_LIBS(getsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+AC_FIND_FUNC_NO_LIBS(setsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+
+AC_FIND_IF_NOT_BROKEN(hstrerror, resolv,
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+17)
+if test "$ac_cv_func_hstrerror" = yes; then
+AC_NEED_PROTO([
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+hstrerror)
 fi
-if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then
-	for i in "-mdoc" "-mandoc"; do
-		if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \
-			grep Jan > /dev/null 2>&1 ; then
-			ac_cv_sys_man_format="$GROFF -Tascii $i"
-			break
-		fi
-	done
+
+dnl sigh, wish this could be done in a loop
+if test "$ac_cv_func_asprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+asprintf)dnl
 fi
-if test "$ac_cv_sys_man_format"; then
-	ac_cv_sys_man_format="$ac_cv_sys_man_format \[$]< > \[$]@"
+if test "$ac_cv_func_vasprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+vasprintf)dnl
 fi
-])
-if test "$ac_cv_sys_man_format"; then
-	CATMAN="$ac_cv_sys_man_format"
-	AC_SUBST(CATMAN)
+if test "$ac_cv_func_asnprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+asnprintf)dnl
 fi
-AM_CONDITIONAL(CATMAN, test "$CATMAN")
-AC_CACHE_CHECK(extension of pre-formatted manual pages,ac_cv_sys_catman_ext,
-[if grep _suffix /etc/man.conf > /dev/null 2>&1; then
-	ac_cv_sys_catman_ext=0
-else
-	ac_cv_sys_catman_ext=number
+if test "$ac_cv_func_vasnprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+vasnprintf)dnl
 fi
+
+AC_FIND_FUNC_NO_LIBS(pidfile,util,
+[#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif],0)
+
+AC_BROKEN([					\
+	chown					\
+	copyhostent				\
+	daemon					\
+	err					\
+	errx					\
+	fchown					\
+	flock					\
+	fnmatch					\
+	freeaddrinfo				\
+	freehostent				\
+	gai_strerror				\
+	getaddrinfo				\
+	getcwd					\
+	getdtablesize				\
+	getegid					\
+	geteuid					\
+	getgid					\
+	gethostname				\
+	getifaddrs				\
+	getipnodebyaddr				\
+	getipnodebyname				\
+	getnameinfo				\
+	getopt					\
+	gettimeofday				\
+	getuid					\
+	getusershell				\
+	initgroups				\
+	innetgr					\
+	iruserok				\
+	lstat					\
+	memmove					\
+	mkstemp					\
+	putenv					\
+	rcmd					\
+	readv					\
+	recvmsg					\
+	sendmsg					\
+	setegid					\
+	setenv					\
+	seteuid					\
+	strcasecmp				\
+	strdup					\
+	strerror				\
+	strftime				\
+	strlcat					\
+	strlcpy					\
+	strlwr					\
+	strncasecmp				\
+	strndup					\
+	strnlen					\
+	strptime				\
+	strsep					\
+	strsep_copy				\
+	strtok_r				\
+	strupr					\
+	swab					\
+	unsetenv				\
+	verr					\
+	verrx					\
+	vsyslog					\
+	vwarn					\
+	vwarnx					\
+	warn					\
+	warnx					\
+	writev					\
 ])
-if test "$ac_cv_sys_catman_ext" = number; then
-	CATMANEXT='$$ext'
-else
-	CATMANEXT=0
+
+AC_BROKEN2(inet_aton,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0,0])
+
+AC_BROKEN2(inet_ntop,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0, 0, 0, 0])
+
+AC_BROKEN2(inet_pton,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0,0,0])
+
+dnl
+dnl Check for sa_len in struct sockaddr, 
+dnl needs to come before the getnameinfo test
+dnl
+AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include <sys/types.h>
+#include <sys/socket.h>])
+
+if test "$ac_cv_func_getnameinfo" = "yes"; then
+  rk_BROKEN_GETNAMEINFO
+  if test "$ac_cv_func_getnameinfo_broken" = yes; then
+    LIBOBJS="$LIBOBJS getnameinfo.o"
+  fi
 fi
-AC_SUBST(CATMANEXT)
 
-])
+AC_NEED_PROTO([#include <stdlib.h>], setenv)
+AC_NEED_PROTO([#include <stdlib.h>], unsetenv)
+AC_NEED_PROTO([#include <unistd.h>], gethostname)
+AC_NEED_PROTO([#include <unistd.h>], mkstemp)
+AC_NEED_PROTO([#include <unistd.h>], getusershell)
+
+AC_NEED_PROTO([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+inet_aton)
+
+AC_FIND_FUNC_NO_LIBS(crypt, crypt)dnl
+
+AC_REQUIRE([rk_BROKEN_REALLOC])dnl
+
+dnl AC_KRB_FUNC_GETCWD_BROKEN
+
 dnl
-dnl $Id: krb-bigendian.m4,v 1.5 2000/01/08 10:34:44 assar Exp $
+dnl Checks for prototypes and declarations
 dnl
 
-dnl check if this computer is little or big-endian
-dnl if we can figure it out at compile-time then don't define the cpp symbol
-dnl otherwise test for it and define it.  also allow options for overriding
-dnl it when cross-compiling
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyname, struct hostent *gethostbyname(const char *))
 
-AC_DEFUN(KRB_C_BIGENDIAN, [
-AC_ARG_ENABLE(bigendian,
-[  --enable-bigendian	the target is big endian],
-krb_cv_c_bigendian=yes)
-AC_ARG_ENABLE(littleendian,
-[  --enable-littleendian	the target is little endian],
-krb_cv_c_bigendian=no)
-AC_CACHE_CHECK(whether byte order is known at compile time,
-krb_cv_c_bigendian_compile,
-[AC_TRY_COMPILE([
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
-#include <sys/param.h>],[
-#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
- bogus endian macros
-#endif], krb_cv_c_bigendian_compile=yes, krb_cv_c_bigendian_compile=no)])
-if test "$krb_cv_c_bigendian_compile" = "no"; then
-  AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[
-  if test "$krb_cv_c_bigendian" = ""; then
-    krb_cv_c_bigendian=unknown
-  fi
-  AC_TRY_COMPILE([
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyaddr, struct hostent *gethostbyaddr(const void *, size_t, int))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
-#include <sys/param.h>],[
-#if BYTE_ORDER != BIG_ENDIAN
-  not big endian
-#endif], krb_cv_c_bigendian=yes, krb_cv_c_bigendian=no)
-  if test "$krb_cv_c_bigendian" = "unknown"; then
-    AC_TRY_RUN([main () {
-      /* Are we little or big endian?  From Harbison&Steele.  */
-      union
-      {
-	long l;
-	char c[sizeof (long)];
-      } u;
-      u.l = 1;
-      exit (u.c[sizeof (long) - 1] == 1);
-    }], krb_cv_c_bigendian=no, krb_cv_c_bigendian=yes,
-    AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian]))
-  fi
-  ])
-  if test "$krb_cv_c_bigendian" = "yes"; then
-    AC_DEFINE(WORDS_BIGENDIAN, 1, [define if target is big endian])dnl
-  fi
-fi
-if test "$krb_cv_c_bigendian_compile" = "yes"; then
-  AC_DEFINE(ENDIANESS_IN_SYS_PARAM_H, 1, [define if sys/param.h defines the endiness])dnl
-fi
-])
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+getservbyname, struct servent *getservbyname(const char *, const char *))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+],
+getsockname, int getsockname(int, struct sockaddr*, socklen_t*))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+],
+openlog, void openlog(const char *, int, int))
+
+AC_NEED_PROTO([
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+],
+crypt)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strtok_r)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strsep)
+
+dnl variables
+
+rk_CHECK_VAR(h_errno, 
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR(h_errlist, 
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR(h_nerr, 
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR([__progname], 
+[#ifdef HAVE_ERR_H
+#include <err.h>
+#endif])
+
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optarg)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optind)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], opterr)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optopt)
+
+AC_CHECK_DECLARATION([#include <stdlib.h>], environ)
 
-dnl 
-dnl See if there is any X11 present
 dnl
-dnl $Id: check-x.m4,v 1.2 1999/11/05 04:25:23 assar Exp $
+dnl Check for fields in struct tm
+dnl
 
-AC_DEFUN(KRB_CHECK_X,[
-AC_PATH_XTRA
+AC_HAVE_STRUCT_FIELD(struct tm, tm_gmtoff, [#include <time.h>])
+AC_HAVE_STRUCT_FIELD(struct tm, tm_zone, [#include <time.h>])
 
-# try to figure out if we need any additional ld flags, like -R
-# and yes, the autoconf X test is utterly broken
-if test "$no_x" != yes; then
-	AC_CACHE_CHECK(for special X linker flags,krb_cv_sys_x_libs_rpath,[
-	ac_save_libs="$LIBS"
-	ac_save_cflags="$CFLAGS"
-	CFLAGS="$CFLAGS $X_CFLAGS"
-	krb_cv_sys_x_libs_rpath=""
-	krb_cv_sys_x_libs=""
-	for rflag in "" "-R" "-R " "-rpath "; do
-		if test "$rflag" = ""; then
-			foo="$X_LIBS"
-		else
-			foo=""
-			for flag in $X_LIBS; do
-			case $flag in
-			-L*)
-				foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`"
-				;;
-			*)
-				foo="$foo $flag"
-				;;
-			esac
-			done
-		fi
-		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
-		AC_TRY_RUN([
-		#include <X11/Xlib.h>
-		foo()
-		{
-		XOpenDisplay(NULL);
-		}
-		main()
-		{
-		return 0;
-		}
-		], krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:)
-	done
-	LIBS="$ac_save_libs"
-	CFLAGS="$ac_save_cflags"
-	])
-	X_LIBS="$krb_cv_sys_x_libs"
-fi
-])
+dnl
+dnl or do we have a variable `timezone' ?
+dnl
+
+rk_CHECK_VAR(timezone,[#include <time.h>])
+
+AC_HAVE_TYPE([sa_family_t],[#include <sys/socket.h>])
+AC_HAVE_TYPE([socklen_t],[#include <sys/socket.h>])
+AC_HAVE_TYPE([struct sockaddr], [#include <sys/socket.h>])
+AC_HAVE_TYPE([struct sockaddr_storage], [#include <sys/socket.h>])
+AC_HAVE_TYPE([struct addrinfo], [#include <netdb.h>])
+AC_HAVE_TYPE([struct ifaddrs], [#include <ifaddrs.h>])
 
-dnl $Id: check-xau.m4,v 1.3 1999/05/14 01:17:06 assar Exp $
 dnl
-dnl check for Xau{Read,Write}Auth and XauFileName
+dnl Check for struct winsize
 dnl
-AC_DEFUN(AC_CHECK_XAU,[
-save_CFLAGS="$CFLAGS"
-CFLAGS="$X_CFLAGS $CFLAGS"
-save_LIBS="$LIBS"
-dnl LIBS="$X_LIBS $X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
-LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
-save_LDFLAGS="$LDFLAGS"
-LDFLAGS="$LDFLAGS $X_LIBS"
 
+AC_KRB_STRUCT_WINSIZE
 
-AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau)
-ac_xxx="$LIBS"
-LIBS="$LIB_XauWriteAuth $LIBS"
-AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau)
-LIBS="$LIB_XauReadAauth $LIBS"
-AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau)
-LIBS="$ac_xxx"
+dnl
+dnl Check for struct spwd
+dnl
 
-case "$ac_cv_funclib_XauWriteAuth" in
-yes)	;;
-no)	;;
-*)	if test "$ac_cv_funclib_XauReadAuth" = yes; then
-		if test "$ac_cv_funclib_XauFileName" = yes; then
-			LIB_XauReadAuth="$LIB_XauWriteAuth"
-		else
-			LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName"
-		fi
-	else
-		if test "$ac_cv_funclib_XauFileName" = yes; then
-			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth"
-		else
-			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName"
-		fi
-	fi
-	;;
-esac
+AC_KRB_STRUCT_SPWD
 
-if test "$AUTOMAKE" != ""; then
-	AM_CONDITIONAL(NEED_WRITEAUTH, test "$ac_cv_func_XauWriteAuth" != "yes")
-else
-	AC_SUBST(NEED_WRITEAUTH_TRUE)
-	AC_SUBST(NEED_WRITEAUTH_FALSE)
-	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
-		NEED_WRITEAUTH_TRUE=
-		NEED_WRITEAUTH_FALSE='#'
-	else
-		NEED_WRITEAUTH_TRUE='#'
-		NEED_WRITEAUTH_FALSE=
-	fi
-fi
-CFLAGS=$save_CFLAGS
-LIBS=$save_LIBS
-LDFLAGS=$save_LDFLAGS
-])
+dnl won't work with automake
+dnl moved to AC_OUTPUT in configure.in
+dnl AC_CONFIG_FILES($1/Makefile)
 
+LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)"
+
+AC_SUBST(DIR_roken)dnl
+AC_SUBST(LIB_roken)dnl
+AC_SUBST(INCLUDES_roken)dnl
+])
 dnl $Id: check-type-extra.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
 dnl
 dnl ac_check_type + extra headers
@@ -1007,7 +1981,7 @@ if test $ac_cv_type_$1 = no; then
 fi
 ])
 
-dnl $Id: have-type.m4,v 1.5 1999/12/31 03:10:22 assar Exp $
+dnl $Id: have-type.m4,v 1.6 2000/07/15 18:10:00 joda Exp $
 dnl
 dnl check for existance of a type
 
@@ -1027,21 +2001,37 @@ $2],
 [$1 foo;],
 eval "ac_cv_type_$cv=yes",
 eval "ac_cv_type_$cv=no"))dnl
-AC_MSG_RESULT(`eval echo \\$ac_cv_type_$cv`)
-if test `eval echo \\$ac_cv_type_$cv` = yes; then
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+AC_MSG_RESULT($ac_foo)
+if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
-dnl autoheader tricks *sigh*
-define(foo,translit($1, [ ], [_]))
-: << END
-@@@funcs="$funcs foo"@@@
-END
-undefine([foo])
-  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+if false; then
+	AC_CHECK_TYPES($1)
+fi
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1, [Define if you have type `$1'])
 fi
 ])
 
 dnl
-dnl $Id: check-netinet-ip-and-tcp.m4,v 1.2 1999/05/14 13:15:40 assar Exp $
+dnl $Id: retsigtype.m4,v 1.1 2000/07/15 18:05:56 joda Exp $
+dnl
+dnl Figure out return type of signal handlers, and define SIGRETURN macro
+dnl that can be used to return from one
+dnl
+AC_DEFUN(rk_RETSIGTYPE,[
+AC_TYPE_SIGNAL
+if test "$ac_cv_type_signal" = "void" ; then
+	AC_DEFINE(VOID_RETSIGTYPE, 1, [Define if signal handlers return void.])
+fi
+AC_SUBST(VOID_RETSIGTYPE)
+AH_BOTTOM([#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif])
+])
+dnl
+dnl $Id: check-netinet-ip-and-tcp.m4,v 1.3 2000/07/18 10:33:02 joda Exp $
 dnl
 
 dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3
@@ -1054,8 +2044,7 @@ for i in netinet/ip.h netinet/tcp.h; do
 
 cv=`echo "$i" | sed 'y%./+-%__p_%'`
 
-AC_MSG_CHECKING([for $i])
-AC_CACHE_VAL([ac_cv_header_$cv],
+AC_CACHE_CHECK([for $i],ac_cv_header_$cv,
 [AC_TRY_CPP([\
 #ifdef HAVE_STANDARDS_H
 #include <standards.h>
@@ -1064,22 +2053,31 @@ AC_CACHE_VAL([ac_cv_header_$cv],
 ],
 eval "ac_cv_header_$cv=yes",
 eval "ac_cv_header_$cv=no")])
-AC_MSG_RESULT(`eval echo \\$ac_cv_header_$cv`)
-changequote(, )dnl
-if test `eval echo \\$ac_cv_header_$cv` = yes; then
-  ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
-changequote([, ])dnl
-  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+ac_res=`eval echo \\$ac_cv_header_$cv`
+if test "$ac_res" = yes; then
+	ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+	AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
 fi
 done
-dnl autoheader tricks *sigh*
-: << END
-@@@headers="$headers netinet/ip.h netinet/tcp.h"@@@
-END
-
+if false;then
+	AC_CHECK_HEADERS(netinet/ip.h netinet/tcp.h)
+fi
 ])
 
-dnl $Id: krb-ipv6.m4,v 1.8 2000/01/01 11:44:45 assar Exp $
+# Define a conditional.
+
+AC_DEFUN(AM_CONDITIONAL,
+[AC_SUBST($1_TRUE)
+AC_SUBST($1_FALSE)
+if $2; then
+  $1_TRUE=
+  $1_FALSE='#'
+else
+  $1_TRUE='#'
+  $1_FALSE=
+fi])
+
+dnl $Id: krb-ipv6.m4,v 1.9 2000/12/26 20:27:30 assar Exp $
 dnl
 dnl test for IPv6
 dnl
@@ -1098,7 +2096,7 @@ AC_MSG_CHECKING([ipv6 stack type])
 for i in v6d toshiba kame inria zeta linux; do
 	case $i in
 	v6d)
-		AC_EGREP_CPP(yes, [dnl
+		AC_EGREP_CPP(yes, [
 #include </usr/local/v6/include/sys/types.h>
 #ifdef __V6D__
 yes
@@ -1108,7 +2106,7 @@ yes
 			CFLAGS="-I/usr/local/v6/include $CFLAGS"])
 		;;
 	toshiba)
-		AC_EGREP_CPP(yes, [dnl
+		AC_EGREP_CPP(yes, [
 #include <sys/param.h>
 #ifdef _TOSHIBA_INET6
 yes
@@ -1118,7 +2116,7 @@ yes
 			CFLAGS="-DINET6 $CFLAGS"])
 		;;
 	kame)
-		AC_EGREP_CPP(yes, [dnl
+		AC_EGREP_CPP(yes, [
 #include <netinet/in.h>
 #ifdef __KAME__
 yes
@@ -1128,7 +2126,7 @@ yes
 			CFLAGS="-DINET6 $CFLAGS"])
 		;;
 	inria)
-		AC_EGREP_CPP(yes, [dnl
+		AC_EGREP_CPP(yes, [
 #include <netinet/in.h>
 #ifdef IPV6_INRIA_VERSION
 yes
@@ -1136,7 +2134,7 @@ yes
 			[v6type=$i; CFLAGS="-DINET6 $CFLAGS"])
 		;;
 	zeta)
-		AC_EGREP_CPP(yes, [dnl
+		AC_EGREP_CPP(yes, [
 #include <sys/param.h>
 #ifdef _ZETA_MINAMI_INET6
 yes
@@ -1202,6 +2200,16 @@ if test "$ac_cv_lib_ipv6" = yes; then
 fi
 ])
 
+dnl $Id: find-func.m4,v 1.1 1997/12/14 15:58:58 joda Exp $
+dnl
+dnl AC_FIND_FUNC(func, libraries, includes, arguments)
+AC_DEFUN(AC_FIND_FUNC, [
+AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4])
+if test -n "$LIB_$1"; then
+	LIBS="$LIB_$1 $LIBS"
+fi
+])
+
 dnl $Id: broken-snprintf.m4,v 1.3 1999/03/01 09:52:22 joda Exp $
 dnl
 AC_DEFUN(AC_BROKEN_SNPRINTF, [
@@ -1333,45 +2341,6 @@ fi
 fi
 ])
 
-dnl
-dnl $Id: capabilities.m4,v 1.2 1999/09/01 11:02:26 joda Exp $
-dnl
-
-dnl
-dnl Test SGI capabilities
-dnl
-
-AC_DEFUN(KRB_CAPABILITIES,[
-
-AC_CHECK_HEADERS(capability.h sys/capability.h)
-
-AC_CHECK_FUNCS(sgi_getcapabilitybyname cap_set_proc)
-])
-
-dnl $Id: check-getpwnam_r-posix.m4,v 1.2 1999/03/23 16:47:31 joda Exp $
-dnl
-dnl check for getpwnam_r, and if it's posix or not
-
-AC_DEFUN(AC_CHECK_GETPWNAM_R_POSIX,[
-AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r)
-if test "$ac_cv_func_getpwnam_r" = yes; then
-	AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix,
-	ac_libs="$LIBS"
-	LIBS="$LIBS $LIB_getpwnam_r"
-	AC_TRY_RUN([
-#include <pwd.h>
-int main()
-{
-	struct passwd pw, *pwd;
-	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
-}
-],ac_cv_func_getpwnam_r_posix=yes,ac_cv_func_getpwnam_r_posix=no,:)
-LIBS="$ac_libs")
-if test "$ac_cv_func_getpwnam_r_posix" = yes; then
-	AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.])
-fi
-fi
-])
 dnl $Id: find-if-not-broken.m4,v 1.2 1998/03/16 22:16:27 joda Exp $
 dnl
 dnl
@@ -1386,7 +2355,7 @@ fi
 AC_SUBST(LIBOBJS)dnl
 ])
 
-dnl $Id: broken.m4,v 1.3 1998/03/16 22:16:19 joda Exp $
+dnl $Id: broken.m4,v 1.4 2000/07/15 18:06:36 joda Exp $
 dnl
 dnl
 dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal
@@ -1398,14 +2367,168 @@ do
 AC_CHECK_FUNC($ac_func, [
 ac_tr_func=HAVE_[]upcase($ac_func)
 AC_DEFINE_UNQUOTED($ac_tr_func)],[LIBOBJS[]="$LIBOBJS ${ac_func}.o"])
-dnl autoheader tricks *sigh*
-: << END
-@@@funcs="$funcs $1"@@@
-END
+if false; then
+	AC_CHECK_FUNCS($1)
+fi
+done
+AC_SUBST(LIBOBJS)dnl
+])
+
+dnl $Id: broken2.m4,v 1.1 2000/12/15 14:27:33 assar Exp $
+dnl
+dnl AC_BROKEN but with more arguments
+
+dnl AC_BROKEN2(func, includes, arguments)
+AC_DEFUN(AC_BROKEN2,
+[for ac_func in $1
+do
+AC_MSG_CHECKING([for $ac_func])
+AC_CACHE_VAL(ac_cv_func_$ac_func,
+[AC_TRY_LINK([$2],
+[
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$1) || defined (__stub___$1)
+choke me
+#else
+$ac_func($3)
+#endif
+], [eval "ac_cv_func_$ac_func=yes"], [eval "ac_cv_func_$ac_func=no"])])
+if eval "test \"\${ac_cv_func_$ac_func}\" = yes"; then
+  ac_tr_func=HAVE_[]upcase($ac_func)
+  AC_DEFINE_UNQUOTED($ac_tr_func)
+  AC_MSG_RESULT(yes)
+else
+  AC_MSG_RESULT(no)
+  LIBOBJS[]="$LIBOBJS ${ac_func}.o"
+fi
 done
+if false; then
+	AC_CHECK_FUNCS($1)
+fi
 AC_SUBST(LIBOBJS)dnl
 ])
 
+dnl $Id: have-struct-field.m4,v 1.6 1999/07/29 01:44:32 assar Exp $
+dnl
+dnl check for fields in a structure
+dnl
+dnl AC_HAVE_STRUCT_FIELD(struct, field, headers)
+
+AC_DEFUN(AC_HAVE_STRUCT_FIELD, [
+define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
+AC_CACHE_CHECK([for $2 in $1], cache_val,[
+AC_TRY_COMPILE([$3],[$1 x; x.$2;],
+cache_val=yes,
+cache_val=no)])
+if test "$cache_val" = yes; then
+	define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_]))
+	AC_DEFINE(foo, 1, [Define if $1 has field $2.])
+	undefine([foo])
+fi
+undefine([cache_val])
+])
+
+dnl $Id: broken-getnameinfo.m4,v 1.2 2000/12/05 09:09:00 joda Exp $
+dnl
+dnl test for broken AIX getnameinfo
+
+AC_DEFUN(rk_BROKEN_GETNAMEINFO,[
+AC_CACHE_CHECK([if getnameinfo is broken], ac_cv_func_getnameinfo_broken,
+AC_TRY_RUN([[#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+int
+main(int argc, char **argv)
+{
+  struct sockaddr_in sin;
+  char host[256];
+  memset(&sin, 0, sizeof(sin));
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+  sin.sin_len = sizeof(sin);
+#endif
+  sin.sin_family = AF_INET;
+  sin.sin_addr.s_addr = 0xffffffff;
+  sin.sin_port = 0;
+  return getnameinfo((struct sockaddr*)&sin, sizeof(sin), host, sizeof(host),
+	      NULL, 0, 0);
+}
+]], ac_cv_func_getnameinfo_broken=no, ac_cv_func_getnameinfo_broken=yes))])
+
+dnl
+dnl $Id: broken-realloc.m4,v 1.1 2000/07/15 18:05:36 joda Exp $
+dnl
+dnl Test for realloc that doesn't handle NULL as first parameter
+dnl
+AC_DEFUN(rk_BROKEN_REALLOC, [
+AC_CACHE_CHECK(if realloc if broken, ac_cv_func_realloc_broken, [
+ac_cv_func_realloc_broken=no
+AC_TRY_RUN([
+#include <stddef.h>
+#include <stdlib.h>
+
+int main()
+{
+	return realloc(NULL, 17) == NULL;
+}
+],:, ac_cv_func_realloc_broken=yes, :)
+])
+if test "$ac_cv_func_realloc_broken" = yes ; then
+	AC_DEFINE(BROKEN_REALLOC, 1, [Define if realloc(NULL) doesn't work.])
+fi
+AH_BOTTOM([#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif])
+])
+
+dnl $Id: krb-func-getcwd-broken.m4,v 1.2 1999/03/01 13:03:32 joda Exp $
+dnl
+dnl
+dnl test for broken getcwd in (SunOS braindamage)
+dnl
+
+AC_DEFUN(AC_KRB_FUNC_GETCWD_BROKEN, [
+if test "$ac_cv_func_getcwd" = yes; then
+AC_MSG_CHECKING(if getcwd is broken)
+AC_CACHE_VAL(ac_cv_func_getcwd_broken, [
+ac_cv_func_getcwd_broken=no
+
+AC_TRY_RUN([
+#include <errno.h>
+char *getcwd(char*, int);
+
+void *popen(char *cmd, char *mode)
+{
+	errno = ENOTTY;
+	return 0;
+}
+
+int main()
+{
+	char *ret;
+	ret = getcwd(0, 1024);
+	if(ret == 0 && errno == ENOTTY)
+		return 0;
+	return 1;
+}
+], ac_cv_func_getcwd_broken=yes,:,:)
+])
+if test "$ac_cv_func_getcwd_broken" = yes; then
+	AC_DEFINE(BROKEN_GETCWD, 1, [Define if getcwd is broken (like in SunOS 4).])dnl
+	LIBOBJS="$LIBOBJS getcwd.o"
+	AC_SUBST(LIBOBJS)dnl
+	AC_MSG_RESULT($ac_cv_func_getcwd_broken)
+else
+	AC_MSG_RESULT([seems ok])
+fi
+fi
+])
+
 dnl $Id: proto-compat.m4,v 1.3 1999/03/01 13:03:48 joda Exp $
 dnl
 dnl
@@ -1428,27 +2551,28 @@ if test "$ac_cv_func_$2_proto_compat" = yes; then
 fi
 undefine([foo])
 ])
-dnl $Id: check-var.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl $Id: check-var.m4,v 1.5 2000/12/15 04:54:06 assar Exp $
 dnl
-dnl AC_CHECK_VAR(includes, variable)
-AC_DEFUN(AC_CHECK_VAR, [
-AC_MSG_CHECKING(for $2)
-AC_CACHE_VAL(ac_cv_var_$2, [
-AC_TRY_LINK([extern int $2;
-int foo() { return $2; }],
+dnl rk_CHECK_VAR(variable, includes)
+AC_DEFUN([rk_CHECK_VAR], [
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL(ac_cv_var_$1, [
+AC_TRY_LINK([extern int $1;
+int foo() { return $1; }],
 	    [foo()],
-	    ac_cv_var_$2=yes, ac_cv_var_$2=no)
+	    ac_cv_var_$1=yes, ac_cv_var_$1=no)
 ])
-define([foo], [HAVE_]translit($2, [a-z], [A-Z]))
-
-AC_MSG_RESULT(`eval echo \\$ac_cv_var_$2`)
-if test `eval echo \\$ac_cv_var_$2` = yes; then
-	AC_DEFINE_UNQUOTED(foo, 1, [define if you have $2])
-	AC_CHECK_DECLARATION([$1],[$2])
+ac_foo=`eval echo \\$ac_cv_var_$1`
+AC_MSG_RESULT($ac_foo)
+if test "$ac_foo" = yes; then
+	AC_DEFINE_UNQUOTED(AC_TR_CPP(HAVE_[]$1), 1, 
+		[Define if you have the `]$1[' variable.])
+	m4_ifval([$2], AC_CHECK_DECLARATION([$2],[$1]))
 fi
-undefine([foo])
 ])
 
+AC_WARNING_ENABLE([obsolete])
+AU_DEFUN([AC_CHECK_VAR], [rk_CHECK_VAR([$2], [$1])], [foo])
 dnl $Id: check-declaration.m4,v 1.3 1999/03/01 13:03:08 joda Exp $
 dnl
 dnl
@@ -1475,26 +2599,6 @@ fi
 undefine([foo])
 ])
 
-dnl $Id: have-struct-field.m4,v 1.6 1999/07/29 01:44:32 assar Exp $
-dnl
-dnl check for fields in a structure
-dnl
-dnl AC_HAVE_STRUCT_FIELD(struct, field, headers)
-
-AC_DEFUN(AC_HAVE_STRUCT_FIELD, [
-define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
-AC_CACHE_CHECK([for $2 in $1], cache_val,[
-AC_TRY_COMPILE([$3],[$1 x; x.$2;],
-cache_val=yes,
-cache_val=no)])
-if test "$cache_val" = yes; then
-	define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_]))
-	AC_DEFINE(foo, 1, [Define if $1 has field $2.])
-	undefine([foo])
-fi
-undefine([cache_val])
-])
-
 dnl $Id: krb-struct-winsize.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
 dnl
 dnl
@@ -1546,6 +2650,430 @@ if test "$ac_cv_struct_spwd" = "yes"; then
 fi
 ])
 
+dnl $Id: test-package.m4,v 1.9 2000/12/15 04:54:24 assar Exp $
+dnl
+dnl AC_TEST_PACKAGE_NEW(package,headers,libraries,extra libs,default locations, conditional)
+
+AC_DEFUN(AC_TEST_PACKAGE,[AC_TEST_PACKAGE_NEW($1,[#include <$2>],$4,,$5)])
+
+AC_DEFUN(AC_TEST_PACKAGE_NEW,[
+AC_ARG_WITH($1,
+[  --with-$1=dir                use $1 in dir])
+AC_ARG_WITH($1-lib,
+[  --with-$1-lib=dir            use $1 libraries in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-lib])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+AC_ARG_WITH($1-include,
+[  --with-$1-include=dir        use $1 headers in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-include])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+
+AC_MSG_CHECKING(for $1)
+
+case "$with_$1" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_$1_include" = ""; then
+		with_$1_include="$with_$1/include"
+	fi
+	if test "$with_$1_lib" = ""; then
+		with_$1_lib="$with_$1/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d='$5'
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_$1_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_$1_include $header_dirs";;
+esac
+case "$with_$1_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_$1_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	AC_TRY_COMPILE([$2],,ires=$i;break)
+done
+for i in $lib_dirs; do
+	LIBS="-L$i $3 $4 $save_LIBS"
+	AC_TRY_LINK([$2],,lres=$i;break)
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_$1" != "no"; then
+	$1_includedir="$ires"
+	$1_libdir="$lres"
+	INCLUDE_$1="-I$$1_includedir"
+	LIB_$1="-L$$1_libdir $3"
+	m4_ifval([$6],
+		AC_DEFINE_UNQUOTED($6,1,[Define if you have the $1 package.]),
+		AC_DEFINE_UNQUOTED(upcase($1),1,[Define if you have the $1 package.]))
+	with_$1=yes
+	AC_MSG_RESULT([headers $ires, libraries $lres])
+else
+	INCLUDE_$1=
+	LIB_$1=
+	with_$1=no
+	AC_MSG_RESULT($with_$1)
+fi
+dnl m4_ifval([$6],
+dnl 	AM_CONDITIONAL($6, test "$with_$1" = yes)
+dnl 	AM_CONDITIONAL(upcase($1), test "$with_$1" = yes))
+AC_SUBST(INCLUDE_$1)
+AC_SUBST(LIB_$1)
+])
+
+dnl $Id: osfc2.m4,v 1.2 1999/03/27 17:28:16 joda Exp $
+dnl
+dnl enable OSF C2 stuff
+
+AC_DEFUN(AC_CHECK_OSFC2,[
+AC_ARG_ENABLE(osfc2,
+[  --enable-osfc2          enable some OSF C2 support])
+LIB_security=
+if test "$enable_osfc2" = yes; then
+	AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.])
+	LIB_security=-lsecurity
+fi
+AC_SUBST(LIB_security)
+])
+
+dnl $Id: check-man.m4,v 1.3 2000/11/30 01:47:17 joda Exp $
+dnl check how to format manual pages
+dnl
+
+AC_DEFUN(rk_CHECK_MAN,
+[AC_PATH_PROG(NROFF, nroff)
+AC_PATH_PROG(GROFF, groff)
+AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format,
+[cat > conftest.1 << END
+.Dd January 1, 1970
+.Dt CONFTEST 1
+.Sh NAME
+.Nm conftest
+.Nd
+foobar
+END
+
+if test "$NROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$NROFF" $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$NROFF $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$GROFF -Tascii $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format"; then
+	ac_cv_sys_man_format="$ac_cv_sys_man_format \[$]< > \[$]@"
+fi
+])
+if test "$ac_cv_sys_man_format"; then
+	CATMAN="$ac_cv_sys_man_format"
+	AC_SUBST(CATMAN)
+fi
+AM_CONDITIONAL(CATMAN, test "$CATMAN")
+AC_CACHE_CHECK(extension of pre-formatted manual pages,ac_cv_sys_catman_ext,
+[if grep _suffix /etc/man.conf > /dev/null 2>&1; then
+	ac_cv_sys_catman_ext=0
+else
+	ac_cv_sys_catman_ext=number
+fi
+])
+if test "$ac_cv_sys_catman_ext" = number; then
+	CATMANEXT='$$section'
+else
+	CATMANEXT=0
+fi
+AC_SUBST(CATMANEXT)
+])
+dnl
+dnl $Id: krb-bigendian.m4,v 1.6 2000/08/19 15:37:00 assar Exp $
+dnl
+
+dnl check if this computer is little or big-endian
+dnl if we can figure it out at compile-time then don't define the cpp symbol
+dnl otherwise test for it and define it.  also allow options for overriding
+dnl it when cross-compiling
+
+AC_DEFUN(KRB_C_BIGENDIAN, [
+AC_ARG_ENABLE(bigendian,
+[  --enable-bigendian	the target is big endian],
+krb_cv_c_bigendian=yes)
+AC_ARG_ENABLE(littleendian,
+[  --enable-littleendian	the target is little endian],
+krb_cv_c_bigendian=no)
+AC_CACHE_CHECK(whether byte order is known at compile time,
+krb_cv_c_bigendian_compile,
+[AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/param.h>],[
+#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
+ bogus endian macros
+#endif], krb_cv_c_bigendian_compile=yes, krb_cv_c_bigendian_compile=no)])
+AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[
+  if test "$krb_cv_c_bigendian_compile" = "yes"; then
+    AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/param.h>],[
+#if BYTE_ORDER != BIG_ENDIAN
+  not big endian
+#endif], krb_cv_c_bigendian=yes, krb_cv_c_bigendian=no)
+  else
+    AC_TRY_RUN([main () {
+      /* Are we little or big endian?  From Harbison&Steele.  */
+      union
+      {
+	long l;
+	char c[sizeof (long)];
+    } u;
+    u.l = 1;
+    exit (u.c[sizeof (long) - 1] == 1);
+  }], krb_cv_c_bigendian=no, krb_cv_c_bigendian=yes,
+  AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian]))
+  fi
+])
+if test "$krb_cv_c_bigendian" = "yes"; then
+  AC_DEFINE(WORDS_BIGENDIAN, 1, [define if target is big endian])dnl
+fi
+if test "$krb_cv_c_bigendian_compile" = "yes"; then
+  AC_DEFINE(ENDIANESS_IN_SYS_PARAM_H, 1, [define if sys/param.h defines the endiness])dnl
+fi
+])
+
+dnl
+dnl $Id: aix.m4,v 1.5 2000/11/05 17:15:46 joda Exp $
+dnl
+
+AC_DEFUN(KRB_AIX,[
+aix=no
+case "$host" in 
+*-*-aix3*)
+	aix=3
+	;;
+*-*-aix4*)
+	aix=4
+	;;
+esac
+AM_CONDITIONAL(AIX, test "$aix" != no)dnl
+AM_CONDITIONAL(AIX4, test "$aix" = 4)
+aix_dynamic_afs=yes
+AM_CONDITIONAL(AIX_DYNAMIC_AFS, test "$aix_dynamic_afs" = yes)dnl
+
+AC_FIND_FUNC_NO_LIBS(dlopen, dl)
+
+if test "$aix" != no; then
+	if test "$aix_dynamic_afs" = yes; then
+		if test "$ac_cv_funclib_dlopen" = yes; then
+			AIX_EXTRA_KAFS=
+		elif test "$ac_cv_funclib_dlopen" != no; then
+			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
+		else
+			AIX_EXTRA_KAFS=-lld
+		fi
+	else
+		AIX_EXTRA_KAFS=
+	fi
+fi
+
+AM_CONDITIONAL(HAVE_DLOPEN, test "$ac_cv_funclib_dlopen" != no)dnl
+AC_SUBST(AIX_EXTRA_KAFS)dnl
+
+])
+dnl
+dnl $Id: krb-irix.m4,v 1.2 2000/12/13 12:48:45 assar Exp $
+dnl
+
+dnl requires AC_CANONICAL_HOST
+AC_DEFUN(KRB_IRIX,[
+irix=no
+case "$host_os" in
+irix*) irix=yes ;;
+esac
+AM_CONDITIONAL(IRIX, test "$irix" != no)dnl
+])
+
+dnl 
+dnl See if there is any X11 present
+dnl
+dnl $Id: check-x.m4,v 1.2 1999/11/05 04:25:23 assar Exp $
+
+AC_DEFUN(KRB_CHECK_X,[
+AC_PATH_XTRA
+
+# try to figure out if we need any additional ld flags, like -R
+# and yes, the autoconf X test is utterly broken
+if test "$no_x" != yes; then
+	AC_CACHE_CHECK(for special X linker flags,krb_cv_sys_x_libs_rpath,[
+	ac_save_libs="$LIBS"
+	ac_save_cflags="$CFLAGS"
+	CFLAGS="$CFLAGS $X_CFLAGS"
+	krb_cv_sys_x_libs_rpath=""
+	krb_cv_sys_x_libs=""
+	for rflag in "" "-R" "-R " "-rpath "; do
+		if test "$rflag" = ""; then
+			foo="$X_LIBS"
+		else
+			foo=""
+			for flag in $X_LIBS; do
+			case $flag in
+			-L*)
+				foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`"
+				;;
+			*)
+				foo="$foo $flag"
+				;;
+			esac
+			done
+		fi
+		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
+		AC_TRY_RUN([
+		#include <X11/Xlib.h>
+		foo()
+		{
+		XOpenDisplay(NULL);
+		}
+		main()
+		{
+		return 0;
+		}
+		], krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:)
+	done
+	LIBS="$ac_save_libs"
+	CFLAGS="$ac_save_cflags"
+	])
+	X_LIBS="$krb_cv_sys_x_libs"
+fi
+])
+
+dnl $Id: check-xau.m4,v 1.3 1999/05/14 01:17:06 assar Exp $
+dnl
+dnl check for Xau{Read,Write}Auth and XauFileName
+dnl
+AC_DEFUN(AC_CHECK_XAU,[
+save_CFLAGS="$CFLAGS"
+CFLAGS="$X_CFLAGS $CFLAGS"
+save_LIBS="$LIBS"
+dnl LIBS="$X_LIBS $X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+save_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS $X_LIBS"
+
+
+AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau)
+ac_xxx="$LIBS"
+LIBS="$LIB_XauWriteAuth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau)
+LIBS="$LIB_XauReadAauth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau)
+LIBS="$ac_xxx"
+
+case "$ac_cv_funclib_XauWriteAuth" in
+yes)	;;
+no)	;;
+*)	if test "$ac_cv_funclib_XauReadAuth" = yes; then
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	else
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	fi
+	;;
+esac
+
+if test "$AUTOMAKE" != ""; then
+	AM_CONDITIONAL(NEED_WRITEAUTH, test "$ac_cv_func_XauWriteAuth" != "yes")
+else
+	AC_SUBST(NEED_WRITEAUTH_TRUE)
+	AC_SUBST(NEED_WRITEAUTH_FALSE)
+	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+		NEED_WRITEAUTH_TRUE=
+		NEED_WRITEAUTH_FALSE='#'
+	else
+		NEED_WRITEAUTH_TRUE='#'
+		NEED_WRITEAUTH_FALSE=
+	fi
+fi
+CFLAGS=$save_CFLAGS
+LIBS=$save_LIBS
+LDFLAGS=$save_LDFLAGS
+])
+
+dnl
+dnl $Id: capabilities.m4,v 1.2 1999/09/01 11:02:26 joda Exp $
+dnl
+
+dnl
+dnl Test SGI capabilities
+dnl
+
+AC_DEFUN(KRB_CAPABILITIES,[
+
+AC_CHECK_HEADERS(capability.h sys/capability.h)
+
+AC_CHECK_FUNCS(sgi_getcapabilitybyname cap_set_proc)
+])
+
+dnl $Id: check-getpwnam_r-posix.m4,v 1.2 1999/03/23 16:47:31 joda Exp $
+dnl
+dnl check for getpwnam_r, and if it's posix or not
+
+AC_DEFUN(AC_CHECK_GETPWNAM_R_POSIX,[
+AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r)
+if test "$ac_cv_func_getpwnam_r" = yes; then
+	AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix,
+	ac_libs="$LIBS"
+	LIBS="$LIBS $LIB_getpwnam_r"
+	AC_TRY_RUN([
+#include <pwd.h>
+int main()
+{
+	struct passwd pw, *pwd;
+	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
+}
+],ac_cv_func_getpwnam_r_posix=yes,ac_cv_func_getpwnam_r_posix=no,:)
+LIBS="$ac_libs")
+if test "$ac_cv_func_getpwnam_r_posix" = yes; then
+	AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.])
+fi
+fi
+])
 dnl $Id: grok-type.m4,v 1.4 1999/11/29 11:16:48 joda Exp $
 dnl
 AC_DEFUN(AC_GROK_TYPE, [
@@ -1585,6 +3113,49 @@ for i in $1; do
 done
 ])
 
+dnl $Id: krb-readline.m4,v 1.2 2000/11/15 00:47:08 assar Exp $
+dnl
+dnl Tests for readline functions
+dnl
+
+dnl el_init
+
+AC_DEFUN(KRB_READLINE,[
+AC_FIND_FUNC_NO_LIBS(el_init, edit, [], [], [$LIB_tgetent])
+if test "$ac_cv_func_el_init" = yes ; then
+	AC_CACHE_CHECK(for four argument el_init, ac_cv_func_el_init_four,[
+		AC_TRY_COMPILE([#include <stdio.h>
+			#include <histedit.h>],
+			[el_init("", NULL, NULL, NULL);],
+			ac_cv_func_el_init_four=yes,
+			ac_cv_func_el_init_four=no)])
+	if test "$ac_cv_func_el_init_four" = yes; then
+		AC_DEFINE(HAVE_FOUR_VALUED_EL_INIT, 1, [Define if el_init takes four arguments.])
+	fi
+fi
+
+dnl readline
+
+ac_foo=no
+if test "$with_readline" = yes; then
+	:
+elif test "$ac_cv_func_readline" = yes; then
+	:
+elif test "$ac_cv_func_el_init" = yes; then
+	ac_foo=yes
+	LIB_readline="\$(top_builddir)/lib/editline/libel_compat.la $LIB_el_init"
+else
+	LIB_readline='$(top_builddir)/lib/editline/libeditline.la'
+fi
+AM_CONDITIONAL(el_compat, test "$ac_foo" = yes)
+if test "$readline_libdir"; then
+	LIB_readline="-rpath $readline_libdir $LIB_readline"
+fi
+LIB_readline="$LIB_readline \$(LIB_tgetent)"
+AC_DEFINE(HAVE_READLINE, 1, 
+	[Define if you have a readline compatible library.])dnl
+
+])
 dnl $Id: auth-modules.m4,v 1.1 1999/03/21 13:48:00 joda Exp $
 dnl
 dnl Figure what authentication modules should be built
diff --git a/crypto/heimdal/admin/Makefile.am b/crypto/heimdal/admin/Makefile.am
index 2b9d5b9..f6eca74 100644
--- a/crypto/heimdal/admin/Makefile.am
+++ b/crypto/heimdal/admin/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.30 2000/01/06 08:02:37 assar Exp $
+# $Id: Makefile.am,v 1.33 2000/12/16 00:16:45 joda Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -15,14 +15,12 @@ ktutil_SOURCES = add.c				\
 		 ktutil.c			\
 		 list.c				\
 		 purge.c			\
-		 remove.c			\
-		 srvconvert.c			\
-		 srvcreate.c
+		 remove.c
 
 LDADD = \
 	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(top_builddir)/lib/sl/libsl.la \
 	$(LIB_readline) \
diff --git a/crypto/heimdal/admin/Makefile.in b/crypto/heimdal/admin/Makefile.in
index 52665a5..9c192ad 100644
--- a/crypto/heimdal/admin/Makefile.in
+++ b/crypto/heimdal/admin/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.30 2000/01/06 08:02:37 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.33 2000/12/16 00:16:45 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_readline)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_readline)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,24 +170,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
@@ -177,11 +191,26 @@ man_MANS = ktutil.8
 
 sbin_PROGRAMS = ktutil
 
-ktutil_SOURCES = add.c						 change.c					 copy.c						 get.c						 ktutil.c					 list.c						 purge.c					 remove.c					 srvconvert.c					 srvcreate.c
-
-
-LDADD =  	$(top_builddir)/lib/kadm5/libkadm5clnt.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(top_builddir)/lib/sl/libsl.la 	$(LIB_readline) 	$(LIB_roken)
+ktutil_SOURCES = add.c				\
+		 change.c			\
+		 copy.c				\
+		 get.c				\
+		 ktutil.c			\
+		 list.c				\
+		 purge.c			\
+		 remove.c
+
+
+LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_readline) \
+	$(LIB_roken)
 
+subdir = admin
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -192,39 +221,40 @@ PROGRAMS =  $(sbin_PROGRAMS)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-ktutil_OBJECTS =  add.$(OBJEXT) change.$(OBJEXT) copy.$(OBJEXT) \
+am_ktutil_OBJECTS =  add.$(OBJEXT) change.$(OBJEXT) copy.$(OBJEXT) \
 get.$(OBJEXT) ktutil.$(OBJEXT) list.$(OBJEXT) purge.$(OBJEXT) \
-remove.$(OBJEXT) srvconvert.$(OBJEXT) srvcreate.$(OBJEXT)
+remove.$(OBJEXT)
+ktutil_OBJECTS =  $(am_ktutil_OBJECTS)
 ktutil_LDADD = $(LDADD)
 ktutil_DEPENDENCIES =  $(top_builddir)/lib/kadm5/libkadm5clnt.la \
-$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
-$(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/sl/libsl.la
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la \
+$(top_builddir)/lib/sl/libsl.la
 ktutil_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(ktutil_SOURCES)
 man8dir = $(mandir)/man8
 MANS = $(man_MANS)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(ktutil_SOURCES)
-OBJECTS = $(ktutil_OBJECTS)
+OBJECTS = $(am_ktutil_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign admin/Makefile
 
@@ -247,31 +277,20 @@ install-sbinPROGRAMS: $(sbin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(sbindir)
 	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-sbinPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(sbin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \
+	  rm -f $(DESTDIR)$(sbindir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -283,15 +302,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -305,6 +315,12 @@ maintainer-clean-libtool:
 ktutil$(EXEEXT): $(ktutil_OBJECTS) $(ktutil_DEPENDENCIES)
 	@rm -f ktutil$(EXEEXT)
 	$(LINK) $(ktutil_LDFLAGS) $(ktutil_OBJECTS) $(ktutil_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-man8:
 	$(mkinstalldirs) $(DESTDIR)$(man8dir)
@@ -319,6 +335,7 @@ install-man8:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
@@ -334,6 +351,7 @@ uninstall-man8:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
@@ -347,23 +365,27 @@ uninstall-man:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -376,17 +398,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = admin
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -415,7 +436,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(sbindir) $(DESTDIR)$(mandir)/man8
 
@@ -429,6 +450,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-sbinPROGRAMS mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -466,7 +488,7 @@ distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -476,7 +498,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -488,8 +513,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -558,87 +583,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/admin/change.c b/crypto/heimdal/admin/change.c
index 3de4f86..128395a 100644
--- a/crypto/heimdal/admin/change.c
+++ b/crypto/heimdal/admin/change.c
@@ -33,7 +33,7 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: change.c,v 1.1 2000/01/02 04:41:00 assar Exp $");
+RCSID("$Id: change.c,v 1.2 2000/06/03 12:24:03 assar Exp $");
 
 static void
 change_entry (krb5_context context, krb5_keytab_entry *entry,
@@ -158,7 +158,7 @@ kt_change (int argc, char **argv)
 
     ret = krb5_kt_start_seq_get(context, keytab, &cursor);
     if(ret){
-	krb5_warn(context, ret, "krb5_kt_start_seq_get");
+	krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string);
 	return 1;
     }
 
diff --git a/crypto/heimdal/admin/copy.c b/crypto/heimdal/admin/copy.c
index d846610..d2b5069 100644
--- a/crypto/heimdal/admin/copy.c
+++ b/crypto/heimdal/admin/copy.c
@@ -33,17 +33,105 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: copy.c,v 1.1 2000/01/02 04:41:01 assar Exp $");
+RCSID("$Id: copy.c,v 1.5 2000/12/16 00:45:29 joda Exp $");
+
+
+static krb5_boolean
+compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
+{
+    if(a->keytype != b->keytype ||
+       a->keyvalue.length != b->keyvalue.length ||
+       memcmp(a->keyvalue.data, b->keyvalue.data, a->keyvalue.length) != 0)
+	return FALSE;
+    return TRUE;
+}
+
+static int
+kt_copy_int (const char *from, const char *to)
+{
+    krb5_error_code ret;
+    krb5_keytab src_keytab, dst_keytab;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry, dummy;
+
+    ret = krb5_kt_resolve (context, from, &src_keytab);
+    if (ret) {
+	krb5_warn (context, ret, "resolving src keytab `%s'", from);
+	return 0;
+    }
+
+    ret = krb5_kt_resolve (context, to, &dst_keytab);
+    if (ret) {
+	krb5_kt_close (context, src_keytab);
+	krb5_warn (context, ret, "resolving dst keytab `%s'", to);
+	return 0;
+    }
+
+    ret = krb5_kt_start_seq_get (context, src_keytab, &cursor);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_kt_start_seq_get %s", keytab_string);
+	goto fail;
+    }
+
+    while((ret = krb5_kt_next_entry(context, src_keytab,
+				    &entry, &cursor)) == 0) {
+	char *name_str;
+	char *etype_str;
+	krb5_unparse_name (context, entry.principal, &name_str);
+	krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
+	ret = krb5_kt_get_entry(context, dst_keytab, 
+				entry.principal, 
+				entry.vno, 
+				entry.keyblock.keytype,
+				&dummy);
+	if(ret == 0) {
+	    /* this entry is already in the new keytab, so no need to
+               copy it; if the keyblocks are not the same, something
+               is weird, so complain about that */
+	    if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
+		krb5_warnx(context, "entry with different keyvalue "
+			   "already exists for %s, keytype %s, kvno %d", 
+			   name_str, etype_str, entry.vno);
+	    }
+	    krb5_kt_free_entry(context, &dummy);
+	    krb5_kt_free_entry (context, &entry);
+	    free(name_str);
+	    free(etype_str);
+	    continue;
+	} else if(ret != KRB5_KT_NOTFOUND) {
+	    krb5_warn(context, ret, "krb5_kt_get_entry(%s)", name_str);
+	    krb5_kt_free_entry (context, &entry);
+	    free(name_str);
+	    free(etype_str);
+	    break;
+	}
+	if (verbose_flag)
+	    fprintf (stderr, "copying %s, keytype %s, kvno %d\n", name_str, 
+		     etype_str, entry.vno);
+	ret = krb5_kt_add_entry (context, dst_keytab, &entry);
+	krb5_kt_free_entry (context, &entry);
+	if (ret) {
+	    krb5_warn (context, ret, "krb5_kt_add_entry(%s)", name_str);
+	    free(name_str);
+	    free(etype_str);
+	    break;
+	}
+	free(name_str);
+	free(etype_str);
+    }
+    krb5_kt_end_seq_get (context, src_keytab, &cursor);
+
+  fail:
+    krb5_kt_close (context, src_keytab);
+    krb5_kt_close (context, dst_keytab);
+    return 0;
+}
 
 int
 kt_copy (int argc, char **argv)
 {
-    krb5_error_code ret;
     int help_flag = 0;
     int optind = 0;
-    krb5_keytab src_keytab, dst_keytab;
-    krb5_kt_cursor cursor;
-    krb5_keytab_entry entry;
 
     struct getargs args[] = {
 	{ "help", 'h', arg_flag, NULL}
@@ -53,6 +141,7 @@ kt_copy (int argc, char **argv)
     int i = 0;
 
     args[i++].value = &help_flag;
+    args[i++].value = &verbose_flag;
 
     if(getarg(args, num_args, argc, argv, &optind)) {
 	arg_printusage(args, num_args, "ktutil copy",
@@ -74,46 +163,83 @@ kt_copy (int argc, char **argv)
 	return 0;
     }
 
-    ret = krb5_kt_resolve (context, argv[0], &src_keytab);
-    if (ret) {
-	krb5_warn (context, ret, "resolving src keytab `%s'", argv[0]);
-	return 0;
-    }
+    return kt_copy_int(argv[0], argv[1]);
+}
 
-    ret = krb5_kt_resolve (context, argv[1], &dst_keytab);
-    if (ret) {
-	krb5_kt_close (context, src_keytab);
-	krb5_warn (context, ret, "resolving dst keytab `%s'", argv[1]);
+#ifndef KEYFILE
+#define KEYFILE "/etc/srvtab"
+#endif
+
+/* copy to from v4 srvtab, just short for copy */
+static int
+conv(int srvconv, int argc, char **argv)
+{
+    int help_flag = 0;
+    char *srvtab = KEYFILE;
+    int optind = 0;
+    char kt4[1024], kt5[1024];
+
+    char *name;
+
+    struct getargs args[] = {
+	{ "srvtab", 's', arg_string, NULL},
+	{ "help", 'h', arg_flag, NULL}
+    };
+
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int i = 0;
+
+    args[i++].value = &srvtab;
+    args[i++].value = &help_flag;
+
+    if(srvconv)
+	name = "ktutil srvconvert";
+    else 
+	name = "ktutil srvcreate";
+
+    if(getarg(args, num_args, argc, argv, &optind)){
+	arg_printusage(args, num_args, name, "");
+	return 1;
+    }
+    if(help_flag){
+	arg_printusage(args, num_args, name, "");
 	return 0;
     }
 
-    ret = krb5_kt_start_seq_get (context, src_keytab, &cursor);
-    if (ret) {
-	krb5_warn (context, ret, "krb5_kt_start_seq_get");
-	goto fail;
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0) {
+	arg_printusage(args, num_args, name, "");
+	return 1;
     }
 
-    while((ret = krb5_kt_next_entry(context, src_keytab,
-				    &entry, &cursor)) == 0) {
-	ret = krb5_kt_add_entry (context, dst_keytab, &entry);
-	if (verbose_flag) {
-	    char *name_str;
+    snprintf(kt4, sizeof(kt4), "krb4:%s", srvtab);
 
-	    krb5_unparse_name (context, entry.principal, &name_str);
-	    printf ("copying %s\n", name_str);
-	    free (name_str);
+    if(srvconv) {
+	if(keytab_string != NULL)
+	    return kt_copy_int(kt4, keytab_string);
+	else {
+	    krb5_kt_default_name(context, kt5, sizeof(kt5));
+	    return kt_copy_int(kt4, kt5);
 	}
+    } else {
+	if(keytab_string != NULL)
+	    return kt_copy_int(keytab_string, kt4);
 
-	krb5_kt_free_entry (context, &entry);
-	if (ret) {
-	    krb5_warn (context, ret, "krb5_kt_add_entry");
-	    break;
-	}
+	krb5_kt_default_name(context, kt5, sizeof(kt5));
+	return kt_copy_int(kt5, kt4);
     }
-    krb5_kt_end_seq_get (context, src_keytab, &cursor);
+}
 
-fail:
-    krb5_kt_close (context, src_keytab);
-    krb5_kt_close (context, dst_keytab);
-    return 0;
+int
+srvconv(int argc, char **argv)
+{
+    return conv(1, argc, argv);
+}
+
+int
+srvcreate(int argc, char **argv)
+{
+    return conv(0, argc, argv);
 }
diff --git a/crypto/heimdal/admin/get.c b/crypto/heimdal/admin/get.c
index 143ffa2..5df72a1 100644
--- a/crypto/heimdal/admin/get.c
+++ b/crypto/heimdal/admin/get.c
@@ -33,7 +33,7 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: get.c,v 1.15 2000/01/02 04:41:01 assar Exp $");
+RCSID("$Id: get.c,v 1.16 2000/12/31 02:51:43 assar Exp $");
 
 int
 kt_get(int argc, char **argv)
@@ -131,13 +131,26 @@ kt_get(int argc, char **argv)
 	if(ret == 0)
 	    created++;
 	else if(ret != KADM5_DUP) {
+	    krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[i]);
 	    krb5_free_principal(context, princ_ent);
 	    continue;
 	}
 	ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys);
+	if (ret) {
+	    krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[i]);
+	    krb5_free_principal(context, princ_ent);
+	    continue;
+	}
 	
 	ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, 
 			      KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
+	if (ret) {
+	    krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[i]);
+	    for (j = 0; j < n_keys; j++)
+		krb5_free_keyblock_contents(context, &keys[j]);
+	    krb5_free_principal(context, princ_ent);
+	    continue;
+	}
 	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
 	mask = KADM5_ATTRIBUTES;
 	if(created) {
@@ -145,6 +158,13 @@ kt_get(int argc, char **argv)
 	    mask |= KADM5_KVNO;
 	}
 	ret = kadm5_modify_principal(kadm_handle, &princ, mask);
+	if (ret) {
+	    krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[i]);
+	    for (j = 0; j < n_keys; j++)
+		krb5_free_keyblock_contents(context, &keys[j]);
+	    krb5_free_principal(context, princ_ent);
+	    continue;
+	}
 	for(j = 0; j < n_keys; j++) {
 	    entry.principal = princ_ent;
 	    entry.vno = princ.kvno;
diff --git a/crypto/heimdal/admin/ktutil.8 b/crypto/heimdal/admin/ktutil.8
index b70fc93..cb86fa5 100644
--- a/crypto/heimdal/admin/ktutil.8
+++ b/crypto/heimdal/admin/ktutil.8
@@ -1,22 +1,23 @@
-.\" $Id: ktutil.8,v 1.6 2000/01/02 05:07:50 assar Exp $
+.\" $Id: ktutil.8,v 1.9 2000/12/16 00:58:49 joda Exp $
 .\"
-.Dd Aug 27, 1997
+.Dd December 16, 2000
 .Dt KTUTIL 8
 .Os HEIMDAL
 .Sh NAME
 .Nm ktutil
-.Ar command
 .Nd
-handle a keytab
+manage Kerberos keytabs
 .Sh SYNOPSIS
 .Nm
-.Op Fl k Ar keytab
-.Op Fl -keytab= Ns Ar keytab
-.Op Fl v
+.Oo Fl k Ar keytab \*(Ba Xo
+.Fl -keytab= Ns Ar keytab 
+.Xc
+.Oc
+.Op Fl v | Fl -verbose
 .Op Fl -version
-.Op Fl h
-.Op Fl -help
-.Ar command
+.Op Fl h | Fl -help
+.Ar command 
+.Op Ar args
 .Sh DESCRIPTION
 .Nm
 is a program for managing keytabs.
@@ -43,7 +44,7 @@ prompted for.
 .Op Fl r Ar realm
 .Op Fl -realm= Ns Ar realm
 .Op Fl -a Ar host
-.Op Fl -admin-server= Ns Ar hots
+.Op Fl -admin-server= Ns Ar host
 .Op Fl -s Ar port
 .Op Fl -server-port= Ns Ar port
 .Xc
@@ -74,7 +75,10 @@ to
 Get a key for
 .Nm principal
 and store it in a keytab.
-.It list
+.It list Xo
+.Op Fl -keys
+.Op Fl -timestamp
+.Xc
 List the keys stored in the keytab.
 .It remove Xo
 .Op Fl p Ar principal
@@ -94,8 +98,8 @@ removes keys of any type.
 .Xc
 Removes all old entries (for which there is a newer version) that are
 older than
-.Ar age
-seconds.
+.Ar age 
+(default one week).
 .It srvconvert
 .It srv2keytab Xo
 .Op Fl s Ar srvtab
@@ -104,7 +108,13 @@ seconds.
 Converts the version 4 srvtab in
 .Ar srvtab
 to a version 5 keytab and stores it in
-.Ar keytab .
+.Ar keytab . 
+Identical to:
+.Bd -ragged -offset indent
+.Li ktutil copy 
+.Li krb4: Ns Ar srvtab
+.Ar keytab 
+.Ed
 .It srvcreate
 .It key2srvtab Xo
 .Op Fl s Ar srvtab
@@ -114,6 +124,12 @@ Converts the version 5 keytab in
 .Ar keytab
 to a version 4 srvtab and stores it in
 .Ar srvtab .
+Identical to:
+.Bd -ragged -offset indent
+.Li ktutil copy 
+.Ar keytab 
+.Li krb4: Ns Ar srvtab
+.Ed
 .El
 .Sh SEE ALSO
 .Xr kadmin 8
diff --git a/crypto/heimdal/admin/ktutil.c b/crypto/heimdal/admin/ktutil.c
index 205bd89..35ca1c9 100644
--- a/crypto/heimdal/admin/ktutil.c
+++ b/crypto/heimdal/admin/ktutil.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,14 +32,17 @@
  */
 
 #include "ktutil_locl.h"
+#include <err.h>
 
-RCSID("$Id: ktutil.c,v 1.26 2000/02/07 04:29:25 assar Exp $");
+RCSID("$Id: ktutil.c,v 1.30 2001/01/25 12:44:37 assar Exp $");
 
 static int help_flag;
 static int version_flag;
 int verbose_flag;
 char *keytab_string; 
 
+static char keytab_buf[256];
+
 static int help(int argc, char **argv);
 
 static SL_cmd cmds[] = {
@@ -127,7 +130,9 @@ main(int argc, char **argv)
     int optind = 0;
     krb5_error_code ret;
     set_progname(argv[0]);
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
     if(getarg(args, num_args, argc, argv, &optind))
 	usage(1);
     if(help_flag)
@@ -143,6 +148,10 @@ main(int argc, char **argv)
     if(keytab_string) {
 	ret = krb5_kt_resolve(context, keytab_string, &keytab);
     } else {
+	if(krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf)))
+	    strlcpy (keytab_buf, "unknown", sizeof(keytab_buf));
+	keytab_string = keytab_buf;
+
 	ret = krb5_kt_default(context, &keytab);
     }
     if(ret)
diff --git a/crypto/heimdal/admin/list.c b/crypto/heimdal/admin/list.c
index 1924a21..04c1d78 100644
--- a/crypto/heimdal/admin/list.c
+++ b/crypto/heimdal/admin/list.c
@@ -33,7 +33,28 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: list.c,v 1.1 2000/01/02 04:41:02 assar Exp $");
+RCSID("$Id: list.c,v 1.3 2000/06/29 08:21:40 joda Exp $");
+
+static int help_flag;
+static int list_keys;
+static int list_timestamp;
+
+static struct getargs args[] = {
+    { "help",      'h', arg_flag, &help_flag },
+    { "keys",	   0,   arg_flag, &list_keys, "show key value" },
+    { "timestamp", 0,   arg_flag, &list_timestamp, "show timestamp" },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+struct key_info {
+    char *version;
+    char *etype;
+    char *principal;
+    char *timestamp;
+    char *key;
+    struct key_info *next;
+};
 
 int
 kt_list(int argc, char **argv)
@@ -41,43 +62,102 @@ kt_list(int argc, char **argv)
     krb5_error_code ret;
     krb5_kt_cursor cursor;
     krb5_keytab_entry entry;
+    int optind = 0;
+    struct key_info *ki, **kie = &ki, *kp;
+
+    int max_version = sizeof("Vno") - 1;
+    int max_etype = sizeof("Type") - 1;
+    int max_principal = sizeof("Principal") - 1;
+    int max_timestamp = sizeof("Date") - 1;
+    int max_key = sizeof("Key") - 1;
+
+    if(verbose_flag)
+	list_timestamp = 1;
+
+    if(getarg(args, num_args, argc, argv, &optind)){
+	arg_printusage(args, num_args, "ktutil list", "");
+	return 1;
+    }
+    if(help_flag){
+	arg_printusage(args, num_args, "ktutil list", "");
+	return 0;
+    }
 
     ret = krb5_kt_start_seq_get(context, keytab, &cursor);
     if(ret){
-	krb5_warn(context, ret, "krb5_kt_start_seq_get");
+	krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string);
 	return 1;
     }
-    printf("%s", "Version");
-    printf("  ");
-    printf("%-15s", "Type");
-    printf("  ");
-    printf("%s", "Principal");
-    printf("\n");
     while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
-	char *p;
-	printf("   %3d ", entry.vno);
-	printf("  ");
-	ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &p);
+#define CHECK_MAX(F) if(max_##F < strlen(kp->F)) max_##F = strlen(kp->F)
+
+	kp = malloc(sizeof(*kp));
+
+	asprintf(&kp->version, "%d", entry.vno);
+	CHECK_MAX(version);
+	ret = krb5_enctype_to_string(context, 
+				     entry.keyblock.keytype, &kp->etype);
 	if (ret != 0) 
-	    asprintf(&p, "unknown (%d)", entry.keyblock.keytype);
-	printf("%-15s", p);
-	free(p);
-	printf("  ");
-	krb5_unparse_name(context, entry.principal, &p);
-	printf("%s ", p);
-	free(p);
-	printf("\n");
-	if (verbose_flag) {
+	    asprintf(&kp->etype, "unknown (%d)", entry.keyblock.keytype);
+	CHECK_MAX(etype);
+	krb5_unparse_name_short(context, entry.principal, &kp->principal);
+	CHECK_MAX(principal);
+	if (list_timestamp) {
 	    char tstamp[256];
-	    struct tm *tm;
-	    time_t ts = entry.timestamp;
 
-	    tm = gmtime (&ts);
-	    strftime (tstamp, sizeof(tstamp), "%Y-%m-%d %H:%M:%S UTC", tm);
-	    printf("   Timestamp: %s\n", tstamp);
+	    krb5_format_time(context, entry.timestamp, 
+			     tstamp, sizeof(tstamp), FALSE);
+
+	    kp->timestamp = strdup(tstamp);
+	    CHECK_MAX(timestamp);
 	}
+	if(list_keys) {
+	    int i;
+	    kp->key = malloc(2 * entry.keyblock.keyvalue.length + 1);
+	    for(i = 0; i < entry.keyblock.keyvalue.length; i++)
+		snprintf(kp->key + 2 * i, 3, "%02x", 
+			 ((unsigned char*)entry.keyblock.keyvalue.data)[i]);
+	    CHECK_MAX(key);
+	}
+	kp->next = NULL;
+	*kie = kp;
+	kie = &kp->next;
 	krb5_kt_free_entry(context, &entry);
     }
     ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+
+    printf("%-*s  %-*s  %-*s", max_version, "Vno", 
+	   max_etype, "Type", 
+	   max_principal, "Principal");
+    if(list_timestamp)
+	printf("  %-*s", max_timestamp, "Date");
+    if(list_keys)
+	printf("  %s", "Key");
+    printf("\n");
+
+    for(kp = ki; kp; ) {
+	printf("%*s  %-*s  %-*s", max_version, kp->version, 
+	       max_etype, kp->etype, 
+	       max_principal, kp->principal);
+	if(list_timestamp)
+	    printf("  %-*s", max_timestamp, kp->timestamp);
+	if(list_keys)
+	    printf("  %s", kp->key);
+	printf("\n");
+
+	/* free entries */
+	free(kp->version);
+	free(kp->etype);
+	free(kp->principal);
+	if(list_timestamp)
+	    free(kp->timestamp);
+	if(list_keys) {
+	    memset(kp->key, 0, strlen(kp->key));
+	    free(kp->key);
+	}
+	ki = kp;
+	kp = kp->next;
+	free(ki);
+    }
     return 0;
 }
diff --git a/crypto/heimdal/admin/purge.c b/crypto/heimdal/admin/purge.c
index 3e262c5..5e22de5 100644
--- a/crypto/heimdal/admin/purge.c
+++ b/crypto/heimdal/admin/purge.c
@@ -33,7 +33,7 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: purge.c,v 1.1 2000/01/02 05:06:50 assar Exp $");
+RCSID("$Id: purge.c,v 1.3 2000/06/29 08:31:47 joda Exp $");
 
 /*
  * keep track of the highest version for every principal.
@@ -101,9 +101,10 @@ kt_purge(int argc, char **argv)
     krb5_kt_cursor cursor;
     krb5_keytab_entry entry;
     int help_flag = 0;
-    int age = 7 * 24 * 60 * 60;
+    char *age_str = "1 week";
+    int age;
     struct getargs args[] = {
-	{ "age",   0,  arg_integer, NULL, "age to retire" },
+	{ "age",   0,  arg_string, NULL, "age to retire" },
 	{ "help", 'h', arg_flag, NULL }
     };
     int num_args = sizeof(args) / sizeof(args[0]);
@@ -112,7 +113,7 @@ kt_purge(int argc, char **argv)
     struct e *head = NULL;
     time_t judgement_day;
 
-    args[i++].value = &age;
+    args[i++].value = &age_str;
     args[i++].value = &help_flag;
 
     if(getarg(args, num_args, argc, argv, &optind)) {
@@ -124,9 +125,15 @@ kt_purge(int argc, char **argv)
 	return 0;
     }
 
+    age = parse_time(age_str, "s");
+    if(age < 0) {
+	krb5_warnx(context, "unparasable time `%s'", age_str);
+	return 0;
+    }
+
     ret = krb5_kt_start_seq_get(context, keytab, &cursor);
     if(ret){
-	krb5_warn(context, ret, "krb5_kt_start_seq_get");
+	krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string);
 	return 1;
     }
 
@@ -140,7 +147,7 @@ kt_purge(int argc, char **argv)
 
     ret = krb5_kt_start_seq_get(context, keytab, &cursor);
     if(ret){
-	krb5_warn(context, ret, "krb5_kt_start_seq_get");
+	krb5_warn(context, ret, "krb5_kt_start_seq_get, %s", keytab_string);
 	return 1;
     }
 
diff --git a/crypto/heimdal/appl/Makefile.am b/crypto/heimdal/appl/Makefile.am
index 307f450..e867521 100644
--- a/crypto/heimdal/appl/Makefile.am
+++ b/crypto/heimdal/appl/Makefile.am
@@ -1,10 +1,13 @@
-# $Id: Makefile.am,v 1.19 1999/10/17 10:51:26 assar Exp $
+# $Id: Makefile.am,v 1.24 2001/01/27 18:34:39 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
 if OTP
 dir_otp = otp
 endif
+if DCE
+dir_dce = dceutils
+endif
 SUBDIRS = 					\
 	  afsutil				\
 	  ftp					\
@@ -13,10 +16,11 @@ SUBDIRS = 					\
 	  popper				\
 	  push					\
 	  rsh					\
+	  rcp					\
 	  su					\
 	  xnlock				\
 	  telnet				\
 	  test					\
 	  kx					\
 	  kf					\
-	  # kauth
+	  $(dir_dce)
diff --git a/crypto/heimdal/appl/Makefile.in b/crypto/heimdal/appl/Makefile.in
index f78cfa3..2690db2 100644
--- a/crypto/heimdal/appl/Makefile.in
+++ b/crypto/heimdal/appl/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.19 1999/10/17 10:51:26 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.24 2001/01/27 18:34:39 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,30 +170,43 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
-@OTP_TRUE@dir_otp = otp
-SUBDIRS =  	  afsutil					  ftp						  login						  $(dir_otp)					  popper					  push						  rsh						  su						  xnlock					  telnet					  test						  kx						  kf						  # kauth
+@OTP_TRUE@dir_otp = @OTP_TRUE@otp
+@DCE_TRUE@dir_dce = @DCE_TRUE@dceutils
+SUBDIRS = \
+	  afsutil				\
+	  ftp					\
+	  login					\
+	  $(dir_otp)				\
+	  popper				\
+	  push					\
+	  rsh					\
+	  rcp					\
+	  su					\
+	  xnlock				\
+	  telnet				\
+	  test					\
+	  kx					\
+	  kf					\
+	  $(dir_dce)
 
+subdir = appl
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -183,16 +214,17 @@ CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
-DIST_SUBDIRS =  afsutil ftp login otp popper push rsh su xnlock telnet \
-test kx kf
+DIST_SUBDIRS =  afsutil ftp login otp popper push rsh rcp su xnlock \
+telnet test kx kf dceutils
 all: all-redirect
 .SUFFIXES:
 .SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
@@ -211,8 +243,6 @@ Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 
-@SET_MAKE@
-
 all-recursive install-data-recursive install-exec-recursive \
 installdirs-recursive install-recursive uninstall-recursive  \
 check-recursive installcheck-recursive info-recursive dvi-recursive:
@@ -240,7 +270,7 @@ maintainer-clean-recursive:
 	dot_seen=no; \
 	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
 	  rev="$$subdir $$rev"; \
-	  test "$$subdir" = "." && dot_seen=yes; \
+	  if test "$$subdir" = "."; then dot_seen=yes; else :; fi; \
 	done; \
 	test "$$dot_seen" = "no" && rev=". $$rev"; \
 	target=`echo $@ | sed s/-recursive//`; \
@@ -261,15 +291,17 @@ tags-recursive:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -277,12 +309,14 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
 	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
    fi; \
 	done; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -295,17 +329,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	for subdir in $(DIST_SUBDIRS); do \
@@ -313,7 +346,6 @@ distdir: $(DISTFILES)
 	    test -d $(distdir)/$$subdir \
 	    || mkdir $(distdir)/$$subdir \
 	    || exit 1; \
-	    chmod 777 $(distdir)/$$subdir; \
 	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
 	      || exit 1; \
 	  fi; \
@@ -344,7 +376,7 @@ uninstall: uninstall-recursive
 all-am: Makefile all-local
 all-redirect: all-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs: installdirs-recursive
 installdirs-am:
 
@@ -358,6 +390,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-tags mostlyclean-generic
 
 mostlyclean: mostlyclean-recursive
@@ -378,19 +411,19 @@ maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
 
 maintainer-clean: maintainer-clean-recursive
 
-.PHONY: install-data-recursive uninstall-data-recursive \
-install-exec-recursive uninstall-exec-recursive installdirs-recursive \
-uninstalldirs-recursive all-recursive check-recursive \
-installcheck-recursive info-recursive dvi-recursive \
-mostlyclean-recursive distclean-recursive clean-recursive \
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
 maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
 distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
-distclean-generic clean-generic maintainer-clean-generic clean \
-mostlyclean distclean maintainer-clean
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
 install-suid-programs:
@@ -398,7 +431,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -410,8 +446,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -480,87 +516,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/afsutil/ChangeLog b/crypto/heimdal/appl/afsutil/ChangeLog
index 5cdc960..af83aef 100644
--- a/crypto/heimdal/appl/afsutil/ChangeLog
+++ b/crypto/heimdal/appl/afsutil/ChangeLog
@@ -1,3 +1,11 @@
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c (main): handle krb5_init_context failure consistently
+
+2000-12-25  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c: clarify usage strings
+
 1999-08-04  Assar Westerlund  <assar@sics.se>
 
 	* pagsh.c (main): use mkstemp to generate temporary file names.
diff --git a/crypto/heimdal/appl/afsutil/Makefile.am b/crypto/heimdal/appl/afsutil/Makefile.am
index 6d94758..8b0ca8c 100644
--- a/crypto/heimdal/appl/afsutil/Makefile.am
+++ b/crypto/heimdal/appl/afsutil/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.11 1999/06/27 00:45:26 assar Exp $
+# $Id: Makefile.am,v 1.12 2000/11/15 22:51:07 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -17,5 +17,5 @@ LDADD = $(LIB_kafs) \
 	$(LIB_krb4) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(LIB_roken)
diff --git a/crypto/heimdal/appl/afsutil/Makefile.in b/crypto/heimdal/appl/afsutil/Makefile.in
index bf33ad1..24f5a61 100644
--- a/crypto/heimdal/appl/afsutil/Makefile.in
+++ b/crypto/heimdal/appl/afsutil/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.11 1999/06/27 00:45:26 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.12 2000/11/15 22:51:07 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,90 +170,90 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
-@KRB4_TRUE@AFSPROGS = afslog pagsh
+@KRB4_TRUE@AFSPROGS = @KRB4_TRUE@afslog pagsh
 bin_PROGRAMS = $(AFSPROGS)
 
 afslog_SOURCES = afslog.c
 
 pagsh_SOURCES = pagsh.c
 
-LDADD = $(LIB_kafs) 	$(LIB_krb4) 	$(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken)
+LDADD = $(LIB_kafs) \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_des) \
+	$(LIB_roken)
 
+subdir = appl/afsutil
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
-@KRB4_TRUE@bin_PROGRAMS =  afslog$(EXEEXT) pagsh$(EXEEXT)
 @KRB4_FALSE@bin_PROGRAMS = 
+@KRB4_TRUE@bin_PROGRAMS =  afslog$(EXEEXT) pagsh$(EXEEXT)
 PROGRAMS =  $(bin_PROGRAMS)
 
 
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-afslog_OBJECTS =  afslog.$(OBJEXT)
+am_afslog_OBJECTS =  afslog.$(OBJEXT)
+afslog_OBJECTS =  $(am_afslog_OBJECTS)
 afslog_LDADD = $(LDADD)
+@KRB4_FALSE@afslog_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
 @KRB4_TRUE@afslog_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
 @KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la
-@KRB4_FALSE@afslog_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
 afslog_LDFLAGS = 
-pagsh_OBJECTS =  pagsh.$(OBJEXT)
+am_pagsh_OBJECTS =  pagsh.$(OBJEXT)
+pagsh_OBJECTS =  $(am_pagsh_OBJECTS)
 pagsh_LDADD = $(LDADD)
+@KRB4_FALSE@pagsh_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
 @KRB4_TRUE@pagsh_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
 @KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la
-@KRB4_FALSE@pagsh_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
 pagsh_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(afslog_SOURCES) $(pagsh_SOURCES)
+depcomp = 
 DIST_COMMON =  ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(afslog_SOURCES) $(pagsh_SOURCES)
-OBJECTS = $(afslog_OBJECTS) $(pagsh_OBJECTS)
+OBJECTS = $(am_afslog_OBJECTS) $(am_pagsh_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/afsutil/Makefile
 
@@ -258,31 +276,20 @@ install-binPROGRAMS: $(bin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(bindir)
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-binPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -294,15 +301,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -320,26 +318,36 @@ afslog$(EXEEXT): $(afslog_OBJECTS) $(afslog_DEPENDENCIES)
 pagsh$(EXEEXT): $(pagsh_OBJECTS) $(pagsh_DEPENDENCIES)
 	@rm -f pagsh$(EXEEXT)
 	$(LINK) $(pagsh_LDFLAGS) $(pagsh_OBJECTS) $(pagsh_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -352,17 +360,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/afsutil
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -391,7 +398,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(bindir)
 
@@ -405,6 +412,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -440,7 +448,7 @@ distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -450,7 +458,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -462,8 +473,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -532,87 +543,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/afsutil/afslog.c b/crypto/heimdal/appl/afsutil/afslog.c
index 431231f..f557421 100644
--- a/crypto/heimdal/appl/afsutil/afslog.c
+++ b/crypto/heimdal/appl/afsutil/afslog.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,14 +33,14 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: afslog.c,v 1.11 1999/07/04 23:50:39 assar Exp $");
+RCSID("$Id: afslog.c,v 1.14 2001/01/25 12:44:46 assar Exp $");
 #endif
 #include <ctype.h>
 #include <krb5.h>
 #include <kafs.h>
 #include <roken.h>
 #include <getarg.h>
-
+#include <err.h>
 
 static int help_flag;
 static int version_flag;
@@ -54,8 +54,8 @@ static int unlog_flag;
 static int verbose;
 
 struct getargs args[] = {
-    { "cell",	'c', arg_strings, &cells, "cell to get tokens for", "cell" },
-    { "file",	'p', arg_strings, &files, "file to get tokens for", "path" },
+    { "cell",	'c', arg_strings, &cells, "cells to get tokens for", "cells" },
+    { "file",	'p', arg_strings, &files, "files to get tokens for", "paths" },
     { "realm",	'k', arg_string, &realm, "realm for afs cell", "realm" },
     { "unlog",	'u', arg_flag, &unlog_flag, "remove tokens" },
 #if 0
@@ -190,7 +190,9 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
     if(!k_hasafs())
 	krb5_errx(context, 1, 
 		  "AFS doesn't seem to be present on this machine");
diff --git a/crypto/heimdal/appl/afsutil/pagsh.c b/crypto/heimdal/appl/afsutil/pagsh.c
index 6bddb40..006b357 100644
--- a/crypto/heimdal/appl/afsutil/pagsh.c
+++ b/crypto/heimdal/appl/afsutil/pagsh.c
@@ -35,7 +35,7 @@
 #include <config.h>
 #endif
 
-RCSID("$Id: pagsh.c,v 1.3 1999/12/02 17:04:55 joda Exp $");
+RCSID("$Id: pagsh.c,v 1.4 2000/10/02 05:05:53 assar Exp $");
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -83,7 +83,7 @@ main(int argc, char **argv)
   f = mkstemp (tf + 5);
   close (f);
   unlink (tf + 5);
-  setenv("KRB5CCNAME", tf, 1);
+  esetenv("KRB5CCNAME", tf, 1);
 #endif
 
 #ifdef KRB4
@@ -91,7 +91,7 @@ main(int argc, char **argv)
   f = mkstemp (tf);
   close (f);
   unlink (tf);
-  setenv("KRBTKFILE", tf, 1);
+  esetenv("KRBTKFILE", tf, 1);
 #endif
 
   i = 0;
diff --git a/crypto/heimdal/appl/ftp/ChangeLog b/crypto/heimdal/appl/ftp/ChangeLog
index bcf72a7..58dd9f8 100644
--- a/crypto/heimdal/appl/ftp/ChangeLog
+++ b/crypto/heimdal/appl/ftp/ChangeLog
@@ -1,3 +1,156 @@
+2001-02-05  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/popen.c (ftpd_popen): avoid overwriting the bounds of argv
+	and gargv
+
+2001-01-30  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/gss_userok.c: use gss_krb5_copy_ccache
+
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/Makefile.am: move up LIB_otp so we do not end up picking
+ 	one from /usr/athena
+
+2001-01-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ls.c: fix bug in previous; make it easier to build test
+	version
+
+2001-01-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ls.c (lstat_file): handle case where file lives in `/'
+
+2001-01-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (pasv): close already open passive port
+
+2000-12-14  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ls.c: reverse time and size sort order (pointed out by
+	tege)
+
+2000-12-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c: make it possible to set list of good filename
+	characters from command line
+
+2000-12-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c: some spec-violating mirror software assumes that
+	you can do things like `LIST -CF'; don't pass `--' to ls so this
+	actually works
+
+	* ftpd/ls.c: implement -1CFx flags
+
+2000-12-08  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/gss_userok.c (gss_userok): handle getpwnam failing
+	* ftp/gssapi.c (gss_auth): be more explicit in error message
+
+2000-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.8: close list
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* ftp/main.c: add `-l' for no line-editing
+	* ftp/globals.c (readline): add
+	* ftp/ftp_var.h (lineedit): add variable indicated if we should
+	use readline
+
+2000-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftp/security.c (sec_read): fix bug in previous (from Jacques A.
+	Vidrine <n@nectar.com>)
+
+2000-11-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpcmd.y: only allow pasv if logged in
+
+2000-10-23  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c: change bad filename message slightly
+
+	* common/buffer.c: HAVE_ST_BLKSIZE -> HAVE_STRUCT_STAT_ST_BLKSIZE
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (*): check that fds are not too large to select on
+	* ftp/main.c (cmdscanner): print a newline upon EOF
+
+2000-09-19  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.h: add some attributes to prototypes of sec*
+	* ftp/extern.h (command): add attributes
+
+2000-08-31  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c: change redundant password message to something
+	people can understand
+
+2000-07-27  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/gss_userok.c (gss_userok): only do AFS iff KRB4
+	* ftpd/ftpd.c (krb5_verify): only do AFS stuff if KRB4
+
+2000-07-07  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c: do not call setproctitle with a variable as the
+	format string
+
+2000-07-01  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd_locl.h: krb5.h before kafs.h
+	* ftpd/ftpd.c (krb5_verify): static-ize
+	* ftpd/ftpd.c (krb5_verify): conditionalize on KRB5
+
+2000-06-21  Assar Westerlund  <assar@sics.se>
+
+	* ftpd: support for authenticating passwords with krb5, by Daniel
+	Kouril <kouril@ics.muni.cz>
+
+2000-06-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpcmd.y: change unix test to be negative
+	
+2000-05-18  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (args): should use `debug'.  From Onno van der
+	Linden <onno@simplex.nl>.
+
+2000-04-25  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (login): re-structure code so that we prompt for
+	password for ftp/anonymous
+
+2000-04-11  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (login): initialize tmp before calling fgets
+
+2000-04-02  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c: rename all st_mtime variables to avoid conflict with
+	#define.
+	* ftpd/ftpcmd.y: rename all st_mtime variables to avoid conflict
+	with #define.
+	* ftp/cmds.c: rename all st_mtime variables to avoid conflict with
+	#define.
+
+2000-03-26  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c, ftpd/ftpcmd.y, ftp/cmds.c: make sure to always call
+	time, ctime, and gmtime with `time_t's.  there were some types
+	(like in lastlog) that we believed to always be time_t.  this has
+	proven wrong on Solaris 8 in 64-bit mode, where they are stored as
+	32-bit quantities but time_t has gone up to 64 bits
+
+2000-03-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* call list_file for broken usages of nlst too
+
+	* ftpd/ftpd.c: call list_file for broken usages of nlst too
+
 2000-02-07  Assar Westerlund  <assar@sics.se>
 
 	* ftp/security.c (sec_read): more paranoia with return value from
diff --git a/crypto/heimdal/appl/ftp/Makefile.in b/crypto/heimdal/appl/ftp/Makefile.in
index 9c0d09d..e25633c 100644
--- a/crypto/heimdal/appl/ftp/Makefile.in
+++ b/crypto/heimdal/appl/ftp/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,28 +170,25 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 SUBDIRS = common ftp ftpd
+subdir = appl/ftp
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -181,13 +196,14 @@ CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
 DIST_COMMON =  ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 all: all-redirect
 .SUFFIXES:
@@ -207,8 +223,6 @@ Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 
-@SET_MAKE@
-
 all-recursive install-data-recursive install-exec-recursive \
 installdirs-recursive install-recursive uninstall-recursive  \
 check-recursive installcheck-recursive info-recursive dvi-recursive:
@@ -236,7 +250,7 @@ maintainer-clean-recursive:
 	dot_seen=no; \
 	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
 	  rev="$$subdir $$rev"; \
-	  test "$$subdir" = "." && dot_seen=yes; \
+	  if test "$$subdir" = "."; then dot_seen=yes; else :; fi; \
 	done; \
 	test "$$dot_seen" = "no" && rev=". $$rev"; \
 	target=`echo $@ | sed s/-recursive//`; \
@@ -257,15 +271,17 @@ tags-recursive:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -273,12 +289,14 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
 	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
    fi; \
 	done; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -291,17 +309,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/ftp
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	for subdir in $(SUBDIRS); do \
@@ -309,7 +326,6 @@ distdir: $(DISTFILES)
 	    test -d $(distdir)/$$subdir \
 	    || mkdir $(distdir)/$$subdir \
 	    || exit 1; \
-	    chmod 777 $(distdir)/$$subdir; \
 	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
 	      || exit 1; \
 	  fi; \
@@ -340,7 +356,7 @@ uninstall: uninstall-recursive
 all-am: Makefile all-local
 all-redirect: all-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs: installdirs-recursive
 installdirs-am:
 
@@ -354,6 +370,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-tags mostlyclean-generic
 
 mostlyclean: mostlyclean-recursive
@@ -374,19 +391,19 @@ maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
 
 maintainer-clean: maintainer-clean-recursive
 
-.PHONY: install-data-recursive uninstall-data-recursive \
-install-exec-recursive uninstall-exec-recursive installdirs-recursive \
-uninstalldirs-recursive all-recursive check-recursive \
-installcheck-recursive info-recursive dvi-recursive \
-mostlyclean-recursive distclean-recursive clean-recursive \
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
 maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
 distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
-distclean-generic clean-generic maintainer-clean-generic clean \
-mostlyclean distclean maintainer-clean
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
 install-suid-programs:
@@ -394,7 +411,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -406,8 +426,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -476,87 +496,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/ftp/common/Makefile.in b/crypto/heimdal/appl/ftp/common/Makefile.in
index 1dc613c..a46eff6 100644
--- a/crypto/heimdal/appl/ftp/common/Makefile.in
+++ b/crypto/heimdal/appl/ftp/common/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4) 
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) 
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,31 +170,31 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 noinst_LIBRARIES = libcommon.a
 
-libcommon_a_SOURCES =  	sockbuf.c 	buffer.c 	common.h
+libcommon_a_SOURCES = \
+	sockbuf.c \
+	buffer.c \
+	common.h
 
+subdir = appl/ftp/common
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -186,32 +204,34 @@ LIBRARIES =  $(noinst_LIBRARIES)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
+libcommon_a_AR = $(AR) cru
 libcommon_a_LIBADD = 
-libcommon_a_OBJECTS =  sockbuf.$(OBJEXT) buffer.$(OBJEXT)
+am_libcommon_a_OBJECTS =  sockbuf.$(OBJEXT) buffer.$(OBJEXT)
+libcommon_a_OBJECTS =  $(am_libcommon_a_OBJECTS)
 AR = ar
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libcommon_a_SOURCES)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(libcommon_a_SOURCES)
-OBJECTS = $(libcommon_a_OBJECTS)
+OBJECTS = $(am_libcommon_a_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/common/Makefile
 
@@ -229,20 +249,6 @@ distclean-noinstLIBRARIES:
 
 maintainer-clean-noinstLIBRARIES:
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -254,15 +260,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -275,28 +272,38 @@ maintainer-clean-libtool:
 
 libcommon.a: $(libcommon_a_OBJECTS) $(libcommon_a_DEPENDENCIES)
 	-rm -f libcommon.a
-	$(AR) cru libcommon.a $(libcommon_a_OBJECTS) $(libcommon_a_LIBADD)
+	$(libcommon_a_AR) libcommon.a $(libcommon_a_OBJECTS) $(libcommon_a_LIBADD)
 	$(RANLIB) libcommon.a
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -309,17 +316,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/ftp/common
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -348,7 +354,7 @@ uninstall: uninstall-am
 all-am: Makefile $(LIBRARIES) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 
 
@@ -361,6 +367,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-noinstLIBRARIES mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -397,7 +404,7 @@ distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -407,7 +414,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -419,8 +429,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -489,87 +499,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/ftp/common/buffer.c b/crypto/heimdal/appl/ftp/common/buffer.c
index 0385d49..ba7773b 100644
--- a/crypto/heimdal/appl/ftp/common/buffer.c
+++ b/crypto/heimdal/appl/ftp/common/buffer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -36,7 +36,7 @@
 #include <err.h>
 #include "roken.h"
 
-RCSID("$Id: buffer.c,v 1.3 1999/12/02 16:58:29 joda Exp $");
+RCSID("$Id: buffer.c,v 1.4 2000/10/23 04:49:25 joda Exp $");
 
 /*
  * Allocate a buffer enough to handle st->st_blksize, if
@@ -49,7 +49,7 @@ alloc_buffer (void *oldbuf, size_t *sz, struct stat *st)
     size_t new_sz;
 
     new_sz = BUFSIZ;
-#ifdef HAVE_ST_BLKSIZE
+#ifdef HAVE_STRUCT_STAT_ST_BLKSIZE
     if (st)
 	new_sz = max(BUFSIZ, st->st_blksize);
 #endif
diff --git a/crypto/heimdal/appl/ftp/ftp/Makefile.am b/crypto/heimdal/appl/ftp/ftp/Makefile.am
index e24025c..9a77c0b 100644
--- a/crypto/heimdal/appl/ftp/ftp/Makefile.am
+++ b/crypto/heimdal/appl/ftp/ftp/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.13 2000/01/06 15:11:43 assar Exp $
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:07 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -41,6 +41,6 @@ LDADD = \
 	$(LIB_gssapi) \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(LIB_roken) \
 	$(LIB_readline)
diff --git a/crypto/heimdal/appl/ftp/ftp/Makefile.in b/crypto/heimdal/appl/ftp/ftp/Makefile.in
index 6f8603d..1a28ad9 100644
--- a/crypto/heimdal/appl/ftp/ftp/Makefile.in
+++ b/crypto/heimdal/appl/ftp/ftp/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.13 2000/01/06 15:11:43 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:07 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,41 +170,60 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = 
 
 bin_PROGRAMS = ftp
 
-@KRB4_TRUE@krb4_sources = krb4.c kauth.c
-@KRB5_TRUE@krb5_sources = gssapi.c
-
-ftp_SOURCES =  	cmds.c 	cmdtab.c 	extern.h 	ftp.c 	ftp_locl.h 	ftp_var.h 	main.c 	pathnames.h 	ruserpass.c 	domacro.c 	globals.c 	security.c 	security.h 	$(krb4_sources) 	$(krb5_sources)
+@KRB4_TRUE@krb4_sources = @KRB4_TRUE@krb4.c kauth.c
+@KRB5_TRUE@krb5_sources = @KRB5_TRUE@gssapi.c
+
+ftp_SOURCES = \
+	cmds.c \
+	cmdtab.c \
+	extern.h \
+	ftp.c \
+	ftp_locl.h \
+	ftp_var.h \
+	main.c \
+	pathnames.h \
+	ruserpass.c \
+	domacro.c \
+	globals.c \
+	security.c \
+	security.h \
+	$(krb4_sources) \
+	$(krb5_sources)
 
 
 EXTRA_ftp_SOURCES = krb4.c kauth.c gssapi.c
 
 man_MANS = ftp.1
 
-LDADD =  	../common/libcommon.a 	$(LIB_gssapi) 	$(LIB_krb5) 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken) 	$(LIB_readline)
+LDADD = \
+	../common/libcommon.a \
+	$(LIB_gssapi) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(LIB_readline)
 
+subdir = appl/ftp/ftp
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -197,58 +234,57 @@ PROGRAMS =  $(bin_PROGRAMS)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-@KRB4_TRUE@@KRB5_FALSE@ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@am_ftp_OBJECTS =  cmds.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@cmdtab.$(OBJEXT) ftp.$(OBJEXT) main.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@ruserpass.$(OBJEXT) domacro.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@globals.$(OBJEXT) security.$(OBJEXT)
+@KRB4_FALSE@@KRB5_TRUE@am_ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@ftp.$(OBJEXT) main.$(OBJEXT) ruserpass.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@domacro.$(OBJEXT) globals.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@security.$(OBJEXT) gssapi.$(OBJEXT)
+@KRB4_TRUE@@KRB5_FALSE@am_ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
 @KRB4_TRUE@@KRB5_FALSE@ftp.$(OBJEXT) main.$(OBJEXT) ruserpass.$(OBJEXT) \
 @KRB4_TRUE@@KRB5_FALSE@domacro.$(OBJEXT) globals.$(OBJEXT) \
 @KRB4_TRUE@@KRB5_FALSE@security.$(OBJEXT) krb4.$(OBJEXT) \
 @KRB4_TRUE@@KRB5_FALSE@kauth.$(OBJEXT)
-@KRB4_FALSE@@KRB5_TRUE@ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
-@KRB4_FALSE@@KRB5_TRUE@ftp.$(OBJEXT) main.$(OBJEXT) ruserpass.$(OBJEXT) \
-@KRB4_FALSE@@KRB5_TRUE@domacro.$(OBJEXT) globals.$(OBJEXT) \
-@KRB4_FALSE@@KRB5_TRUE@security.$(OBJEXT) gssapi.$(OBJEXT)
-@KRB4_FALSE@@KRB5_FALSE@ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
-@KRB4_FALSE@@KRB5_FALSE@ftp.$(OBJEXT) main.$(OBJEXT) \
-@KRB4_FALSE@@KRB5_FALSE@ruserpass.$(OBJEXT) domacro.$(OBJEXT) \
-@KRB4_FALSE@@KRB5_FALSE@globals.$(OBJEXT) security.$(OBJEXT)
-@KRB4_TRUE@@KRB5_TRUE@ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@am_ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
 @KRB4_TRUE@@KRB5_TRUE@ftp.$(OBJEXT) main.$(OBJEXT) ruserpass.$(OBJEXT) \
 @KRB4_TRUE@@KRB5_TRUE@domacro.$(OBJEXT) globals.$(OBJEXT) \
 @KRB4_TRUE@@KRB5_TRUE@security.$(OBJEXT) krb4.$(OBJEXT) kauth.$(OBJEXT) \
 @KRB4_TRUE@@KRB5_TRUE@gssapi.$(OBJEXT)
+ftp_OBJECTS =  $(am_ftp_OBJECTS)
 ftp_LDADD = $(LDADD)
+@KRB5_FALSE@ftp_DEPENDENCIES =  ../common/libcommon.a
 @KRB5_TRUE@ftp_DEPENDENCIES =  ../common/libcommon.a \
 @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la \
 @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
-@KRB5_FALSE@ftp_DEPENDENCIES =  ../common/libcommon.a \
-@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
 ftp_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(ftp_SOURCES) $(EXTRA_ftp_SOURCES)
 man1dir = $(mandir)/man1
 MANS = $(man_MANS)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(ftp_SOURCES) $(EXTRA_ftp_SOURCES)
-OBJECTS = $(ftp_OBJECTS)
+OBJECTS = $(am_ftp_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/ftp/Makefile
 
@@ -271,31 +307,20 @@ install-binPROGRAMS: $(bin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(bindir)
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-binPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -307,15 +332,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -329,6 +345,12 @@ maintainer-clean-libtool:
 ftp$(EXEEXT): $(ftp_OBJECTS) $(ftp_DEPENDENCIES)
 	@rm -f ftp$(EXEEXT)
 	$(LINK) $(ftp_LDFLAGS) $(ftp_OBJECTS) $(ftp_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-man1:
 	$(mkinstalldirs) $(DESTDIR)$(man1dir)
@@ -343,6 +365,7 @@ install-man1:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
@@ -358,6 +381,7 @@ uninstall-man1:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
@@ -371,23 +395,27 @@ uninstall-man:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -400,17 +428,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/ftp/ftp
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -439,7 +466,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
 
@@ -453,6 +480,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -489,8 +517,9 @@ clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
 check-local check check-am installcheck-am installcheck install-exec-am \
 install-exec install-data-local install-data-am install-data install-am \
 install uninstall-am uninstall all-local all-redirect all-am all \
-installdirs mostlyclean-generic distclean-generic clean-generic \
-maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
 
 
 install-suid-programs:
@@ -498,7 +527,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -510,8 +542,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -580,87 +612,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/ftp/ftp/cmds.c b/crypto/heimdal/appl/ftp/ftp/cmds.c
index 7698313..c7a066d 100644
--- a/crypto/heimdal/appl/ftp/ftp/cmds.c
+++ b/crypto/heimdal/appl/ftp/ftp/cmds.c
@@ -36,7 +36,7 @@
  */
 
 #include "ftp_locl.h"
-RCSID("$Id: cmds.c,v 1.36 1999/09/16 20:37:28 assar Exp $");
+RCSID("$Id: cmds.c,v 1.41 2000/07/18 10:00:31 joda Exp $");
 
 typedef void (*sighand)(int);
 
@@ -435,7 +435,7 @@ void
 mput(int argc, char **argv)
 {
     int i;
-    RETSIGTYPE (*oldintr)();
+    RETSIGTYPE (*oldintr)(int);
     int ointer;
     char *tp;
 
@@ -566,16 +566,17 @@ get(int argc, char **argv)
 {
     char *mode;
 
-    if (restart_point)
+    if (restart_point) {
 	if (curtype == TYPE_I)
 	    mode = "r+wb";
 	else
 	    mode = "r+w";
-    else
+    } else {
 	if (curtype == TYPE_I)
 	    mode = "wb";
 	else
 	    mode = "w";
+    }
 
     getit(argc, argv, 0, mode);
 }
@@ -647,6 +648,7 @@ getit(int argc, char **argv, int restartit, char *mode)
 			int cmdret;
 			int yy, mo, day, hour, min, sec;
 			struct tm *tm;
+			time_t mtime = stbuf.st_mtime;
 
 			overbose = verbose;
 			if (debug == 0)
@@ -665,7 +667,7 @@ getit(int argc, char **argv, int restartit, char *mode)
 				return (0);
 			}
 
-			tm = gmtime(&stbuf.st_mtime);
+			tm = gmtime(&mtime);
 			tm->tm_mon++;
 			tm->tm_year += 1900;
 
@@ -1223,7 +1225,7 @@ void
 shell(int argc, char **argv)
 {
 	pid_t pid;
-	RETSIGTYPE (*old1)(), (*old2)();
+	RETSIGTYPE (*old1)(int), (*old2)(int);
 	char shellnam[40], *shell, *namep; 
 	int status;
 
@@ -1611,7 +1613,7 @@ void
 doproxy(int argc, char **argv)
 {
 	struct cmd *c;
-	RETSIGTYPE (*oldintr)();
+	RETSIGTYPE (*oldintr)(int);
 
 	if (argc < 2 && !another(&argc, &argv, "command")) {
 		printf("usage: %s command\n", argv[0]);
diff --git a/crypto/heimdal/appl/ftp/ftp/extern.h b/crypto/heimdal/appl/ftp/ftp/extern.h
index d488ecd..337bed6 100644
--- a/crypto/heimdal/appl/ftp/ftp/extern.h
+++ b/crypto/heimdal/appl/ftp/ftp/extern.h
@@ -33,7 +33,7 @@
  *	@(#)extern.h	8.3 (Berkeley) 10/9/94
  */
 
-/* $Id: extern.h,v 1.18 1999/10/28 20:49:10 assar Exp $ */
+/* $Id: extern.h,v 1.19 2000/09/19 13:15:12 assar Exp $ */
 
 #include <setjmp.h>
 #include <stdlib.h>
@@ -60,7 +60,8 @@ void	cdup (int, char **);
 void	changetype (int, int);
 void	cmdabort (int);
 void	cmdscanner (int);
-int	command (char *fmt, ...);
+int	command (char *fmt, ...)
+    __attribute__ ((format (printf, 1,2)));
 int	confirm (char *, char *);
 FILE   *dataconn (const char *);
 void	delete (int, char **);
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.1 b/crypto/heimdal/appl/ftp/ftp/ftp.1
index e5c21f0..9534d9e 100644
--- a/crypto/heimdal/appl/ftp/ftp/ftp.1
+++ b/crypto/heimdal/appl/ftp/ftp/ftp.1
@@ -50,6 +50,7 @@ file transfer program
 .Op Fl n
 .Op Fl g
 .Op Fl p
+.Op Fl l
 .Op Ar host
 .Sh DESCRIPTION
 .Nm Ftp
@@ -96,6 +97,8 @@ Turn on passive mode.
 Enables debugging.
 .It Fl g
 Disables file name globbing.
+.It Fl l
+Disables command line editing.
 .El
 .Pp
 The client host with which
@@ -913,7 +916,7 @@ if verbose is on, when a file transfer completes, statistics
 regarding the efficiency of the transfer are reported.
 By default,
 verbose is on.
-.It Ic ? Op Ar command
+.It Ic \&? Op Ar command
 A synonym for help.
 .El
 .Pp
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.c b/crypto/heimdal/appl/ftp/ftp/ftp.c
index 2e7a9dd..2f630f3 100644
--- a/crypto/heimdal/appl/ftp/ftp/ftp.c
+++ b/crypto/heimdal/appl/ftp/ftp/ftp.c
@@ -32,7 +32,7 @@
  */
 
 #include "ftp_locl.h"
-RCSID ("$Id: ftp.c,v 1.63 2000/01/08 07:43:47 assar Exp $");
+RCSID ("$Id: ftp.c,v 1.69 2000/10/08 13:15:33 assar Exp $");
 
 struct sockaddr_storage hisctladdr_ss;
 struct sockaddr *hisctladdr = (struct sockaddr *)&hisctladdr_ss;
@@ -60,7 +60,7 @@ hookup (const char *host, int port)
     struct addrinfo hints;
     int error;
     char portstr[NI_MAXSERV];
-    int len;
+    socklen_t len;
     int s;
 
     memset (&hints, 0, sizeof(hints));
@@ -190,8 +190,9 @@ login (char *host)
 	    printf ("Name (%s:%s): ", host, myname);
 	else
 	    printf ("Name (%s): ", host);
-	fgets (tmp, sizeof (tmp) - 1, stdin);
-	tmp[strlen (tmp) - 1] = '\0';
+	*tmp = '\0';
+	if (fgets (tmp, sizeof (tmp) - 1, stdin) != NULL)
+	    tmp[strlen (tmp) - 1] = '\0';
 	if (*tmp == '\0')
 	    user = myname;
 	else
@@ -199,25 +200,29 @@ login (char *host)
     }
     strlcpy(username, user, sizeof(username));
     n = command("USER %s", user);
-    if (n == CONTINUE) {
-	if(sec_complete)
-	    pass = myname;
-	else if (pass == NULL) {
+    if (n == COMPLETE) 
+       n = command("PASS dummy"); /* DK: Compatibility with gssftp daemon */
+    else if(n == CONTINUE) {
+	if (pass == NULL) {
 	    char prompt[128];
 	    if(myname && 
-	       (!strcmp(user, "ftp") || !strcmp(user, "anonymous"))){
+	       (!strcmp(user, "ftp") || !strcmp(user, "anonymous"))) {
 		snprintf(defaultpass, sizeof(defaultpass), 
 			 "%s@%s", myname, mydomain);
 		snprintf(prompt, sizeof(prompt), 
 			 "Password (%s): ", defaultpass);
-	    }else{
+	    } else if (sec_complete) {
+		pass = myname;
+	    } else {
 		*defaultpass = '\0';
 		snprintf(prompt, sizeof(prompt), "Password: ");
 	    }
-	    pass = defaultpass;
-	    des_read_pw_string (tmp, sizeof (tmp), prompt, 0);
-	    if (tmp[0])
-		pass = tmp;
+	    if (pass == NULL) {
+		pass = defaultpass;
+		des_read_pw_string (tmp, sizeof (tmp), prompt, 0);
+		if (tmp[0])
+		    pass = tmp;
+	    }
 	}
 	n = command ("PASS %s", pass);
     }
@@ -525,9 +530,9 @@ empty (fd_set * mask, int sec)
 {
     struct timeval t;
 
-    t.tv_sec = (long) sec;
+    t.tv_sec = sec;
     t.tv_usec = 0;
-    return (select (32, mask, NULL, NULL, &t));
+    return (select (FD_SETSIZE, mask, NULL, NULL, &t));
 }
 
 jmp_buf sendabort;
@@ -617,7 +622,7 @@ sendrequest (char *cmd, char *local, char *remote, char *lmode, int printnames)
     int c, d;
     FILE *fin, *dout = 0;
     int (*closefunc) (FILE *);
-    RETSIGTYPE (*oldintr)(), (*oldintp)();
+    RETSIGTYPE (*oldintr)(int), (*oldintp)(int);
     long bytes = 0, hashbytes = HASHBYTES;
     char *rmode = "w";
 
@@ -1235,7 +1240,7 @@ static int
 active_mode (void)
 {
     int tmpno = 0;
-    int len;
+    socklen_t len;
     int result;
 
 noport:
@@ -1361,7 +1366,8 @@ dataconn (const char *lmode)
 {
     struct sockaddr_storage from_ss;
     struct sockaddr *from = (struct sockaddr *)&from_ss;
-    int s, fromlen = sizeof (from_ss);
+    socklen_t fromlen = sizeof(from_ss);
+    int s;
 
     if (passivemode)
 	return (fdopen (data, lmode));
@@ -1621,6 +1627,8 @@ abort:
     pswitch (!proxy);
     if (cpend) {
 	FD_ZERO (&mask);
+	if (fileno(cin) >= FD_SETSIZE)
+	    errx (1, "fd too large");
 	FD_SET (fileno (cin), &mask);
 	if ((nfnd = empty (&mask, 10)) <= 0) {
 	    if (nfnd < 0) {
@@ -1649,6 +1657,8 @@ reset (int argc, char **argv)
 
     FD_ZERO (&mask);
     while (nfnd > 0) {
+	if (fileno (cin) >= FD_SETSIZE)
+	    errx (1, "fd too large");
 	FD_SET (fileno (cin), &mask);
 	if ((nfnd = empty (&mask, 0)) < 0) {
 	    warn ("reset");
@@ -1722,8 +1732,12 @@ abort_remote (FILE * din)
     fprintf (cout, "%cABOR\r\n", DM);
     fflush (cout);
     FD_ZERO (&mask);
+    if (fileno (cin) >= FD_SETSIZE)
+	errx (1, "fd too large");
     FD_SET (fileno (cin), &mask);
     if (din) {
+    if (fileno (din) >= FD_SETSIZE)
+	errx (1, "fd too large");
 	FD_SET (fileno (din), &mask);
     }
     if ((nfnd = empty (&mask, 10)) <= 0) {
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp_var.h b/crypto/heimdal/appl/ftp/ftp/ftp_var.h
index ffac59a..3dbe6b4 100644
--- a/crypto/heimdal/appl/ftp/ftp/ftp_var.h
+++ b/crypto/heimdal/appl/ftp/ftp/ftp_var.h
@@ -52,6 +52,7 @@ extern int	verbose;		/* print messages coming back from server */
 extern int	connected;		/* connected to server */
 extern int	fromatty;		/* input is from a terminal */
 extern int	interactive;		/* interactively prompt on m* cmds */
+extern int	lineedit;		/* use line-editing */
 extern int	debug;			/* debugging level */
 extern int	bell;			/* ring bell on cmd completion */
 extern int	doglob;			/* glob local file names */
@@ -101,6 +102,7 @@ extern int     cpend;                  /* flag: if != 0, then pending server rep
 extern int	mflag;			/* flag: if != 0, then active multi command */
 
 extern int	options;		/* used during socket creation */
+extern int      use_kerberos;           /* use Kerberos authentication */
 
 /*
  * Format of command table.
diff --git a/crypto/heimdal/appl/ftp/ftp/globals.c b/crypto/heimdal/appl/ftp/ftp/globals.c
index 7199e65..8a0e1c9 100644
--- a/crypto/heimdal/appl/ftp/ftp/globals.c
+++ b/crypto/heimdal/appl/ftp/ftp/globals.c
@@ -1,5 +1,5 @@
 #include "ftp_locl.h"
-RCSID("$Id: globals.c,v 1.6 1996/08/26 22:46:26 assar Exp $");
+RCSID("$Id: globals.c,v 1.8 2000/11/15 22:56:08 assar Exp $");
 
 /*
  * Options and other state info.
@@ -11,6 +11,7 @@ int	verbose;		/* print messages coming back from server */
 int	connected;		/* connected to server */
 int	fromatty;		/* input is from a terminal */
 int	interactive;		/* interactively prompt on m* cmds */
+int	lineedit;		/* use line-editing */
 int	debug;			/* debugging level */
 int	bell;			/* ring bell on cmd completion */
 int	doglob;			/* glob local file names */
@@ -60,6 +61,7 @@ int     cpend;                  /* flag: if != 0, then pending server reply */
 int	mflag;			/* flag: if != 0, then active multi command */
 
 int	options;		/* used during socket creation */
+int     use_kerberos;           /* use Kerberos authentication */
 
 /*
  * Format of command table.
diff --git a/crypto/heimdal/appl/ftp/ftp/gssapi.c b/crypto/heimdal/appl/ftp/ftp/gssapi.c
index d06b5d6..f875c4a 100644
--- a/crypto/heimdal/appl/ftp/ftp/gssapi.c
+++ b/crypto/heimdal/appl/ftp/ftp/gssapi.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -38,11 +38,12 @@
 #endif
 #include <gssapi.h>
 
-RCSID("$Id: gssapi.c,v 1.13 1999/12/02 16:58:29 joda Exp $");
+RCSID("$Id: gssapi.c,v 1.15 2000/12/08 05:07:49 assar Exp $");
 
 struct gss_data {
     gss_ctx_id_t context_hdl;
     char *client_name;
+    gss_cred_id_t delegated_cred_handle;
 };
 
 static int
@@ -50,7 +51,17 @@ gss_init(void *app_data)
 {
     struct gss_data *d = app_data;
     d->context_hdl = GSS_C_NO_CONTEXT;
+    d->delegated_cred_handle = NULL;
+#if defined(FTP_SERVER)
     return 0;
+#else
+    /* XXX Check the gss mechanism; with  gss_indicate_mechs() ? */
+#ifdef KRB5
+    return !use_kerberos;
+#else
+    return 0
+#endif /* KRB5 */
+#endif /* FTP_SERVER */
 }
 
 static int
@@ -168,6 +179,15 @@ gss_adat(void *app_data, void *buf, size_t len)
 
     input_token.value = buf;
     input_token.length = len;
+
+    d->delegated_cred_handle = malloc(sizeof(*d->delegated_cred_handle));
+    if (d->delegated_cred_handle == NULL) {
+       reply(500, "Out of memory");
+       goto out;
+    }
+
+    memset ((char*)d->delegated_cred_handle, 0,
+            sizeof(*d->delegated_cred_handle));
     
     maj_stat = gss_accept_sec_context (&min_stat,
 				       &d->context_hdl,
@@ -179,7 +199,7 @@ gss_adat(void *app_data, void *buf, size_t len)
 				       &output_token,
 				       NULL,
 				       NULL,
-				       NULL);
+                                       &d->delegated_cred_handle);
 
     if(output_token.length) {
 	if(base64_encode(output_token.value, output_token.length, &p) < 0) {
@@ -304,7 +324,8 @@ gss_auth(void *app_data, char *host)
 					&d->context_hdl,
 					target_name,
 					GSS_C_NO_OID,
-					GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
+                                        GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG
+                                          | GSS_C_DELEG_FLAG,
 					0,
 					bindings,
 					&input,
@@ -346,7 +367,8 @@ gss_auth(void *app_data, char *host)
 	if (maj_stat & GSS_S_CONTINUE_NEEDED) {
 	    p = strstr(reply_string, "ADAT=");
 	    if(p == NULL){
-		printf("Error: expected ADAT in reply.\n");
+		printf("Error: expected ADAT in reply. got: %s\n",
+		       reply_string);
 		return AUTH_ERROR;
 	    } else {
 		p+=5;
diff --git a/crypto/heimdal/appl/ftp/ftp/krb4.c b/crypto/heimdal/appl/ftp/ftp/krb4.c
index c89ba95..d057ed7 100644
--- a/crypto/heimdal/appl/ftp/ftp/krb4.c
+++ b/crypto/heimdal/appl/ftp/ftp/krb4.c
@@ -38,7 +38,7 @@
 #endif
 #include <krb.h>
 
-RCSID("$Id: krb4.c,v 1.37 1999/12/06 17:10:13 assar Exp $");
+RCSID("$Id: krb4.c,v 1.38 2000/06/21 02:46:09 assar Exp $");
 
 #ifdef FTP_SERVER
 #define LOCAL_ADDR ctrl_addr
@@ -202,6 +202,12 @@ struct sec_server_mech krb4_server_mech = {
 #else /* FTP_SERVER */
 
 static int
+krb4_init(void *app_data)
+{
+   return !use_kerberos;
+}
+
+static int
 mk_auth(struct krb4_data *d, KTEXT adat, 
 	char *service, char *host, int checksum)
 {
@@ -322,7 +328,7 @@ krb4_auth(void *app_data, char *host)
 struct sec_client_mech krb4_client_mech = {
     "KERBEROS_V4",
     sizeof(struct krb4_data),
-    NULL, /* init */
+    krb4_init, /* init */
     krb4_auth,
     NULL, /* end */
     krb4_check_prot,
diff --git a/crypto/heimdal/appl/ftp/ftp/main.c b/crypto/heimdal/appl/ftp/ftp/main.c
index dfe9e88..e1a4e14 100644
--- a/crypto/heimdal/appl/ftp/ftp/main.c
+++ b/crypto/heimdal/appl/ftp/ftp/main.c
@@ -36,7 +36,7 @@
  */
 
 #include "ftp_locl.h"
-RCSID("$Id: main.c,v 1.27 1999/11/13 06:18:02 assar Exp $");
+RCSID("$Id: main.c,v 1.30 2000/11/15 22:56:35 assar Exp $");
 
 int
 main(int argc, char **argv)
@@ -54,9 +54,11 @@ main(int argc, char **argv)
 	doglob = 1;
 	interactive = 1;
 	autologin = 1;
+	lineedit = 1;
 	passivemode = 0; /* passive mode not active */
+        use_kerberos = 1;
 
-	while ((ch = getopt(argc, argv, "dginptv")) != -1) {
+	while ((ch = getopt(argc, argv, "dgilnptvK")) != -1) {
 		switch (ch) {
 		case 'd':
 			options |= SO_DEBUG;
@@ -71,6 +73,9 @@ main(int argc, char **argv)
 			interactive = 0;
 			break;
 
+		case 'l':
+			lineedit = 0;
+			break;
 		case 'n':
 			autologin = 0;
 			break;
@@ -86,9 +91,14 @@ main(int argc, char **argv)
 			verbose++;
 			break;
 
+                case 'K':
+                        /* Disable Kerberos authentication */
+                        use_kerberos = 0;
+                        break;
+
 		default:
 		    fprintf(stderr,
-			    "usage: ftp [-dginptv] [host [port]]\n");
+                            "usage: ftp [-dgilnptvK] [host [port]]\n");
 		    exit(1);
 		}
 	}
@@ -200,10 +210,8 @@ tail(filename)
 }
 */
 
-#ifndef HAVE_READLINE
-
 static char *
-readline(char *prompt)
+simple_readline(char *prompt)
 {
     char buf[BUFSIZ];
     printf ("%s", prompt);
@@ -215,6 +223,14 @@ readline(char *prompt)
     return strdup(buf);
 }
 
+#ifndef HAVE_READLINE
+
+static char *
+readline(char *prompt)
+{
+    return simple_readline (prompt);
+}
+
 static void
 add_history(char *p)
 {
@@ -243,11 +259,17 @@ cmdscanner(int top)
     for (;;) {
 	if (fromatty) {
 	    char *p;
-	    p = readline("ftp> ");
-	    if(p == NULL)
+	    if (lineedit)
+		p = readline("ftp> ");
+	    else
+		p = simple_readline("ftp> ");
+	    if(p == NULL) {
+		printf("\n");
 		quit(0, 0);
+	    }
 	    strlcpy(line, p, sizeof(line));
-	    add_history(p);
+	    if (lineedit)
+		add_history(p);
 	    free(p);
 	} else{
 	    if (fgets(line, sizeof line, stdin) == NULL)
diff --git a/crypto/heimdal/appl/ftp/ftp/security.c b/crypto/heimdal/appl/ftp/ftp/security.c
index 8c90f5e..ab3785a 100644
--- a/crypto/heimdal/appl/ftp/ftp/security.c
+++ b/crypto/heimdal/appl/ftp/ftp/security.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -37,7 +37,7 @@
 #include "ftp_locl.h"
 #endif
 
-RCSID("$Id: security.c,v 1.16 2000/02/07 03:11:43 assar Exp $");
+RCSID("$Id: security.c,v 1.17 2000/11/08 23:30:32 joda Exp $");
 
 static enum protection_level command_prot;
 static enum protection_level data_prot;
@@ -237,7 +237,7 @@ sec_read(int fd, void *data, int length)
 	ret = sec_get_data(fd, &in_buffer, data_prot);
 	if (ret < 0)
 	    return -1;
-	if(ret == 0 || in_buffer.size == 0) {
+	if(ret == 0 && in_buffer.size == 0) {
 	    if(rx)
 		in_buffer.eof_flag = 1;
 	    return rx;
diff --git a/crypto/heimdal/appl/ftp/ftp/security.h b/crypto/heimdal/appl/ftp/ftp/security.h
index 6fe0694..47e7084 100644
--- a/crypto/heimdal/appl/ftp/ftp/security.h
+++ b/crypto/heimdal/appl/ftp/ftp/security.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: security.h,v 1.7 1999/12/02 16:58:30 joda Exp $ */
+/* $Id: security.h,v 1.9 2000/10/04 06:07:52 assar Exp $ */
 
 #ifndef __security_h__
 #define __security_h__
@@ -94,14 +94,18 @@ void delete_ftp_command(void);
 
 
 int sec_fflush (FILE *);
-int sec_fprintf (FILE *, const char *, ...);
+int sec_fprintf (FILE *, const char *, ...)
+    __attribute__ ((format (printf, 2,3)));
 int sec_getc (FILE *);
 int sec_putc (int, FILE *);
 int sec_read (int, void *, int);
 int sec_read_msg (char *, int);
-int sec_vfprintf (FILE *, const char *, va_list);
-int sec_fprintf2(FILE *f, const char *fmt, ...);
-int sec_vfprintf2(FILE *, const char *, va_list);
+int sec_vfprintf (FILE *, const char *, va_list)
+    __attribute__ ((format (printf, 2,0)));
+int sec_fprintf2(FILE *f, const char *fmt, ...)
+    __attribute__ ((format (printf, 2,3)));
+int sec_vfprintf2(FILE *, const char *, va_list)
+    __attribute__ ((format (printf, 2,0)));
 int sec_write (int, char *, int);
 
 #ifdef FTP_SERVER
diff --git a/crypto/heimdal/appl/ftp/ftpd/Makefile.am b/crypto/heimdal/appl/ftp/ftpd/Makefile.am
index 92d8e7c..8753739 100644
--- a/crypto/heimdal/appl/ftp/ftpd/Makefile.am
+++ b/crypto/heimdal/appl/ftp/ftpd/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.21 2000/01/06 15:10:57 assar Exp $
+# $Id: Makefile.am,v 1.23 2001/01/28 23:17:36 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -48,9 +48,9 @@ man_MANS = ftpd.8 ftpusers.5
 LDADD = ../common/libcommon.a \
 	$(LIB_kafs) \
 	$(LIB_gssapi) \
+	$(LIB_otp) \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(LIB_otp) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(LIB_roken) \
 	$(DBLIB)
diff --git a/crypto/heimdal/appl/ftp/ftpd/Makefile.in b/crypto/heimdal/appl/ftp/ftpd/Makefile.in
index 1cd211b..a3fa628 100644
--- a/crypto/heimdal/appl/ftp/ftpd/Makefile.in
+++ b/crypto/heimdal/appl/ftp/ftpd/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.21 2000/01/06 15:10:57 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.23 2001/01/28 23:17:36 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,33 +170,40 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = 
 
 libexec_PROGRAMS = ftpd
 
-@KRB4_TRUE@krb4_sources = krb4.c kauth.c
-@KRB5_TRUE@krb5_sources = gssapi.c gss_userok.c
+@KRB4_TRUE@krb4_sources = @KRB4_TRUE@krb4.c kauth.c
+@KRB5_TRUE@krb5_sources = @KRB5_TRUE@gssapi.c gss_userok.c
 
-ftpd_SOURCES =  	extern.h		ftpcmd.y		ftpd.c			ftpd_locl.h		logwtmp.c		ls.c			pathnames.h		popen.c			security.c		$(krb4_sources) 	$(krb5_sources)
+ftpd_SOURCES = \
+	extern.h	\
+	ftpcmd.y	\
+	ftpd.c		\
+	ftpd_locl.h	\
+	logwtmp.c	\
+	ls.c		\
+	pathnames.h	\
+	popen.c		\
+	security.c	\
+	$(krb4_sources) \
+	$(krb5_sources)
 
 
 EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c
@@ -187,8 +212,17 @@ CLEANFILES = security.c security.h krb4.c gssapi.c ftpcmd.c
 
 man_MANS = ftpd.8 ftpusers.5
 
-LDADD = ../common/libcommon.a 	$(LIB_kafs) 	$(LIB_gssapi) 	$(LIB_krb5) 	$(LIB_krb4) 	$(LIB_otp) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken) 	$(DBLIB)
+LDADD = ../common/libcommon.a \
+	$(LIB_kafs) \
+	$(LIB_gssapi) \
+	$(LIB_otp) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
 
+subdir = appl/ftp/ftpd
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -199,65 +233,62 @@ PROGRAMS =  $(libexec_PROGRAMS)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-@KRB4_TRUE@@KRB5_FALSE@ftpd_OBJECTS =  ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) \
-@KRB4_TRUE@@KRB5_FALSE@logwtmp.$(OBJEXT) ls.$(OBJEXT) popen.$(OBJEXT) \
-@KRB4_TRUE@@KRB5_FALSE@security.$(OBJEXT) krb4.$(OBJEXT) \
-@KRB4_TRUE@@KRB5_FALSE@kauth.$(OBJEXT)
-@KRB4_FALSE@@KRB5_TRUE@ftpd_OBJECTS =  ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) \
-@KRB4_FALSE@@KRB5_TRUE@logwtmp.$(OBJEXT) ls.$(OBJEXT) popen.$(OBJEXT) \
-@KRB4_FALSE@@KRB5_TRUE@security.$(OBJEXT) gssapi.$(OBJEXT) \
-@KRB4_FALSE@@KRB5_TRUE@gss_userok.$(OBJEXT)
-@KRB4_FALSE@@KRB5_FALSE@ftpd_OBJECTS =  ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) \
-@KRB4_FALSE@@KRB5_FALSE@logwtmp.$(OBJEXT) ls.$(OBJEXT) popen.$(OBJEXT) \
-@KRB4_FALSE@@KRB5_FALSE@security.$(OBJEXT)
-@KRB4_TRUE@@KRB5_TRUE@ftpd_OBJECTS =  ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@am_ftpd_OBJECTS =  ftpcmd.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@ftpd.$(OBJEXT) logwtmp.$(OBJEXT) ls.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@popen.$(OBJEXT) security.$(OBJEXT)
+@KRB4_FALSE@@KRB5_TRUE@am_ftpd_OBJECTS =  ftpcmd.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@ftpd.$(OBJEXT) logwtmp.$(OBJEXT) ls.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@popen.$(OBJEXT) security.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@gssapi.$(OBJEXT) gss_userok.$(OBJEXT)
+@KRB4_TRUE@@KRB5_FALSE@am_ftpd_OBJECTS =  ftpcmd.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@ftpd.$(OBJEXT) logwtmp.$(OBJEXT) ls.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@popen.$(OBJEXT) security.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@krb4.$(OBJEXT) kauth.$(OBJEXT)
+@KRB4_TRUE@@KRB5_TRUE@am_ftpd_OBJECTS =  ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) \
 @KRB4_TRUE@@KRB5_TRUE@logwtmp.$(OBJEXT) ls.$(OBJEXT) popen.$(OBJEXT) \
 @KRB4_TRUE@@KRB5_TRUE@security.$(OBJEXT) krb4.$(OBJEXT) kauth.$(OBJEXT) \
 @KRB4_TRUE@@KRB5_TRUE@gssapi.$(OBJEXT) gss_userok.$(OBJEXT)
+ftpd_OBJECTS =  $(am_ftpd_OBJECTS)
 ftpd_LDADD = $(LDADD)
-@KRB4_TRUE@@KRB5_FALSE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
-@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
-@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_FALSE@ftpd_DEPENDENCIES =  ../common/libcommon.a
 @KRB4_FALSE@@KRB5_TRUE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
 @KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la \
 @KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
-@KRB4_FALSE@@KRB5_FALSE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
-@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@@KRB5_FALSE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
 @KRB4_TRUE@@KRB5_TRUE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
 @KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
 @KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la \
 @KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
 ftpd_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(ftpd_SOURCES) $(EXTRA_ftpd_SOURCES)
 man5dir = $(mandir)/man5
 man8dir = $(mandir)/man8
 MANS = $(man_MANS)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in ftpcmd.c
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(ftpd_SOURCES) $(EXTRA_ftpd_SOURCES)
-OBJECTS = $(ftpd_OBJECTS)
+OBJECTS = $(am_ftpd_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x .y
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x .y
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/ftpd/Makefile
 
@@ -280,31 +311,20 @@ install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-libexecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -316,15 +336,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -338,12 +349,17 @@ maintainer-clean-libtool:
 ftpd$(EXEEXT): $(ftpd_OBJECTS) $(ftpd_DEPENDENCIES)
 	@rm -f ftpd$(EXEEXT)
 	$(LINK) $(ftpd_LDFLAGS) $(ftpd_OBJECTS) $(ftpd_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 .y.c:
 	$(YACC) $(AM_YFLAGS) $(YFLAGS) $< && mv y.tab.c $*.c
 	if test -f y.tab.h; then \
 	if cmp -s y.tab.h $*.h; then rm -f y.tab.h; else mv y.tab.h $*.h; fi; \
 	else :; fi
-ftpcmd.h: ftpcmd.c
 
 
 install-man5:
@@ -359,6 +375,7 @@ install-man5:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst; \
@@ -374,6 +391,7 @@ uninstall-man5:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man5dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man5dir)/$$inst; \
@@ -392,6 +410,7 @@ install-man8:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
@@ -407,6 +426,7 @@ uninstall-man8:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
@@ -420,23 +440,27 @@ uninstall-man:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -449,17 +473,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/ftp/ftpd
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -488,7 +511,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(mandir)/man5 \
 		$(DESTDIR)$(mandir)/man8
@@ -504,7 +527,8 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
-	-test -z "ftpcmdhftpcmdc" || rm -f ftpcmdh ftpcmdc
+	-rm -f Makefile.in
+	-test -z "ftpcmd.c" || rm -f ftpcmd.c
 mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -543,7 +567,7 @@ distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -553,7 +577,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -565,8 +592,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -635,87 +662,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/ftp/ftpd/extern.h b/crypto/heimdal/appl/ftp/ftpd/extern.h
index 2e1e0d0..e976b55 100644
--- a/crypto/heimdal/appl/ftp/ftpd/extern.h
+++ b/crypto/heimdal/appl/ftp/ftpd/extern.h
@@ -76,17 +76,11 @@ FILE   *ftpd_popen(char *, char *, int, int);
 char   *ftpd_getline(char *, int);
 void	ftpd_logwtmp(char *, char *, char *);
 void	lreply(int, const char *, ...)
-#ifdef __GNUC__
-__attribute__ ((format (printf, 2, 3)))
-#endif
-;
+    __attribute__ ((format (printf, 2, 3)));
 void	makedir(char *);
 void	nack(char *);
 void	nreply(const char *, ...)
-#ifdef __GNUC__
-__attribute__ ((format (printf, 1, 2)))
-#endif
-;
+    __attribute__ ((format (printf, 1, 2)));
 void	pass(char *);
 void	pasv(void);
 void	perror_reply(int, const char *);
@@ -95,17 +89,11 @@ void	removedir(char *);
 void	renamecmd(char *, char *);
 char   *renamefrom(char *);
 void	reply(int, const char *, ...)
-#ifdef __GNUC__
-__attribute__ ((format (printf, 2, 3)))
-#endif
-;
+    __attribute__ ((format (printf, 2, 3)));
 void	retrieve(const char *, char *);
 void	send_file_list(char *);
 void	setproctitle(const char *, ...)
-#ifdef __GNUC__
-__attribute__ ((format (printf, 1, 2)))
-#endif
-;
+    __attribute__ ((format (printf, 1, 2)));
 void	statcmd(void);
 void	statfilecmd(char *);
 void	do_store(char *, char *, int);
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y b/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y
index 07ff9a5..8a67a61 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y
@@ -43,7 +43,7 @@
 %{
 
 #include "ftpd_locl.h"
-RCSID("$Id: ftpcmd.y,v 1.56 1999/10/26 11:56:23 assar Exp $");
+RCSID("$Id: ftpcmd.y,v 1.60 2000/11/05 16:53:20 joda Exp $");
 
 off_t	restart_point;
 
@@ -159,18 +159,21 @@ cmd
 			eprt ($3);
 			free ($3);
 		}
-	| PASV CRLF
+	| PASV CRLF check_login
 		{
+		    if($3)
 			pasv ();
 		}
-	| EPSV CRLF
+	| EPSV CRLF check_login
 		{
+		    if($3)
 			epsv (NULL);
 		}
-	| EPSV SP STRING CRLF
+	| EPSV SP STRING CRLF check_login
 		{
+		    if($5)
 			epsv ($3);
-			free ($3);
+		    free ($3);
 		}
 	| TYPE SP type_code CRLF
 		{
@@ -577,7 +580,7 @@ cmd
 		}
 	| SYST CRLF
 		{
-#if defined(unix) || defined(__unix__) || defined(__unix) || defined(_AIX) || defined(_CRAY)
+#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
 		    reply(215, "UNIX Type: L%d", NBBY);
 #else
 		    reply(215, "UNKNOWN Type: L%d", NBBY);
@@ -620,7 +623,9 @@ cmd
 					      "%s: not a plain file.", $3);
 				} else {
 					struct tm *t;
-					t = gmtime(&stbuf.st_mtime);
+					time_t mtime = stbuf.st_mtime;
+
+					t = gmtime(&mtime);
 					reply(213,
 					      "%04d%02d%02d%02d%02d%02d",
 					      t->tm_year + 1900,
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.8 b/crypto/heimdal/appl/ftp/ftpd/ftpd.8
index c51de1c..872a7b8 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpd.8
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.8
@@ -81,7 +81,7 @@ but only OTP is allowed.
 .It Ar ftp
 Allow anonymous login.
 .El
-
+.Pp
 The following combination modes exists for backwards compatibility:
 .Bl -tag -width plain
 .It Ar none
@@ -319,7 +319,7 @@ that the
 .Dq ftp
 subtree be constructed with care, consider following these guidelines
 for anonymous ftp.
-
+.Pp
 In general all files should be owned by
 .Dq root ,
 and have non-write permissions (644 or 755 depending on the kind of
@@ -377,7 +377,7 @@ and
 .Xr group 5
 files here, ls will be able to produce owner names rather than
 numbers. Remember to remove any passwords from these files.  
-
+.Pp
 The file
 .Pa motd ,
 if present, will be printed after a successful login.
@@ -388,7 +388,7 @@ here.
 .It Pa ~ftp/pub
 Traditional place to put whatever you want to make public.
 .El
-
+.Pp
 If you want guests to be able to upload files, create a
 .Pa ~ftp/incoming
 directory owned by 
@@ -459,6 +459,7 @@ FTP PROTOCOL SPECIFICATION
 OTP Specification
 .It Cm RFC 2228
 FTP Security Extensions.
+.El
 .Sh BUGS
 The server must run as the super-user
 to create sockets with privileged port numbers.  It maintains
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.c b/crypto/heimdal/appl/ftp/ftpd/ftpd.c
index 21b3e44..4db5e9f 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpd.c
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.c
@@ -38,7 +38,7 @@
 #endif
 #include "getarg.h"
 
-RCSID("$Id: ftpd.c,v 1.137 2000/01/05 13:46:04 joda Exp $");
+RCSID("$Id: ftpd.c,v 1.153 2001/01/18 09:14:59 joda Exp $");
 
 static char version[] = "Version 6.00";
 
@@ -195,7 +195,6 @@ parse_auth_level(char *str)
  * Print usage and die.
  */
 
-static int debug_flag;
 static int interactive_flag;
 static char *guest_umask_string;
 static char *port_string;
@@ -207,6 +206,8 @@ int use_builtin_ls = -1;
 static int help_flag;
 static int version_flag;
 
+static const char *good_chars = "+-=_,.";
+
 struct getargs args[] = {
     { NULL, 'a', arg_string, &auth_string, "required authentication" },
     { NULL, 'i', arg_flag, &interactive_flag, "don't assume stdin is a socket" },
@@ -216,9 +217,10 @@ struct getargs args[] = {
     { NULL, 't', arg_integer, &ftpd_timeout, "initial timeout" },
     { NULL, 'T', arg_integer, &maxtimeout, "max timeout" },
     { NULL, 'u', arg_string, &umask_string, "umask for user logins" },
-    { NULL, 'd', arg_flag, &debug_flag, "enable debugging" },
-    { NULL, 'v', arg_flag, &debug_flag, "enable debugging" },
+    { NULL, 'd', arg_flag, &debug, "enable debugging" },
+    { NULL, 'v', arg_flag, &debug, "enable debugging" },
     { "builtin-ls", 'B', arg_flag, &use_builtin_ls, "use built-in ls to list files" },
+    { "good-chars", 0, arg_string, &good_chars, "allowed anonymous upload filename chars" },
     { "version", 0, arg_flag, &version_flag },
     { "help", 'h', arg_flag, &help_flag }
 };
@@ -253,9 +255,8 @@ show_file(const char *file, int code)
 int
 main(int argc, char **argv)
 {
-    int his_addr_len, ctrl_addr_len, on = 1, tos;
-    char *cp, line[LINE_MAX];
-    FILE *fd;
+    socklen_t his_addr_len, ctrl_addr_len;
+    int on = 1;
     int port;
     struct servent *sp;
 
@@ -263,17 +264,20 @@ main(int argc, char **argv)
 
     set_progname (argv[0]);
 
-#ifdef KRB4
     /* detach from any tickets and tokens */
     {
+#ifdef KRB4
 	char tkfile[1024];
 	snprintf(tkfile, sizeof(tkfile),
 		 "/tmp/ftp_%u", (unsigned)getpid());
 	krb_set_tkt_string(tkfile);
+#endif
+#if defined(KRB4) && defined(KRB5)
 	if(k_hasafs())
 	    k_setpag();
-    }
 #endif
+    }
+
     if(getarg(args, num_args, argc, argv, &optind))
 	usage(1);
 
@@ -350,10 +354,13 @@ main(int argc, char **argv)
 	exit(1);
     }
 #if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
-    tos = IPTOS_LOWDELAY;
-    if (setsockopt(STDIN_FILENO, IPPROTO_IP, IP_TOS,
-		   (void *)&tos, sizeof(int)) < 0)
-	syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+    {
+	int tos = IPTOS_LOWDELAY;
+
+	if (setsockopt(STDIN_FILENO, IPPROTO_IP, IP_TOS,
+		       (void *)&tos, sizeof(int)) < 0)
+	    syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+    }
 #endif
     data_source->sa_family = ctrl_addr->sa_family;
     socket_set_port (data_source,
@@ -709,7 +716,6 @@ checkaccess(char *name)
 
 int do_login(int code, char *passwd)
 {
-    FILE *fd;
     login_attempts = 0;		/* this time successful */
     if (setegid((gid_t)pw->pw_gid) < 0) {
 	reply(550, "Can't set gid.");
@@ -833,6 +839,51 @@ end_login(void)
 	dochroot = 0;
 }
 
+#ifdef KRB5
+static int
+krb5_verify(struct passwd *pwd, char *passwd)
+{
+   krb5_context context;  
+   krb5_ccache  id;
+   krb5_principal princ;
+   krb5_error_code ret;
+  
+   ret = krb5_init_context(&context);
+   if(ret)
+        return ret;
+
+  ret = krb5_parse_name(context, pwd->pw_name, &princ);
+  if(ret){
+        krb5_free_context(context);
+        return ret;
+  }
+  ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+  if(ret){
+        krb5_free_principal(context, princ);
+        krb5_free_context(context);
+        return ret;
+  }
+  ret = krb5_verify_user(context,
+                         princ,
+                         id,
+                         passwd,
+                         1,
+                         NULL);
+  krb5_free_principal(context, princ);
+#ifdef KRB4
+  if (k_hasafs()) {
+      k_setpag();
+      krb5_afslog_uid_home(context, id,NULL, NULL,pwd->pw_uid, pwd->pw_dir);
+  }
+#endif /* KRB4 */
+  krb5_cc_destroy(context, id);
+  krb5_free_context (context);
+  if(ret) 
+      return ret;
+  return 0;
+}
+#endif /* KRB5 */
+
 void
 pass(char *passwd)
 {
@@ -840,8 +891,8 @@ pass(char *passwd)
 
 	/* some clients insists on sending a password */
 	if (logged_in && askpasswd == 0){
-	     reply(230, "Dumpucko!");
-	     return;
+	    reply(230, "Password not necessary");
+	    return;
 	}
 
 	if (logged_in || askpasswd == 0) {
@@ -859,19 +910,25 @@ pass(char *passwd)
 		}
 #endif
 		else if((auth_level & AUTH_OTP) == 0) {
+#ifdef KRB5
+		    rval = krb5_verify(pw, passwd);
+#endif
 #ifdef KRB4
-		    char realm[REALM_SZ];
-		    if((rval = krb_get_lrealm(realm, 1)) == KSUCCESS)
-			rval = krb_verify_user(pw->pw_name,
-					       "", realm, 
-					       passwd, 
-					       KRB_VERIFY_SECURE, NULL);
-		    if (rval == KSUCCESS ) {
-			chown (tkt_string(), pw->pw_uid, pw->pw_gid);
-			if(k_hasafs())
-			    krb_afslog(0, 0);
-		    } else 
+		    if (rval) {
+			char realm[REALM_SZ];
+			if((rval = krb_get_lrealm(realm, 1)) == KSUCCESS)
+			    rval = krb_verify_user(pw->pw_name,
+						   "", realm, 
+						   passwd, 
+						   KRB_VERIFY_SECURE, NULL);
+			if (rval == KSUCCESS ) {
+			    chown (tkt_string(), pw->pw_uid, pw->pw_gid);
+			    if(k_hasafs())
+				krb_afslog(0, 0);
+			}
+		    }
 #endif
+		    if (rval)
 			rval = unix_verify_user(pw->pw_name, passwd);
 		} else {
 		    char *s;
@@ -1048,7 +1105,6 @@ done:
 int 
 filename_check(char *filename)
 {
-  static const char good_chars[] = "+-=_,.";
     char *p;
 
     p = strrchr(filename, '/');
@@ -1064,7 +1120,7 @@ filename_check(char *filename)
 	if(*p == '\0')
 	    return 0;
     }
-    lreply(553, "\"%s\" is an illegal filename.", filename);
+    lreply(553, "\"%s\" is not an acceptable filename.", filename);
     lreply(553, "The filename must start with an alphanumeric "
 	   "character and must only");
     reply(553, "consist of alphanumeric characters or any of the following: %s", 
@@ -1201,7 +1257,7 @@ dataconn(const char *name, off_t size, const char *mode)
 		struct sockaddr_storage from_ss;
 		struct sockaddr *from = (struct sockaddr *)&from_ss;
 		int s;
-		int fromlen = sizeof(from_ss);
+		socklen_t fromlen = sizeof(from_ss);
 
 		s = accept(pdata, from, &fromlen);
 		if (s < 0) {
@@ -1869,7 +1925,7 @@ myoob(int signo)
 void
 pasv(void)
 {
-	int len;
+	socklen_t len;
 	char *p, *a;
 	struct sockaddr_in *sin;
 
@@ -1879,6 +1935,9 @@ pasv(void)
 		return;
 	}
 
+	if(pdata != -1)
+	    close(pdata);
+
 	pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
 	if (pdata < 0) {
 		perror_reply(425, "Can't open passive connection");
@@ -1919,7 +1978,7 @@ pasv_error:
 void
 epsv(char *proto)
 {
-	int len;
+	socklen_t len;
 
 	pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
 	if (pdata < 0) {
@@ -2080,9 +2139,9 @@ list_file(char *file)
 	pdata = -1;
     } else {
 #ifdef HAVE_LS_A
-	const char *cmd = "/bin/ls -lA -- %s";
+	const char *cmd = "/bin/ls -lA %s";
 #else
-	const char *cmd = "/bin/ls -la -- %s";
+	const char *cmd = "/bin/ls -la %s";
 #endif
 	retrieve(cmd, file);
     }
@@ -2133,8 +2192,8 @@ send_file_list(char *whichf)
        */
       if (dirname[0] == '-' && *dirlist == NULL &&
 	  transflag == 0) {
-	retrieve("/bin/ls -- %s", dirname);
-	goto out;
+	  list_file(dirname);
+	  goto out;
       }
       perror_reply(550, whichf);
       if (dout != NULL) {
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h b/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h
index 5cb4904..1497b43 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: ftpd_locl.h,v 1.9 1999/12/02 16:58:30 joda Exp $ */
+/* $Id: ftpd_locl.h,v 1.12 2000/09/19 13:16:44 assar Exp $ */
 
 #ifndef __ftpd_locl_h__
 #define __ftpd_locl_h__
@@ -134,6 +134,7 @@
 #endif
 
 #include <err.h>
+#include "roken.h"
 
 #include "pathnames.h"
 #include "extern.h"
@@ -141,13 +142,15 @@
 
 #include "security.h"
 
-#include "roken.h"
+#ifdef KRB5
+#include <krb5.h>
+#endif /* KRB5 */
 
 #ifdef KRB4
 #include <krb.h>
 #include <kafs.h>
 #endif
-
+ 
 #ifdef OTP
 #include <otp.h>
 #endif
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpusers.5 b/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
index dfd66f9..c06561b 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
@@ -1,4 +1,4 @@
-.\"	$Id: ftpusers.5,v 1.2 1997/05/07 20:11:11 joda Exp $
+.\"	$Id: ftpusers.5,v 1.3 2001/01/11 16:16:26 assar Exp $
 .\"
 .Dd May 7, 1997
 .Dt FTPUSERS 5
@@ -20,7 +20,7 @@ matches any user.  Users that has an explicit
 .Dq allow ,
 or that does not match any line, are allowed access. Anyone else is
 denied access.
-
+.Pp
 Note that this is compatible with the old format, where this file
 contained a list of users that should be denied access.
 .Sh EXAMPLES
diff --git a/crypto/heimdal/appl/ftp/ftpd/gss_userok.c b/crypto/heimdal/appl/ftp/ftpd/gss_userok.c
index 28e3596..7b3caf2 100644
--- a/crypto/heimdal/appl/ftp/ftpd/gss_userok.c
+++ b/crypto/heimdal/appl/ftp/ftpd/gss_userok.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -35,7 +35,7 @@
 #include <gssapi.h>
 #include <krb5.h>
 
-RCSID("$Id: gss_userok.c,v 1.2 1999/12/02 16:58:31 joda Exp $");
+RCSID("$Id: gss_userok.c,v 1.7 2001/01/30 00:36:58 assar Exp $");
 
 /* XXX a bit too much of krb5 dependency here... 
    What is the correct way to do this? 
@@ -47,6 +47,7 @@ extern krb5_context gssapi_krb5_context;
 struct gss_data {
     gss_ctx_id_t context_hdl;
     char *client_name;
+    gss_cred_id_t delegated_cred_handle;
 };
 
 int gss_userok(void*, char*); /* to keep gcc happy */
@@ -58,12 +59,67 @@ gss_userok(void *app_data, char *username)
     if(gssapi_krb5_context) {
 	krb5_principal client;
 	krb5_error_code ret;
+        
 	ret = krb5_parse_name(gssapi_krb5_context, data->client_name, &client);
 	if(ret)
 	    return 1;
 	ret = krb5_kuserok(gssapi_krb5_context, client, username);
+        if (!ret) {
+           krb5_free_principal(gssapi_krb5_context, client);
+           return 1;
+        }
+        
+        ret = 0;
+        
+        /* more of krb-depend stuff :-( */
+	/* gss_add_cred() ? */
+        if (data->delegated_cred_handle && 
+            data->delegated_cred_handle->ccache ) {
+            
+           krb5_ccache ccache = NULL; 
+           char* ticketfile;
+           struct passwd *pw;
+	   OM_uint32 minor_status;
+           
+           pw = getpwnam(username);
+           
+	   if (pw == NULL) {
+	       ret = 1;
+	       goto fail;
+	   }
+
+           asprintf (&ticketfile, "%s%u", KRB5_DEFAULT_CCROOT, pw->pw_uid);
+        
+           ret = krb5_cc_resolve(gssapi_krb5_context, ticketfile, &ccache);
+           if (ret)
+              goto fail;
+           
+           ret = gss_krb5_copy_ccache(&minor_status,
+				      data->delegated_cred_handle,
+				      ccache);
+           if (ret)
+              goto fail;
+           
+           chown (ticketfile+5, pw->pw_uid, pw->pw_gid);
+           
+#ifdef KRB4
+           if (k_hasafs()) {
+              krb5_afslog(gssapi_krb5_context, ccache, 0, 0);
+           }
+#endif
+           esetenv ("KRB5CCNAME", ticketfile, 1);
+           
+fail:
+           if (ccache)
+              krb5_cc_close(gssapi_krb5_context, ccache); 
+           krb5_cc_destroy(gssapi_krb5_context, 
+                           data->delegated_cred_handle->ccache);
+           data->delegated_cred_handle->ccache = NULL;
+           free(ticketfile);
+        }
+           
 	krb5_free_principal(gssapi_krb5_context, client);
-	return !ret;
+        return ret;
     }
     return 1;
 }
diff --git a/crypto/heimdal/appl/ftp/ftpd/logwtmp.c b/crypto/heimdal/appl/ftp/ftpd/logwtmp.c
index 019cc2d..51139a8 100644
--- a/crypto/heimdal/appl/ftp/ftpd/logwtmp.c
+++ b/crypto/heimdal/appl/ftp/ftpd/logwtmp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: logwtmp.c,v 1.14 1999/12/02 16:58:31 joda Exp $");
+RCSID("$Id: logwtmp.c,v 1.15 2000/09/19 13:17:05 assar Exp $");
 #endif
 
 #include <stdio.h>
@@ -58,6 +58,7 @@ RCSID("$Id: logwtmp.c,v 1.14 1999/12/02 16:58:31 joda Exp $");
 #ifdef HAVE_UTMPX_H
 #include <utmpx.h>
 #endif
+#include <roken.h>
 #include "extern.h"
 
 #ifndef WTMP_FILE
diff --git a/crypto/heimdal/appl/ftp/ftpd/ls.c b/crypto/heimdal/appl/ftp/ftpd/ls.c
index 2c85487..9311119 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ls.c
+++ b/crypto/heimdal/appl/ftp/ftpd/ls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -30,9 +30,36 @@
  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 
+#ifndef TEST
 #include "ftpd_locl.h"
 
-RCSID("$Id: ls.c,v 1.14 2000/01/05 13:48:58 joda Exp $");
+RCSID("$Id: ls.c,v 1.20 2001/01/25 01:33:15 joda Exp $");
+
+#else
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+#include <errno.h>
+
+#define sec_fprintf2 fprintf
+#define sec_fflush fflush
+void
+builtin_ls(FILE *out, const char *file);
+int
+main(int argc, char **argv)
+{
+    int i;
+    for(i = 1; i < argc; i++)
+	builtin_ls(stdout, argv[i]);
+    return 0;
+}
+#endif
 
 struct fileinfo {
     struct stat st;
@@ -63,17 +90,23 @@ free_fileinfo(struct fileinfo *f)
     free(f->link);
 }
 
-#define LS_DIRS		 1
-#define LS_IGNORE_DOT	 2
-#define LS_SORT_MODE	 12
+#define LS_DIRS		(1 << 0)
+#define LS_IGNORE_DOT	(1 << 1)
+#define LS_SORT_MODE	(3 << 2)
 #define SORT_MODE(f) ((f) & LS_SORT_MODE)
-#define LS_SORT_NAME	 4
-#define LS_SORT_MTIME	 8
-#define LS_SORT_SIZE	12
-#define LS_SORT_REVERSE	16
-
-#define LS_SIZE		32
-#define LS_INODE	64
+#define LS_SORT_NAME	(1 << 2)
+#define LS_SORT_MTIME	(2 << 2)
+#define LS_SORT_SIZE	(3 << 2)
+#define LS_SORT_REVERSE	(1 << 4)
+
+#define LS_SIZE		(1 << 5)
+#define LS_INODE	(1 << 6)
+#define LS_TYPE		(1 << 7)
+#define LS_DISP_MODE	(3 << 8)
+#define DISP_MODE(f) ((f) & LS_DISP_MODE)
+#define LS_DISP_LONG	(1 << 8)
+#define LS_DISP_COLUMN	(2 << 8)
+#define LS_DISP_CROSS	(3 << 8)
 
 #ifndef S_ISTXT
 #define S_ISTXT S_ISVTX
@@ -91,6 +124,7 @@ static void
 make_fileinfo(const char *filename, struct fileinfo *file, int flags)
 {
     char buf[128];
+    int file_type = 0;
     struct stat *st = &file->st;
 
     file->inode = st->st_ino;
@@ -100,23 +134,36 @@ make_fileinfo(const char *filename, struct fileinfo *file, int flags)
     file->bsize = st->st_blocks * 512 / 1024;
 #endif
 
-    if(S_ISDIR(st->st_mode))
+    if(S_ISDIR(st->st_mode)) {
 	file->mode[0] = 'd';
+	file_type = '/';
+    }
     else if(S_ISCHR(st->st_mode))
 	file->mode[0] = 'c';
     else if(S_ISBLK(st->st_mode))
 	file->mode[0] = 'b';
-    else if(S_ISREG(st->st_mode))
+    else if(S_ISREG(st->st_mode)) {
 	file->mode[0] = '-';
-    else if(S_ISFIFO(st->st_mode))
+	if(st->st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))
+	    file_type = '*';
+    }
+    else if(S_ISFIFO(st->st_mode)) {
 	file->mode[0] = 'p';
-    else if(S_ISLNK(st->st_mode))
+	file_type = '|';
+    }
+    else if(S_ISLNK(st->st_mode)) {
 	file->mode[0] = 'l';
-    else if(S_ISSOCK(st->st_mode))
+	file_type = '@';
+    }
+    else if(S_ISSOCK(st->st_mode)) {
 	file->mode[0] = 's';
+	file_type = '=';
+    }
 #ifdef S_ISWHT
-    else if(S_ISWHT(st->st_mode))
+    else if(S_ISWHT(st->st_mode)) {
 	file->mode[0] = 'w';
+	file_type = '%';
+    }
 #endif
     else 
 	file->mode[0] = '?';
@@ -177,9 +224,10 @@ make_fileinfo(const char *filename, struct fileinfo *file, int flags)
 
     {
 	time_t t = time(NULL);
-	struct tm *tm = localtime(&st->st_mtime);
-	if((t - st->st_mtime > 6*30*24*60*60) ||
-	   (st->st_mtime - t > 6*30*24*60*60))
+	time_t mtime = st->st_mtime;
+	struct tm *tm = localtime(&mtime);
+	if((t - mtime > 6*30*24*60*60) ||
+	   (mtime - t > 6*30*24*60*60))
 	    strftime(buf, sizeof(buf), "%b %e  %Y", tm);
 	else
 	    strftime(buf, sizeof(buf), "%b %e %H:%M", tm);
@@ -191,7 +239,10 @@ make_fileinfo(const char *filename, struct fileinfo *file, int flags)
 	    p++;
 	else
 	    p = filename;
-	file->filename = strdup(p);
+	if((flags & LS_TYPE) && file_type != 0)
+	    asprintf(&file->filename, "%s%c", p, file_type);
+	else
+	    file->filename = strdup(p);
     }
     if(S_ISLNK(st->st_mode)) {
 	int n;
@@ -267,7 +318,7 @@ compare_mtime(struct fileinfo *a, struct fileinfo *b)
 	return 1;
     if(b->filename == NULL)
 	return -1;
-    return a->st.st_mtime - b->st.st_mtime;
+    return b->st.st_mtime - a->st.st_mtime;
 }
 
 static int
@@ -277,7 +328,7 @@ compare_size(struct fileinfo *a, struct fileinfo *b)
 	return 1;
     if(b->filename == NULL)
 	return -1;
-    return a->st.st_size - b->st.st_size;
+    return b->st.st_size - a->st.st_size;
 }
 
 static void
@@ -299,16 +350,22 @@ log10(int num)
  * have to fetch them.
  */
 
+#ifdef KRB4
+static int do_the_afs_dance = 1;
+#endif
+
 static int
 lstat_file (const char *file, struct stat *sb)
 {
 #ifdef KRB4
-    if (k_hasafs() 
+    if (do_the_afs_dance &&
+	k_hasafs() 
 	&& strcmp(file, ".")
-	&& strcmp(file, "..")) 
+	&& strcmp(file, "..")
+	&& strcmp(file, "/"))
     {
 	struct ViceIoctl    a_params;
-	char               *last;
+	char               *dir, *last;
 	char               *path_bkp;
 	static ino_t	   ino_counter = 0, ino_last = 0;
 	int		   ret;
@@ -328,16 +385,28 @@ lstat_file (const char *file, struct stat *sb)
 	
 	last = strrchr (path_bkp, '/');
 	if (last != NULL) {
-	    *last = '\0';
-	    a_params.in = last + 1;
-	} else
-	    a_params.in = (char *)file;
+	    if(last[1] == '\0')
+		/* if path ended in /, replace with `.' */
+		a_params.in = ".";
+	    else
+		a_params.in = last + 1;
+	    while(last > path_bkp && *--last == '/');
+	    if(*last != '/' || last != path_bkp) {
+		*++last = '\0';
+		dir = path_bkp;
+	    } else
+		/* we got to the start, so this must be the root dir */
+		dir = "/";
+	} else {
+	    /* file is relative to cdir */
+	    dir = ".";
+	    a_params.in = path_bkp;
+	}
 	
 	a_params.in_size  = strlen (a_params.in) + 1;
 	a_params.out_size = maxsize;
 	
-	ret = k_pioctl (last ? path_bkp : "." ,
-			VIOC_AFS_STAT_MT_PT, &a_params, 0);
+	ret = k_pioctl (dir, VIOC_AFS_STAT_MT_PT, &a_params, 0);
 	free (a_params.out);
 	if (ret < 0) {
 	    free (path_bkp);
@@ -354,7 +423,7 @@ lstat_file (const char *file, struct stat *sb)
 	 * use . as a prototype
 	 */
 
-	ret = lstat (path_bkp, sb);
+	ret = lstat (dir, sb);
 	free (path_bkp);
 	if (ret < 0)
 	    return ret;
@@ -413,7 +482,7 @@ list_files(FILE *out, const char **files, int n_files, int flags)
 	      (int (*)(const void*, const void*))compare_size);
 	break;
     }
-    {
+    if(DISP_MODE(flags) == LS_DISP_LONG) {
 	int max_inode = 0;
 	int max_bsize = 0;
 	int max_n_link = 0;
@@ -481,10 +550,58 @@ list_files(FILE *out, const char **files, int n_files, int flags)
 			   max_major,
 			   max_minor,
 			   max_date);
-	for(i = 0; i < n_files; i++)
-	    free_fileinfo(&fi[i]);
-	free(fi);
+    } else if(DISP_MODE(flags) == LS_DISP_COLUMN || 
+	      DISP_MODE(flags) == LS_DISP_CROSS) {
+	int max_len = 0;
+	int num_files = n_files;
+	int columns;
+	int j;
+	for(i = 0; i < n_files; i++) {
+	    if(fi[i].filename == NULL) {
+		num_files--;
+		continue;
+	    }
+	    if(strlen(fi[i].filename) > max_len)
+		max_len = strlen(fi[i].filename);
+	}
+	columns = 80 / (max_len + 1); /* get space between columns */
+	max_len = 80 / columns;
+	if(DISP_MODE(flags) == LS_DISP_CROSS) {
+	    for(i = 0, j = 0; i < n_files; i++) {
+		if(fi[i].filename == NULL)
+		    continue;
+		sec_fprintf2(out, "%-*s", max_len, fi[i].filename);
+		j++;
+		if(j == columns) {
+		    sec_fprintf2(out, "\r\n");
+		    j = 0;
+		}
+	    }
+	    if(j > 0)
+		    sec_fprintf2(out, "\r\n");
+	} else {
+	    int skip = (num_files + columns - 1) / columns;
+	    j = 0;
+	    for(i = 0; i < skip; i++) {
+		for(j = i; j < n_files;) {
+		    while(j < n_files && fi[j].filename == NULL)
+			j++;
+		    sec_fprintf2(out, "%-*s", max_len, fi[j].filename);
+		    j += skip;
+		}
+		sec_fprintf2(out, "\r\n");
+	    }
+	}
+    } else {
+	for(i = 0; i < n_files; i++) {
+	    if(fi[i].filename == NULL)
+		continue;
+	    sec_fprintf2(out, "%s\r\n", fi[i].filename);
+	}
     }
+    for(i = 0; i < n_files; i++)
+	free_fileinfo(&fi[i]);
+    free(fi);
 }
 
 static void
@@ -544,17 +661,21 @@ list_dir(FILE *out, const char *directory, int flags)
 void
 builtin_ls(FILE *out, const char *file)
 {
-    int flags = LS_SORT_NAME;
+    int flags = LS_SORT_NAME | LS_IGNORE_DOT | LS_DISP_LONG;
 
     if(*file == '-') {
 	const char *p;
 	for(p = file + 1; *p; p++) {
 	    switch(*p) {
+	    case '1':
+		flags = (flags & ~LS_DISP_MODE);
+		break;
 	    case 'a':
 	    case 'A':
 		flags &= ~LS_IGNORE_DOT;
 		break;
 	    case 'C':
+		flags = (flags & ~LS_DISP_MODE) | LS_DISP_COLUMN;
 		break;
 	    case 'd':
 		flags |= LS_DIRS;
@@ -562,10 +683,14 @@ builtin_ls(FILE *out, const char *file)
 	    case 'f':
 		flags = (flags & ~LS_SORT_MODE);
 		break;
+	    case 'F':
+		flags |= LS_TYPE;
+		break;
 	    case 'i':
-		flags |= flags | LS_INODE;
+		flags |= LS_INODE;
 		break;
 	    case 'l':
+		flags = (flags & ~LS_DISP_MODE) | LS_DISP_LONG;
 		break;
 	    case 't':
 		flags = (flags & ~LS_SORT_MODE) | LS_SORT_MTIME;
@@ -579,6 +704,9 @@ builtin_ls(FILE *out, const char *file)
 	    case 'r':
 		flags |= LS_SORT_REVERSE;
 		break;
+	    case 'x':
+		flags = (flags & ~LS_DISP_MODE) | LS_DISP_CROSS;
+		break;
 	    }
 	}
 	file = ".";
diff --git a/crypto/heimdal/appl/ftp/ftpd/popen.c b/crypto/heimdal/appl/ftp/ftpd/popen.c
index 5f36813..d8a4996 100644
--- a/crypto/heimdal/appl/ftp/ftpd/popen.c
+++ b/crypto/heimdal/appl/ftp/ftpd/popen.c
@@ -37,7 +37,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: popen.c,v 1.19 1999/09/16 20:38:45 assar Exp $");
+RCSID("$Id: popen.c,v 1.22 2001/02/05 07:51:51 assar Exp $");
 #endif
 
 #include <sys/types.h>
@@ -61,10 +61,9 @@ RCSID("$Id: popen.c,v 1.19 1999/09/16 20:38:45 assar Exp $");
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-
+#include <roken.h>
 #include "extern.h"
 
-#include <roken.h>
 
 /* 
  * Special version of popen which avoids call to shell.  This ensures
@@ -97,13 +96,16 @@ ftp_rooted(const char *path)
 }
 
 
+#define MAXARGS	100
+#define MAXGLOBS 1000
+
 FILE *
 ftpd_popen(char *program, char *type, int do_stderr, int no_glob)
 {
 	char *cp;
 	FILE *iop;
 	int argc, gargc, pdes[2], pid;
-	char **pop, *argv[100], *gargv[1000];
+	char **pop, *argv[MAXARGS], *gargv[MAXGLOBS];
 	char *foo;
 
 	if (strcmp(type, "r") && strcmp(type, "w"))
@@ -126,14 +128,15 @@ ftpd_popen(char *program, char *type, int do_stderr, int no_glob)
 
 	/* break up string into pieces */
 	foo = NULL;
-	for (argc = 0, cp = program;; cp = NULL) {
+	for (argc = 0, cp = program; argc < MAXARGS - 1; cp = NULL) {
 		if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
 			break;
 	}
+	argv[MAXARGS - 1] = NULL;
 
 	gargv[0] = (char*)ftp_rooted(argv[0]);
 	/* glob each piece */
-	for (gargc = argc = 1; argv[argc]; argc++) {
+	for (gargc = argc = 1; argv[argc] && gargc < MAXGLOBS - 1; argc++) {
 		glob_t gl;
 		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
 
@@ -141,7 +144,9 @@ ftpd_popen(char *program, char *type, int do_stderr, int no_glob)
 		if (no_glob || glob(argv[argc], flags, NULL, &gl))
 			gargv[gargc++] = strdup(argv[argc]);
 		else
-			for (pop = gl.gl_pathv; *pop; pop++)
+			for (pop = gl.gl_pathv;
+			     *pop && gargc < MAXGLOBS - 1;
+			     pop++)
 				gargv[gargc++] = strdup(*pop);
 		globfree(&gl);
 	}
diff --git a/crypto/heimdal/appl/kf/Makefile.am b/crypto/heimdal/appl/kf/Makefile.am
index 44b7069..c145e07 100644
--- a/crypto/heimdal/appl/kf/Makefile.am
+++ b/crypto/heimdal/appl/kf/Makefile.am
@@ -1,14 +1,18 @@
-# $Id: Makefile.am,v 1.1 1999/07/22 11:36:26 assar Exp $
+# $Id: Makefile.am,v 1.5 2000/11/15 22:51:08 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
-noinst_PROGRAMS = kf kfd
+bin_PROGRAMS = kf
+
+libexec_PROGRAMS = kfd
+
+man_MANS = kf.1 kfd.8
 
 kf_SOURCES = kf.c kf_locl.h
 
 kfd_SOURCES = kfd.c kf_locl.h
 
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
diff --git a/crypto/heimdal/appl/kf/Makefile.in b/crypto/heimdal/appl/kf/Makefile.in
index 5c60810..fe2a23b 100644
--- a/crypto/heimdal/appl/kf/Makefile.in
+++ b/crypto/heimdal/appl/kf/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.1 1999/07/22 11:36:26 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.5 2000/11/15 22:51:08 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,78 +170,88 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
-noinst_PROGRAMS = kf kfd
+bin_PROGRAMS = kf
+
+libexec_PROGRAMS = kfd
+
+man_MANS = kf.1 kfd.8
 
 kf_SOURCES = kf.c kf_locl.h
 
 kfd_SOURCES = kfd.c kf_locl.h
 
-LDADD = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
 
+subdir = appl/kf
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
-noinst_PROGRAMS =  kf$(EXEEXT) kfd$(EXEEXT)
-PROGRAMS =  $(noinst_PROGRAMS)
+bin_PROGRAMS =  kf$(EXEEXT)
+libexec_PROGRAMS =  kfd$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS)
 
 
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-kf_OBJECTS =  kf.$(OBJEXT)
+am_kf_OBJECTS =  kf.$(OBJEXT)
+kf_OBJECTS =  $(am_kf_OBJECTS)
 kf_LDADD = $(LDADD)
 kf_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/asn1/libasn1.la
 kf_LDFLAGS = 
-kfd_OBJECTS =  kfd.$(OBJEXT)
+am_kfd_OBJECTS =  kfd.$(OBJEXT)
+kfd_OBJECTS =  $(am_kfd_OBJECTS)
 kfd_LDADD = $(LDADD)
 kfd_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/asn1/libasn1.la
 kfd_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(kf_SOURCES) $(kfd_SOURCES)
+man1dir = $(mandir)/man1
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(kf_SOURCES) $(kfd_SOURCES)
-OBJECTS = $(kf_OBJECTS) $(kfd_OBJECTS)
+OBJECTS = $(am_kf_OBJECTS) $(am_kfd_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/kf/Makefile
 
@@ -232,28 +260,61 @@ Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
 	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
 
 
-mostlyclean-noinstPROGRAMS:
+mostlyclean-binPROGRAMS:
 
-clean-noinstPROGRAMS:
-	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
 
-distclean-noinstPROGRAMS:
+distclean-binPROGRAMS:
 
-maintainer-clean-noinstPROGRAMS:
+maintainer-clean-binPROGRAMS:
 
-.c.o:
-	$(COMPILE) -c $<
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
 
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
 
-.s.o:
-	$(COMPILE) -c $<
+mostlyclean-libexecPROGRAMS:
 
-.S.o:
-	$(COMPILE) -c $<
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
 
 mostlyclean-compile:
 	-rm -f *.o core *.core
@@ -266,15 +327,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -292,26 +344,112 @@ kf$(EXEEXT): $(kf_OBJECTS) $(kf_DEPENDENCIES)
 kfd$(EXEEXT): $(kfd_OBJECTS) $(kfd_DEPENDENCIES)
 	@rm -f kfd$(EXEEXT)
 	$(LINK) $(kfd_LDFLAGS) $(kfd_OBJECTS) $(kfd_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1 install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1 uninstall-man8
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -324,17 +462,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/kf
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -347,24 +484,27 @@ check-am: all-am
 check: check-am
 installcheck-am:
 installcheck: installcheck-am
-install-exec-am:
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 install-exec: install-exec-am
 
-install-data-am: install-data-local
+install-data-am: install-man install-data-local
 install-data: install-data-am
 
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 install: install-am
-uninstall-am:
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+		uninstall-man
 uninstall: uninstall-am
-all-am: Makefile $(PROGRAMS) all-local
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man8
 
 
 mostlyclean-generic:
@@ -376,25 +516,27 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
-mostlyclean-am:  mostlyclean-noinstPROGRAMS mostlyclean-compile \
-		mostlyclean-libtool mostlyclean-tags \
-		mostlyclean-generic
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
 
 mostlyclean: mostlyclean-am
 
-clean-am:  clean-noinstPROGRAMS clean-compile clean-libtool clean-tags \
-		clean-generic mostlyclean-am
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
 
 clean: clean-am
 
-distclean-am:  distclean-noinstPROGRAMS distclean-compile \
-		distclean-libtool distclean-tags distclean-generic \
-		clean-am
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
 	-rm -f libtool
 
 distclean: distclean-am
 
-maintainer-clean-am:  maintainer-clean-noinstPROGRAMS \
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
 		maintainer-clean-compile maintainer-clean-libtool \
 		maintainer-clean-tags maintainer-clean-generic \
 		distclean-am
@@ -403,16 +545,20 @@ maintainer-clean-am:  maintainer-clean-noinstPROGRAMS \
 
 maintainer-clean: maintainer-clean-am
 
-.PHONY: mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
-clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
-mostlyclean-compile distclean-compile clean-compile \
-maintainer-clean-compile mostlyclean-libtool distclean-libtool \
-clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool install-man1 uninstall-man1 install-man8 \
+uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
 distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -422,7 +568,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -434,8 +583,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -504,87 +653,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/kf/kf.1 b/crypto/heimdal/appl/kf/kf.1
new file mode 100644
index 0000000..27ca59f
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kf.1
@@ -0,0 +1,92 @@
+.\" Things to fix:
+.\"   * correct section, and operating system
+.\"   * remove Op from mandatory flags
+.\"   * use better macros for arguments (like .Pa for files)
+.\"
+.Dd July  2, 2000
+.Dt KF 1
+.Os Heimdal
+.Sh NAME
+.Nm kf
+.Nd
+securly forward tickets
+.Sh SYNOPSIS
+.Nm
+.Oo Fl p Ar port \*(Ba Xo
+.Fl -port= Ns Ar port Oc
+.Xc
+.Oo Fl l Ar login \*(Ba Xo
+.Fl -login= Ns Ar login Oc
+.Xc
+.Oo Fl c Ar ccache \*(Ba Xo
+.Fl -ccache= Ns Ar ccache Oc
+.Xc
+.Op Fl F | Fl -forwardable
+.Op Fl G | Fl -no-forwardable
+.Op Fl h | Fl -help
+.Op Fl -version
+.Ar host ...
+.Sh DESCRIPTION
+The
+.Nm
+program forwards tickets to a remove host through an authenticated
+and encrypted stream. Options supported are:
+.Bl -tag -width Ds
+.It Xo
+.Fl p Ar port Ns ,
+.Fl -port= Ns Ar port
+.Xc
+port to connect to
+.It Xo
+.Fl l Ar login Ns ,
+.Fl -login= Ns Ar login
+.Xc
+remote login name
+.It Xo
+.Fl c Ar ccache Ns ,
+.Fl -ccache= Ns Ar ccache
+.Xc
+remote cred cache
+.It Xo
+.Fl F Ns ,
+.Fl -forwardable
+.Xc
+forward forwardable credentials
+.It Xo
+.Fl G Ns ,
+.Fl -no-forwardable
+.Xc
+do not forward forwardable credentials
+.It Xo
+.Fl h Ns ,
+.Fl -help
+.Xc
+.It Xo
+.Fl -version
+.Xc
+.El
+.Pp
+.Nm
+is useful when you do not want to enter your password on a remote host
+but want to have your tickets one for example afs.
+.Pp
+In order for
+.Nm
+to work you will need to acquire your initial ticket with forwardable
+flag, ie
+.Nm kinit Fl -forwardable .
+.Pp
+.Nm telnet
+is able to forward ticket by itself.
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kfd 8 ,
+.Xr kinit 1 ,
+.Xr telnet 1
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/appl/kf/kf.c b/crypto/heimdal/appl/kf/kf.c
index 1e85f94..0800ce9 100644
--- a/crypto/heimdal/appl/kf/kf.c
+++ b/crypto/heimdal/appl/kf/kf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "kf_locl.h"
-RCSID("$Id: kf.c,v 1.13 1999/12/04 18:04:09 assar Exp $");
+RCSID("$Id: kf.c,v 1.14 2000/12/31 07:31:06 assar Exp $");
 
 krb5_context context;
 static int help_flag;
@@ -75,7 +75,7 @@ client_setup(krb5_context *context, int *argc, char **argv)
  
     status = krb5_init_context (context);
     if (status)
-	errx(1, "krb5_init_context failed: %u", status);
+	errx(1, "krb5_init_context failed: %d", status);
  
     forwardable = krb5_config_get_bool (*context, NULL,
 					"libdefaults",
diff --git a/crypto/heimdal/appl/kf/kfd.8 b/crypto/heimdal/appl/kf/kfd.8
new file mode 100644
index 0000000..3fca73b
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kfd.8
@@ -0,0 +1,59 @@
+.\" Things to fix:
+.\"   * correct section, and operating system
+.\"   * remove Op from mandatory flags
+.\"   * use better macros for arguments (like .Pa for files)
+.\"
+.Dd July  2, 2000
+.Dt KFD 8
+.Os Heimdal
+.Sh NAME
+.Nm kfd
+.Nd
+receive forwarded tickets
+.Sh SYNOPSIS
+.Nm
+.Oo Fl p Ar port \*(Ba Xo
+.Fl -port= Ns Ar port Oc
+.Xc
+.Op Fl i | Fl -inetd
+.Oo Fl R Ar regpag \*(Ba Xo
+.Fl -regpag= Ns Ar regpag Oc
+.Xc
+.Op Fl h | Fl -help
+.Op Fl -version
+.Sh DESCRIPTION
+This is the daemon for
+.Nm kf .
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl p Ar port Ns ,
+.Fl -port= Ns Ar port
+.Xc
+port to listen to
+.It Xo
+.Fl i Ns ,
+.Fl -inetd
+.Xc
+not started from inetd
+.It Xo
+.Fl R Ar regpag Ns ,
+.Fl -regpag= Ns Ar regpag
+.Xc
+path to regpag binary
+.El
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.Sh EXAMPLES
+Put the following in
+.Pa /etc/inetd.conf :
+.Bd -literal
+kf	stream	tcp	nowait	root	/usr/heimdal/libexec/kfd	kfd
+.Ed
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kf 1
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/appl/kf/kfd.c b/crypto/heimdal/appl/kf/kfd.c
index 9ad434f..3791579 100644
--- a/crypto/heimdal/appl/kf/kfd.c
+++ b/crypto/heimdal/appl/kf/kfd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "kf_locl.h"
-RCSID("$Id: kfd.c,v 1.7 1999/12/02 17:04:55 joda Exp $");
+RCSID("$Id: kfd.c,v 1.8 2001/01/09 18:43:10 assar Exp $");
 
 krb5_context context;
 char krb5_tkfile[MAXPATHLEN];
@@ -266,7 +266,7 @@ proto (int sock, const char *service)
 			krb5_get_err_text(context, status));
         goto out;
     }
-    status = krb5_rd_cred (context, auth_context, ccache, &data);
+    status = krb5_rd_cred2 (context, auth_context, ccache, &data);
     krb5_cc_close (context, ccache);
     if (status) {
 	syslog_and_cont("krb5_rd_cred: %s",
diff --git a/crypto/heimdal/appl/login/ChangeLog b/crypto/heimdal/appl/login/ChangeLog
index a751cae..fc9f7554 100644
--- a/crypto/heimdal/appl/login/ChangeLog
+++ b/crypto/heimdal/appl/login/ChangeLog
@@ -1,3 +1,57 @@
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* login.c: remove some krb5_free_context that might happen at
+	unappropriate times
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* login.c (main): handle krb5_init_context failure consistently
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* login.c (do_login): set the group on the tty.
+	(r_flag): comment out
+	* login.c (krb5_to4): always return a value
+
+2000-10-15  Assar Westerlund  <assar@sics.se>
+
+	* login.c (krb5_to4): check another return code
+
+2000-08-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* login.c (do_login): set PATH to something sane;
+	(start_logout_process): avoid getting signals sent to the parent
+
+	* login_locl.h: _PATH_DEFPATH
+
+2000-07-01  Assar Westerlund  <assar@sics.se>
+
+	* login.c (login_timeout): add back
+
+2000-06-28  Johan Danielsson  <joda@pdc.kth.se>
+
+	* env.c: new file for environment related functions
+
+	* login.c: move environment stuff to separate file, allow
+	specifying list of environment files via login.conf
+
+2000-06-21  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (LDADD): add otp
+	* login.c: add reading of /etc/environment.  From Ake Sandgren
+	<ake@cs.umu.se>
+	add otp support. From Daniel Kouril <kouril@ics.muni.cz>
+
+2000-06-09  Assar Westerlund  <assar@sics.se>
+
+	* login.c (do_login): work-around for setuid and capabilities bug
+	fixed in Linux 2.2.16
+
+2000-04-09  Assar Westerlund  <assar@sics.se>
+
+	* login.c: allow conversion of v5 -> v4 tickets when logging in
+	with forwarded tickets
+
 1999-11-09  Johan Danielsson  <joda@pdc.kth.se>
 
 	* conf.c: remove case for not having cgetent, since it's in roken
diff --git a/crypto/heimdal/appl/login/Makefile.am b/crypto/heimdal/appl/login/Makefile.am
index 22b4b62..1f458e9 100644
--- a/crypto/heimdal/appl/login/Makefile.am
+++ b/crypto/heimdal/appl/login/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.16 1999/10/30 08:51:45 assar Exp $
+# $Id: Makefile.am,v 1.19 2000/11/15 22:51:08 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -6,27 +6,30 @@ INCLUDES += $(INCLUDE_krb4)
 
 bin_PROGRAMS = login
 
-login_SOURCES = \
+login_SOURCES =					\
+		conf.c				\
+		env.c				\
 		login.c				\
+		login_access.c			\
+		login_locl.h			\
+		login_protos.h			\
 		osfc2.c				\
 		read_string.c			\
-		utmp_login.c			\
-		utmpx_login.c			\
-		tty.c				\
+		shadow.c			\
 		stty_default.c			\
-		login_access.c			\
-		login_locl.h			\
-		login_proto.h			\
-		conf.c				\
-		shadow.c
+		tty.c				\
+		utmp_login.c			\
+		utmpx_login.c
 
-LDADD = $(LIB_kafs) \
+LDADD = $(LIB_otp) \
+	$(LIB_kafs) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_krb4) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
-	$(LIB_security)
+	$(LIB_security) \
+	$(DBLIB)
 
 $(srcdir)/login_protos.h:
 	cd $(srcdir); perl ../../cf/make-proto.pl -o login_protos.h $(login_SOURCES) || rm -f login_protos.h
diff --git a/crypto/heimdal/appl/login/Makefile.in b/crypto/heimdal/appl/login/Makefile.in
index 10b75e8..ba353de 100644
--- a/crypto/heimdal/appl/login/Makefile.in
+++ b/crypto/heimdal/appl/login/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.16 1999/10/30 08:51:45 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.19 2000/11/15 22:51:08 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,34 +170,52 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 bin_PROGRAMS = login
 
-login_SOURCES =  		login.c						osfc2.c						read_string.c					utmp_login.c					utmpx_login.c					tty.c						stty_default.c					login_access.c					login_locl.h					login_proto.h					conf.c						shadow.c
-
-
-LDADD = $(LIB_kafs) 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken) 	$(LIB_security)
+login_SOURCES = \
+		conf.c				\
+		env.c				\
+		login.c				\
+		login_access.c			\
+		login_locl.h			\
+		login_protos.h			\
+		osfc2.c				\
+		read_string.c			\
+		shadow.c			\
+		stty_default.c			\
+		tty.c				\
+		utmp_login.c			\
+		utmpx_login.c
+
+
+LDADD = $(LIB_otp) \
+	$(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(LIB_security) \
+	$(DBLIB)
 
+subdir = appl/login
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -190,42 +226,41 @@ PROGRAMS =  $(bin_PROGRAMS)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-login_OBJECTS =  login.$(OBJEXT) osfc2.$(OBJEXT) read_string.$(OBJEXT) \
-utmp_login.$(OBJEXT) utmpx_login.$(OBJEXT) tty.$(OBJEXT) \
-stty_default.$(OBJEXT) login_access.$(OBJEXT) conf.$(OBJEXT) \
-shadow.$(OBJEXT)
+am_login_OBJECTS =  conf.$(OBJEXT) env.$(OBJEXT) login.$(OBJEXT) \
+login_access.$(OBJEXT) osfc2.$(OBJEXT) read_string.$(OBJEXT) \
+shadow.$(OBJEXT) stty_default.$(OBJEXT) tty.$(OBJEXT) \
+utmp_login.$(OBJEXT) utmpx_login.$(OBJEXT)
+login_OBJECTS =  $(am_login_OBJECTS)
 login_LDADD = $(LDADD)
+@KRB4_FALSE@login_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
 @KRB4_TRUE@login_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
 @KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
 @KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_FALSE@login_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
 login_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(login_SOURCES)
+depcomp = 
 DIST_COMMON =  ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(login_SOURCES)
-OBJECTS = $(login_OBJECTS)
+OBJECTS = $(am_login_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/login/Makefile
 
@@ -248,31 +283,20 @@ install-binPROGRAMS: $(bin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(bindir)
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-binPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -284,15 +308,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -306,26 +321,36 @@ maintainer-clean-libtool:
 login$(EXEEXT): $(login_OBJECTS) $(login_DEPENDENCIES)
 	@rm -f login$(EXEEXT)
 	$(LINK) $(login_LDFLAGS) $(login_OBJECTS) $(login_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -338,17 +363,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/login
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -377,7 +401,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(bindir)
 
@@ -391,6 +415,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -426,7 +451,7 @@ distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -436,7 +461,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -448,8 +476,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -518,87 +546,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/login/conf.c b/crypto/heimdal/appl/login/conf.c
index 6a4b2a8..85cfc00 100644
--- a/crypto/heimdal/appl/login/conf.c
+++ b/crypto/heimdal/appl/login/conf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: conf.c,v 1.2 1999/11/09 18:05:49 joda Exp $");
+RCSID("$Id: conf.c,v 1.3 2000/05/29 16:52:24 assar Exp $");
 
 static char *confbuf;
 
@@ -49,7 +49,7 @@ login_conf_get_string(const char *str)
     char *value;
     if(login_conf_init() != 0)
 	return NULL;
-    if(cgetstr(confbuf, str, &value) < 0)
+    if(cgetstr(confbuf, (char *)str, &value) < 0)
 	return NULL;
     return value;
 }
diff --git a/crypto/heimdal/appl/login/env.c b/crypto/heimdal/appl/login/env.c
new file mode 100644
index 0000000..57f68b1
--- /dev/null
+++ b/crypto/heimdal/appl/login/env.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+RCSID("$Id: env.c,v 1.1 2000/06/28 12:27:38 joda Exp $");
+
+/*
+ * the environment we will send to execle and the shell.
+ */
+
+char **env;
+int num_env;
+
+void
+extend_env(char *str)
+{
+    env = realloc(env, (num_env + 1) * sizeof(*env));
+    if(env == NULL)
+	errx(1, "Out of memory!");
+    env[num_env++] = str;
+}
+
+void
+add_env(const char *var, const char *value)
+{
+    int i;
+    char *str;
+    asprintf(&str, "%s=%s", var, value);
+    if(str == NULL)
+	errx(1, "Out of memory!");
+    for(i = 0; i < num_env; i++)
+	if(strncmp(env[i], var, strlen(var)) == 0 && 
+	   env[i][strlen(var)] == '='){
+	    free(env[i]);
+	    env[i] = str;
+	    return;
+	}
+    
+    extend_env(str);
+}
+
+void
+copy_env(void)
+{
+    char **p;
+    for(p = environ; *p; p++)
+	extend_env(*p);
+}
+
+int
+login_read_env(const char *file)
+{
+    char **newenv;
+    char *p;
+    int i, j;
+    
+    newenv = NULL;
+    i = read_environment(file, &newenv);
+    for (j = 0; j < i; j++) {
+	p = strchr(newenv[j], '=');
+	*p++ = 0;
+	add_env(newenv[j], p);
+	*--p = '=';
+	free(newenv[j]);
+    }
+    free(newenv);
+    return 0;
+}
diff --git a/crypto/heimdal/appl/login/login.c b/crypto/heimdal/appl/login/login.c
index a149449..2ada921 100644
--- a/crypto/heimdal/appl/login/login.c
+++ b/crypto/heimdal/appl/login/login.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -39,50 +39,9 @@
 #include <sys/capability.h>
 #endif
 
-RCSID("$Id: login.c,v 1.33 1999/12/02 17:04:55 joda Exp $");
+RCSID("$Id: login.c,v 1.46 2001/01/29 02:18:03 assar Exp $");
 
-/*
- * the environment we will send to execle and the shell.
- */
-
-static char **env;
-static int num_env;
-
-static void
-extend_env(char *str)
-{
-    env = realloc(env, (num_env + 1) * sizeof(*env));
-    if(env == NULL)
-	errx(1, "Out of memory!");
-    env[num_env++] = str;
-}
-
-static void
-add_env(const char *var, const char *value)
-{
-    int i;
-    char *str;
-    asprintf(&str, "%s=%s", var, value);
-    if(str == NULL)
-	errx(1, "Out of memory!");
-    for(i = 0; i < num_env; i++)
-	if(strncmp(env[i], var, strlen(var)) == 0 && 
-	   env[i][strlen(var)] == '='){
-	    free(env[i]);
-	    env[i] = str;
-	    return;
-	}
-    
-    extend_env(str);
-}
-
-static void
-copy_env(void)
-{
-    char **p;
-    for(p = environ; *p; p++)
-	extend_env(*p);
-}
+static int login_timeout = 60;
 
 static int
 start_login_process(void)
@@ -118,8 +77,11 @@ start_logout_process(void)
 	argv0 = prog;
 
     pid = fork();
-    if(pid == 0)
+    if(pid == 0) {
+	/* avoid getting signals sent to the shell */
+	setpgid(0, getpid());
 	return 0;
+    }
     if(pid == -1)
 	err(1, "fork");
     /* wait for the real login process to exit */
@@ -167,7 +129,18 @@ exec_shell(const char *shell, int fallback)
     err(1, "%s", shell);
 }
 
-static enum { AUTH_KRB4, AUTH_KRB5 } auth;
+static enum { NONE = 0, AUTH_KRB4 = 1, AUTH_KRB5 = 2, AUTH_OTP = 3 } auth;
+
+#ifdef OTP
+static OtpContext otp_ctx;
+
+static int
+otp_verify(struct passwd *pwd, const char *password)
+{
+   return (otp_verify_user (&otp_ctx, password));
+}
+#endif /* OTP */
+
 
 #ifdef KRB5
 static krb5_context context;
@@ -179,19 +152,12 @@ krb5_verify(struct passwd *pwd, const char *password)
     krb5_error_code ret;
     krb5_principal princ;
 
-    ret = krb5_init_context(&context);
-    if(ret)
-	return 1;
-	    
     ret = krb5_parse_name(context, pwd->pw_name, &princ);
-    if(ret){
-	krb5_free_context(context);
+    if(ret)
 	return 1;
-    }
     ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
-    if(ret){
+    if(ret) {
 	krb5_free_principal(context, princ);
-	krb5_free_context(context);
 	return 1;
     }
     ret = krb5_verify_user_lrealm(context,
@@ -201,47 +167,39 @@ krb5_verify(struct passwd *pwd, const char *password)
 				  1,
 				  NULL);
     krb5_free_principal(context, princ);
-    if (ret)
-	krb5_free_context (context);
     return ret;
 }
 
-static int
-krb5_start_session (const struct passwd *pwd)
-{
-    krb5_error_code ret;
-    char residual[64];
-
-    /* copy credentials to file cache */
-    snprintf(residual, sizeof(residual), "FILE:/tmp/krb5cc_%u", 
-	     (unsigned)pwd->pw_uid);
-    krb5_cc_resolve(context, residual, &id2);
-    ret = krb5_cc_copy_cache(context, id, id2);
-    if (ret == 0)
-	add_env("KRB5CCNAME", residual);
-    else {
-	krb5_cc_destroy (context, id2);
-	return ret;
-    }
 #ifdef KRB4
+static krb5_error_code
+krb5_to4 (krb5_ccache id)
+{
     if (krb5_config_get_bool(context, NULL,
 			     "libdefaults",
 			     "krb4_get_tickets",
 			     NULL)) {
         CREDENTIALS c;
         krb5_creds mcred, cred;
-        krb5_realm realm;
         char krb4tkfile[MAXPATHLEN];
+	krb5_error_code ret;
+	krb5_principal princ;
+
+	ret = krb5_cc_get_principal (context, id, &princ);
+	if (ret)
+	    return ret;
 
-        krb5_get_default_realm(context, &realm);
-	krb5_make_principal(context, &mcred.server, realm,
-			    "krbtgt",
-			    realm,
-			    NULL);
-	free (realm);
-	ret = krb5_cc_retrieve_cred(context, id2, 0, &mcred, &cred);
+	ret = krb5_make_principal(context, &mcred.server,
+				  princ->realm,
+				  "krbtgt",
+				  princ->realm,
+				  NULL);
+	krb5_free_principal (context, princ);
+	if (ret)
+	    return ret;
+
+	ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
 	if(ret == 0) {
-	    ret = krb524_convert_creds_kdc(context, id2, &cred, &c);
+	    ret = krb524_convert_creds_kdc(context, id, &cred, &c);
 	    if(ret == 0) {
 		snprintf(krb4tkfile,sizeof(krb4tkfile),"%s%d",TKT_ROOT,
 			 getuid());
@@ -253,6 +211,29 @@ krb5_start_session (const struct passwd *pwd)
 	}
 	krb5_free_principal(context, mcred.server);
     }
+    return 0;
+}
+#endif /* KRB4 */
+
+static int
+krb5_start_session (const struct passwd *pwd)
+{
+    krb5_error_code ret;
+    char residual[64];
+
+    /* copy credentials to file cache */
+    snprintf(residual, sizeof(residual), "FILE:/tmp/krb5cc_%u", 
+	     (unsigned)pwd->pw_uid);
+    krb5_cc_resolve(context, residual, &id2);
+    ret = krb5_cc_copy_cache(context, id, id2);
+    if (ret == 0)
+	add_env("KRB5CCNAME", residual);
+    else {
+	krb5_cc_destroy (context, id2);
+	return ret;
+    }
+#ifdef KRB4
+    krb5_to4 (id2);
 #endif
     krb5_cc_close(context, id2);
     krb5_cc_destroy(context, id);
@@ -279,9 +260,6 @@ krb5_get_afs_tokens (const struct passwd *pwd)
     if (!k_hasafs ())
 	return;
 
-    ret = krb5_init_context(&context);
-    if(ret)
-	return;
     ret = krb5_cc_default(context, &id2);
  
     if (ret == 0) {
@@ -299,7 +277,6 @@ krb5_get_afs_tokens (const struct passwd *pwd)
 			      pwd->pw_uid, pwd->pw_dir);
 	krb5_cc_close (context, id2);
     }
-    krb5_free_context (context);
 }
 
 #endif /* KRB4 */
@@ -365,14 +342,17 @@ krb4_get_afs_tokens (const struct passwd *pwd)
 
 static int f_flag;
 static int p_flag;
+#if 0
 static int r_flag;
+#endif
 static int version_flag;
 static int help_flag;
 static char *remote_host;
+static char *auth_level = NULL;
 
 struct getargs args[] = {
+    { NULL, 'a', arg_string,    &auth_level,    "authentication mode" },
 #if 0
-    { NULL, 'a' },
     { NULL, 'd' },
 #endif
     { NULL, 'f', arg_flag,	&f_flag,	"pre-authenticated" },
@@ -450,7 +430,7 @@ do_login(const struct passwd *pwd, char *tty, char *ttyn)
     else
 	tty_gid = pwd->pw_gid;
 
-    if (chown (ttyn, pwd->pw_uid, pwd->pw_gid) < 0) {
+    if (chown (ttyn, pwd->pw_uid, tty_gid) < 0) {
 	warn("chown %s", ttyn);
 	if (rootlogin == 0)
 	    exit (1);
@@ -481,7 +461,7 @@ do_login(const struct passwd *pwd, char *tty, char *ttyn)
 	if(rootlogin == 0)
 	    exit(1);
     }
-    if(setuid(pwd->pw_uid)){
+    if(setuid(pwd->pw_uid) || (pwd->pw_uid != 0 && setuid(0) == 0)) {
 	warn("setuid(%u)", (unsigned)pwd->pw_uid);
 	if(rootlogin == 0)
 	    exit(1);
@@ -560,17 +540,44 @@ do_login(const struct passwd *pwd, char *tty, char *ttyn)
 #ifdef KRB5
     if (auth == AUTH_KRB5) {
 	krb5_start_session (pwd);
-	krb5_finish ();
     }
 #ifdef KRB4
+    else if (auth == 0) {
+	krb5_error_code ret;
+	krb5_ccache id;
+
+	ret = krb5_cc_default (context, &id);
+	if (ret == 0) {
+	    krb5_to4 (id);
+	    krb5_cc_close (context, id);
+	}
+    }
+
     krb5_get_afs_tokens (pwd);
 #endif /* KRB4 */
+    krb5_finish ();
 #endif /* KRB5 */
 
 #ifdef KRB4
     krb4_get_afs_tokens (pwd);
 #endif /* KRB4 */
 
+    add_env("PATH", _PATH_DEFPATH);
+
+    {
+	const char *str = login_conf_get_string("environment");
+	char buf[MAXPATHLEN];
+
+	if(str == NULL) {
+	    login_read_env(_PATH_ETC_ENVIRONMENT);
+	} else {
+	    while(strsep_copy(&str, ",", buf, sizeof(buf)) != -1) {
+		if(buf[0] == '\0')
+		    continue;
+		login_read_env(buf);
+	    }
+	}
+    }
     add_env("HOME", home_dir);
     add_env("USER", pwd->pw_name);
     add_env("LOGNAME", pwd->pw_name);
@@ -604,6 +611,12 @@ check_password(struct passwd *pwd, const char *password)
 	return 0;
     }
 #endif
+#ifdef OTP
+    if (otp_verify (pwd, password) == 0) {
+       auth = AUTH_OTP;
+       return 0;
+    }
+#endif
     return 1;
 }
 
@@ -614,6 +627,17 @@ usage(int status)
     exit(status);
 }
 
+static RETSIGTYPE
+sig_handler(int sig)
+{
+    if (sig == SIGALRM)
+         fprintf(stderr, "Login timed out after %d seconds\n",
+                login_timeout);
+      else
+         fprintf(stderr, "Login received signal, exiting\n");
+    exit(0);
+}
+
 int
 main(int argc, char **argv)
 {
@@ -624,9 +648,20 @@ main(int argc, char **argv)
     int optind = 0;
 
     int ask = 1;
+    struct sigaction sa;
     
     set_progname(argv[0]);
 
+#ifdef KRB5
+    {
+	krb5_error_code ret;
+
+	ret = krb5_init_context(&context);
+	if (ret)
+	    errx (1, "krb5_init_context failed: %d", ret);
+    }
+#endif
+
     openlog("login", LOG_ODELAY, LOG_AUTH);
 
     if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
@@ -664,21 +699,41 @@ main(int argc, char **argv)
 	    ask = 0;
 	}
     }
+
+#if defined(DCE) && defined(AIX)
+    esetenv("AUTHSTATE", "DCE", 1);
+#endif
+
     /* XXX should we care about environment on the command line? */
+
+    memset(&sa, 0, sizeof(sa));
+    sa.sa_handler = sig_handler;
+    sigemptyset(&sa.sa_mask);
+    sa.sa_flags = 0;
+    sigaction(SIGALRM, &sa, NULL);
+    alarm(login_timeout);
+
     for(try = 0; try < max_tries; try++){
 	struct passwd *pwd;
 	char password[128];
 	int ret;
 	char ttname[32];
 	char *tty, *ttyn;
+        char prompt[128];
+#ifdef OTP
+        char otp_str[256];
+#endif
 
 	if(ask){
-	    f_flag = r_flag = 0;
+	    f_flag = 0;
+#if 0
+	    r_flag = 0;
+#endif
 	    ret = read_string("login: ", username, sizeof(username), 1);
 	    if(ret == -3)
 		exit(0);
 	    if(ret == -2)
-		continue;
+		sig_handler(0); /* exit */
 	}
         pwd = k_getpwnam(username);
 #ifdef ALLOW_NULL_PASSWORD
@@ -687,11 +742,28 @@ main(int argc, char **argv)
         }
         else
 #endif
-	if(f_flag == 0) {
-	    ret = read_string("Password: ", password, sizeof(password), 0);
-	    if(ret == -3 || ret == -2)
-		continue;
-	}
+
+        {
+#ifdef OTP
+           if(auth_level && strcmp(auth_level, "otp") == 0 &&
+                 otp_challenge(&otp_ctx, username,
+                            otp_str, sizeof(otp_str)) == 0)
+                 snprintf (prompt, sizeof(prompt), "%s's %s Password: ",
+                            username, otp_str);
+            else
+#endif
+                 strncpy(prompt, "Password: ", sizeof(prompt));
+
+	    if (f_flag == 0) {
+	       ret = read_string(prompt, password, sizeof(password), 0);
+               if (ret == -3) {
+                  ask = 1;
+                  continue;
+               }
+               if (ret == -2)
+                  sig_handler(0);
+            }
+         }
 	
 	if(pwd == NULL){
 	    fprintf(stderr, "Login incorrect.\n");
@@ -724,6 +796,7 @@ main(int argc, char **argv)
 		       pwd->pw_name, tty);
 	    exit (1);
 	}
+        alarm(0);
 	do_login(pwd, tty, ttyn);
     }
     exit(1);
diff --git a/crypto/heimdal/appl/login/login_locl.h b/crypto/heimdal/appl/login/login_locl.h
index 2d2f7fd..6c5857b 100644
--- a/crypto/heimdal/appl/login/login_locl.h
+++ b/crypto/heimdal/appl/login/login_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: login_locl.h,v 1.17 1999/12/02 17:04:55 joda Exp $ */
+/* $Id: login_locl.h,v 1.20 2000/08/22 14:05:35 joda Exp $ */
 
 #ifndef __LOGIN_LOCL_H__
 #define __LOGIN_LOCL_H__
@@ -86,6 +86,10 @@
 #endif
 #include <kafs.h>
 
+#ifdef OTP
+#include <otp.h>
+#endif
+
 #ifndef _PATH_BSHELL
 #define _PATH_BSHELL "/bin/sh"
 #endif
@@ -121,8 +125,19 @@
 #define _PATH_LOGIN_CONF "/etc/login.conf"
 #endif /* _PATH_LOGIN_CONF */
 
+#ifndef _PATH_ETC_ENVIRONMENT
+#define _PATH_ETC_ENVIRONMENT "/etc/environment"
+#endif
+
+#ifndef _PATH_DEFPATH
+#define _PATH_DEFPATH "/usr/bin:/bin"
+#endif
+
 struct spwd;
 
+extern char **env;
+extern int num_env;
+
 #include "login_protos.h"
 
 #endif /* __LOGIN_LOCL_H__ */
diff --git a/crypto/heimdal/appl/login/login_protos.h b/crypto/heimdal/appl/login/login_protos.h
index 173acc5..e19a598 100644
--- a/crypto/heimdal/appl/login/login_protos.h
+++ b/crypto/heimdal/appl/login/login_protos.h
@@ -14,6 +14,11 @@
 #endif
 
 void
+add_env __P((
+	const char *var,
+	const char *value));
+
+void
 check_shadow __P((
 	const struct passwd *pw,
 	const struct spwd *sp));
@@ -21,9 +26,15 @@ check_shadow __P((
 char *
 clean_ttyname __P((char *tty));
 
+void
+copy_env __P((void));
+
 int
 do_osfc2_magic __P((uid_t uid));
 
+void
+extend_env __P((char *str));
+
 int
 login_access __P((
 	struct passwd *user,
@@ -32,6 +43,9 @@ login_access __P((
 char *
 login_conf_get_string __P((const char *str));
 
+int
+login_read_env __P((const char *file));
+
 char *
 make_id __P((char *tty));
 
diff --git a/crypto/heimdal/appl/login/read_string.c b/crypto/heimdal/appl/login/read_string.c
index 2c4b66b..f3cee14 100644
--- a/crypto/heimdal/appl/login/read_string.c
+++ b/crypto/heimdal/appl/login/read_string.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: read_string.c,v 1.3 1999/12/02 17:04:56 joda Exp $");
+RCSID("$Id: read_string.c,v 1.4 2000/06/21 02:09:36 assar Exp $");
 
 static sig_atomic_t intr_flag;
 
@@ -62,7 +62,7 @@ read_string(const char *prompt, char *buf, size_t len, int echo)
     sigemptyset(&sa.sa_mask);
     sa.sa_flags = 0;
     for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
-	sigaction(i, &sa, &sigs[i]);
+	if (i != SIGALRM) sigaction(i, &sa, &sigs[i]);
 
     if((tty = fopen("/dev/tty", "r")) == NULL)
 	tty = stdin;
@@ -104,7 +104,7 @@ read_string(const char *prompt, char *buf, size_t len, int echo)
 	fclose(tty);
 
     for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
-	sigaction(i, &sigs[i], NULL);
+	if (i != SIGALRM) sigaction(i, &sigs[i], NULL);
     
     if(ret)
 	return -3;
diff --git a/crypto/heimdal/appl/push/ChangeLog b/crypto/heimdal/appl/push/ChangeLog
index f013090..96a4a70 100644
--- a/crypto/heimdal/appl/push/ChangeLog
+++ b/crypto/heimdal/appl/push/ChangeLog
@@ -1,3 +1,32 @@
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* push.c (main): handle krb5_init_context failure consistently
+
+2000-12-26  Assar Westerlund  <assar@sics.se>
+
+	* push.c: support several headers, from <mattiasa@e.kth.se> use
+	estrdup, emalloc, erealloc
+
+2000-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pfrom.1: work around bug in grog that makes it think it needs
+	mdoc.old
+
+	* push.8: work around bug in grog that makes it think it needs
+	mdoc.old
+
+2000-11-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* push.c: add space to usage
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* push.c (doit): check that fds are not too large to select on
+
+2000-03-04  Assar Westerlund  <assar@sics.se>
+
+	* add man-page for pfrom
+
 1999-12-28  Assar Westerlund  <assar@sics.se>
 
 	* push.c (main): call k_getportbyname with port number in
diff --git a/crypto/heimdal/appl/push/Makefile.am b/crypto/heimdal/appl/push/Makefile.am
index 07ecd0a..5999ec1 100644
--- a/crypto/heimdal/appl/push/Makefile.am
+++ b/crypto/heimdal/appl/push/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.15 1999/04/09 18:29:48 assar Exp $
+# $Id: Makefile.am,v 1.17 2000/11/15 22:51:09 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -14,7 +14,7 @@ pfrom: pfrom.in
 	sed -e "s!%libexecdir%!$(libexecdir)!" $(srcdir)/pfrom.in > $@
 	chmod +x $@
 
-man_MANS = push.8
+man_MANS = push.8 pfrom.1
 
 CLEANFILES = pfrom
 
@@ -22,6 +22,6 @@ EXTRA_DIST = pfrom.in $(man_MANS)
 
 LDADD = $(LIB_krb5) \
 	$(LIB_krb4) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(LIB_roken) \
 	$(LIB_hesiod)
diff --git a/crypto/heimdal/appl/push/Makefile.in b/crypto/heimdal/appl/push/Makefile.in
index 6e9fef1..e677966 100644
--- a/crypto/heimdal/appl/push/Makefile.in
+++ b/crypto/heimdal/appl/push/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.15 1999/04/09 18:29:48 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.17 2000/11/15 22:51:09 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4) $(INCLUDE_hesiod)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_hesiod)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,24 +170,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
@@ -179,14 +193,19 @@ libexec_PROGRAMS = push
 
 push_SOURCES = push.c push_locl.h
 
-man_MANS = push.8
+man_MANS = push.8 pfrom.1
 
 CLEANFILES = pfrom
 
 EXTRA_DIST = pfrom.in $(man_MANS)
 
-LDADD = $(LIB_krb5) 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken) 	$(LIB_hesiod)
+LDADD = $(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(LIB_hesiod)
 
+subdir = appl/push
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -197,40 +216,41 @@ PROGRAMS =  $(libexec_PROGRAMS)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-push_OBJECTS =  push.$(OBJEXT)
+am_push_OBJECTS =  push.$(OBJEXT)
+push_OBJECTS =  $(am_push_OBJECTS)
 push_LDADD = $(LDADD)
+@KRB5_FALSE@push_DEPENDENCIES = 
 @KRB5_TRUE@push_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
-@KRB5_FALSE@push_DEPENDENCIES =  $(top_builddir)/lib/des/libdes.la
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
 push_LDFLAGS = 
 SCRIPTS =  $(bin_SCRIPTS)
 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(push_SOURCES)
+man1dir = $(mandir)/man1
 man8dir = $(mandir)/man8
 MANS = $(man_MANS)
+depcomp = 
 DIST_COMMON =  ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(push_SOURCES)
-OBJECTS = $(push_OBJECTS)
+OBJECTS = $(am_push_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/push/Makefile
 
@@ -253,31 +273,20 @@ install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-libexecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -289,15 +298,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -316,19 +316,63 @@ install-binSCRIPTS: $(bin_SCRIPTS)
 	@$(NORMAL_INSTALL)
 	$(mkinstalldirs) $(DESTDIR)$(bindir)
 	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
 	  if test -f $$p; then \
-	    echo " $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`"; \
-	    $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
-	  else if test -f $(srcdir)/$$p; then \
-	    echo " $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`"; \
-	    $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
-	  else :; fi; fi; \
+	    echo " $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f; \
+	  elif test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
 	done
 
 uninstall-binSCRIPTS:
 	@$(NORMAL_UNINSTALL)
-	list='$(bin_SCRIPTS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
 	done
 
 install-man8:
@@ -344,6 +388,7 @@ install-man8:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
@@ -359,36 +404,41 @@ uninstall-man8:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
 	done
 install-man: $(MANS)
 	@$(NORMAL_INSTALL)
-	$(MAKE) $(AM_MAKEFLAGS) install-man8
+	$(MAKE) $(AM_MAKEFLAGS) install-man1 install-man8
 uninstall-man:
 	@$(NORMAL_UNINSTALL)
-	$(MAKE) $(AM_MAKEFLAGS) uninstall-man8
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1 uninstall-man8
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -401,17 +451,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/push
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -441,10 +490,10 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(bindir) \
-		$(DESTDIR)$(mandir)/man8
+		$(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man8
 
 
 mostlyclean-generic:
@@ -457,6 +506,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -490,13 +540,13 @@ uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
 distclean-compile clean-compile maintainer-clean-compile \
 mostlyclean-libtool distclean-libtool clean-libtool \
 maintainer-clean-libtool uninstall-binSCRIPTS install-binSCRIPTS \
-install-man8 uninstall-man8 install-man uninstall-man tags \
-mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
-distdir info-am info dvi-am dvi check-local check check-am \
-installcheck-am installcheck install-exec-am install-exec \
+install-man1 uninstall-man1 install-man8 uninstall-man8 install-man \
+uninstall-man tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
+check-am installcheck-am installcheck install-exec-am install-exec \
 install-data-local install-data-am install-data install-am install \
-uninstall-am uninstall all-local all-redirect all-am all installdirs \
-mostlyclean-generic distclean-generic clean-generic \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
 maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
@@ -505,7 +555,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -517,8 +570,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -587,87 +640,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/push/pfrom.1 b/crypto/heimdal/appl/push/pfrom.1
new file mode 100644
index 0000000..c04d1116c
--- /dev/null
+++ b/crypto/heimdal/appl/push/pfrom.1
@@ -0,0 +1,25 @@
+.\" $Id: pfrom.1,v 1.2 2000/11/29 18:26:27 joda Exp $
+.\"
+.Dd Mars 4, 2000
+.Dt PFROM 1
+.Os HEIMDAL
+.Sh NAME
+.Nm pfrom
+.Nd
+fetch a list of the current mail via POP
+.Sh SYNOPSIS
+.Nm
+.Op Fl 4 | Fl -krb4
+.Op Fl 5 | Fl -krb5
+.Op Fl v | Fl -verbose
+.Op Fl c | -count
+.Op Fl -header
+.Oo Fl p Ar port-spec  \*(Ba Xo
+.Fl -port= Ns Ar port-spec
+.Xc
+.Oc
+.Sh DESCRIPTION
+.Nm
+is a script that does push --from.
+.Sh SEE ALSO
+.Xr push 8
diff --git a/crypto/heimdal/appl/push/push.8 b/crypto/heimdal/appl/push/push.8
index d8f4401..363eb92 100644
--- a/crypto/heimdal/appl/push/push.8
+++ b/crypto/heimdal/appl/push/push.8
@@ -1,4 +1,4 @@
-.\" $Id: push.8,v 1.4 1999/12/05 13:00:56 assar Exp $
+.\" $Id: push.8,v 1.8 2001/01/11 16:16:28 assar Exp $
 .\"
 .Dd May 31, 1998
 .Dt PUSH 8
@@ -16,10 +16,11 @@ fetch mail via POP
 .Op Fl l | -leave
 .Op Fl -from
 .Op Fl c | -count
-.Op Fl -header
+.Op Fl -headers= Ns Ar headers
 .Oo Fl p Ar port-spec  \*(Ba Xo
-.Fl -port= Ns Ar port-spec Oc
+.Fl -port= Ns Ar port-spec
 .Xc
+.Oc
 .Ar po-box
 .Pa filename
 .Sh DESCRIPTION
@@ -39,7 +40,7 @@ can have any of the following formats:
 .It Ql hostname
 .It Ql po:username
 .El
-
+.Pp
 If no username is specified,
 .Nm
 assumes that it's the same as on the local machine; 
@@ -47,7 +48,7 @@ assumes that it's the same as on the local machine;
 defaults to the value of the
 .Ev MAILHOST
 environment variable.
-
+.Pp
 Supported options:
 .Bl -tag -width Ds
 .It Xo
@@ -80,9 +81,9 @@ behave like from.
 .Xc
 first print how many messages and bytes there are.
 .It Xo
-.Fl -header
+.Fl -headers= Ns Ar headers
 .Xc
-which header from should print.
+a list of comma-separated headers that should get printed.
 .It Xo
 .Fl p Ar port-spec Ns ,
 .Fl -port= Ns Ar port-spec
@@ -92,11 +93,10 @@ use this port instead of the default
 or
 .Ql 1109 .
 .El
-
+.Pp
 The default is to first try Kerberos 5 authentication and then, if
 that fails, Kerberos 4.
 .Sh ENVIRONMENT
-
 .Bl -tag -width Ds
 .It Ev MAILHOST
 points to the post office, if no other hostname is specified.
@@ -106,7 +106,7 @@ points to the post office, if no other hostname is specified.
 .Bd -literal -offset indent
 $ push cornfield:roosta ~/.gnus-crash-box
 .Ed
-
+.Pp
 tries to fetch mail for the user
 .Ar roosta
 from the post office at
@@ -117,7 +117,7 @@ and stores the mail in
 .Bd -literal -offset indent
 $ push --from -5 havregryn
 .Ed
-
+.Pp
 tries to fetch 
 .Nm From: 
 lines for current user at post office
@@ -127,7 +127,8 @@ using Kerberos 5.
 .Sh SEE ALSO
 .Xr movemail 8 ,
 .Xr popper 8 ,
-.Xr from 1
+.Xr from 1 ,
+.Xr pfrom 1
 .\".Sh STANDARDS
 .Sh HISTORY
 .Nm
diff --git a/crypto/heimdal/appl/push/push.c b/crypto/heimdal/appl/push/push.c
index 1689a83..4e9a7d1 100644
--- a/crypto/heimdal/appl/push/push.c
+++ b/crypto/heimdal/appl/push/push.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "push_locl.h"
-RCSID("$Id: push.c,v 1.38 1999/12/28 03:46:06 assar Exp $");
+RCSID("$Id: push.c,v 1.43 2000/12/31 07:35:59 assar Exp $");
 
 #ifdef KRB4
 static int use_v4 = -1;
@@ -72,7 +72,7 @@ struct getargs args[] = {
       "number-or-service" },
     { "from",	 0,  arg_flag,		&do_from,	"Behave like from",
       NULL },
-    { "header",	 0,  arg_string,	&header_str,	"Header string to print", NULL },
+    { "headers", 0,  arg_string,	&header_str,	"Headers to print", NULL },
     { "count", 'c',  arg_flag,		&do_count,	"Print number of messages", NULL},
     { "version", 0,  arg_flag,		&do_version,	"Print version",
       NULL },
@@ -87,7 +87,7 @@ usage (int ret)
     arg_printusage (args,
 		    sizeof(args) / sizeof(args[0]),
 		    NULL,
-		    "[[{po:username[@hostname] | hostname[:username]}] ...]"
+		    "[[{po:username[@hostname] | hostname[:username]}] ...] "
 		    "filename");
     exit (ret);
 }
@@ -98,7 +98,7 @@ do_connect (const char *hostname, int port, int nodelay)
     struct addrinfo *ai, *a;
     struct addrinfo hints;
     int error;
-    int s;
+    int s = -1;
     char portstr[NI_MAXSERV];
 
     memset (&hints, 0, sizeof(hints));
@@ -157,9 +157,7 @@ write_state_init (struct write_state *w, int fd)
 #endif
     w->allociovecs = min(STEP, w->maxiovecs);
     w->niovecs = 0;
-    w->iovecs = malloc(w->allociovecs * sizeof(*w->iovecs));
-    if (w->iovecs == NULL)
-	err (1, "malloc");
+    w->iovecs = emalloc(w->allociovecs * sizeof(*w->iovecs));
     w->fd = fd;
 }
 
@@ -173,10 +171,8 @@ write_state_add (struct write_state *w, void *v, size_t len)
 	    w->niovecs = 0;					
 	} else {						
 	    w->allociovecs = min(w->allociovecs + STEP, w->maxiovecs);	
-	    w->iovecs = realloc (w->iovecs,				
-				 w->allociovecs * sizeof(*w->iovecs));	
-	    if (w->iovecs == NULL)					
-		errx (1, "realloc");				
+	    w->iovecs = erealloc (w->iovecs,				
+				  w->allociovecs * sizeof(*w->iovecs));	
 	}							
     }								
     w->iovecs[w->niovecs].iov_base = v;				
@@ -225,11 +221,32 @@ doit(int s,
     size_t from_line_length;
     time_t now;
     struct write_state write_state;
+    int numheaders = 1;
+    char **headers = NULL;
+    int i;
+    char *tmp = NULL;
 
     if (do_from) {
+	char *tmp2;
+
+	tmp2 = tmp = estrdup(header_str);
+
 	out_fd = -1;
 	if (verbose)
 	    fprintf (stderr, "%s@%s\n", user, host);
+	while (*tmp != '\0') {
+	    tmp = strchr(tmp, ',');
+	    if (tmp == NULL)
+		break;
+	    tmp++;
+	    numheaders++;
+	}
+
+	headers = emalloc(sizeof(char *) * (numheaders + 1));
+	for (i = 0; i < numheaders; i++) {
+	    headers[i] = strtok_r(tmp2, ",", &tmp2);
+	}
+	headers[numheaders] = NULL;
     } else {
 	out_fd = open(outfilename, O_WRONLY | O_APPEND | O_CREAT, 0666);
 	if (out_fd < 0)
@@ -258,6 +275,8 @@ doit(int s,
 
 	FD_ZERO(&readset);
 	FD_ZERO(&writeset);
+	if (s >= FD_SETSIZE)
+	    errx (1, "fd too large");
 	FD_SET(s,&readset);
 	if (((state == STAT || state == RETR || state == TOP)
 	     && asked_for < count)
@@ -294,12 +313,17 @@ doit(int s,
 		if (state == TOP) {
 		    char *copy = beg;
 
-		    if (strncasecmp(copy,
-				    header_str,
-				    min(p - copy + 1, strlen(header_str))) == 0) {
-			fprintf (stdout, "%.*s\n", (int)(p - copy), copy);
+		    for (i = 0; i < numheaders; i++) {
+			size_t len;
+
+			len = min(p - copy + 1, strlen(headers[i]));
+			if (strncasecmp(copy, headers[i], len) == 0) {
+			    fprintf (stdout, "%.*s\n", (int)(p - copy), copy);
+			}
 		    }
 		    if (beg[0] == '.' && beg[1] == '\r' && beg[2] == '\n') {
+			if (numheaders > 1)
+			    fprintf (stdout, "\n");
 			state = STAT;
 			if (++retrieved == count) {
 			    state = QUIT;
@@ -448,8 +472,12 @@ doit(int s,
     }
     if (verbose)
 	fprintf (stderr, "Done\n");
-    if (!do_from)
+    if (do_from) {
+	free (tmp);
+	free (headers);
+    } else {
 	write_state_destroy (&write_state);
+    }
     return 0;
 }
 
@@ -570,12 +598,8 @@ hesiod_get_pobox (const char **user)
 	if (strcasecmp(hpo->hesiod_po_type, "pop") != 0)
 	    errx (1, "Unsupported po type %s", hpo->hesiod_po_type);
 
-	ret = strdup(hpo->hesiod_po_host);
-	if(ret == NULL)
-	    errx (1, "strdup: out of memory");
-	*user = strdup(hpo->hesiod_po_name);
-	if (*user == NULL)
-	    errx (1, "strdup: out of memory");
+	ret = estrdup(hpo->hesiod_po_host);
+	*user = estrdup(hpo->hesiod_po_name);
 	hesiod_free_postoffice (context, hpo);
     }
     hesiod_end (context);
@@ -597,12 +621,8 @@ hesiod_get_pobox (const char **user)
 	if (strcasecmp(hpo->po_type, "pop") != 0)
 	    errx (1, "Unsupported po type %s", hpo->po_type);
 
-	ret = strdup(hpo->po_host);
-	if(ret == NULL)
-	    errx (1, "strdup: out of memory");
-	*user = strdup(hpo->po_name);
-	if (*user == NULL)
-	    errx (1, "strdup: out of memory");
+	ret = estrdup(hpo->po_host);
+	*user = estrdup(hpo->po_name);
     }
     return ret;
 }
@@ -642,9 +662,7 @@ parse_pobox (char *a0, const char **host, const char **user)
 
 	    if (pwd == NULL)
 		errx (1, "Who are you?");
-	    *user = strdup (pwd->pw_name);
-	    if (*user == NULL)
-		errx (1, "strdup: out of memory");
+	    *user = estrdup (pwd->pw_name);
 	}
 	*host = get_pobox (user);
 	return;
@@ -699,7 +717,13 @@ main(int argc, char **argv)
     set_progname (argv[0]);
 
 #ifdef KRB5
-    krb5_init_context (&context);
+    {
+	krb5_error_code ret;
+
+	ret = krb5_init_context (&context);
+	if (ret)
+	    errx (1, "krb5_init_context failed: %d", ret);
+    }
 #endif
 
     if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
diff --git a/crypto/heimdal/appl/rcp/ChangeLog b/crypto/heimdal/appl/rcp/ChangeLog
new file mode 100644
index 0000000..0685061
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/ChangeLog
@@ -0,0 +1,29 @@
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* util.c (roundup): add fallback definition
+
+	* rcp.c: remove non-STDC code
+	* rcp_locl.h: add sys/types.h and sys/wait.h
+
+	* rcp.c: no calls to err with NULL
+
+2001-01-28  Assar Westerlund  <assar@sics.se>
+
+	* rcp_locl.h: add
+
+	* Makefile.am (LDADD): remove unused libraries
+
+2001-01-27  Assar Westerlund  <assar@sics.se>
+
+	* util.c: replace vfork by fork
+
+	* rcp.c: add RCSID S_ISTXT -> S_ISVTX printf sizes of files with
+ 	%lu instead of %q (which is not portable)
+
+	* util.c: add RCSID do not use sig_t
+	* rcp.c: remove __P, use st_mtime et al from struct stat
+	* extern.h: remove __P
+
+	* initial import of port of bsd rcp changed to use existing rsh,
+	contributed by Richard Nyberg <rnyberg@it.su.se>
+
diff --git a/crypto/heimdal/appl/rcp/Makefile.am b/crypto/heimdal/appl/rcp/Makefile.am
new file mode 100644
index 0000000..4ecf7a6
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/Makefile.am
@@ -0,0 +1,11 @@
+# $Id: Makefile.am,v 1.2 2001/01/28 22:50:35 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+bin_PROGRAMS = rcp
+
+rcp_SOURCES  = rcp.c util.c
+
+LDADD = $(LIB_roken)
diff --git a/crypto/heimdal/appl/rcp/Makefile.in b/crypto/heimdal/appl/rcp/Makefile.in
new file mode 100644
index 0000000..f0ee151
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/Makefile.in
@@ -0,0 +1,559 @@
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
+
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.2 2001/01/28 22:50:35 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = rcp
+
+rcp_SOURCES = rcp.c util.c
+
+LDADD = $(LIB_roken)
+subdir = appl/rcp
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  rcp$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_rcp_OBJECTS =  rcp.$(OBJEXT) util.$(OBJEXT)
+rcp_OBJECTS =  $(am_rcp_OBJECTS)
+rcp_LDADD = $(LDADD)
+rcp_DEPENDENCIES = 
+rcp_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(rcp_SOURCES)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(rcp_SOURCES)
+OBJECTS = $(am_rcp_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/rcp/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+rcp$(EXEEXT): $(rcp_OBJECTS) $(rcp_DEPENDENCIES)
+	@rm -f rcp$(EXEEXT)
+	$(LINK) $(rcp_LDFLAGS) $(rcp_OBJECTS) $(rcp_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/rcp/extern.h b/crypto/heimdal/appl/rcp/extern.h
new file mode 100644
index 0000000..a98456d
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/extern.h
@@ -0,0 +1,51 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)extern.h	8.1 (Berkeley) 5/31/93
+ * $FreeBSD$
+ */
+
+typedef struct {
+	int cnt;
+	char *buf;
+} BUF;
+
+extern int iamremote;
+
+BUF	*allocbuf (BUF *, int, int);
+char	*colon (char *);
+void	 lostconn (int);
+void	 nospace (void);
+int	 okname (char *);
+void	 run_err (const char *, ...);
+int	 susystem (char *, int);
+void	 verifydir (char *);
diff --git a/crypto/heimdal/appl/rcp/rcp.c b/crypto/heimdal/appl/rcp/rcp.c
new file mode 100644
index 0000000..1c532ad
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/rcp.c
@@ -0,0 +1,807 @@
+/*
+ * Copyright (c) 1983, 1990, 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "rcp_locl.h"
+
+#define RSH_PROGRAM "rsh"
+#define	OPTIONS "5dfKpP:rtxz"
+
+struct  passwd *pwd;
+uid_t	userid;
+int     errs, remin, remout;
+int     pflag, iamremote, iamrecursive, targetshouldbedirectory;
+int     doencrypt, noencrypt;
+int     usebroken, usekrb5;
+char    *port;
+
+#define	CMDNEEDS	64
+char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
+
+int	 response (void);
+void	 rsource (char *, struct stat *);
+void	 sink (int, char *[]);
+void	 source (int, char *[]);
+void	 tolocal (int, char *[]);
+void	 toremote (char *, int, char *[]);
+void	 usage (void);
+
+int      do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout);
+
+int
+main(argc, argv)
+	int argc;
+	char *argv[];
+{
+	int ch, fflag, tflag;
+	char *targ;
+
+	fflag = tflag = 0;
+	while ((ch = getopt(argc, argv, OPTIONS)) != -1)
+		switch(ch) {			/* User-visible flags. */
+		case '5':
+			usekrb5 = 1;
+			break;
+		case 'K':
+			usebroken = 1;
+			break;
+		case 'P':
+			port = optarg;
+			break;			
+		case 'p':
+			pflag = 1;
+			break;
+		case 'r':
+			iamrecursive = 1;
+			break;
+		case 'x':
+			doencrypt = 1;
+			break;			
+		case 'z':
+			noencrypt = 1;
+			break;
+						/* Server options. */
+		case 'd':
+			targetshouldbedirectory = 1;
+			break;
+		case 'f':			/* "from" */
+			iamremote = 1;
+			fflag = 1;
+			break;
+		case 't':			/* "to" */
+			iamremote = 1;
+			tflag = 1;
+			break;
+		case '?':
+		default:
+			usage();
+		}
+	argc -= optind;
+	argv += optind;
+
+	if ((pwd = getpwuid(userid = getuid())) == NULL)
+		errx(1, "unknown user %d", (int)userid);
+
+	remin = STDIN_FILENO;		/* XXX */
+	remout = STDOUT_FILENO;
+
+	if (fflag) {			/* Follow "protocol", send data. */
+		(void)response();
+		(void)setuid(userid);
+		source(argc, argv);
+		exit(errs);
+	}
+
+	if (tflag) {			/* Receive data. */
+		(void)setuid(userid);
+		sink(argc, argv);
+		exit(errs);
+	}
+
+	if (argc < 2)
+		usage();
+	if (argc > 2)
+		targetshouldbedirectory = 1;
+
+	remin = remout = -1;
+	/* Command to be executed on remote system using "rsh". */
+	(void) sprintf(cmd, "rcp%s%s%s", iamrecursive ? " -r" : "", 
+		       pflag ? " -p" : "", targetshouldbedirectory ? " -d" : "");
+
+	(void)signal(SIGPIPE, lostconn);
+
+	if ((targ = colon(argv[argc - 1])))	/* Dest is remote host. */
+		toremote(targ, argc, argv);
+	else {
+		tolocal(argc, argv);		/* Dest is local host. */
+		if (targetshouldbedirectory)
+			verifydir(argv[argc - 1]);
+	}
+	exit(errs);
+}
+
+void
+toremote(targ, argc, argv)
+	char *targ, *argv[];
+	int argc;
+{
+	int i, len;
+	char *bp, *host, *src, *suser, *thost, *tuser;
+
+	*targ++ = 0;
+	if (*targ == 0)
+		targ = ".";
+
+	if ((thost = strchr(argv[argc - 1], '@'))) {
+		/* user@host */
+		*thost++ = 0;
+		tuser = argv[argc - 1];
+		if (*tuser == '\0')
+			tuser = NULL;
+		else if (!okname(tuser))
+			exit(1);
+	} else {
+		thost = argv[argc - 1];
+		tuser = NULL;
+	}
+
+	for (i = 0; i < argc - 1; i++) {
+		src = colon(argv[i]);
+		if (src) {			/* remote to remote */
+			*src++ = 0;
+			if (*src == 0)
+				src = ".";
+			host = strchr(argv[i], '@');
+			len = strlen(_PATH_RSH) + strlen(argv[i]) +
+			    strlen(src) + (tuser ? strlen(tuser) : 0) +
+			    strlen(thost) + strlen(targ) + CMDNEEDS + 20;
+			if (!(bp = malloc(len)))
+				err(1, "malloc");
+			if (host) {
+				*host++ = 0;
+				suser = argv[i];
+				if (*suser == '\0')
+					suser = pwd->pw_name;
+				else if (!okname(suser))
+					continue;
+				(void)snprintf(bp, len,
+				    "%s %s -l %s -n %s %s '%s%s%s:%s'",
+				    _PATH_RSH, host, suser, cmd, src,
+				    tuser ? tuser : "", tuser ? "@" : "",
+				    thost, targ);
+			} else
+				(void)snprintf(bp, len,
+				    "exec %s %s -n %s %s '%s%s%s:%s'",
+				    _PATH_RSH, argv[i], cmd, src,
+				    tuser ? tuser : "", tuser ? "@" : "",
+				    thost, targ);
+			(void)susystem(bp, userid);
+			(void)free(bp);
+		} else {			/* local to remote */
+			if (remin == -1) {
+				len = strlen(targ) + CMDNEEDS + 20;
+				if (!(bp = malloc(len)))
+					err(1, "malloc");
+				(void)snprintf(bp, len, "%s -t %s", cmd, targ);
+				host = thost;
+
+				if (do_cmd(host, tuser, bp, &remin, &remout) < 0)
+					exit(1);
+
+				if (response() < 0)
+					exit(1);
+				(void)free(bp);
+				(void)setuid(userid);
+			}
+			source(1, argv+i);
+		}
+	}
+}
+
+void
+tolocal(argc, argv)
+	int argc;
+	char *argv[];
+{
+	int i, len;
+	char *bp, *host, *src, *suser;
+
+	for (i = 0; i < argc - 1; i++) {
+		if (!(src = colon(argv[i]))) {		/* Local to local. */
+			len = strlen(_PATH_CP) + strlen(argv[i]) +
+			    strlen(argv[argc - 1]) + 20;
+			if (!(bp = malloc(len)))
+				err(1, "malloc");
+			(void)snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP,
+			    iamrecursive ? " -PR" : "", pflag ? " -p" : "",
+			    argv[i], argv[argc - 1]);
+			if (susystem(bp, userid))
+				++errs;
+			(void)free(bp);
+			continue;
+		}
+		*src++ = 0;
+		if (*src == 0)
+			src = ".";
+		if ((host = strchr(argv[i], '@')) == NULL) {
+			host = argv[i];
+			suser = pwd->pw_name;
+		} else {
+			*host++ = 0;
+			suser = argv[i];
+			if (*suser == '\0')
+				suser = pwd->pw_name;
+			else if (!okname(suser))
+				continue;
+		}
+		len = strlen(src) + CMDNEEDS + 20;
+		if ((bp = malloc(len)) == NULL)
+			err(1, "malloc");
+		(void)snprintf(bp, len, "%s -f %s", cmd, src);
+		if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
+			(void)free(bp);
+			++errs;
+			continue;
+		}
+		(void)free(bp);
+		sink(1, argv + argc - 1);
+		(void)seteuid(0);
+		(void)close(remin);
+		remin = remout = -1;
+	}
+}
+
+void
+source(argc, argv)
+	int argc;
+	char *argv[];
+{
+	struct stat stb;
+	static BUF buffer;
+	BUF *bp;
+	off_t i;
+	int amt, fd, haderr, indx, result;
+	char *last, *name, buf[BUFSIZ];
+
+	for (indx = 0; indx < argc; ++indx) {
+                name = argv[indx];
+		if ((fd = open(name, O_RDONLY, 0)) < 0)
+			goto syserr;
+		if (fstat(fd, &stb)) {
+syserr:			run_err("%s: %s", name, strerror(errno));
+			goto next;
+		}
+		switch (stb.st_mode & S_IFMT) {
+		case S_IFREG:
+			break;
+		case S_IFDIR:
+			if (iamrecursive) {
+				rsource(name, &stb);
+				goto next;
+			}
+			/* FALLTHROUGH */
+		default:
+			run_err("%s: not a regular file", name);
+			goto next;
+		}
+		if ((last = strrchr(name, '/')) == NULL)
+			last = name;
+		else
+			++last;
+		if (pflag) {
+			/*
+			 * Make it compatible with possible future
+			 * versions expecting microseconds.
+			 */
+			(void)snprintf(buf, sizeof(buf), "T%ld 0 %ld 0\n",
+			    (long)stb.st_mtime,
+			    (long)stb.st_atime);
+			(void)write(remout, buf, strlen(buf));
+			if (response() < 0)
+				goto next;
+		}
+#define	MODEMASK	(S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)
+		(void)snprintf(buf, sizeof(buf), "C%04o %lu %s\n",
+		    stb.st_mode & MODEMASK, (unsigned long)stb.st_size, last);
+		(void)write(remout, buf, strlen(buf));
+		if (response() < 0)
+			goto next;
+		if ((bp = allocbuf(&buffer, fd, BUFSIZ)) == NULL) {
+next:			(void)close(fd);
+			continue;
+		}
+
+		/* Keep writing after an error so that we stay sync'd up. */
+		for (haderr = i = 0; i < stb.st_size; i += bp->cnt) {
+			amt = bp->cnt;
+			if (i + amt > stb.st_size)
+				amt = stb.st_size - i;
+			if (!haderr) {
+				result = read(fd, bp->buf, amt);
+				if (result != amt)
+					haderr = result >= 0 ? EIO : errno;
+			}
+			if (haderr)
+				(void)write(remout, bp->buf, amt);
+			else {
+				result = write(remout, bp->buf, amt);
+				if (result != amt)
+					haderr = result >= 0 ? EIO : errno;
+			}
+		}
+		if (close(fd) && !haderr)
+			haderr = errno;
+		if (!haderr)
+			(void)write(remout, "", 1);
+		else
+			run_err("%s: %s", name, strerror(haderr));
+		(void)response();
+	}
+}
+
+void
+rsource(name, statp)
+	char *name;
+	struct stat *statp;
+{
+	DIR *dirp;
+	struct dirent *dp;
+	char *last, *vect[1], path[MAXPATHLEN];
+
+	if (!(dirp = opendir(name))) {
+		run_err("%s: %s", name, strerror(errno));
+		return;
+	}
+	last = strrchr(name, '/');
+	if (last == 0)
+		last = name;
+	else
+		last++;
+	if (pflag) {
+		(void)snprintf(path, sizeof(path), "T%ld 0 %ld 0\n",
+		    (long)statp->st_mtime,
+		    (long)statp->st_atime);
+		(void)write(remout, path, strlen(path));
+		if (response() < 0) {
+			closedir(dirp);
+			return;
+		}
+	}
+	(void)snprintf(path, sizeof(path),
+	    "D%04o %d %s\n", statp->st_mode & MODEMASK, 0, last);
+	(void)write(remout, path, strlen(path));
+	if (response() < 0) {
+		closedir(dirp);
+		return;
+	}
+	while ((dp = readdir(dirp))) {
+		if (dp->d_ino == 0)
+			continue;
+		if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+			continue;
+		if (strlen(name) + 1 + strlen(dp->d_name) >= MAXPATHLEN - 1) {
+			run_err("%s/%s: name too long", name, dp->d_name);
+			continue;
+		}
+		(void)snprintf(path, sizeof(path), "%s/%s", name, dp->d_name);
+		vect[0] = path;
+		source(1, vect);
+	}
+	(void)closedir(dirp);
+	(void)write(remout, "E\n", 2);
+	(void)response();
+}
+
+void
+sink(argc, argv)
+	int argc;
+	char *argv[];
+{
+	static BUF buffer;
+	struct stat stb;
+	struct timeval tv[2];
+	enum { YES, NO, DISPLAYED } wrerr;
+	BUF *bp;
+	off_t i, j, size;
+	int amt, count, exists, first, mask, mode, ofd, omode;
+	int setimes, targisdir, wrerrno = 0;
+	char ch, *cp, *np, *targ, *why, *vect[1], buf[BUFSIZ];
+
+#define	atime	tv[0]
+#define	mtime	tv[1]
+#define	SCREWUP(str)	{ why = str; goto screwup; }
+
+	setimes = targisdir = 0;
+	mask = umask(0);
+	if (!pflag)
+		(void)umask(mask);
+	if (argc != 1) {
+		run_err("ambiguous target");
+		exit(1);
+	}
+	targ = *argv;
+	if (targetshouldbedirectory)
+		verifydir(targ);
+	(void)write(remout, "", 1);
+	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+		targisdir = 1;
+	for (first = 1;; first = 0) {
+		cp = buf;
+		if (read(remin, cp, 1) <= 0)
+			return;
+		if (*cp++ == '\n')
+			SCREWUP("unexpected <newline>");
+		do {
+			if (read(remin, &ch, sizeof(ch)) != sizeof(ch))
+				SCREWUP("lost connection");
+			*cp++ = ch;
+		} while (cp < &buf[BUFSIZ - 1] && ch != '\n');
+		*cp = 0;
+
+		if (buf[0] == '\01' || buf[0] == '\02') {
+			if (iamremote == 0)
+				(void)write(STDERR_FILENO,
+				    buf + 1, strlen(buf + 1));
+			if (buf[0] == '\02')
+				exit(1);
+			++errs;
+			continue;
+		}
+		if (buf[0] == 'E') {
+			(void)write(remout, "", 1);
+			return;
+		}
+
+		if (ch == '\n')
+			*--cp = 0;
+
+		cp = buf;
+		if (*cp == 'T') {
+			setimes++;
+			cp++;
+			mtime.tv_sec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != ' ')
+				SCREWUP("mtime.sec not delimited");
+			mtime.tv_usec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != ' ')
+				SCREWUP("mtime.usec not delimited");
+			atime.tv_sec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != ' ')
+				SCREWUP("atime.sec not delimited");
+			atime.tv_usec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != '\0')
+				SCREWUP("atime.usec not delimited");
+			(void)write(remout, "", 1);
+			continue;
+		}
+		if (*cp != 'C' && *cp != 'D') {
+			/*
+			 * Check for the case "rcp remote:foo\* local:bar".
+			 * In this case, the line "No match." can be returned
+			 * by the shell before the rcp command on the remote is
+			 * executed so the ^Aerror_message convention isn't
+			 * followed.
+			 */
+			if (first) {
+				run_err("%s", cp);
+				exit(1);
+			}
+			SCREWUP("expected control record");
+		}
+		mode = 0;
+		for (++cp; cp < buf + 5; cp++) {
+			if (*cp < '0' || *cp > '7')
+				SCREWUP("bad mode");
+			mode = (mode << 3) | (*cp - '0');
+		}
+		if (*cp++ != ' ')
+			SCREWUP("mode not delimited");
+
+		for (size = 0; isdigit(*cp);)
+			size = size * 10 + (*cp++ - '0');
+		if (*cp++ != ' ')
+			SCREWUP("size not delimited");
+		if (targisdir) {
+			static char *namebuf;
+			static int cursize;
+			size_t need;
+
+			need = strlen(targ) + strlen(cp) + 250;
+			if (need > cursize) {
+				if (!(namebuf = malloc(need)))
+					run_err("%s", strerror(errno));
+			}
+			(void)snprintf(namebuf, need, "%s%s%s", targ,
+			    *targ ? "/" : "", cp);
+			np = namebuf;
+		} else
+			np = targ;
+		exists = stat(np, &stb) == 0;
+		if (buf[0] == 'D') {
+			int mod_flag = pflag;
+			if (exists) {
+				if (!S_ISDIR(stb.st_mode)) {
+					errno = ENOTDIR;
+					goto bad;
+				}
+				if (pflag)
+					(void)chmod(np, mode);
+			} else {
+				/* Handle copying from a read-only directory */
+				mod_flag = 1;
+				if (mkdir(np, mode | S_IRWXU) < 0)
+					goto bad;
+			}
+			vect[0] = np;
+			sink(1, vect);
+			if (setimes) {
+				setimes = 0;
+				if (utimes(np, tv) < 0)
+				    run_err("%s: set times: %s",
+					np, strerror(errno));
+			}
+			if (mod_flag)
+				(void)chmod(np, mode);
+			continue;
+		}
+		omode = mode;
+		mode |= S_IWRITE;
+		if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
+bad:			run_err("%s: %s", np, strerror(errno));
+			continue;
+		}
+		(void)write(remout, "", 1);
+		if ((bp = allocbuf(&buffer, ofd, BUFSIZ)) == NULL) {
+			(void)close(ofd);
+			continue;
+		}
+		cp = bp->buf;
+		wrerr = NO;
+		for (count = i = 0; i < size; i += BUFSIZ) {
+			amt = BUFSIZ;
+			if (i + amt > size)
+				amt = size - i;
+			count += amt;
+			do {
+				j = read(remin, cp, amt);
+				if (j <= 0) {
+					run_err("%s", j ? strerror(errno) :
+					    "dropped connection");
+					exit(1);
+				}
+				amt -= j;
+				cp += j;
+			} while (amt > 0);
+			if (count == bp->cnt) {
+				/* Keep reading so we stay sync'd up. */
+				if (wrerr == NO) {
+					j = write(ofd, bp->buf, count);
+					if (j != count) {
+						wrerr = YES;
+						wrerrno = j >= 0 ? EIO : errno;
+					}
+				}
+				count = 0;
+				cp = bp->buf;
+			}
+		}
+		if (count != 0 && wrerr == NO &&
+		    (j = write(ofd, bp->buf, count)) != count) {
+			wrerr = YES;
+			wrerrno = j >= 0 ? EIO : errno;
+		}
+		if (ftruncate(ofd, size)) {
+			run_err("%s: truncate: %s", np, strerror(errno));
+			wrerr = DISPLAYED;
+		}
+		if (pflag) {
+			if (exists || omode != mode)
+				if (fchmod(ofd, omode))
+					run_err("%s: set mode: %s",
+					    np, strerror(errno));
+		} else {
+			if (!exists && omode != mode)
+				if (fchmod(ofd, omode & ~mask))
+					run_err("%s: set mode: %s",
+					    np, strerror(errno));
+		}
+		(void)close(ofd);
+		(void)response();
+		if (setimes && wrerr == NO) {
+			setimes = 0;
+			if (utimes(np, tv) < 0) {
+				run_err("%s: set times: %s",
+				    np, strerror(errno));
+				wrerr = DISPLAYED;
+			}
+		}
+		switch(wrerr) {
+		case YES:
+			run_err("%s: %s", np, strerror(wrerrno));
+			break;
+		case NO:
+			(void)write(remout, "", 1);
+			break;
+		case DISPLAYED:
+			break;
+		}
+	}
+screwup:
+	run_err("protocol error: %s", why);
+	exit(1);
+}
+
+int
+response()
+{
+	char ch, *cp, resp, rbuf[BUFSIZ];
+
+	if (read(remin, &resp, sizeof(resp)) != sizeof(resp))
+		lostconn(0);
+
+	cp = rbuf;
+	switch(resp) {
+	case 0:				/* ok */
+		return (0);
+	default:
+		*cp++ = resp;
+		/* FALLTHROUGH */
+	case 1:				/* error, followed by error msg */
+	case 2:				/* fatal error, "" */
+		do {
+			if (read(remin, &ch, sizeof(ch)) != sizeof(ch))
+				lostconn(0);
+			*cp++ = ch;
+		} while (cp < &rbuf[BUFSIZ] && ch != '\n');
+
+		if (!iamremote)
+			(void)write(STDERR_FILENO, rbuf, cp - rbuf);
+		++errs;
+		if (resp == 1)
+			return (-1);
+		exit(1);
+	}
+	/* NOTREACHED */
+}
+
+void
+usage()
+{
+	(void)fprintf(stderr, "%s\n%s\n",
+		      "usage: rcp [-5FKpx] [-P port] f1 f2",
+		      "       rcp [-5FKprx] [-P port] f1 ... fn directory");
+	exit(1);
+}
+
+#include <stdarg.h>
+
+void
+run_err(const char *fmt, ...)
+{
+	static FILE *fp;
+	va_list ap;
+	va_start(ap, fmt);
+
+	++errs;
+	if (fp == NULL && !(fp = fdopen(remout, "w")))
+		return;
+	(void)fprintf(fp, "%c", 0x01);
+	(void)fprintf(fp, "rcp: ");
+	(void)vfprintf(fp, fmt, ap);
+	(void)fprintf(fp, "\n");
+	(void)fflush(fp);
+
+	if (!iamremote)
+		vwarnx(fmt, ap);
+
+	va_end(ap);
+}
+
+/*
+ * This function executes the given command as the specified user on the
+ * given host.  This returns < 0 if execution fails, and >= 0 otherwise. This
+ * assigns the input and output file descriptors on success.
+ *
+ * If it cannot create necessary pipes it exits with error message.
+ */
+
+int 
+do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout)
+{
+	int pin[2], pout[2], reserved[2];
+
+	/*
+	 * Reserve two descriptors so that the real pipes won't get
+	 * descriptors 0 and 1 because that will screw up dup2 below.
+	 */
+	pipe(reserved);
+
+	/* Create a socket pair for communicating with rsh. */
+	if (pipe(pin) < 0) {
+		perror("pipe");
+		exit(255);
+	}
+	if (pipe(pout) < 0) {
+		perror("pipe");
+		exit(255);
+	}
+
+	/* Free the reserved descriptors. */
+	close(reserved[0]);
+	close(reserved[1]);
+
+	/* For a child to execute the command on the remote host using rsh. */
+	if (fork() == 0) {
+		char *args[100];
+		unsigned int i;
+
+		/* Child. */
+		close(pin[1]);
+		close(pout[0]);
+		dup2(pin[0], 0);
+		dup2(pout[1], 1);
+		close(pin[0]);
+		close(pout[1]);
+
+		i = 0;
+		args[i++] = RSH_PROGRAM;
+		if (usekrb5)
+			args[i++] = "-5";
+		if (usebroken)
+			args[i++] = "-K";
+		if (doencrypt)
+			args[i++] = "-x";
+		if (noencrypt)
+			args[i++] = "-z";
+		if (port != NULL) {
+			args[i++] = "-p";
+			args[i++] = port;
+		}
+		if (remuser != NULL) {
+			args[i++] = "-l";
+			args[i++] = remuser;
+		}
+		args[i++] = host;
+		args[i++] = cmd;
+		args[i++] = NULL;
+
+		execvp(RSH_PROGRAM, args);
+		perror(RSH_PROGRAM);
+		exit(1);
+	}
+	/* Parent.  Close the other side, and return the local side. */
+	close(pin[0]);
+	*fdout = pin[1];
+	close(pout[1]);
+	*fdin = pout[0];
+	return 0;
+}
diff --git a/crypto/heimdal/appl/rcp/rcp_locl.h b/crypto/heimdal/appl/rcp/rcp_locl.h
new file mode 100644
index 0000000..4397c9f
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/rcp_locl.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: rcp_locl.h,v 1.3 2001/01/29 05:59:24 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+
+#include <ctype.h>
+#include <dirent.h>
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <roken.h>
+
+#include "extern.h"
+
+#define	_PATH_CP	"/bin/cp"
+#define	_PATH_RSH	"/usr/bin/rsh"
diff --git a/crypto/heimdal/appl/rcp/util.c b/crypto/heimdal/appl/rcp/util.c
new file mode 100644
index 0000000..9d0f6d5
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/util.c
@@ -0,0 +1,165 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if 0
+#ifndef lint
+#if 0
+static char sccsid[] = "@(#)util.c	8.2 (Berkeley) 4/2/94";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+#endif
+
+#include "rcp_locl.h"
+
+RCSID("$Id: util.c,v 1.5 2001/01/29 23:36:37 assar Exp $");
+
+char *
+colon(cp)
+	char *cp;
+{
+	if (*cp == ':')		/* Leading colon is part of file name. */
+		return (0);
+
+	for (; *cp; ++cp) {
+		if (*cp == ':')
+			return (cp);
+		if (*cp == '/')
+			return (0);
+	}
+	return (0);
+}
+
+void
+verifydir(cp)
+	char *cp;
+{
+	struct stat stb;
+
+	if (!stat(cp, &stb)) {
+		if (S_ISDIR(stb.st_mode))
+			return;
+		errno = ENOTDIR;
+	}
+	run_err("%s: %s", cp, strerror(errno));
+	exit(1);
+}
+
+int
+okname(cp0)
+	char *cp0;
+{
+	int c;
+	char *cp;
+
+	cp = cp0;
+	do {
+		c = *cp;
+		if (c & 0200)
+			goto bad;
+		if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-')
+			goto bad;
+	} while (*++cp);
+	return (1);
+
+bad:	warnx("%s: invalid user name", cp0);
+	return (0);
+}
+
+int
+susystem(s, userid)
+	int userid;
+	char *s;
+{
+	void (*istat)(int), (*qstat)(int);
+	int status;
+	pid_t pid;
+
+	pid = fork();
+	switch (pid) {
+	case -1:
+		return (127);
+
+	case 0:
+		(void)setuid(userid);
+		execl(_PATH_BSHELL, "sh", "-c", s, NULL);
+		_exit(127);
+	}
+	istat = signal(SIGINT, SIG_IGN);
+	qstat = signal(SIGQUIT, SIG_IGN);
+	if (waitpid(pid, &status, 0) < 0)
+		status = -1;
+	(void)signal(SIGINT, istat);
+	(void)signal(SIGQUIT, qstat);
+	return (status);
+}
+
+#ifndef roundup
+#define	roundup(x, y)	((((x)+((y)-1))/(y))*(y))
+#endif
+
+BUF *
+allocbuf(bp, fd, blksize)
+	BUF *bp;
+	int fd, blksize;
+{
+	struct stat stb;
+	size_t size;
+
+	if (fstat(fd, &stb) < 0) {
+		run_err("fstat: %s", strerror(errno));
+		return (0);
+	}
+	size = roundup(stb.st_blksize, blksize);
+	if (size == 0)
+		size = blksize;
+	if (bp->cnt >= size)
+		return (bp);
+	if ((bp->buf = realloc(bp->buf, size)) == NULL) {
+		bp->cnt = 0;
+		run_err("%s", strerror(errno));
+		return (0);
+	}
+	bp->cnt = size;
+	return (bp);
+}
+
+void
+lostconn(signo)
+	int signo;
+{
+	if (!iamremote)
+		warnx("lost connection");
+	exit(1);
+}
diff --git a/crypto/heimdal/appl/rsh/ChangeLog b/crypto/heimdal/appl/rsh/ChangeLog
index 869bc88..4a40ac7 100644
--- a/crypto/heimdal/appl/rsh/ChangeLog
+++ b/crypto/heimdal/appl/rsh/ChangeLog
@@ -1,3 +1,72 @@
+2001-01-09  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (save_krb5_creds): use krb5_rd_cred2 instead of
+	krb5_rd_cred
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (main): handle krb5_init_context failure consistently
+	* rsh.c (main): handle krb5_init_context failure consistently
+
+2000-12-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rshd.c: require encryption if passed -x
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (loop): check that the fd's aren't too large to select on
+	* rsh.c (loop, proto): check that the fd's aren't too large to
+	select on
+
+2000-08-10  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: move code to do config/command parsing correctly.
+
+2000-08-09  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): only fetch stuff from krb5.conf when no option has
+	been given
+
+2000-08-01  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (doit): loop until we create an error socket of an
+	supported socket family
+
+2000-07-02  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c: DCE stuff from Ake Sandgren <ake@cs.umu.se>
+	do not call syslog with a variable as format string
+
+	* rsh_locl.h (_PATH_ETC_ENVIRONMENT): add
+
+2000-06-09  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): work-around for setuid and capabilities bug fixed
+	in Linux 2.2.16
+
+2000-06-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rsh.c: nuke long option from -z
+	
+	* rsh.c: don't try to encrypt if auth is broken (Daniel Kouril)
+	
+2000-06-03  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (doit): check return value of getspnam.  From
+	<haba@pdc.kth.se>
+
+2000-05-23  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (proto): select on the normal socket when waiting for the
+	daemon to connect back to the stderr port, so that we discover
+	when data arrives there before.  when that happens, we assume that
+	the daemon did not manage to connect (because of NAT/whatever) and
+	continue as if `-e' was given
+	* rshd.c (doit): if we fail to connect back to the stderr port,
+	act as if `-e' was given on the client side, i.e. without the
+	special TCP-connection.  This tries to make things better when
+	running the head against a NAT wall, for example.
+
 2000-02-07  Assar Westerlund  <assar@sics.se>
 
 	* Makefile.am (LDADD): make sure we use the heimdal libdes
diff --git a/crypto/heimdal/appl/rsh/Makefile.am b/crypto/heimdal/appl/rsh/Makefile.am
index c005b9e..3c340ad 100644
--- a/crypto/heimdal/appl/rsh/Makefile.am
+++ b/crypto/heimdal/appl/rsh/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.14 2000/02/07 03:13:00 assar Exp $
+# $Id: Makefile.am,v 1.15 2000/11/15 22:51:10 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -14,7 +14,6 @@ rshd_SOURCES = rshd.c common.c rsh_locl.h
 
 LDADD = $(LIB_kafs) \
 	$(LIB_krb5) \
-	$(top_builddir)/lib/des/libdes.la \
 	$(LIB_krb4) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(LIB_roken)
diff --git a/crypto/heimdal/appl/rsh/Makefile.in b/crypto/heimdal/appl/rsh/Makefile.in
index 75c989d..0ba1b86 100644
--- a/crypto/heimdal/appl/rsh/Makefile.in
+++ b/crypto/heimdal/appl/rsh/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.14 2000/02/07 03:13:00 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.15 2000/11/15 22:51:10 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,24 +170,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
@@ -181,8 +195,13 @@ rsh_SOURCES = rsh.c common.c rsh_locl.h
 
 rshd_SOURCES = rshd.c common.c rsh_locl.h
 
-LDADD = $(LIB_kafs) 	$(LIB_krb5) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken)
+LDADD = $(LIB_kafs) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken)
 
+subdir = appl/rsh
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -194,71 +213,57 @@ PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-rsh_OBJECTS =  rsh.$(OBJEXT) common.$(OBJEXT)
+am_rsh_OBJECTS =  rsh.$(OBJEXT) common.$(OBJEXT)
+rsh_OBJECTS =  $(am_rsh_OBJECTS)
 rsh_LDADD = $(LDADD)
-@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
-@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
-@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES = 
 @KRB4_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
 @KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
-@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
-@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
 @KRB4_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
 @KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
 @KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
 rsh_LDFLAGS = 
-rshd_OBJECTS =  rshd.$(OBJEXT) common.$(OBJEXT)
+am_rshd_OBJECTS =  rshd.$(OBJEXT) common.$(OBJEXT)
+rshd_OBJECTS =  $(am_rshd_OBJECTS)
 rshd_LDADD = $(LDADD)
-@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
-@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
-@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES = 
 @KRB4_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
 @KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
-@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
-@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
 @KRB4_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
 @KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
 @KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
 rshd_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(rsh_SOURCES) $(rshd_SOURCES)
+depcomp = 
 DIST_COMMON =  ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(rsh_SOURCES) $(rshd_SOURCES)
-OBJECTS = $(rsh_OBJECTS) $(rshd_OBJECTS)
+OBJECTS = $(am_rsh_OBJECTS) $(am_rshd_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/rsh/Makefile
 
@@ -281,15 +286,18 @@ install-binPROGRAMS: $(bin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(bindir)
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-binPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
 	done
 
 mostlyclean-libexecPROGRAMS:
@@ -306,31 +314,20 @@ install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-libexecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -342,15 +339,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -368,26 +356,36 @@ rsh$(EXEEXT): $(rsh_OBJECTS) $(rsh_DEPENDENCIES)
 rshd$(EXEEXT): $(rshd_OBJECTS) $(rshd_DEPENDENCIES)
 	@rm -f rshd$(EXEEXT)
 	$(LINK) $(rshd_LDFLAGS) $(rshd_OBJECTS) $(rshd_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -400,17 +398,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/rsh
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -439,7 +436,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir)
 
@@ -453,6 +450,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
 		mostlyclean-compile mostlyclean-libtool \
 		mostlyclean-tags mostlyclean-generic
@@ -493,8 +491,9 @@ clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
 check-local check check-am installcheck-am installcheck install-exec-am \
 install-exec install-data-local install-data-am install-data install-am \
 install uninstall-am uninstall all-local all-redirect all-am all \
-installdirs mostlyclean-generic distclean-generic clean-generic \
-maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
 
 
 install-suid-programs:
@@ -502,7 +501,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -514,8 +516,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -584,87 +586,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/rsh/rsh.c b/crypto/heimdal/appl/rsh/rsh.c
index 5033c4f..7b97f58 100644
--- a/crypto/heimdal/appl/rsh/rsh.c
+++ b/crypto/heimdal/appl/rsh/rsh.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,12 +32,12 @@
  */
 
 #include "rsh_locl.h"
-RCSID("$Id: rsh.c,v 1.47 2000/02/06 05:58:55 assar Exp $");
+RCSID("$Id: rsh.c,v 1.57 2000/12/31 07:36:54 assar Exp $");
 
 enum auth_method auth_method;
-int do_encrypt;
-int do_forward;
-int do_forwardable;
+int do_encrypt       = -1;
+int do_forward       = -1;
+int do_forwardable   = -1;
 int do_unique_tkfile = 0;
 char *unique_tkfile  = NULL;
 char tkfile[MAXPATHLEN];
@@ -62,6 +62,9 @@ loop (int s, int errsock)
     fd_set real_readset;
     int count = 1;
 
+    if (s >= FD_SETSIZE || errsock >= FD_SETSIZE)
+	errx (1, "fd too large");
+    
     FD_ZERO(&real_readset);
     FD_SET(s, &real_readset);
     if (errsock != -1) {
@@ -404,7 +407,7 @@ proto (int s, int errsock,
     struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
     struct sockaddr_storage erraddr_ss;
     struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
-    int addrlen;
+    socklen_t addrlen;
     int ret;
 
     addrlen = sizeof(thisaddr_ss);
@@ -441,14 +444,48 @@ proto (int s, int errsock,
 	    return 1;
 	}
 
-	errsock2 = accept (errsock, NULL, NULL);
-	if (errsock2 < 0) {
-	    warn ("accept");
-	    close (errsock);
-	    return 1;
-	}
-	close (errsock);
 
+	for (;;) {
+	    fd_set fdset;
+
+	    if (errsock >= FD_SETSIZE || s >= FD_SETSIZE)
+		errx (1, "fd too large");
+
+	    FD_ZERO(&fdset);
+	    FD_SET(errsock, &fdset);
+	    FD_SET(s, &fdset);
+
+	    ret = select (max(errsock, s) + 1, &fdset, NULL, NULL, NULL);
+	    if (ret < 0) {
+		if (errno == EINTR)
+		    continue;
+		warn ("select");
+		close (errsock);
+		return 1;
+	    }
+	    if (FD_ISSET(errsock, &fdset)) {
+		errsock2 = accept (errsock, NULL, NULL);
+		close (errsock);
+		if (errsock2 < 0) {
+		    warn ("accept");
+		    return 1;
+		}
+		break;
+	    }
+
+	    /*
+	     * there should not arrive any data on this fd so if it's
+	     * readable it probably indicates that the other side when
+	     * away.
+	     */
+
+	    if (FD_ISSET(s, &fdset)) {
+		warnx ("socket closed");
+		close (errsock);
+		errsock2 = -1;
+		break;
+	    }
+	}
     } else {
 	if (net_write (s, "0", 2) != 2) {
 	    warn ("write");
@@ -490,8 +527,7 @@ proto (int s, int errsock,
 
 /*
  * Return in `res' a copy of the concatenation of `argc, argv' into
- * malloced space.
- */
+ * malloced space.  */
 
 static size_t
 construct_command (char **res, int argc, char **argv)
@@ -673,7 +709,7 @@ doit (const char *hostname,
 	    continue;
 	}
 	if (do_errsock) {
-	    struct addrinfo *ea;
+	    struct addrinfo *ea, *eai;
 	    struct addrinfo hints;
 
 	    memset (&hints, 0, sizeof(hints));
@@ -682,15 +718,23 @@ doit (const char *hostname,
 	    hints.ai_family   = a->ai_family;
 	    hints.ai_flags    = AI_PASSIVE;
 
-	    error = getaddrinfo (NULL, "0", &hints, &ea);
+	    errsock = -1;
+
+	    error = getaddrinfo (NULL, "0", &hints, &eai);
 	    if (error)
 		errx (1, "getaddrinfo: %s", gai_strerror(error));
-	    errsock = socket (ea->ai_family, ea->ai_socktype, ea->ai_protocol);
+	    for (ea = eai; ea != NULL; ea = ea->ai_next) {
+		errsock = socket (ea->ai_family, ea->ai_socktype,
+				  ea->ai_protocol);
+		if (errsock < 0)
+		    continue;
+		if (bind (errsock, ea->ai_addr, ea->ai_addrlen) < 0)
+		    err (1, "bind");
+		break;
+	    }
 	    if (errsock < 0)
 		err (1, "socket");
-	    if (bind (errsock, ea->ai_addr, ea->ai_addrlen) < 0)
-		err (1, "bind");
-	    freeaddrinfo (ea);
+	    freeaddrinfo (eai);
 	} else
 	    errsock = -1;
     
@@ -732,7 +776,7 @@ struct getargs args[] = {
       NULL },
     { "encrypt", 'x', arg_flag,		&do_encrypt,	"Encrypt connection",
       NULL },
-    { "encrypt", 'z', arg_negative_flag,      &do_encrypt,
+    { NULL, 	'z', arg_negative_flag,      &do_encrypt,
       "Don't encrypt connection", NULL },
     { "forward", 'f', arg_flag,		&do_forward,	"Forward credentials",
       NULL },
@@ -782,12 +826,15 @@ main(int argc, char **argv)
     const char *local_user;
     char *host = NULL;
     int host_index = -1;
-    int status; 
+    int status;
+    uid_t uid;
 
     priv_port1 = priv_port2 = IPPORT_RESERVED-1;
     priv_socket1 = rresvport(&priv_port1);
     priv_socket2 = rresvport(&priv_port2);
-    setuid(getuid());
+    uid = getuid ();
+    if (setuid (uid) || (uid != 0 && setuid(0) == 0))
+	err (1, "setuid");
     
     set_progname (argv[0]);
 
@@ -798,27 +845,32 @@ main(int argc, char **argv)
     
     status = krb5_init_context (&context);
     if (status)
-        errx(1, "krb5_init_context failed: %u", status);
+        errx(1, "krb5_init_context failed: %d", status);
       
-    do_forwardable = krb5_config_get_bool (context, NULL,
-					   "libdefaults",
-					   "forwardable",
-					   NULL);
-	
-    do_forward = krb5_config_get_bool (context, NULL,
-				       "libdefaults",
-				       "forward",
-				       NULL);
-
-    do_encrypt = krb5_config_get_bool (context, NULL,
-				       "libdefaults",
-				       "encrypt",
-				       NULL);
-
     if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
 		&optind))
 	usage (1);
 
+    if (do_forwardable == -1)
+	do_forwardable = krb5_config_get_bool (context, NULL,
+					       "libdefaults",
+					       "forwardable",
+					       NULL);
+	
+    if (do_forward == -1)
+	do_forward = krb5_config_get_bool (context, NULL,
+					   "libdefaults",
+					   "forward",
+					   NULL);
+    else if (do_forward == 0)
+	do_forwardable = 0;
+
+    if (do_encrypt == -1)
+	do_encrypt = krb5_config_get_bool (context, NULL,
+					   "libdefaults",
+					   "encrypt",
+					   NULL);
+
     if (do_forwardable)
 	do_forward = 1;
 
@@ -939,6 +991,8 @@ main(int argc, char **argv)
 	else
 	    tmp_port = krb5_getportbyname(context, "shell", "tcp", 514);
 	auth_method = AUTH_BROKEN;
+	if (do_encrypt)
+	    errx (1, "encryption not supported with priv port authentication");
 	ret = doit_broken (argc, argv, host_index, host,
 			   user, local_user,
 			   tmp_port,
diff --git a/crypto/heimdal/appl/rsh/rsh_locl.h b/crypto/heimdal/appl/rsh/rsh_locl.h
index 7eb1f68..3418abc 100644
--- a/crypto/heimdal/appl/rsh/rsh_locl.h
+++ b/crypto/heimdal/appl/rsh/rsh_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: rsh_locl.h,v 1.23 2000/02/06 05:58:55 assar Exp $ */
+/* $Id: rsh_locl.h,v 1.24 2000/07/02 15:48:46 assar Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -112,6 +112,10 @@
 #define _PATH_DEFPATH	"/usr/bin:/bin"
 #endif
 
+#ifndef _PATH_ETC_ENVIRONMENT
+#define _PATH_ETC_ENVIRONMENT "/etc/environment"
+#endif
+
 /*
  *
  */
diff --git a/crypto/heimdal/appl/rsh/rshd.c b/crypto/heimdal/appl/rsh/rshd.c
index 9bbdf11..cd7eb7b 100644
--- a/crypto/heimdal/appl/rsh/rshd.c
+++ b/crypto/heimdal/appl/rsh/rshd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "rsh_locl.h"
-RCSID("$Id: rshd.c,v 1.30 2000/02/06 05:58:56 assar Exp $");
+RCSID("$Id: rshd.c,v 1.39 2001/01/09 18:44:29 assar Exp $");
 
 enum auth_method auth_method;
 
@@ -63,6 +63,13 @@ static int do_newpag = 1;
 static int do_version;
 static int do_help = 0;
 
+#if defined(DCE)
+int dfsk5ok = 0;
+int dfspag = 0;
+int dfsfwd = 0;
+krb5_ticket *user_ticket;
+#endif
+
 static void
 syslog_and_die (const char *m, ...)
 {
@@ -215,7 +222,7 @@ save_krb5_creds (int s,
     }
   
     krb5_cc_initialize(context,ccache,client);
-    ret = krb5_rd_cred(context, auth_context, ccache,&remote_cred);
+    ret = krb5_rd_cred2(context, auth_context, ccache, &remote_cred);
     krb5_data_free (&remote_cred);
     if (ret)
 	return 0;
@@ -356,6 +363,8 @@ recv_krb5_auth (int s, u_char *buf,
 	do_encrypt = 1;
 	memmove (cmd, cmd + 3, strlen(cmd) - 2);
     } else {
+	if(do_encrypt)
+	    fatal (s, "Encryption required");
 	do_encrypt = 0;
     }
 
@@ -381,6 +390,10 @@ recv_krb5_auth (int s, u_char *buf,
 	}
     }	   
 
+#if defined(DCE)
+    user_ticket = ticket;
+#endif
+
     return 0;
 }
 
@@ -393,6 +406,9 @@ loop (int from0, int to0,
     int max_fd;
     int count = 2;
 
+    if(from0 >= FD_SETSIZE || from1 >= FD_SETSIZE || from2 >= FD_SETSIZE)
+	errx (1, "fd too large");
+
     FD_ZERO(&real_readset);
     FD_SET(from0, &real_readset);
     FD_SET(from1, &real_readset);
@@ -521,17 +537,42 @@ is_reserved(u_short port)
  */
 
 static void
-setup_environment (char *env[7], struct passwd *pwd)
+setup_environment (char ***env, const struct passwd *pwd)
 {
-    asprintf (&env[0], "USER=%s",  pwd->pw_name);
-    asprintf (&env[1], "HOME=%s",  pwd->pw_dir);
-    asprintf (&env[2], "SHELL=%s", pwd->pw_shell);
-    asprintf (&env[3], "PATH=%s",  _PATH_DEFPATH);
-    asprintf (&env[4], "SSH_CLIENT=only_to_make_bash_happy");
+    int i, j, path;
+    char **e;
+
+    i = 0;
+    path = 0;
+    *env = NULL;
+
+    i = read_environment(_PATH_ETC_ENVIRONMENT, env);
+    e = *env;
+    for (j = 0; j < i; j++) {
+	if (!strncmp(e[j], "PATH=", 5)) {
+	    path = 1;
+	}
+    }
+
+    e = *env;
+    e = realloc(e, (i + 7) * sizeof(char *));
+
+    asprintf (&e[i++], "USER=%s",  pwd->pw_name);
+    asprintf (&e[i++], "HOME=%s",  pwd->pw_dir);
+    asprintf (&e[i++], "SHELL=%s", pwd->pw_shell);
+    if (! path) {
+	asprintf (&e[i++], "PATH=%s",  _PATH_DEFPATH);
+    }
+    asprintf (&e[i++], "SSH_CLIENT=only_to_make_bash_happy");
+#if defined(DCE)
+    if (getenv("KRB5CCNAME"))
+	asprintf (&e[i++], "KRB5CCNAME=%s",  getenv("KRB5CCNAME"));
+#else
     if (do_unique_tkfile)
-       asprintf (&env[5], "KRB5CCNAME=%s", tkfile);
-       else env[5] = NULL;
-    env[6] = NULL;
+	asprintf (&e[i++], "KRB5CCNAME=%s", tkfile);
+#endif
+    e[i++] = NULL;
+    *env = e;
 }
 
 static void
@@ -545,14 +586,14 @@ doit (int do_kerberos, int check_rhosts)
     struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
     struct sockaddr_storage erraddr_ss;
     struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
-    int addrlen;
+    socklen_t addrlen;
     int port;
     int errsock = -1;
     char client_user[COMMAND_SZ], server_user[USERNAME_SZ];
     char cmd[COMMAND_SZ];
     struct passwd *pwd;
     int s = STDIN_FILENO;
-    char *env[7];
+    char **env;
 
     addrlen = sizeof(thisaddr_ss);
     if (getsockname (s, thisaddr, &addrlen) < 0)
@@ -606,8 +647,10 @@ doit (int do_kerberos, int check_rhosts)
 	    syslog_and_die ("socket: %m");
 	if (connect (errsock,
 		     erraddr,
-		     socket_sockaddr_size (erraddr)) < 0)
-	    syslog_and_die ("connect: %m");
+		     socket_sockaddr_size (erraddr)) < 0) {
+	    syslog (LOG_WARNING, "connect: %m");
+	    close (errsock);
+	}
     }
     
     if(do_kerberos) {
@@ -646,6 +689,10 @@ doit (int do_kerberos, int check_rhosts)
 	    syslog_and_die("recv_bsd_auth failed");
     }
 
+#if defined(DCE) && defined(AIX)
+    esetenv("AUTHSTATE", "DCE", 1);
+#endif
+
     pwd = getpwnam (server_user);
     if (pwd == NULL)
 	fatal (s, "Login incorrect.");
@@ -662,30 +709,15 @@ doit (int do_kerberos, int check_rhosts)
 	long    today;
     
 	sp = getspnam(server_user);
-	today = time(0)/(24L * 60 * 60);
-	if (sp->sp_expire > 0) 
-	    if (today > sp->sp_expire) 
-		fatal(s, "Account has expired.");
+	if (sp != NULL) {
+	    today = time(0)/(24L * 60 * 60);
+	    if (sp->sp_expire > 0) 
+		if (today > sp->sp_expire) 
+		    fatal(s, "Account has expired.");
+	}
     }
 #endif
     
-#ifdef HAVE_SETLOGIN
-    if (setlogin(pwd->pw_name) < 0)
-	syslog(LOG_ERR, "setlogin() failed: %m");
-#endif
-
-#ifdef HAVE_SETPCRED
-    if (setpcred (pwd->pw_name, NULL) == -1)
-	syslog(LOG_ERR, "setpcred() failure: %m");
-#endif /* HAVE_SETPCRED */
-    if (initgroups (pwd->pw_name, pwd->pw_gid) < 0)
-	fatal (s, "Login incorrect.");
-
-    if (setgid(pwd->pw_gid) < 0)
-	fatal (s, "Login incorrect.");
-
-    if (setuid (pwd->pw_uid) < 0)
-	fatal (s, "Login incorrect.");
 
 #ifdef KRB5
     {
@@ -703,8 +735,36 @@ doit (int do_kerberos, int check_rhosts)
 	if (kerberos_status)
 	    krb5_start_session();
     }
+    chown(tkfile + 5, pwd->pw_uid, -1);
+
+#if defined(DCE)
+    if (kerberos_status) {
+	esetenv("KRB5CCNAME", tkfile, 1);
+	dfspag = krb5_dfs_pag(context, kerberos_status, user_ticket->client, server_user);
+    }
+#endif
+
 #endif
 
+#ifdef HAVE_SETLOGIN
+    if (setlogin(pwd->pw_name) < 0)
+	syslog(LOG_ERR, "setlogin() failed: %m");
+#endif
+
+#ifdef HAVE_SETPCRED
+    if (setpcred (pwd->pw_name, NULL) == -1)
+	syslog(LOG_ERR, "setpcred() failure: %m");
+#endif /* HAVE_SETPCRED */
+
+    if (initgroups (pwd->pw_name, pwd->pw_gid) < 0)
+	fatal (s, "Login incorrect.");
+
+    if (setgid(pwd->pw_gid) < 0)
+	fatal (s, "Login incorrect.");
+
+    if (setuid (pwd->pw_uid) < 0)
+	fatal (s, "Login incorrect.");
+
     if (chdir (pwd->pw_dir) < 0)
 	fatal (s, "Remote directory.");
 
@@ -714,7 +774,7 @@ doit (int do_kerberos, int check_rhosts)
 	close (errsock);
     }
 
-    setup_environment (env, pwd);
+    setup_environment (&env, pwd);
 
     if (do_encrypt) {
 	setup_copier ();
@@ -736,7 +796,7 @@ doit (int do_kerberos, int check_rhosts)
 
 #ifdef KRB5
 	/* XXX */
-       {
+       if (kerberos_status) {
 	   krb5_ccache ccache;
 	   krb5_error_code status;
 
@@ -811,7 +871,13 @@ main(int argc, char **argv)
     }
 
 #ifdef KRB5
-    krb5_init_context (&context);
+    {
+	krb5_error_code ret;
+
+	ret = krb5_init_context (&context);
+	if (ret)
+	    errx (1, "krb5_init_context failed: %d", ret);
+    }	
 #endif
 
     if(port_str) {
diff --git a/crypto/heimdal/appl/su/ChangeLog b/crypto/heimdal/appl/su/ChangeLog
index 030808d..3eadf65 100644
--- a/crypto/heimdal/appl/su/ChangeLog
+++ b/crypto/heimdal/appl/su/ChangeLog
@@ -1,3 +1,28 @@
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* su.c (krb5_verify): handle krb5_init_context failure
+	consistently
+
+2000-08-28  Johan Danielsson  <joda@pdc.kth.se>
+
+	* su.c: set KRBTKFILE
+
+2000-07-10  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: actually install su
+	* su.c (krb5_verify): try harder freeing.  do not get upset on
+	interrupted password read
+
+2000-06-09  Assar Westerlund  <assar@sics.se>
+
+	* su.c (main): work-around for setuid and capabilities bug fixed
+	in Linux 2.2.16
+
+2000-06-03  Assar Westerlund  <assar@sics.se>
+
+	* su.c (main): just ignore shadow information if getspnam returns
+	NULL
+
 1999-10-20  Assar Westerlund  <assar@sics.se>
 
 	* Makefile.am: use LIB_roken
diff --git a/crypto/heimdal/appl/su/Makefile.am b/crypto/heimdal/appl/su/Makefile.am
index b0fe379..aeb684f 100644
--- a/crypto/heimdal/appl/su/Makefile.am
+++ b/crypto/heimdal/appl/su/Makefile.am
@@ -1,16 +1,16 @@
-# $Id: Makefile.am,v 1.3 1999/10/19 23:00:37 assar Exp $
+# $Id: Makefile.am,v 1.6 2000/11/15 22:51:10 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
 INCLUDES += $(INCLUDE_krb4)
 
-noinst_PROGRAMS = su
-#bin_SUIDS = su
+bin_PROGRAMS = su
+bin_SUIDS = su
 su_SOURCES = su.c
 
 LDADD = $(LIB_kafs) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_krb4) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
diff --git a/crypto/heimdal/appl/su/Makefile.in b/crypto/heimdal/appl/su/Makefile.in
index 72b8198..93033f0 100644
--- a/crypto/heimdal/appl/su/Makefile.in
+++ b/crypto/heimdal/appl/su/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.3 1999/10/19 23:00:37 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.6 2000/11/15 22:51:10 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,76 +170,77 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
-noinst_PROGRAMS = su
-#bin_SUIDS = su
+bin_PROGRAMS = su
+bin_SUIDS = su
 su_SOURCES = su.c
 
-LDADD = $(LIB_kafs) 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+LDADD = $(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
 
+subdir = appl/su
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
-noinst_PROGRAMS =  su$(EXEEXT)
-PROGRAMS =  $(noinst_PROGRAMS)
+bin_PROGRAMS =  su$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
 
 
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-su_OBJECTS =  su.$(OBJEXT)
+am_su_OBJECTS =  su.$(OBJEXT)
+su_OBJECTS =  $(am_su_OBJECTS)
 su_LDADD = $(LDADD)
+@KRB4_FALSE@su_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
 @KRB4_TRUE@su_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
 @KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
 @KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_FALSE@su_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
 su_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(su_SOURCES)
+depcomp = 
 DIST_COMMON =  ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(su_SOURCES)
-OBJECTS = $(su_OBJECTS)
+OBJECTS = $(am_su_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/su/Makefile
 
@@ -230,28 +249,33 @@ Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
 	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
 
 
-mostlyclean-noinstPROGRAMS:
+mostlyclean-binPROGRAMS:
 
-clean-noinstPROGRAMS:
-	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
 
-distclean-noinstPROGRAMS:
+distclean-binPROGRAMS:
 
-maintainer-clean-noinstPROGRAMS:
+maintainer-clean-binPROGRAMS:
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
 
-.S.o:
-	$(COMPILE) -c $<
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
 
 mostlyclean-compile:
 	-rm -f *.o core *.core
@@ -264,15 +288,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -286,26 +301,36 @@ maintainer-clean-libtool:
 su$(EXEEXT): $(su_OBJECTS) $(su_DEPENDENCIES)
 	@rm -f su$(EXEEXT)
 	$(LINK) $(su_LDFLAGS) $(su_OBJECTS) $(su_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -318,17 +343,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/su
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -341,7 +365,7 @@ check-am: all-am
 check: check-am
 installcheck-am:
 installcheck: installcheck-am
-install-exec-am:
+install-exec-am: install-binPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 install-exec: install-exec-am
@@ -352,13 +376,14 @@ install-data: install-data-am
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 install: install-am
-uninstall-am:
+uninstall-am: uninstall-binPROGRAMS
 uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir)
 
 
 mostlyclean-generic:
@@ -370,25 +395,25 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
-mostlyclean-am:  mostlyclean-noinstPROGRAMS mostlyclean-compile \
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
 
 mostlyclean: mostlyclean-am
 
-clean-am:  clean-noinstPROGRAMS clean-compile clean-libtool clean-tags \
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
 		clean-generic mostlyclean-am
 
 clean: clean-am
 
-distclean-am:  distclean-noinstPROGRAMS distclean-compile \
-		distclean-libtool distclean-tags distclean-generic \
-		clean-am
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
 	-rm -f libtool
 
 distclean: distclean-am
 
-maintainer-clean-am:  maintainer-clean-noinstPROGRAMS \
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
 		maintainer-clean-compile maintainer-clean-libtool \
 		maintainer-clean-tags maintainer-clean-generic \
 		distclean-am
@@ -397,8 +422,8 @@ maintainer-clean-am:  maintainer-clean-noinstPROGRAMS \
 
 maintainer-clean: maintainer-clean-am
 
-.PHONY: mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
-clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
 mostlyclean-compile distclean-compile clean-compile \
 maintainer-clean-compile mostlyclean-libtool distclean-libtool \
 clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
@@ -406,7 +431,7 @@ distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -416,7 +441,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -428,8 +456,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -498,87 +526,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/su/su.c b/crypto/heimdal/appl/su/su.c
index 049a4d7..a5fd442 100644
--- a/crypto/heimdal/appl/su/su.c
+++ b/crypto/heimdal/appl/su/su.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
 
 #include <config.h>
 
-RCSID("$Id: su.c,v 1.10 1999/09/28 02:34:17 assar Exp $");
+RCSID("$Id: su.c,v 1.18 2001/01/26 16:02:49 joda Exp $");
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -50,6 +50,7 @@ RCSID("$Id: su.c,v 1.10 1999/09/28 02:34:17 assar Exp $");
 
 #include <pwd.h>
 
+#include <des.h>
 #include <krb5.h>
 #include <kafs.h>
 #include <err.h>
@@ -137,7 +138,7 @@ krb5_verify(struct passwd *login_info, struct passwd *su_info,
     ret = krb5_init_context (&context);
     if (ret) {
 #if 0
-	warnx("krb5_init_context failed: %u", ret);
+	warnx("krb5_init_context failed: %d", ret);
 #endif
 	return 1;
     }
@@ -160,13 +161,16 @@ krb5_verify(struct passwd *login_info, struct passwd *su_info,
 #if 1
 	    krb5_warn(context, ret, "krb5_cc_gen_new");
 #endif
+	    krb5_free_principal (context, p);
 	    return 1;
 	}
 	ret = krb5_verify_user_lrealm(context, p, ccache, NULL, TRUE, NULL);
+	krb5_free_principal (context, p);
 	if(ret) {
-	    krb5_free_principal (context, p);
 	    krb5_cc_destroy(context, ccache);
 	    switch (ret) {
+	    case KRB5_LIBOS_PWDINTR :
+		break;
 	    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
 	    case KRB5KRB_AP_ERR_MODIFIED:
 		krb5_warnx(context, "Password incorrect");
@@ -179,6 +183,7 @@ krb5_verify(struct passwd *login_info, struct passwd *su_info,
 	}
 	return 0;
     }
+    krb5_free_principal (context, p);
 #endif
     return 1;
 }
@@ -201,9 +206,26 @@ krb5_start_session(void)
 
     asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2),
 	     krb5_cc_get_name(context, ccache2));
-    setenv("KRB5CCNAME", cc_name, 1);
+    esetenv("KRB5CCNAME", cc_name, 1);
+
+    /* we want to export this even if we don't directly support KRB4 */
+    {
+#ifndef TKT_ROOT
+#define TKT_ROOT "/tmp/tkt"
+#endif
+	int fd;
+	char tkfile[256];
+	strlcpy(tkfile, TKT_ROOT, sizeof(tkfile));
+	strlcat(tkfile, "_XXXXXX", sizeof(tkfile));
+	fd = mkstemp(tkfile);
+	if(fd >= 0) {
+	    close(fd);
+	    esetenv("KRBTKFILE", tkfile, 1);
+	}
+    }
             
 #ifdef KRB4
+    /* convert creds? */
     if(k_hasafs()) {
 	if (k_setpag() == 0)
 	    krb5_afslog(context, ccache2, NULL, NULL);
@@ -224,7 +246,7 @@ verify_unix(struct passwd *su)
     char *pw;
     int r;
     if(su->pw_passwd != NULL && *su->pw_passwd != '\0') {
-	sprintf(prompt, "%s's password: ", su->pw_name);
+	snprintf(prompt, sizeof(prompt), "%s's password: ", su->pw_name);
 	r = des_read_pw_string(pw_buf, sizeof(pw_buf), prompt, 0);
 	if(r != 0)
 	    exit(0);
@@ -311,31 +333,31 @@ main(int argc, char **argv)
    {  struct spwd *sp;
       long    today;
     
-    sp=getspnam(su_info->pw_name);
-    if (sp==NULL)
-        errx(1,"Have not rights to read shadow passwords!");
-    today = time(0)/(24L * 60 * 60);
-    if (sp->sp_expire > 0) {
-        if (today >= sp->sp_expire) {
-            if (login_info->pw_uid) 
-                errx(1,"Your account has expired.");
-            else
-                 printf("Your account has expired.");
+    sp = getspnam(su_info->pw_name);
+    if (sp != NULL) {
+	today = time(0)/(24L * 60 * 60);
+	if (sp->sp_expire > 0) {
+	    if (today >= sp->sp_expire) {
+		if (login_info->pw_uid) 
+		    errx(1,"Your account has expired.");
+		else
+		    printf("Your account has expired.");
             }
             else if (sp->sp_expire - today < 14) 
                 printf("Your account will expire in %d days.\n",
-                   (int)(sp->sp_expire - today));
-    } 
-    if (sp->sp_max > 0) {
-       if (today >= sp->sp_lstchg + sp->sp_max) {
-           if (login_info->pw_uid)    
-               errx(1,"Your password has expired. Choose a new one.");
-           else
-               printf("Your password has expired. Choose a new one.");
-           }
-         else if (today >= sp->sp_lstchg + sp->sp_max - sp->sp_warn)
-             printf("Your account will expire in %d days.\n",
-                   (int)(sp->sp_lstchg + sp->sp_max -today));
+		       (int)(sp->sp_expire - today));
+	} 
+	if (sp->sp_max > 0) {
+	    if (today >= sp->sp_lstchg + sp->sp_max) {
+		if (login_info->pw_uid)    
+		    errx(1,"Your password has expired. Choose a new one.");
+		else
+		    printf("Your password has expired. Choose a new one.");
+	    }
+	    else if (today >= sp->sp_lstchg + sp->sp_max - sp->sp_warn)
+		printf("Your account will expire in %d days.\n",
+		       (int)(sp->sp_lstchg + sp->sp_max -today));
+	}
     }
     }
 #endif
@@ -354,16 +376,16 @@ main(int argc, char **argv)
 	    if (environ == NULL)
 		err (1, "malloc");
 	    environ[0] = NULL;
-	    setenv ("PATH", _PATH_DEFPATH, 1);
+	    esetenv ("PATH", _PATH_DEFPATH, 1);
 	    if (t)
-		setenv ("TERM", t, 1);
+		esetenv ("TERM", t, 1);
 	    if (chdir (su_info->pw_dir) < 0)
 		errx (1, "no directory");
 	}
 	if (full_login || su_info->pw_uid)
-	    setenv ("USER", su_info->pw_name, 1);
-	setenv("HOME", su_info->pw_dir, 1);
-	setenv("SHELL", shell, 1);
+	    esetenv ("USER", su_info->pw_name, 1);
+	esetenv("HOME", su_info->pw_dir, 1);
+	esetenv("SHELL", shell, 1);
     }
 
     {
@@ -404,7 +426,8 @@ main(int argc, char **argv)
 	    err(1, "setgid");
 	if (initgroups (su_info->pw_name, su_info->pw_gid) < 0)
 	    err (1, "initgroups");
-	if(setuid(su_info->pw_uid) < 0)
+	if(setuid(su_info->pw_uid) < 0
+	   || (su_info->pw_uid != 0 && setuid(0) == 0))
 	    err(1, "setuid");
 
 #ifdef KRB5
diff --git a/crypto/heimdal/appl/telnet/ChangeLog b/crypto/heimdal/appl/telnet/ChangeLog
index b38f16d..6857151 100644
--- a/crypto/heimdal/appl/telnet/ChangeLog
+++ b/crypto/heimdal/appl/telnet/ChangeLog
@@ -1,3 +1,98 @@
+2001-01-09  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_is): use krb5_rd_cred2 instead
+	of krb5_rd_cred
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* telnet/main.c (krb5_init): check krb5_init_context for success
+	* libtelnet/kerberos5.c (kerberos5_init): check krb5_init_context
+	for success
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (sourceroute): make it not break if the
+	rfc2292 api does not exist
+
+2000-12-09  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (scrub_env): add supporting non-file TERMCAP
+	variables
+
+2000-12-07  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (scrub_env): remove some const-ness
+	* telnetd/sys_term.c (scrub_env): add LOGNAME and POSIXLY_CORRECT
+	to the list of authorized environment variables to be compatible
+	with linux-telnetd
+
+	* telnetd/sys_term.c (scrub_env): change filtering algoritm from
+	allowing everything except a few bad cases to not allowing
+	anything except a few non-dangerous cases
+
+2000-12-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* libtelnet/kerberos5.c: de-pointerise auth_context parameter to
+	krb5_mk_rep
+
+2000-11-23  Johan Danielsson  <joda@pdc.kth.se>
+
+	* libtelnet/kerberos5.c: print the principal we're trying to use
+
+	* libtelnet/kerberos.c: print the principal we're trying to use
+
+2000-11-16  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/misc-proto.h (telnet_getenv): const-ize some
+
+2000-11-08  Johan Danielsson  <joda@pdc.kth.se>
+
+	* telnet/telnet.c: fake entry if no tgetent
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/utility.c (stilloob): check that fds are not too large
+	to select on
+	(ttloop): remove confusing output of errno
+	* telnetd/telnetd.c (my_telnet): check that fds are not too large
+	to select on
+	* telnet/utilities.c (EmptyTerminal): check that fds are not too
+	large to select on
+	* telnet/sys_bsd.c (process_rings): check that fds are not too
+	large to select on
+	* telnet/network.c (stilloob): check that fds are not too large to
+	select on
+
+2000-06-09  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c: remove all setuid(getuid()).  we do not
+	support telnet being setuid root
+
+2000-05-05  Assar Westerlund  <assar@sics.se>
+
+	* telnet/externs.h (sourceroute): update prototype
+	* telnet/commands.c (tn): re-enable source routing
+	(sourceroute): make it work again based on the code from
+	itojun@kame.net
+
+2000-03-28  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): clean-up a tiny little bit.  give-up if
+	we do not manage to connect to any address
+
+2000-03-26  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (*): make sure to always call time, ctime,
+	and gmtime with `time_t's.  there were some types (like in
+	lastlog) that we believed to always be time_t.  this has proven
+	wrong on Solaris 8 in 64-bit mode, where they are stored as 32-bit
+	quantities but time_t has gone up to 64 bits
+
+2000-03-03  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_init): check that we do have a
+	keytab before saying that we will support KERBEROS5
+
 2000-02-12  Assar Westerlund  <assar@sics.se>
 
 	* telnet/commands.c (tn): only set tos for AF_INET.  From
diff --git a/crypto/heimdal/appl/telnet/Makefile.in b/crypto/heimdal/appl/telnet/Makefile.in
index 5a74558..ad4a164 100644
--- a/crypto/heimdal/appl/telnet/Makefile.in
+++ b/crypto/heimdal/appl/telnet/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,30 +170,27 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 SUBDIRS = libtelnet telnet telnetd
 
 EXTRA_DIST = README.ORIG telnet.state
+subdir = appl/telnet
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -183,13 +198,14 @@ CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
 DIST_COMMON =  ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 all: all-redirect
 .SUFFIXES:
@@ -209,8 +225,6 @@ Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 
-@SET_MAKE@
-
 all-recursive install-data-recursive install-exec-recursive \
 installdirs-recursive install-recursive uninstall-recursive  \
 check-recursive installcheck-recursive info-recursive dvi-recursive:
@@ -238,7 +252,7 @@ maintainer-clean-recursive:
 	dot_seen=no; \
 	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
 	  rev="$$subdir $$rev"; \
-	  test "$$subdir" = "." && dot_seen=yes; \
+	  if test "$$subdir" = "."; then dot_seen=yes; else :; fi; \
 	done; \
 	test "$$dot_seen" = "no" && rev=". $$rev"; \
 	target=`echo $@ | sed s/-recursive//`; \
@@ -259,15 +273,17 @@ tags-recursive:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -275,12 +291,14 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
 	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
    fi; \
 	done; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -293,17 +311,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/telnet
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	for subdir in $(SUBDIRS); do \
@@ -311,7 +328,6 @@ distdir: $(DISTFILES)
 	    test -d $(distdir)/$$subdir \
 	    || mkdir $(distdir)/$$subdir \
 	    || exit 1; \
-	    chmod 777 $(distdir)/$$subdir; \
 	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
 	      || exit 1; \
 	  fi; \
@@ -342,7 +358,7 @@ uninstall: uninstall-recursive
 all-am: Makefile all-local
 all-redirect: all-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs: installdirs-recursive
 installdirs-am:
 
@@ -356,6 +372,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-tags mostlyclean-generic
 
 mostlyclean: mostlyclean-recursive
@@ -376,19 +393,19 @@ maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
 
 maintainer-clean: maintainer-clean-recursive
 
-.PHONY: install-data-recursive uninstall-data-recursive \
-install-exec-recursive uninstall-exec-recursive installdirs-recursive \
-uninstalldirs-recursive all-recursive check-recursive \
-installcheck-recursive info-recursive dvi-recursive \
-mostlyclean-recursive distclean-recursive clean-recursive \
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
 maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
 distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
-distclean-generic clean-generic maintainer-clean-generic clean \
-mostlyclean distclean maintainer-clean
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
 install-suid-programs:
@@ -396,7 +413,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -408,8 +428,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -478,87 +498,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/telnet/libtelnet/Makefile.in b/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
index f38a68d..a43a6d5 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
+++ b/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.8 1999/03/20 13:58:15 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.8 1999/03/20 13:58:15 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include -I$(srcdir)/.. $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,33 +170,43 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 noinst_LIBRARIES = libtelnet.a
 
-libtelnet_a_SOURCES =  	auth-proto.h		auth.c			auth.h			enc-proto.h		enc_des.c		encrypt.c		encrypt.h		genget.c		kerberos.c		kerberos5.c		misc-proto.h		misc.c			misc.h
+libtelnet_a_SOURCES = \
+	auth-proto.h	\
+	auth.c		\
+	auth.h		\
+	enc-proto.h	\
+	enc_des.c	\
+	encrypt.c	\
+	encrypt.h	\
+	genget.c	\
+	kerberos.c	\
+	kerberos5.c	\
+	misc-proto.h	\
+	misc.c		\
+	misc.h
 
 
 EXTRA_DIST = krb4encpwd.c rsaencpwd.c spx.c
+subdir = appl/telnet/libtelnet
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -188,34 +216,36 @@ LIBRARIES =  $(noinst_LIBRARIES)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
+libtelnet_a_AR = $(AR) cru
 libtelnet_a_LIBADD = 
-libtelnet_a_OBJECTS =  auth.$(OBJEXT) enc_des.$(OBJEXT) \
+am_libtelnet_a_OBJECTS =  auth.$(OBJEXT) enc_des.$(OBJEXT) \
 encrypt.$(OBJEXT) genget.$(OBJEXT) kerberos.$(OBJEXT) \
 kerberos5.$(OBJEXT) misc.$(OBJEXT)
+libtelnet_a_OBJECTS =  $(am_libtelnet_a_OBJECTS)
 AR = ar
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libtelnet_a_SOURCES)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(libtelnet_a_SOURCES)
-OBJECTS = $(libtelnet_a_OBJECTS)
+OBJECTS = $(am_libtelnet_a_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/libtelnet/Makefile
 
@@ -233,20 +263,6 @@ distclean-noinstLIBRARIES:
 
 maintainer-clean-noinstLIBRARIES:
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -258,15 +274,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -279,28 +286,38 @@ maintainer-clean-libtool:
 
 libtelnet.a: $(libtelnet_a_OBJECTS) $(libtelnet_a_DEPENDENCIES)
 	-rm -f libtelnet.a
-	$(AR) cru libtelnet.a $(libtelnet_a_OBJECTS) $(libtelnet_a_LIBADD)
+	$(libtelnet_a_AR) libtelnet.a $(libtelnet_a_OBJECTS) $(libtelnet_a_LIBADD)
 	$(RANLIB) libtelnet.a
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -313,17 +330,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/telnet/libtelnet
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -352,7 +368,7 @@ uninstall: uninstall-am
 all-am: Makefile $(LIBRARIES) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 
 
@@ -365,6 +381,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-noinstLIBRARIES mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -401,7 +418,7 @@ distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -411,7 +428,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -423,8 +443,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -493,87 +513,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/telnet/libtelnet/kerberos.c b/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
index c6b02de..a003007 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
@@ -55,7 +55,7 @@
 #include <config.h>
 #endif
 
-RCSID("$Id: kerberos.c,v 1.47 2000/02/07 03:14:19 assar Exp $");
+RCSID("$Id: kerberos.c,v 1.50 2000/11/23 02:28:06 joda Exp $");
 
 #ifdef	KRB4
 #ifdef HAVE_SYS_TYPES_H
@@ -170,7 +170,6 @@ kerberos4_send(char *name, Authenticator *ap)
     CREDENTIALS cred;
     int r;
 
-    printf("[ Trying %s ... ]\r\n", name);
     if (!UserNameRequested) {
 	if (auth_debug_mode) {
 	    printf("Kerberos V4: no user name supplied\r\n");
@@ -190,6 +189,8 @@ kerberos4_send(char *name, Authenticator *ap)
 	printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
 	return(0);
     }
+    printf("[ Trying %s (%s.%s@%s) ... ]\r\n", name, 
+	   KRB_SERVICE_NAME, instance, realm);
     r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0L);
     if (r) {
 	printf("mk_req failed: %s\r\n", krb_get_err_text(r));
@@ -272,7 +273,7 @@ kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
     char realm[REALM_SZ];
     char instance[INST_SZ];
     int r;
-    int addr_len;
+    socklen_t addr_len;
 
     if (cnt-- < 1)
 	return;
@@ -331,7 +332,7 @@ kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
 			 "%s%u",
 			 TKT_ROOT,
 			 (unsigned)pw->pw_uid);
-		setenv("KRBTKFILE", ts, 1);
+		esetenv("KRBTKFILE", ts, 1);
 
 		if (pw->pw_uid == 0)
 		    syslog(LOG_INFO|LOG_AUTH,
diff --git a/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c b/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
index 2e6e2e5..f819904 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
@@ -53,7 +53,7 @@
 
 #include <config.h>
 
-RCSID("$Id: kerberos5.c,v 1.39 2000/02/01 00:32:05 assar Exp $");
+RCSID("$Id: kerberos5.c,v 1.47 2001/01/09 18:45:33 assar Exp $");
 
 #ifdef	KRB5
 
@@ -78,6 +78,12 @@ RCSID("$Id: kerberos5.c,v 1.39 2000/02/01 00:32:05 assar Exp $");
 #include "auth.h"
 #include "misc.h"
 
+#if defined(DCE)
+int dfsk5ok = 0;
+int dfspag = 0;
+int dfsfwd = 0;
+#endif
+
 int forward_flags = 0;  /* Flags get set in telnet/main.c on -f and -F */
 
 /* These values need to be the same as those defined in telnet/main.c. */
@@ -139,14 +145,34 @@ Data(Authenticator *ap, int type, void *d, int c)
 int
 kerberos5_init(Authenticator *ap, int server)
 {
-    if (server)
+    krb5_error_code ret;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	return 0;
+    if (server) {
+	krb5_keytab kt;
+	krb5_kt_cursor cursor;
+
+	ret = krb5_kt_default(context, &kt);
+	if (ret)
+	    return 0;
+
+	ret = krb5_kt_start_seq_get (context, kt, &cursor);
+	if (ret) {
+	    krb5_kt_close (context, kt);
+	    return 0;
+	}
+	krb5_kt_end_seq_get (context, kt, &cursor);
+	krb5_kt_close (context, kt);
+
 	str_data[3] = TELQUAL_REPLY;
-    else
+    } else
 	str_data[3] = TELQUAL_IS;
-    krb5_init_context(&context);
     return(1);
 }
 
+extern int net;
 static int
 kerberos5_send(char *name, Authenticator *ap)
 {
@@ -155,9 +181,7 @@ kerberos5_send(char *name, Authenticator *ap)
     int ap_opts;
     krb5_data cksum_data;
     char foo[2];
-    extern int net;
     
-    printf("[ Trying %s ... ]\r\n", name);
     if (!UserNameRequested) {
 	if (auth_debug_mode) {
 	    printf("Kerberos V5: no user name supplied\r\n");
@@ -207,10 +231,42 @@ kerberos5_send(char *name, Authenticator *ap)
 
     cksum_data.length = sizeof(foo);
     cksum_data.data   = foo;
-    ret = krb5_mk_req(context, &auth_context, ap_opts,
-		      "host", RemoteHostName, 
-		      &cksum_data, ccache, &auth);
 
+
+    {
+	krb5_principal service;
+	char sname[128];
+
+
+	ret = krb5_sname_to_principal (context,
+				       RemoteHostName,
+				       NULL,
+				       KRB5_NT_SRV_HST,
+				       &service);
+	if(ret) {
+	    if (auth_debug_mode) {
+		printf ("Kerberos V5:"
+			" krb5_sname_to_principal(%s) failed (%s)\r\n",
+			RemoteHostName, krb5_get_err_text(context, ret));
+	    }
+	    return 0;
+	}
+	ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
+	if(ret) {
+	    if (auth_debug_mode) {
+		printf ("Kerberos V5:"
+			" krb5_unparse_name_fixed failed (%s)\r\n",
+			krb5_get_err_text(context, ret));
+	    }
+	    return 0;
+	}
+	printf("[ Trying %s (%s)... ]\r\n", name, sname);
+	ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
+				service, 
+				&cksum_data, ccache, &auth);
+	krb5_free_principal (context, service);
+
+    }
     if (ret) {
 	if (1 || auth_debug_mode) {
 	    printf("Kerberos V5: mk_req failed (%s)\r\n",
@@ -312,8 +368,8 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 			  NULL,
 			  NULL,
 			  &ticket);
-	krb5_free_principal (context, server);
 
+	krb5_free_principal (context, server);
 	if (ret) {
 	    char *errbuf;
 
@@ -364,7 +420,7 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 	}
 
 	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
-	    ret = krb5_mk_rep(context, &auth_context, &outbuf);
+	    ret = krb5_mk_rep(context, auth_context, &outbuf);
 	    if (ret) {
 		Data(ap, KRB_REJECT,
 		     "krb5_mk_rep failed", -1);
@@ -454,10 +510,13 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 	    break;
 	}
 
-	ret = krb5_rd_cred (context,
-			    auth_context,
-			    ccache,
-			    &inbuf);
+#if defined(DCE)
+	esetenv("KRB5CCNAME", ccname, 1);
+#endif
+	ret = krb5_rd_cred2 (context,
+			     auth_context,
+			     ccache,
+			     &inbuf);
 	if(ret) {
 	    char *errbuf;
 
@@ -472,8 +531,12 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 		printf("Could not read forwarded credentials: %s\r\n",
 		       errbuf);
 	    free (errbuf);
-	} else
+	} else {
 	    Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+#if defined(DCE)
+	    dfsfwd = 1;
+#endif
+	}
 	chown (ccname + 5, pwd->pw_uid, -1);
 	if (auth_debug_mode)
 	    printf("Forwarded credentials obtained\r\n");
@@ -590,6 +653,9 @@ kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
 		     UserNameRequested))
 	{
 	    strlcpy(name, UserNameRequested, name_sz);
+#if defined(DCE)
+	    dfsk5ok = 1;
+#endif
 	    return(AUTH_VALID);
 	} else
 	    return(AUTH_USER);
@@ -733,4 +799,16 @@ kerberos5_forward(Authenticator *ap)
     }
 }
 
+#if defined(DCE)
+/* if this was a K5 authentication try and join a PAG for the user. */
+void
+kerberos5_dfspag(void)
+{
+    if (dfsk5ok) {
+	dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
+			      UserNameRequested);
+    }
+}
+#endif
+
 #endif /* KRB5 */
diff --git a/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h b/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h
index 71d91b6..7bbafa5 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h
+++ b/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h
@@ -53,7 +53,7 @@
  * or implied warranty.
  */
 
-/* $Id: misc-proto.h,v 1.8 2000/01/18 03:11:07 assar Exp $ */
+/* $Id: misc-proto.h,v 1.9 2000/11/15 23:00:21 assar Exp $ */
 
 #ifndef	__MISC_PROTO__
 #define	__MISC_PROTO__
@@ -73,7 +73,7 @@ int Ambiguous(void *s);
 int telnet_net_write (unsigned char *, int);
 void net_encrypt (void);
 int telnet_spin (void);
-char *telnet_getenv (char *);
+char *telnet_getenv (const char *);
 char *telnet_gets (char *, char *, int, int);
 void printsub(int direction, unsigned char *pointer, int length);
 #endif
diff --git a/crypto/heimdal/appl/telnet/telnet/Makefile.am b/crypto/heimdal/appl/telnet/telnet/Makefile.am
index 73f3a99..7dd9c19 100644
--- a/crypto/heimdal/appl/telnet/telnet/Makefile.am
+++ b/crypto/heimdal/appl/telnet/telnet/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.13 2000/01/06 15:12:11 assar Exp $
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -17,6 +17,6 @@ man_MANS = telnet.1
 LDADD = ../libtelnet/libtelnet.a \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(LIB_tgetent) \
 	$(LIB_roken)
diff --git a/crypto/heimdal/appl/telnet/telnet/Makefile.in b/crypto/heimdal/appl/telnet/telnet/Makefile.in
index 25a3814..0a23fd9 100644
--- a/crypto/heimdal/appl/telnet/telnet/Makefile.in
+++ b/crypto/heimdal/appl/telnet/telnet/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.13 2000/01/06 15:12:11 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include -I$(srcdir)/.. $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,36 +170,40 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = 
 
 bin_PROGRAMS = telnet
 
-telnet_SOURCES = authenc.c commands.c main.c network.c ring.c 		  sys_bsd.c telnet.c terminal.c 		  utilities.c defines.h externs.h ring.h telnet_locl.h types.h
+telnet_SOURCES = authenc.c commands.c main.c network.c ring.c \
+		  sys_bsd.c telnet.c terminal.c \
+		  utilities.c defines.h externs.h ring.h telnet_locl.h types.h
 
 
 man_MANS = telnet.1
 
-LDADD = ../libtelnet/libtelnet.a 	$(LIB_krb5) 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_tgetent) 	$(LIB_roken)
+LDADD = ../libtelnet/libtelnet.a \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_tgetent) \
+	$(LIB_roken)
 
+subdir = appl/telnet/telnet
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -192,42 +214,41 @@ PROGRAMS =  $(bin_PROGRAMS)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-telnet_OBJECTS =  authenc.$(OBJEXT) commands.$(OBJEXT) main.$(OBJEXT) \
+am_telnet_OBJECTS =  authenc.$(OBJEXT) commands.$(OBJEXT) main.$(OBJEXT) \
 network.$(OBJEXT) ring.$(OBJEXT) sys_bsd.$(OBJEXT) telnet.$(OBJEXT) \
 terminal.$(OBJEXT) utilities.$(OBJEXT)
+telnet_OBJECTS =  $(am_telnet_OBJECTS)
 telnet_LDADD = $(LDADD)
+@KRB5_FALSE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a
 @KRB5_TRUE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a \
 @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
-@KRB5_FALSE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a \
-@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
 telnet_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(telnet_SOURCES)
 man1dir = $(mandir)/man1
 MANS = $(man_MANS)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(telnet_SOURCES)
-OBJECTS = $(telnet_OBJECTS)
+OBJECTS = $(am_telnet_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/telnet/Makefile
 
@@ -250,31 +271,20 @@ install-binPROGRAMS: $(bin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(bindir)
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-binPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -286,15 +296,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -308,6 +309,12 @@ maintainer-clean-libtool:
 telnet$(EXEEXT): $(telnet_OBJECTS) $(telnet_DEPENDENCIES)
 	@rm -f telnet$(EXEEXT)
 	$(LINK) $(telnet_LDFLAGS) $(telnet_OBJECTS) $(telnet_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-man1:
 	$(mkinstalldirs) $(DESTDIR)$(man1dir)
@@ -322,6 +329,7 @@ install-man1:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
@@ -337,6 +345,7 @@ uninstall-man1:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
@@ -350,23 +359,27 @@ uninstall-man:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -379,17 +392,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/telnet/telnet
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -418,7 +430,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
 
@@ -432,6 +444,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -468,8 +481,9 @@ clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
 check-local check check-am installcheck-am installcheck install-exec-am \
 install-exec install-data-local install-data-am install-data install-am \
 install uninstall-am uninstall all-local all-redirect all-am all \
-installdirs mostlyclean-generic distclean-generic clean-generic \
-maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
 
 
 install-suid-programs:
@@ -477,7 +491,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -489,8 +506,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -559,87 +576,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/telnet/telnet/authenc.c b/crypto/heimdal/appl/telnet/telnet/authenc.c
index 6150fc7..ffce23c 100644
--- a/crypto/heimdal/appl/telnet/telnet/authenc.c
+++ b/crypto/heimdal/appl/telnet/telnet/authenc.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: authenc.c,v 1.10 1999/09/16 20:41:35 assar Exp $");
+RCSID("$Id: authenc.c,v 1.11 2000/11/15 23:00:58 assar Exp $");
 
 #if	defined(AUTHENTICATION) || defined(ENCRYPTION)
 int
@@ -66,7 +66,7 @@ telnet_spin(void)
 }
 
 char *
-telnet_getenv(char *val)
+telnet_getenv(const char *val)
 {
 	return((char *)env_getvalue((unsigned char *)val));
 }
diff --git a/crypto/heimdal/appl/telnet/telnet/commands.c b/crypto/heimdal/appl/telnet/telnet/commands.c
index dd78636..7d71979 100644
--- a/crypto/heimdal/appl/telnet/telnet/commands.c
+++ b/crypto/heimdal/appl/telnet/telnet/commands.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: commands.c,v 1.60 2000/02/12 16:00:07 assar Exp $");
+RCSID("$Id: commands.c,v 1.64 2000/12/11 01:44:01 assar Exp $");
 
 #if	defined(IPPROTO_IP) && defined(IP_TOS)
 int tos = -1;
@@ -2063,11 +2063,6 @@ int
 tn(int argc, char **argv)
 {
     struct servent *sp = 0;
-    extern char *inet_ntoa();
-#if defined(IP_OPTIONS) && defined(IPPROTO_IP)
-    char *srp = 0;
-    int srlen;
-#endif
     char *cmd, *hostp = 0, *portp = 0;
     char *user = 0;
     int port = 0;
@@ -2076,7 +2071,6 @@ tn(int argc, char **argv)
 
     if (connected) {
 	printf("?Already connected to %s\r\n", hostname);
-	setuid(getuid());
 	return 0;
     }
     if (argc < 2) {
@@ -2117,12 +2111,27 @@ tn(int argc, char **argv)
 	}
     usage:
 	printf("usage: %s [-l user] [-a] host-name [port]\r\n", cmd);
-	setuid(getuid());
 	return 0;
     }
     if (hostp == 0)
 	goto usage;
 
+    strlcpy (_hostname, hostp, sizeof(_hostname));
+    if (hostp[0] == '@' || hostp[0] == '!') {
+	char *p;
+	hostname = NULL;
+	for (p = hostp + 1; *p; p++) {
+	    if (*p == ',' || *p == '@')
+		hostname = p;
+	}
+	if (hostname == NULL) {
+	    fprintf(stderr, "%s: bad source route specification\n", hostp);
+	    return 0;
+	}
+	*hostname++ = '\0';
+    } else
+	hostname = hostp;
+
     if (portp) {
 	if (*portp == '-') {
 	    portp++;
@@ -2136,7 +2145,6 @@ tn(int argc, char **argv)
 		port = sp->s_port;
 	    else {
 		printf("%s: bad port number\r\n", portp);
-		setuid(getuid());
 		return 0;
 	    }
 	} else {
@@ -2147,7 +2155,6 @@ tn(int argc, char **argv)
 	    sp = roken_getservbyname("telnet", "tcp");
 	    if (sp == 0) {
 		fprintf(stderr, "telnet: tcp/telnet: unknown service\r\n");
-		setuid(getuid());
 		return 0;
 	    }
 	    port = sp->s_port;
@@ -2167,14 +2174,11 @@ tn(int argc, char **argv)
 
 	snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
 
-	error = getaddrinfo (hostp, portstr, &hints, &ai);
+	error = getaddrinfo (hostname, portstr, &hints, &ai);
 	if (error) {
-	    fprintf (stderr, "%s: %s\r\n", hostp, gai_strerror (error));
-	    setuid (getuid ());
+	    fprintf (stderr, "%s: %s\r\n", hostname, gai_strerror (error));
 	    return 0;
 	}
-	strlcpy (_hostname, hostp, sizeof(_hostname));
-	hostname = _hostname;
 
 	for (a = ai; a != NULL && connected == 0; a = a->ai_next) {
 	    char addrstr[256];
@@ -2190,16 +2194,27 @@ tn(int argc, char **argv)
 	    printf("Trying %s...\r\n", addrstr);
 
 	    net = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
-	    setuid (getuid ());
 	    if (net < 0) {
-		warn ("telnet: socket");
+		warn ("socket");
 		continue;
 	    }
+
 #if	defined(IP_OPTIONS) && defined(IPPROTO_IP) && defined(HAVE_SETSOCKOPT)
-	    if (srp && setsockopt(net, IPPROTO_IP, IP_OPTIONS,
-				      (void *)srp, srlen) < 0)
-		perror("setsockopt (IP_OPTIONS)");
+	if (hostp[0] == '@' || hostp[0] == '!') {
+	    char *srp = 0;
+	    int srlen;
+	    int proto, opt;
+
+	    if ((srlen = sourceroute(a, hostp, &srp, &proto, &opt)) < 0) {
+		(void) NetClose(net);
+		net = -1;
+		continue;
+	    }
+	    if (srp && setsockopt(net, proto, opt, srp, srlen) < 0)
+		perror("setsockopt (source route)");
+	}
 #endif
+
 #if	defined(IPPROTO_IP) && defined(IP_TOS)
 	    if (a->ai_family == AF_INET) {
 # if	defined(HAVE_GETTOSBYNAME)
@@ -2236,6 +2251,9 @@ tn(int argc, char **argv)
 	    auth_encrypt_connect(connected);
 #endif
 	}
+	freeaddrinfo (ai);
+	if (connected == 0)
+	    return 0;
     }
     cmdrc(hostp, hostname);
     if (autologin && user == NULL)
@@ -2448,16 +2466,15 @@ help(int argc, char **argv)
 }
 
 
-#if 0 /* XXX - broken */
-
 #if	defined(IP_OPTIONS) && defined(IPPROTO_IP)
 
 /*
  * Source route is handed in as
- *	[!]@hop1@hop2...[@|:]dst
- * If the leading ! is present, it is a
- * strict source route, otherwise it is
- * assmed to be a loose source route.
+ *	[!]@hop1@hop2...@dst
+ *
+ * If the leading ! is present, it is a strict source route, otherwise it is
+ * assmed to be a loose source route.  Note that leading ! is effective
+ * only for IPv4 case.
  *
  * We fill in the source route option as
  *	hop1,hop2,hop3...dest
@@ -2465,134 +2482,202 @@ help(int argc, char **argv)
  * be the address to connect() to.
  *
  * Arguments:
- *	arg:	pointer to route list to decipher
+ *	ai:	The address (by struct addrinfo) for the final destination.
  *
- *	cpp: 	If *cpp is not equal to NULL, this is a
- *		pointer to a pointer to a character array
- *		that should be filled in with the option.
+ *	arg:	Pointer to route list to decipher
  *
+ *	cpp: 	Pointer to a pointer, so that sourceroute() can return
+ *		the address of result buffer (statically alloc'ed).
+ *
+ *	protop/optp:
+ *		Pointer to an integer.  The pointed variable
  *	lenp:	pointer to an integer that contains the
  *		length of *cpp if *cpp != NULL.
  *
  * Return values:
  *
- *	Returns the address of the host to connect to.  If the
+ *	Returns the length of the option pointed to by *cpp.  If the
  *	return value is -1, there was a syntax error in the
- *	option, either unknown characters, or too many hosts.
- *	If the return value is 0, one of the hostnames in the
- *	path is unknown, and *cpp is set to point to the bad
- *	hostname.
+ *	option, either arg contained unknown characters or too many hosts,
+ *	or hostname cannot be resolved.
+ *
+ *	The caller needs to pass return value (len), *cpp, *protop and *optp
+ *	to setsockopt(2).
  *
- *	*cpp:	If *cpp was equal to NULL, it will be filled
- *		in with a pointer to our static area that has
- *		the option filled in.  This will be 32bit aligned.
+ *	*cpp:	Points to the result buffer.  The region is statically
+ *		allocated by the function.
  *
- *	*lenp:	This will be filled in with how long the option
- *		pointed to by *cpp is.
+ *	*protop:
+ *		protocol # to be passed to setsockopt(2).
+ *
+ *	*optp:	option # to be passed to setsockopt(2).
  *
  */
-unsigned long
-sourceroute(char *arg, char **cpp, int *lenp)
+int
+sourceroute(struct addrinfo *ai,
+	    char *arg,
+	    char **cpp,
+	    int *protop,
+	    int *optp)
 {
-	static char lsr[44];
 	char *cp, *cp2, *lsrp, *lsrep;
-	int tmp;
-	struct in_addr sin_addr;
-	struct hostent *host = 0;
-	char c;
+	struct addrinfo hints, *res;
+	int len, error;
+	struct sockaddr_in *sin;
+	register char c;
+	static char lsr[44];
+#ifdef INET6
+	struct cmsghdr *cmsg;
+	struct sockaddr_in6 *sin6;
+	static char rhbuf[1024];
+#endif
 
 	/*
-	 * Verify the arguments, and make sure we have
-	 * at least 7 bytes for the option.
-	 */
-	if (cpp == NULL || lenp == NULL)
-		return((unsigned long)-1);
-	if (*cpp != NULL && *lenp < 7)
-		return((unsigned long)-1);
-	/*
-	 * Decide whether we have a buffer passed to us,
-	 * or if we need to use our own static buffer.
+	 * Verify the arguments.
 	 */
-	if (*cpp) {
-		lsrp = *cpp;
-		lsrep = lsrp + *lenp;
-	} else {
-		*cpp = lsrp = lsr;
-		lsrep = lsrp + 44;
-	}
+	if (cpp == NULL)
+		return -1;
 
 	cp = arg;
 
-	/*
-	 * Next, decide whether we have a loose source
-	 * route or a strict source route, and fill in
-	 * the begining of the option.
-	 */
-	if (*cp == '!') {
-		cp++;
-		*lsrp++ = IPOPT_SSRR;
-	} else
-		*lsrp++ = IPOPT_LSRR;
-
-	if (*cp != '@')
-		return((unsigned long)-1);
+	*cpp = NULL;
+	switch (ai->ai_family) {
+	case AF_INET:
+		lsrp = lsr;
+		lsrep = lsrp + sizeof(lsr);
 
-	lsrp++;		/* skip over length, we'll fill it in later */
-	*lsrp++ = 4;
-
-	cp++;
+		/*
+		 * Next, decide whether we have a loose source
+		 * route or a strict source route, and fill in
+		 * the begining of the option.
+		 */
+		if (*cp == '!') {
+			cp++;
+			*lsrp++ = IPOPT_SSRR;
+		} else
+			*lsrp++ = IPOPT_LSRR;
+		if (*cp != '@')
+			return -1;
+		lsrp++;		/* skip over length, we'll fill it in later */
+		*lsrp++ = 4;
+		cp++;
+		*protop = IPPROTO_IP;
+		*optp = IP_OPTIONS;
+		break;
+#ifdef INET6
+	case AF_INET6:
+/* this needs to be updated for rfc2292bis */
+#ifdef IPV6_PKTOPTIONS
+		cmsg = inet6_rthdr_init(rhbuf, IPV6_RTHDR_TYPE_0);
+		if (*cp != '@')
+			return -1;
+		cp++;
+		*protop = IPPROTO_IPV6;
+		*optp = IPV6_PKTOPTIONS;
+		break;
+#else
+		return -1;
+#endif
+#endif
+	default:
+		return -1;
+	}
 
-	sin_addr.s_addr = 0;
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = ai->ai_family;
+	hints.ai_socktype = SOCK_STREAM;
 
 	for (c = 0;;) {
 		if (c == ':')
 			cp2 = 0;
-		else for (cp2 = cp; (c = *cp2); cp2++) {
+		else for (cp2 = cp; (c = *cp2) != '\0'; cp2++) {
 			if (c == ',') {
 				*cp2++ = '\0';
 				if (*cp2 == '@')
 					cp2++;
 			} else if (c == '@') {
 				*cp2++ = '\0';
-			} else if (c == ':') {
+			}
+#if 0	/*colon conflicts with IPv6 address*/
+			else if (c == ':') {
 				*cp2++ = '\0';
-			} else
+			}
+#endif
+			else
 				continue;
 			break;
 		}
 		if (!c)
 			cp2 = 0;
 
-		if ((tmp = inet_addr(cp)) != -1) {
-			sin_addr.s_addr = tmp;
-		} else if ((host = roken_gethostbyname(cp))) {
-			memmove(&sin_addr,
-				host->h_addr_list[0],
-				sizeof(sin_addr));
-		} else {
-			*cpp = cp;
-			return(0);
+		error = getaddrinfo(cp, NULL, &hints, &res);
+		if (error) {
+			fprintf(stderr, "%s: %s\n", cp, gai_strerror(error));
+			return -1;
+		}
+		if (ai->ai_family != res->ai_family) {
+			freeaddrinfo(res);
+			return -1;
+		}
+		if (ai->ai_family == AF_INET) {
+			/*
+			 * Check to make sure there is space for address
+			 */
+			if (lsrp + 4 > lsrep) {
+				freeaddrinfo(res);
+				return -1;
+			}
+			sin = (struct sockaddr_in *)res->ai_addr;
+			memcpy(lsrp, &sin->sin_addr, sizeof(struct in_addr));
+			lsrp += sizeof(struct in_addr);
+		}
+#ifdef INET6
+		else if (ai->ai_family == AF_INET6) {
+			sin6 = (struct sockaddr_in6 *)res->ai_addr;
+			inet6_rthdr_add(cmsg, &sin6->sin6_addr,
+				IPV6_RTHDR_LOOSE);
+		}
+#endif
+		else {
+			freeaddrinfo(res);
+			return -1;
 		}
-		memmove(lsrp, &sin_addr, 4);
-		lsrp += 4;
+		freeaddrinfo(res);
 		if (cp2)
 			cp = cp2;
 		else
 			break;
-		/*
-		 * Check to make sure there is space for next address
-		 */
+	}
+	if (ai->ai_family == AF_INET) {
+		/* record the last hop */
 		if (lsrp + 4 > lsrep)
-			return((unsigned long)-1);
+			return -1;
+		sin = (struct sockaddr_in *)ai->ai_addr;
+		memcpy(lsrp, &sin->sin_addr, sizeof(struct in_addr));
+		lsrp += sizeof(struct in_addr);
+#ifndef	sysV88
+		lsr[IPOPT_OLEN] = lsrp - lsr;
+		if (lsr[IPOPT_OLEN] <= 7 || lsr[IPOPT_OLEN] > 40)
+			return -1;
+		*lsrp++ = IPOPT_NOP;	/*32bit word align*/
+		len = lsrp - lsr;
+		*cpp = lsr;
+#else
+		ipopt.io_len = lsrp - lsr;
+		if (ipopt.io_len <= 5)	/*is 3 better?*/
+			return -1;
+		*cpp = (char 8)&ipopt;
+#endif
 	}
-	if ((*(*cpp+IPOPT_OLEN) = lsrp - *cpp) <= 7) {
-		*cpp = 0;
-		*lenp = 0;
-		return((unsigned long)-1);
+#ifdef INET6
+	else if (ai->ai_family == AF_INET6) {
+		inet6_rthdr_lasthop(cmsg, IPV6_RTHDR_LOOSE);
+		len = cmsg->cmsg_len;
+		*cpp = rhbuf;
 	}
-	*lsrp++ = IPOPT_NOP; /* 32 bit word align it */
-	*lenp = lsrp - *cpp;
-	return(sin_addr.s_addr);
-}
 #endif
+	else
+		return -1;
+	return len;
+}
 #endif
diff --git a/crypto/heimdal/appl/telnet/telnet/externs.h b/crypto/heimdal/appl/telnet/telnet/externs.h
index f8b1668..10d8dcc 100644
--- a/crypto/heimdal/appl/telnet/telnet/externs.h
+++ b/crypto/heimdal/appl/telnet/telnet/externs.h
@@ -33,7 +33,7 @@
  *	@(#)externs.h	8.3 (Berkeley) 5/30/95
  */
 
-/* $Id: externs.h,v 1.18 1998/07/09 23:16:36 assar Exp $ */
+/* $Id: externs.h,v 1.20 2000/11/15 23:01:29 assar Exp $ */
 
 #ifndef	BSD
 # define BSD 43
@@ -182,7 +182,7 @@ extern jmp_buf
 int telnet_net_write(unsigned char *str, int len);
 void net_encrypt(void);
 int telnet_spin(void);
-char *telnet_getenv(char *val);
+char *telnet_getenv(const char *val);
 char *telnet_gets(char *prompt, char *result, int length, int echo);
 #endif
 
@@ -200,7 +200,8 @@ unsigned char * env_default(int init, int welldefined);
 unsigned char * env_getvalue(unsigned char *var);
 
 void set_escape_char(char *s);
-unsigned long sourceroute(char *arg, char **cpp, int *lenp);
+int sourceroute(struct addrinfo *ai, char *arg, char **cpp,
+		int *prototp, int *optp);
 
 #if	defined(AUTHENTICATION)
 int auth_enable (char *);
diff --git a/crypto/heimdal/appl/telnet/telnet/main.c b/crypto/heimdal/appl/telnet/telnet/main.c
index ea60ae9..533c561 100644
--- a/crypto/heimdal/appl/telnet/telnet/main.c
+++ b/crypto/heimdal/appl/telnet/telnet/main.c
@@ -38,7 +38,7 @@ static char *copyright[] = {
 };
 
 #include "telnet_locl.h"
-RCSID("$Id: main.c,v 1.30 1999/11/13 06:30:11 assar Exp $");
+RCSID("$Id: main.c,v 1.31 2000/12/31 07:40:17 assar Exp $");
 
 /* These values need to be the same as defined in libtelnet/kerberos5.c */
 /* Either define them in both places, or put in some common header file. */
@@ -103,7 +103,11 @@ static void
 krb5_init(void)
 {
     krb5_context context;
-    krb5_init_context(&context);
+    krb5_error_code ret;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	return;
 
 #if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
     if (krb5_config_get_bool (context, NULL,
diff --git a/crypto/heimdal/appl/telnet/telnet/network.c b/crypto/heimdal/appl/telnet/telnet/network.c
index faacc30..53818f0 100644
--- a/crypto/heimdal/appl/telnet/telnet/network.c
+++ b/crypto/heimdal/appl/telnet/telnet/network.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: network.c,v 1.10 1997/05/04 04:01:08 assar Exp $");
+RCSID("$Id: network.c,v 1.11 2000/10/08 13:28:21 assar Exp $");
 
 Ring		netoring, netiring;
 unsigned char	netobuf[2*BUFSIZ], netibuf[BUFSIZ];
@@ -69,6 +69,8 @@ stilloob(void)
 
     do {
 	FD_ZERO(&excepts);
+	if (net >= FD_SETSIZE)
+	    errx (1, "fd too large");
 	FD_SET(net, &excepts);
 	value = select(net+1, 0, 0, &excepts, &timeout);
     } while ((value == -1) && (errno == EINTR));
diff --git a/crypto/heimdal/appl/telnet/telnet/sys_bsd.c b/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
index 334ef04..e47079e 100644
--- a/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
+++ b/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: sys_bsd.c,v 1.23 1998/06/09 19:24:46 joda Exp $");
+RCSID("$Id: sys_bsd.c,v 1.26 2000/10/19 21:19:57 assar Exp $");
 
 /*
  * The following routines try to encapsulate what is system dependent
@@ -314,10 +314,10 @@ TerminalRestoreState()
 
 
 #ifdef	SIGTSTP
-static RETSIGTYPE susp();
+static RETSIGTYPE susp(int);
 #endif	/* SIGTSTP */
 #ifdef	SIGINFO
-static RETSIGTYPE ayt();
+static RETSIGTYPE ayt(int);
 #endif
 
 void
@@ -495,7 +495,7 @@ TerminalNewMode(int f)
     } else {
         sigset_t sm;
 #ifdef	SIGINFO
-	RETSIGTYPE ayt_status();
+	RETSIGTYPE ayt_status(int);
 
 	signal(SIGINFO, ayt_status);
 #endif
@@ -774,6 +774,11 @@ process_rings(int netin,
     int returnValue = 0;
     static struct timeval TimeValue = { 0 };
 
+    if (net >= FD_SETSIZE
+	|| tout >= FD_SETSIZE
+	|| tin >= FD_SETSIZE)
+	errx (1, "fd too large");
+
     if (netout) {
 	FD_SET(net, &obits);
     }
@@ -791,7 +796,7 @@ process_rings(int netin,
 	FD_SET(net, &xbits);
     }
 #endif
-    if ((c = select(16, &ibits, &obits, &xbits,
+    if ((c = select(FD_SETSIZE, &ibits, &obits, &xbits,
 			(poll == 0)? (struct timeval *)0 : &TimeValue)) < 0) {
 	if (c == -1) {
 		    /*
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.1 b/crypto/heimdal/appl/telnet/telnet/telnet.1
index 2b3198e..7170386 100644
--- a/crypto/heimdal/appl/telnet/telnet/telnet.1
+++ b/crypto/heimdal/appl/telnet/telnet/telnet.1
@@ -1251,10 +1251,12 @@ has ever been enabled, then
 is sent as
 .Ic abort  ,
 and
-.Ic eof and
-.B suspend
+.Ic eof
+and
+.Ic suspend
 are sent as
-.Ic eof and
+.Ic eof
+and
 .Ic susp ,
 see
 .Ic send
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.c b/crypto/heimdal/appl/telnet/telnet/telnet.c
index 792f018..e705a7b 100644
--- a/crypto/heimdal/appl/telnet/telnet/telnet.c
+++ b/crypto/heimdal/appl/telnet/telnet/telnet.c
@@ -36,7 +36,7 @@
 #include <termcap.h>
 #endif
 
-RCSID("$Id: telnet.c,v 1.27 2000/01/01 11:53:24 assar Exp $");
+RCSID("$Id: telnet.c,v 1.28 2000/11/08 17:32:43 joda Exp $");
 
 #define	strip(x) (eight ? (x) : ((x) & 0x7f))
 
@@ -637,15 +637,21 @@ static char termbuf[1024];
 static int
 telnet_setupterm(const char *tname, int fd, int *errp)
 {
-	if (tgetent(termbuf, tname) == 1) {
-		termbuf[1023] = '\0';
-		if (errp)
-			*errp = 1;
-		return(0);
-	}
+#ifdef HAVE_TGETENT
+    if (tgetent(termbuf, tname) == 1) {
+	termbuf[1023] = '\0';
 	if (errp)
-		*errp = 0;
-	return(-1);
+	    *errp = 1;
+	return(0);
+    }
+    if (errp)
+	*errp = 0;
+    return(-1);
+#else
+    strlcpy(termbuf, tname, sizeof(termbuf));
+    if(errp) *errp = 1;
+    return 0;
+#endif
 }
 
 int resettermname = 1;
diff --git a/crypto/heimdal/appl/telnet/telnet/utilities.c b/crypto/heimdal/appl/telnet/telnet/utilities.c
index 32788a9..a933261 100644
--- a/crypto/heimdal/appl/telnet/telnet/utilities.c
+++ b/crypto/heimdal/appl/telnet/telnet/utilities.c
@@ -37,7 +37,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: utilities.c,v 1.22 1999/09/16 20:41:36 assar Exp $");
+RCSID("$Id: utilities.c,v 1.24 2000/10/08 22:30:15 assar Exp $");
 
 FILE	*NetTrace = 0;		/* Not in bss, since needs to stay */
 int	prettydump;
@@ -817,6 +817,9 @@ EmptyTerminal(void)
 
     FD_ZERO(&outs);
 
+    if (tout >= FD_SETSIZE)
+	ExitString("fd too large", 1);
+
     if (TTYBYTES() == 0) {
 	FD_SET(tout, &outs);
 	select(tout+1, 0, &outs, 0,
diff --git a/crypto/heimdal/appl/telnet/telnetd/Makefile.am b/crypto/heimdal/appl/telnet/telnetd/Makefile.am
index f94a435..d8497c3 100644
--- a/crypto/heimdal/appl/telnet/telnetd/Makefile.am
+++ b/crypto/heimdal/appl/telnet/telnetd/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.13 2000/01/06 15:12:46 assar Exp $
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -17,7 +17,7 @@ LDADD = \
 	../libtelnet/libtelnet.a \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(LIB_tgetent) \
 	$(LIB_logwtmp) \
 	$(LIB_roken)
diff --git a/crypto/heimdal/appl/telnet/telnetd/Makefile.in b/crypto/heimdal/appl/telnet/telnetd/Makefile.in
index 52ccb60..07ac35b 100644
--- a/crypto/heimdal/appl/telnet/telnetd/Makefile.in
+++ b/crypto/heimdal/appl/telnet/telnetd/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.13 2000/01/06 15:12:46 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include -I$(srcdir)/.. $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,36 +170,41 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = 
 
 libexec_PROGRAMS = telnetd
 
-telnetd_SOURCES = telnetd.c state.c termstat.c slc.c sys_term.c 		   utility.c global.c authenc.c defs.h ext.h telnetd.h
+telnetd_SOURCES = telnetd.c state.c termstat.c slc.c sys_term.c \
+		   utility.c global.c authenc.c defs.h ext.h telnetd.h
 
 
 man_MANS = telnetd.8
 
-LDADD =  	../libtelnet/libtelnet.a 	$(LIB_krb5) 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_tgetent) 	$(LIB_logwtmp) 	$(LIB_roken)
+LDADD = \
+	../libtelnet/libtelnet.a \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_tgetent) \
+	$(LIB_logwtmp) \
+	$(LIB_roken)
 
+subdir = appl/telnet/telnetd
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -192,42 +215,41 @@ PROGRAMS =  $(libexec_PROGRAMS)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-telnetd_OBJECTS =  telnetd.$(OBJEXT) state.$(OBJEXT) termstat.$(OBJEXT) \
-slc.$(OBJEXT) sys_term.$(OBJEXT) utility.$(OBJEXT) global.$(OBJEXT) \
-authenc.$(OBJEXT)
+am_telnetd_OBJECTS =  telnetd.$(OBJEXT) state.$(OBJEXT) \
+termstat.$(OBJEXT) slc.$(OBJEXT) sys_term.$(OBJEXT) utility.$(OBJEXT) \
+global.$(OBJEXT) authenc.$(OBJEXT)
+telnetd_OBJECTS =  $(am_telnetd_OBJECTS)
 telnetd_LDADD = $(LDADD)
+@KRB5_FALSE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a
 @KRB5_TRUE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a \
 @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
-@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
-@KRB5_FALSE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a \
-@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
 telnetd_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(telnetd_SOURCES)
 man8dir = $(mandir)/man8
 MANS = $(man_MANS)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(telnetd_SOURCES)
-OBJECTS = $(telnetd_OBJECTS)
+OBJECTS = $(am_telnetd_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/telnetd/Makefile
 
@@ -250,31 +272,20 @@ install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-libexecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -286,15 +297,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -308,6 +310,12 @@ maintainer-clean-libtool:
 telnetd$(EXEEXT): $(telnetd_OBJECTS) $(telnetd_DEPENDENCIES)
 	@rm -f telnetd$(EXEEXT)
 	$(LINK) $(telnetd_LDFLAGS) $(telnetd_OBJECTS) $(telnetd_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-man8:
 	$(mkinstalldirs) $(DESTDIR)$(man8dir)
@@ -322,6 +330,7 @@ install-man8:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
@@ -337,6 +346,7 @@ uninstall-man8:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
@@ -350,23 +360,27 @@ uninstall-man:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -379,17 +393,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/telnet/telnetd
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -418,7 +431,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(mandir)/man8
 
@@ -432,6 +445,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -469,8 +483,8 @@ uninstall-man tags mostlyclean-tags distclean-tags clean-tags \
 maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
 check-am installcheck-am installcheck install-exec-am install-exec \
 install-data-local install-data-am install-data install-am install \
-uninstall-am uninstall all-local all-redirect all-am all installdirs \
-mostlyclean-generic distclean-generic clean-generic \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
 maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
@@ -479,7 +493,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -491,8 +508,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -561,87 +578,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/telnet/telnetd/authenc.c b/crypto/heimdal/appl/telnet/telnetd/authenc.c
index ec5f2dc..14594ea2 100644
--- a/crypto/heimdal/appl/telnet/telnetd/authenc.c
+++ b/crypto/heimdal/appl/telnet/telnetd/authenc.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: authenc.c,v 1.9 1999/09/05 19:14:50 assar Exp $");
+RCSID("$Id: authenc.c,v 1.10 2000/11/15 23:20:43 assar Exp $");
 
 #ifdef AUTHENTICATION
 
@@ -67,9 +67,8 @@ telnet_spin(void)
 }
 
 char *
-telnet_getenv(char *val)
+telnet_getenv(const char *val)
 {
-    extern char *getenv(const char *);
     return(getenv(val));
 }
 
diff --git a/crypto/heimdal/appl/telnet/telnetd/ext.h b/crypto/heimdal/appl/telnet/telnetd/ext.h
index 8f5edf1..4c122f8 100644
--- a/crypto/heimdal/appl/telnet/telnetd/ext.h
+++ b/crypto/heimdal/appl/telnet/telnetd/ext.h
@@ -33,7 +33,7 @@
  *	@(#)ext.h	8.2 (Berkeley) 12/15/93
  */
 
-/* $Id: ext.h,v 1.19 1999/09/05 19:15:21 assar Exp $ */
+/* $Id: ext.h,v 1.20 2000/11/15 23:03:38 assar Exp $ */
 
 #ifndef __EXT_H__
 #define __EXT_H__
@@ -78,7 +78,7 @@ extern int	SYNCHing;		/* we are in TELNET SYNCH mode */
 int telnet_net_write (unsigned char *str, int len);
 void net_encrypt (void);
 int telnet_spin (void);
-char *telnet_getenv (char *val);
+char *telnet_getenv (const char *val);
 char *telnet_gets (char *prompt, char *result, int length, int echo);
 void get_slc_defaults (void);
 void telrcv (void);
diff --git a/crypto/heimdal/appl/telnet/telnetd/state.c b/crypto/heimdal/appl/telnet/telnetd/state.c
index 80b90ea..987d99b 100644
--- a/crypto/heimdal/appl/telnet/telnetd/state.c
+++ b/crypto/heimdal/appl/telnet/telnetd/state.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: state.c,v 1.13 1999/05/13 23:12:50 assar Exp $");
+RCSID("$Id: state.c,v 1.14 2000/10/02 05:06:02 assar Exp $");
 
 unsigned char	doopt[] = { IAC, DO, '%', 'c', 0 };
 unsigned char	dont[] = { IAC, DONT, '%', 'c', 0 };
@@ -1016,7 +1016,7 @@ suboption(void)
 	    return;
 	settimer(xdisplocsubopt);
 	subpointer[SB_LEN()] = '\0';
-	setenv("DISPLAY", (char *)subpointer, 1);
+	esetenv("DISPLAY", (char *)subpointer, 1);
 	break;
     }  /* end of case TELOPT_XDISPLOC */
 
@@ -1183,7 +1183,7 @@ suboption(void)
 	    case ENV_USERVAR:
 		*cp = '\0';
 		if (valp)
-		    setenv(varp, valp, 1);
+		    esetenv(varp, valp, 1);
 		else
 		    unsetenv(varp);
 		cp = varp = (char *)subpointer;
@@ -1202,7 +1202,7 @@ suboption(void)
 	}
 	*cp = '\0';
 	if (valp)
-	    setenv(varp, valp, 1);
+	    esetenv(varp, valp, 1);
 	else
 	    unsetenv(varp);
 	break;
diff --git a/crypto/heimdal/appl/telnet/telnetd/sys_term.c b/crypto/heimdal/appl/telnet/telnetd/sys_term.c
index bbacb05..7c529af 100644
--- a/crypto/heimdal/appl/telnet/telnetd/sys_term.c
+++ b/crypto/heimdal/appl/telnet/telnetd/sys_term.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: sys_term.c,v 1.90 2000/01/01 11:53:59 assar Exp $");
+RCSID("$Id: sys_term.c,v 1.97 2000/12/08 23:32:06 assar Exp $");
 
 #if defined(_CRAY) || (defined(__hpux) && !defined(HAVE_UTMPX_H))
 # define PARENT_DOES_UTMP
@@ -1154,7 +1154,7 @@ startslave(char *host, int autologin, char *autoname)
 	/*
 	 * Create utmp entry for child
 	 */
-	time(&wtmp.ut_time);
+	wtmp.ut_time = time(NULL);
 	wtmp.ut_type = LOGIN_PROCESS;
 	wtmp.ut_pid = pid;
 	strncpy(wtmp.ut_user,  "LOGIN", sizeof(wtmp.ut_user));
@@ -1177,6 +1177,10 @@ startslave(char *host, int autologin, char *autoname)
 # endif	/* PARENT_DOES_UTMP */
     } else {
 	getptyslave();
+#if defined(DCE)
+	/* if we authenticated via K5, try and join the PAG */
+	kerberos5_dfspag();
+#endif
 	start_login(host, autologin, autoname);
 	/*NOTREACHED*/
     }
@@ -1205,26 +1209,50 @@ init_env(void)
 /*
  * scrub_env()
  *
- * Remove variables from the environment that might cause login to
- * behave in a bad manner. To avoid this, login should be staticly
- * linked.
+ * We only accept the environment variables listed below.
  */
 
-static void scrub_env(void)
+static void
+scrub_env(void)
 {
-    static char *remove[] = { "LD_", "_RLD_", "LIBPATH=", "IFS=", NULL };
+    static const char *reject[] = {
+	"TERMCAP=/",
+	NULL
+    };
+
+    static const char *accept[] = {
+	"XAUTH=", "XAUTHORITY=", "DISPLAY=",
+	"TERM=",
+	"EDITOR=",
+	"PAGER=",
+	"PRINTER=",
+	"LOGNAME=",
+	"POSIXLY_CORRECT=",
+	"TERMCAP=",
+	NULL
+    };
 
     char **cpp, **cpp2;
-    char **p;
+    const char **p;
   
     for (cpp2 = cpp = environ; *cpp; cpp++) {
-	for(p = remove; *p; p++)
+	int reject_it = 0;
+
+	for(p = reject; *p; p++)
+	    if(strncmp(*cpp, *p, strlen(*p)) == 0) {
+		reject_it = 1;
+		break;
+	    }
+	if (reject_it)
+	    continue;
+
+	for(p = accept; *p; p++)
 	    if(strncmp(*cpp, *p, strlen(*p)) == 0)
 		break;
-	if(*p == NULL)
+	if(*p != NULL)
 	    *cpp2++ = *cpp;
     }
-    *cpp2 = 0;
+    *cpp2 = NULL;
 }
 
 
@@ -1423,7 +1451,7 @@ rmut(void)
 #ifdef HAVE_STRUCT_UTMP_UT_HOST
 	    strncpy(wtmp.ut_host,  "", sizeof(wtmp.ut_host));
 #endif
-	    time(&wtmp.ut_time);
+	    wtmp.ut_time = time(NULL);
 	    write(f, &wtmp, sizeof(wtmp));
 	    close(f);
 	  }
@@ -1467,7 +1495,7 @@ rmut(void)
 #ifdef HAVE_STRUCT_UTMP_UT_HOST
 		strncpy(u->ut_host,  "", sizeof(u->ut_host));
 #endif
-		time(&u->ut_time);
+		u->ut_time = time(NULL);
 		write(f, u, sizeof(wtmp));
 		found++;
 	    }
@@ -1482,7 +1510,7 @@ rmut(void)
 #ifdef HAVE_STRUCT_UTMP_UT_HOST
 	    strncpy(wtmp.ut_host,  "", sizeof(wtmp.ut_host));
 #endif
-	    time(&wtmp.ut_time);
+	    wtmp.ut_time = time(NULL);
 	    write(f, &wtmp, sizeof(wtmp));
 	    close(f);
 	}
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.8 b/crypto/heimdal/appl/telnet/telnetd/telnetd.8
index 62cc4cd..81c187f 100644
--- a/crypto/heimdal/appl/telnet/telnetd/telnetd.8
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.8
@@ -298,7 +298,9 @@ DO TIMING-MARK
 .Ed
 .Pp
 The pseudo-terminal allocated to the client is configured
-to operate in \*(lqcooked\*(rq mode, and with
+to operate in
+.Dq cooked
+mode, and with
 .Dv XTABS and
 .Dv CRMOD
 enabled (see
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.c b/crypto/heimdal/appl/telnet/telnetd/telnetd.c
index 678b508..b788574 100644
--- a/crypto/heimdal/appl/telnet/telnetd/telnetd.c
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: telnetd.c,v 1.60 1999/12/05 10:59:52 assar Exp $");
+RCSID("$Id: telnetd.c,v 1.63 2000/10/08 13:32:28 assar Exp $");
 
 #ifdef _SC_CRAY_SECURE_SYS
 #include <sys/sysv.h>
@@ -143,7 +143,8 @@ main(int argc, char **argv)
 {
     struct sockaddr_storage __ss;
     struct sockaddr *sa = (struct sockaddr *)&__ss;
-    int on = 1, sa_size;
+    int on = 1;
+    socklen_t sa_size;
     int ch;
 #if	defined(IPPROTO_IP) && defined(IP_TOS)
     int tos = -1;
@@ -362,9 +363,9 @@ main(int argc, char **argv)
      *	Get socket's security label
      */
     if (secflag)  {
-	int szss = sizeof(ss);
+	socklen_t szss = sizeof(ss);
 	int sock_multi;
-	int szi = sizeof(int);
+	socklen_t szi = sizeof(int);
 
 	memset(&dv, 0, sizeof(dv));
 
@@ -737,7 +738,7 @@ Please contact your net administrator");
      */
     *user_name = 0;
     level = getterminaltype(user_name, sizeof(user_name));
-    setenv("TERM", terminaltype ? terminaltype : "network", 1);
+    esetenv("TERM", terminaltype ? terminaltype : "network", 1);
 
 #ifdef _SC_CRAY_SECURE_SYS
     if (secflag) {
@@ -968,6 +969,11 @@ my_telnet(int f, int p, char *host, int level, char *autoname)
 	FD_ZERO(&ibits);
 	FD_ZERO(&obits);
 	FD_ZERO(&xbits);
+
+	if (f >= FD_SETSIZE
+	    || p >= FD_SETSIZE)
+	    fatal(net, "fd too large");
+
 	/*
 	 * Never look for input if there's still
 	 * stuff in the corresponding output buffer
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.h b/crypto/heimdal/appl/telnet/telnetd/telnetd.h
index 5ad5bd8..fdda3d7 100644
--- a/crypto/heimdal/appl/telnet/telnetd/telnetd.h
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.h
@@ -124,10 +124,6 @@
 
 #include "defs.h"
 
-#ifdef HAVE_ARPA_TELNET_H
-#include <arpa/telnet.h>
-#endif
-
 #ifndef _POSIX_VDISABLE
 # ifdef VDISABLE
 #  define _POSIX_VDISABLE VDISABLE
@@ -152,12 +148,16 @@
 #include <sys/utsname.h>
 #endif
 
-#include "ext.h"
-
 #ifdef HAVE_PATHS_H
 #include <paths.h>
 #endif
 
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#include "ext.h"
+
 #ifdef SOCKS
 #include <socks.h>
 /* This doesn't belong here. */
diff --git a/crypto/heimdal/appl/telnet/telnetd/utility.c b/crypto/heimdal/appl/telnet/telnetd/utility.c
index 1e9be5c..a2e542d 100644
--- a/crypto/heimdal/appl/telnet/telnetd/utility.c
+++ b/crypto/heimdal/appl/telnet/telnetd/utility.c
@@ -34,7 +34,7 @@
 #define PRINTOPTIONS
 #include "telnetd.h"
 
-RCSID("$Id: utility.c,v 1.22 1999/09/16 20:41:38 assar Exp $");
+RCSID("$Id: utility.c,v 1.23 2000/10/08 13:34:27 assar Exp $");
 
 /*
  * utility functions performing io related tasks
@@ -68,7 +68,7 @@ ttloop(void)
 	syslog(LOG_INFO, "ttloop:  read: %m\n");
 	exit(1);
     } else if (ncc == 0) {
-	syslog(LOG_INFO, "ttloop:  peer died: %m\n");
+	syslog(LOG_INFO, "ttloop:  peer died\n");
 	exit(1);
     }
     DIAG(TD_REPORT, {
@@ -93,6 +93,9 @@ stilloob(int s)
     fd_set	excepts;
     int value;
 
+    if (s >= FD_SETSIZE)
+	fatal(ourpty, "fd too large");
+
     do {
 	FD_ZERO(&excepts);
 	FD_SET(s, &excepts);
diff --git a/crypto/heimdal/appl/test/Makefile.am b/crypto/heimdal/appl/test/Makefile.am
index 9ae5cba..154b407 100644
--- a/crypto/heimdal/appl/test/Makefile.am
+++ b/crypto/heimdal/appl/test/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.13 1999/09/21 05:06:19 assar Exp $
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -32,6 +32,6 @@ nt_gss_client_LDADD = $(gssapi_server_LDADD)
 nt_gss_server_LDADD = $(nt_gss_client_LDADD)
 
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
diff --git a/crypto/heimdal/appl/test/Makefile.in b/crypto/heimdal/appl/test/Makefile.in
index acada82..b95c37a 100644
--- a/crypto/heimdal/appl/test/Makefile.in
+++ b/crypto/heimdal/appl/test/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.13 1999/09/21 05:06:19 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,38 +170,37 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
-noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client 	uu_server uu_client nt_gss_server nt_gss_client
+noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
+	uu_server uu_client nt_gss_server nt_gss_client
 
 
 tcp_client_SOURCES = tcp_client.c common.c test_locl.h
 
 tcp_server_SOURCES = tcp_server.c common.c test_locl.h
 
-gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c 	gss_common.h test_locl.h
+gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c \
+	gss_common.h test_locl.h
 
 
-gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c 	gss_common.h test_locl.h
+gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c \
+	gss_common.h test_locl.h
 
 
 uu_server_SOURCES = uu_server.c common.c test_locl.h
@@ -202,8 +219,12 @@ nt_gss_client_LDADD = $(gssapi_server_LDADD)
 
 nt_gss_server_LDADD = $(nt_gss_client_LDADD)
 
-LDADD = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
 
+subdir = appl/test
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -216,72 +237,79 @@ PROGRAMS =  $(noinst_PROGRAMS)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-tcp_client_OBJECTS =  tcp_client.$(OBJEXT) common.$(OBJEXT)
+am_gssapi_client_OBJECTS =  gssapi_client.$(OBJEXT) gss_common.$(OBJEXT) \
+common.$(OBJEXT)
+gssapi_client_OBJECTS =  $(am_gssapi_client_OBJECTS)
+gssapi_client_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+gssapi_client_LDFLAGS = 
+am_gssapi_server_OBJECTS =  gssapi_server.$(OBJEXT) gss_common.$(OBJEXT) \
+common.$(OBJEXT)
+gssapi_server_OBJECTS =  $(am_gssapi_server_OBJECTS)
+gssapi_server_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+gssapi_server_LDFLAGS = 
+am_nt_gss_client_OBJECTS =  nt_gss_client.$(OBJEXT) \
+nt_gss_common.$(OBJEXT) common.$(OBJEXT)
+nt_gss_client_OBJECTS =  $(am_nt_gss_client_OBJECTS)
+nt_gss_client_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+nt_gss_client_LDFLAGS = 
+am_nt_gss_server_OBJECTS =  nt_gss_server.$(OBJEXT) \
+nt_gss_common.$(OBJEXT)
+nt_gss_server_OBJECTS =  $(am_nt_gss_server_OBJECTS)
+nt_gss_server_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+nt_gss_server_LDFLAGS = 
+am_tcp_client_OBJECTS =  tcp_client.$(OBJEXT) common.$(OBJEXT)
+tcp_client_OBJECTS =  $(am_tcp_client_OBJECTS)
 tcp_client_LDADD = $(LDADD)
 tcp_client_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/asn1/libasn1.la
 tcp_client_LDFLAGS = 
-tcp_server_OBJECTS =  tcp_server.$(OBJEXT) common.$(OBJEXT)
+am_tcp_server_OBJECTS =  tcp_server.$(OBJEXT) common.$(OBJEXT)
+tcp_server_OBJECTS =  $(am_tcp_server_OBJECTS)
 tcp_server_LDADD = $(LDADD)
 tcp_server_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
-tcp_server_LDFLAGS = 
-gssapi_server_OBJECTS =  gssapi_server.$(OBJEXT) gss_common.$(OBJEXT) \
-common.$(OBJEXT)
-gssapi_server_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
-$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
 $(top_builddir)/lib/asn1/libasn1.la
-gssapi_server_LDFLAGS = 
-gssapi_client_OBJECTS =  gssapi_client.$(OBJEXT) gss_common.$(OBJEXT) \
-common.$(OBJEXT)
-gssapi_client_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
-$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
-$(top_builddir)/lib/asn1/libasn1.la
-gssapi_client_LDFLAGS = 
-uu_server_OBJECTS =  uu_server.$(OBJEXT) common.$(OBJEXT)
-uu_server_LDADD = $(LDADD)
-uu_server_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
-uu_server_LDFLAGS = 
-uu_client_OBJECTS =  uu_client.$(OBJEXT) common.$(OBJEXT)
+tcp_server_LDFLAGS = 
+am_uu_client_OBJECTS =  uu_client.$(OBJEXT) common.$(OBJEXT)
+uu_client_OBJECTS =  $(am_uu_client_OBJECTS)
 uu_client_LDADD = $(LDADD)
 uu_client_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
-uu_client_LDFLAGS = 
-nt_gss_server_OBJECTS =  nt_gss_server.$(OBJEXT) nt_gss_common.$(OBJEXT)
-nt_gss_server_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
-$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
 $(top_builddir)/lib/asn1/libasn1.la
-nt_gss_server_LDFLAGS = 
-nt_gss_client_OBJECTS =  nt_gss_client.$(OBJEXT) nt_gss_common.$(OBJEXT) \
-common.$(OBJEXT)
-nt_gss_client_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
-$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+uu_client_LDFLAGS = 
+am_uu_server_OBJECTS =  uu_server.$(OBJEXT) common.$(OBJEXT)
+uu_server_OBJECTS =  $(am_uu_server_OBJECTS)
+uu_server_LDADD = $(LDADD)
+uu_server_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
 $(top_builddir)/lib/asn1/libasn1.la
-nt_gss_client_LDFLAGS = 
-CFLAGS = @CFLAGS@
+uu_server_LDFLAGS = 
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) \
+$(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) $(tcp_client_SOURCES) \
+$(tcp_server_SOURCES) $(uu_client_SOURCES) $(uu_server_SOURCES)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
-SOURCES = $(tcp_client_SOURCES) $(tcp_server_SOURCES) $(gssapi_server_SOURCES) $(gssapi_client_SOURCES) $(uu_server_SOURCES) $(uu_client_SOURCES) $(nt_gss_server_SOURCES) $(nt_gss_client_SOURCES)
-OBJECTS = $(tcp_client_OBJECTS) $(tcp_server_OBJECTS) $(gssapi_server_OBJECTS) $(gssapi_client_OBJECTS) $(uu_server_OBJECTS) $(uu_client_OBJECTS) $(nt_gss_server_OBJECTS) $(nt_gss_client_OBJECTS)
+SOURCES = $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) $(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) $(tcp_client_SOURCES) $(tcp_server_SOURCES) $(uu_client_SOURCES) $(uu_server_SOURCES)
+OBJECTS = $(am_gssapi_client_OBJECTS) $(am_gssapi_server_OBJECTS) $(am_nt_gss_client_OBJECTS) $(am_nt_gss_server_OBJECTS) $(am_tcp_client_OBJECTS) $(am_tcp_server_OBJECTS) $(am_uu_client_OBJECTS) $(am_uu_server_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/test/Makefile
 
@@ -299,20 +327,6 @@ distclean-noinstPROGRAMS:
 
 maintainer-clean-noinstPROGRAMS:
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -324,15 +338,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -343,6 +348,22 @@ distclean-libtool:
 
 maintainer-clean-libtool:
 
+gssapi_client$(EXEEXT): $(gssapi_client_OBJECTS) $(gssapi_client_DEPENDENCIES)
+	@rm -f gssapi_client$(EXEEXT)
+	$(LINK) $(gssapi_client_LDFLAGS) $(gssapi_client_OBJECTS) $(gssapi_client_LDADD) $(LIBS)
+
+gssapi_server$(EXEEXT): $(gssapi_server_OBJECTS) $(gssapi_server_DEPENDENCIES)
+	@rm -f gssapi_server$(EXEEXT)
+	$(LINK) $(gssapi_server_LDFLAGS) $(gssapi_server_OBJECTS) $(gssapi_server_LDADD) $(LIBS)
+
+nt_gss_client$(EXEEXT): $(nt_gss_client_OBJECTS) $(nt_gss_client_DEPENDENCIES)
+	@rm -f nt_gss_client$(EXEEXT)
+	$(LINK) $(nt_gss_client_LDFLAGS) $(nt_gss_client_OBJECTS) $(nt_gss_client_LDADD) $(LIBS)
+
+nt_gss_server$(EXEEXT): $(nt_gss_server_OBJECTS) $(nt_gss_server_DEPENDENCIES)
+	@rm -f nt_gss_server$(EXEEXT)
+	$(LINK) $(nt_gss_server_LDFLAGS) $(nt_gss_server_OBJECTS) $(nt_gss_server_LDADD) $(LIBS)
+
 tcp_client$(EXEEXT): $(tcp_client_OBJECTS) $(tcp_client_DEPENDENCIES)
 	@rm -f tcp_client$(EXEEXT)
 	$(LINK) $(tcp_client_LDFLAGS) $(tcp_client_OBJECTS) $(tcp_client_LDADD) $(LIBS)
@@ -351,49 +372,43 @@ tcp_server$(EXEEXT): $(tcp_server_OBJECTS) $(tcp_server_DEPENDENCIES)
 	@rm -f tcp_server$(EXEEXT)
 	$(LINK) $(tcp_server_LDFLAGS) $(tcp_server_OBJECTS) $(tcp_server_LDADD) $(LIBS)
 
-gssapi_server$(EXEEXT): $(gssapi_server_OBJECTS) $(gssapi_server_DEPENDENCIES)
-	@rm -f gssapi_server$(EXEEXT)
-	$(LINK) $(gssapi_server_LDFLAGS) $(gssapi_server_OBJECTS) $(gssapi_server_LDADD) $(LIBS)
-
-gssapi_client$(EXEEXT): $(gssapi_client_OBJECTS) $(gssapi_client_DEPENDENCIES)
-	@rm -f gssapi_client$(EXEEXT)
-	$(LINK) $(gssapi_client_LDFLAGS) $(gssapi_client_OBJECTS) $(gssapi_client_LDADD) $(LIBS)
-
-uu_server$(EXEEXT): $(uu_server_OBJECTS) $(uu_server_DEPENDENCIES)
-	@rm -f uu_server$(EXEEXT)
-	$(LINK) $(uu_server_LDFLAGS) $(uu_server_OBJECTS) $(uu_server_LDADD) $(LIBS)
-
 uu_client$(EXEEXT): $(uu_client_OBJECTS) $(uu_client_DEPENDENCIES)
 	@rm -f uu_client$(EXEEXT)
 	$(LINK) $(uu_client_LDFLAGS) $(uu_client_OBJECTS) $(uu_client_LDADD) $(LIBS)
 
-nt_gss_server$(EXEEXT): $(nt_gss_server_OBJECTS) $(nt_gss_server_DEPENDENCIES)
-	@rm -f nt_gss_server$(EXEEXT)
-	$(LINK) $(nt_gss_server_LDFLAGS) $(nt_gss_server_OBJECTS) $(nt_gss_server_LDADD) $(LIBS)
-
-nt_gss_client$(EXEEXT): $(nt_gss_client_OBJECTS) $(nt_gss_client_DEPENDENCIES)
-	@rm -f nt_gss_client$(EXEEXT)
-	$(LINK) $(nt_gss_client_LDFLAGS) $(nt_gss_client_OBJECTS) $(nt_gss_client_LDADD) $(LIBS)
+uu_server$(EXEEXT): $(uu_server_OBJECTS) $(uu_server_DEPENDENCIES)
+	@rm -f uu_server$(EXEEXT)
+	$(LINK) $(uu_server_LDFLAGS) $(uu_server_OBJECTS) $(uu_server_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -406,17 +421,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = appl/test
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -445,7 +459,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 
 
@@ -458,6 +472,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-noinstPROGRAMS mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -494,7 +509,7 @@ distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -504,7 +519,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -516,8 +534,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -586,87 +604,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/appl/test/common.c b/crypto/heimdal/appl/test/common.c
index 30b2e2d..58b9fdf 100644
--- a/crypto/heimdal/appl/test/common.c
+++ b/crypto/heimdal/appl/test/common.c
@@ -33,17 +33,20 @@
 
 #include "test_locl.h"
 
-RCSID("$Id: common.c,v 1.10 2000/02/12 21:30:47 assar Exp $");
+RCSID("$Id: common.c,v 1.11 2000/08/27 04:29:34 assar Exp $");
 
 static int help_flag;
 static int version_flag;
 static char *port_str;
+static char *keytab_str;
+krb5_keytab keytab;
 char *service = SERVICE;
 int fork_flag;
 
 static struct getargs args[] = {
     { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
     { "service", 's', arg_string, &service, "service to use", "service" },
+    { "keytab", 'k', arg_string, &keytab_str, "keytab to use", "keytab" },
     { "fork", 'f', arg_flag, &fork_flag, "do fork" },
     { "help", 'h', arg_flag, &help_flag },
     { "version", 0, arg_flag, &version_flag }
@@ -104,8 +107,16 @@ int
 server_setup(krb5_context *context, int argc, char **argv)
 {
     int port = common_setup(context, &argc, argv, server_usage);
+    krb5_error_code ret;
+
     if(argv[argc] != NULL)
 	server_usage(1, args, num_args);
+    if (keytab_str != NULL)
+	ret = krb5_kt_resolve (*context, keytab_str, &keytab);
+    else
+	ret = krb5_kt_default (*context, &keytab);
+    if (ret)
+	krb5_err (*context, 1, ret, "krb5_kt_resolve/default");
     return port;
 }
 
diff --git a/crypto/heimdal/appl/test/gss_common.c b/crypto/heimdal/appl/test/gss_common.c
index 821114b..4b5319a 100644
--- a/crypto/heimdal/appl/test/gss_common.c
+++ b/crypto/heimdal/appl/test/gss_common.c
@@ -34,7 +34,7 @@
 #include "test_locl.h"
 #include <gssapi.h>
 #include "gss_common.h"
-RCSID("$Id: gss_common.c,v 1.7 2000/02/12 21:31:38 assar Exp $");
+RCSID("$Id: gss_common.c,v 1.9 2000/11/15 23:05:27 assar Exp $");
 
 void
 write_token (int sock, gss_buffer_t buf)
@@ -46,28 +46,36 @@ write_token (int sock, gss_buffer_t buf)
 
     net_len = htonl(len);
 
-    if (write (sock, &net_len, 4) != 4)
+    if (net_write (sock, &net_len, 4) != 4)
 	err (1, "write");
-    if (write (sock, buf->value, len) != len)
+    if (net_write (sock, buf->value, len) != len)
 	err (1, "write");
 
     gss_release_buffer (&min_stat, buf);
 }
 
+static void
+enet_read(int fd, void *buf, size_t len)
+{
+    ssize_t ret;
+
+    ret = net_read (fd, buf, len);
+    if (ret == 0)
+	errx (1, "EOF in read");
+    else if (ret < 0)
+	errx (1, "read");
+}
+
 void
 read_token (int sock, gss_buffer_t buf)
 {
     u_int32_t len, net_len;
 
-    if (read(sock, &net_len, 4) != 4)
-	err (1, "read");
+    enet_read (sock, &net_len, 4);
     len = ntohl(net_len);
     buf->length = len;
-    buf->value  = malloc(len);
-    if (buf->value == NULL)
-	err (1, "malloc %u", len);
-    if (read (sock, buf->value, len) != len)
-	err (1, "read");
+    buf->value  = emalloc(len);
+    enet_read (sock, buf->value, len);
 }
 
 void
diff --git a/crypto/heimdal/appl/test/gssapi_client.c b/crypto/heimdal/appl/test/gssapi_client.c
index ed3c43a..126ce91 100644
--- a/crypto/heimdal/appl/test/gssapi_client.c
+++ b/crypto/heimdal/appl/test/gssapi_client.c
@@ -34,7 +34,7 @@
 #include "test_locl.h"
 #include <gssapi.h>
 #include "gss_common.h"
-RCSID("$Id: gssapi_client.c,v 1.12 2000/02/12 21:33:17 assar Exp $");
+RCSID("$Id: gssapi_client.c,v 1.16 2000/08/09 20:53:06 assar Exp $");
 
 static int
 do_trans (int sock, gss_ctx_id_t context_hdl)
@@ -85,7 +85,7 @@ static int
 proto (int sock, const char *hostname, const char *service)
 {
     struct sockaddr_in remote, local;
-    int addrlen;
+    socklen_t addrlen;
 
     int context_established = 0;
     gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
@@ -95,6 +95,9 @@ proto (int sock, const char *hostname, const char *service)
     OM_uint32 maj_stat, min_stat;
     gss_name_t server;
     gss_buffer_desc name_token;
+    struct gss_channel_bindings_struct input_chan_bindings;
+    u_char init_buf[4];
+    u_char acct_buf[4];
 
     name_token.length = asprintf ((char **)&name_token.value,
 				  "%s@%s", service, hostname);
@@ -120,6 +123,32 @@ proto (int sock, const char *hostname, const char *service)
     input_token->length = 0;
     output_token->length = 0;
 
+    input_chan_bindings.initiator_addrtype = GSS_C_AF_INET;
+    input_chan_bindings.initiator_address.length = 4;
+    init_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF;
+    init_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF;
+    init_buf[2] = (local.sin_addr.s_addr >>  8) & 0xFF;
+    init_buf[3] = (local.sin_addr.s_addr >>  0) & 0xFF;
+    input_chan_bindings.initiator_address.value = init_buf;
+
+    input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET;
+    input_chan_bindings.acceptor_address.length = 4;
+    acct_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF;
+    acct_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF;
+    acct_buf[2] = (remote.sin_addr.s_addr >>  8) & 0xFF;
+    acct_buf[3] = (remote.sin_addr.s_addr >>  0) & 0xFF;
+    input_chan_bindings.acceptor_address.value = acct_buf;
+    
+#if 0
+    input_chan_bindings.application_data.value = emalloc(4);
+    * (unsigned short*)input_chan_bindings.application_data.value = local.sin_port;
+    * ((unsigned short *)input_chan_bindings.application_data.value + 1) = remote.sin_port;
+    input_chan_bindings.application_data.length = 4;
+#else
+    input_chan_bindings.application_data.length = 0;
+    input_chan_bindings.application_data.value = NULL;
+#endif
+
     while(!context_established) {
 	maj_stat =
 	    gss_init_sec_context(&min_stat,
@@ -127,9 +156,10 @@ proto (int sock, const char *hostname, const char *service)
 				 &context_hdl,
 				 server,
 				 GSS_C_NO_OID,
-				 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
+				 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG
+				 | GSS_C_DELEG_FLAG,
 				 0,
-				 GSS_C_NO_CHANNEL_BINDINGS,
+				 &input_chan_bindings,
 				 input_token,
 				 NULL,
 				 output_token,
diff --git a/crypto/heimdal/appl/test/gssapi_server.c b/crypto/heimdal/appl/test/gssapi_server.c
index 01aa769..3d4affd 100644
--- a/crypto/heimdal/appl/test/gssapi_server.c
+++ b/crypto/heimdal/appl/test/gssapi_server.c
@@ -34,7 +34,7 @@
 #include "test_locl.h"
 #include <gssapi.h>
 #include "gss_common.h"
-RCSID("$Id: gssapi_server.c,v 1.12 2000/02/12 21:34:11 assar Exp $");
+RCSID("$Id: gssapi_server.c,v 1.15 2000/08/09 20:53:07 assar Exp $");
 
 static int
 process_it(int sock,
@@ -105,13 +105,18 @@ static int
 proto (int sock, const char *service)
 {
     struct sockaddr_in remote, local;
-    int addrlen;
+    socklen_t addrlen;
     gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
     gss_buffer_desc real_input_token, real_output_token;
     gss_buffer_t input_token = &real_input_token,
 	output_token = &real_output_token;
     OM_uint32 maj_stat, min_stat;
     gss_name_t client_name;
+    struct gss_channel_bindings_struct input_chan_bindings;
+    gss_cred_id_t delegated_cred_handle = NULL;
+    krb5_ccache ccache;
+    u_char init_buf[4];
+    u_char acct_buf[4];
 
     addrlen = sizeof(local);
     if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
@@ -123,6 +128,37 @@ proto (int sock, const char *service)
 	|| addrlen != sizeof(remote))
 	err (1, "getpeername");
 
+    input_chan_bindings.initiator_addrtype = GSS_C_AF_INET;
+    input_chan_bindings.initiator_address.length = 4;
+    init_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF;
+    init_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF;
+    init_buf[2] = (remote.sin_addr.s_addr >>  8) & 0xFF;
+    init_buf[3] = (remote.sin_addr.s_addr >>  0) & 0xFF;
+
+    input_chan_bindings.initiator_address.value = init_buf;
+    input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET;
+
+    input_chan_bindings.acceptor_address.length = 4;
+    acct_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF;
+    acct_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF;
+    acct_buf[2] = (local.sin_addr.s_addr >>  8) & 0xFF;
+    acct_buf[3] = (local.sin_addr.s_addr >>  0) & 0xFF;
+    input_chan_bindings.acceptor_address.value = acct_buf;
+    input_chan_bindings.application_data.value = emalloc(4);
+#if 0
+    * (unsigned short *)input_chan_bindings.application_data.value =
+                          remote.sin_port;
+    * ((unsigned short *)input_chan_bindings.application_data.value + 1) =
+                          local.sin_port;
+    input_chan_bindings.application_data.length = 4;
+#else
+    input_chan_bindings.application_data.length = 0;
+    input_chan_bindings.application_data.value = NULL;
+#endif
+    
+    delegated_cred_handle = emalloc(sizeof(*delegated_cred_handle));
+    memset((char*)delegated_cred_handle, 0, sizeof(*delegated_cred_handle));
+    
     do {
 	read_token (sock, input_token);
 	maj_stat =
@@ -130,13 +166,13 @@ proto (int sock, const char *service)
 				    &context_hdl,
 				    GSS_C_NO_CREDENTIAL,
 				    input_token,
-				    GSS_C_NO_CHANNEL_BINDINGS,
+				    &input_chan_bindings,
 				    &client_name,
 				    NULL,
 				    output_token,
 				    NULL,
 				    NULL,
-				    NULL);
+				    /*&delegated_cred_handle*/ NULL);
 	if(GSS_ERROR(maj_stat))
 	    gss_err (1, min_stat, "gss_accept_sec_context");
 	if (output_token->length != 0)
@@ -149,6 +185,17 @@ proto (int sock, const char *service)
 	    break;
 	}
     } while(maj_stat & GSS_S_CONTINUE_NEEDED);
+    
+    if (delegated_cred_handle->ccache) {
+       krb5_context context;
+
+       maj_stat = krb5_init_context(&context);
+       maj_stat = krb5_cc_resolve(context, "FILE:/tmp/krb5cc_test", &ccache);
+       maj_stat = krb5_cc_copy_cache(context,
+                                      delegated_cred_handle->ccache, ccache);
+       krb5_cc_close(context, ccache);
+       krb5_cc_destroy(context, delegated_cred_handle->ccache);
+    }
 
     if (fork_flag) {
 	pid_t pid;
diff --git a/crypto/heimdal/appl/test/nt_gss_client.c b/crypto/heimdal/appl/test/nt_gss_client.c
index e77f9f2..4fabd66 100644
--- a/crypto/heimdal/appl/test/nt_gss_client.c
+++ b/crypto/heimdal/appl/test/nt_gss_client.c
@@ -35,7 +35,7 @@
 #include <gssapi.h>
 #include "nt_gss_common.h"
 
-RCSID("$Id: nt_gss_client.c,v 1.3 1999/12/04 18:16:19 assar Exp $");
+RCSID("$Id: nt_gss_client.c,v 1.4 2000/08/09 20:53:07 assar Exp $");
 
 /*
  * This program tries to act as a client for the sample in `Sample
@@ -46,7 +46,7 @@ static int
 proto (int sock, const char *hostname, const char *service)
 {
     struct sockaddr_in remote, local;
-    int addrlen;
+    socklen_t addrlen;
 
     int context_established = 0;
     gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
diff --git a/crypto/heimdal/appl/test/nt_gss_server.c b/crypto/heimdal/appl/test/nt_gss_server.c
index 9781ed1..05b6bcb 100644
--- a/crypto/heimdal/appl/test/nt_gss_server.c
+++ b/crypto/heimdal/appl/test/nt_gss_server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -36,13 +36,13 @@
 #include <krb5.h>
 #include "nt_gss_common.h"
 
-RCSID("$Id: nt_gss_server.c,v 1.3 1999/12/16 10:29:58 assar Exp $");
+RCSID("$Id: nt_gss_server.c,v 1.5 2000/08/09 20:53:07 assar Exp $");
 
 /*
  * This program tries to act as a server for the sample in `Sample
  * SSPI Code' in Windows 2000 RC1 SDK.
  *
- * use --dump-add to get a binary dump of the authorization data in the ticket
+ * use --dump-auth to get a binary dump of the authorization data in the ticket
  */
 
 static int help_flag;
@@ -66,7 +66,7 @@ static int
 proto (int sock, const char *service)
 {
     struct sockaddr_in remote, local;
-    int addrlen;
+    socklen_t addrlen;
     gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
     gss_buffer_t input_token, output_token;
     gss_buffer_desc real_input_token, real_output_token;
diff --git a/crypto/heimdal/appl/test/test_locl.h b/crypto/heimdal/appl/test/test_locl.h
index 5c4ca36..56f8745 100644
--- a/crypto/heimdal/appl/test/test_locl.h
+++ b/crypto/heimdal/appl/test/test_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: test_locl.h,v 1.8 2000/02/14 02:52:55 assar Exp $ */
+/* $Id: test_locl.h,v 1.9 2000/08/27 04:29:54 assar Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -79,6 +79,7 @@
 #define PORT "test"
 
 extern char *service;
+extern krb5_keytab keytab;
 extern int fork_flag;
 int server_setup(krb5_context*, int, char**);
 int client_setup(krb5_context*, int*, char**);
diff --git a/crypto/heimdal/appl/test/uu_client.c b/crypto/heimdal/appl/test/uu_client.c
index 204f919..fae5bcb 100644
--- a/crypto/heimdal/appl/test/uu_client.c
+++ b/crypto/heimdal/appl/test/uu_client.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "test_locl.h"
-RCSID("$Id: uu_client.c,v 1.5 1999/12/04 18:17:26 assar Exp $");
+RCSID("$Id: uu_client.c,v 1.7 2000/12/31 07:41:39 assar Exp $");
 
 krb5_context context;
 
@@ -40,7 +40,7 @@ static int
 proto (int sock, const char *hostname, const char *service)
 {
     struct sockaddr_in remote, local;
-    int addrlen;
+    socklen_t addrlen;
     krb5_address remote_addr, local_addr;
     krb5_context context;
     krb5_ccache ccache;
@@ -63,7 +63,7 @@ proto (int sock, const char *hostname, const char *service)
 
     status = krb5_init_context(&context);
     if (status)
-	krb5_err(context, 1, status, "krb5_init_context");
+	errx(1, "krb5_init_context failed: %d", status);
 
     status = krb5_cc_default (context, &ccache);
     if (status)
diff --git a/crypto/heimdal/appl/test/uu_server.c b/crypto/heimdal/appl/test/uu_server.c
index fabfea2..34a0927 100644
--- a/crypto/heimdal/appl/test/uu_server.c
+++ b/crypto/heimdal/appl/test/uu_server.c
@@ -32,7 +32,7 @@
  */
 
 #include "test_locl.h"
-RCSID("$Id: uu_server.c,v 1.6 1999/12/16 10:32:44 assar Exp $");
+RCSID("$Id: uu_server.c,v 1.7 2000/08/09 20:53:08 assar Exp $");
 
 krb5_context context;
 
@@ -40,7 +40,7 @@ static int
 proto (int sock, const char *service)
 {
     struct sockaddr_in remote, local;
-    int addrlen;
+    socklen_t addrlen;
     krb5_address remote_addr, local_addr;
     krb5_ccache ccache;
     krb5_auth_context auth_context;
diff --git a/crypto/heimdal/cf/ChangeLog b/crypto/heimdal/cf/ChangeLog
index 2c21ce2..77eec6d 100644
--- a/crypto/heimdal/cf/ChangeLog
+++ b/crypto/heimdal/cf/ChangeLog
@@ -1,3 +1,159 @@
+2000-12-26  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: remove some dnl that weren't the correct with
+	modern autoconf
+
+2000-12-15  Assar Westerlund  <assar@sics.se>
+
+	* roken-frag.m4 (inet_ntoa, inet_ntop, inet_pton): add necessary
+	includes when testing
+	* broken2.m4: new variant of broken, with includes and arguments
+
+	* test-package.m4: s/ifval/m4_ifval/ to keep in sync with
+ 	autoconf.  from Ake Sandgren <ake@cs.umu.se>
+	* check-var.m4: s/ifval/m4_ifval/ to keep in sync with autoconf.
+  	from Ake Sandgren <ake@cs.umu.se>
+
+2000-12-13  Assar Westerlund  <assar@sics.se>
+
+	* krb-irix.m4: need to set irix to no first.  From Ake Sandgren
+	<ake@cs.umu.se>
+
+2000-12-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-frag.m4: move sa_len test to before test for broken
+	getnameinfo
+
+2000-12-12  Assar Westerlund  <assar@sics.se>
+
+	* roken-frag.m4: only test for broken getnameinfo if it exists
+
+2000-12-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-frag.m4: ifaddrs.h
+
+2000-12-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-frag.m4: test for unvis, and vis.h
+
+	* roken-frag.m4: test for strvis*
+
+2000-12-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am.common: just warn if we fail to setuid a program
+
+	* broken-getnameinfo.m4: add more quotes
+
+	* roken-frag.m4: test for getifaddrs
+
+	* roken-frag.m4: test for broken AIX getnameinfo
+
+	* broken-getnameinfo.m4: test for broken getnameinfo
+
+2000-12-01  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common: add kludge for LIBS
+
+2000-11-30  Johan Danielsson  <joda@pdc.kth.se>
+
+	* check-man.m4: update this after recent changes
+
+	* Makefile.am.common: use install-catman.sh
+
+	* install-catman.sh: script to install preformatted manual pages
+
+	* Makefile.am.common: change cat handling
+
+2000-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-frag.m4: don't use AC_CONFIG_FILES here, since it doesn't
+	work with automake
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* krb-readline.m4: link against the libtool-versions of
+	libeditline and libel_compat
+
+	* Makefile.am.common (INCLUDES): add $(INCLUDES_roken)
+	* roken-frag.m4 (CPPFLAGS_roken): rename to INCLUDES_roken
+
+2000-11-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* aix.m4: set aix
+
+2000-08-19  Assar Westerlund  <assar@sics.se>
+
+	* krb-bigendian.m4: merge from arla: make it work better
+
+2000-08-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-frag.m4: check getsockname for proto compat
+
+2000-08-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am.common: add library for pidfile
+
+	* roken-frag.m4: tests for util.h and pidfile
+
+2000-07-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* check-var.m4: rename to rk_CHECK_VAR, transposing the arguments,
+	and making the second optional, AU_DEFINE AC_CHECK_VAR to
+	rk_CHECK_VAR
+
+	* roken-frag.m4: other roken tests
+
+	* db.m4: db tests
+
+2000-07-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* mips-abi.m4: AC_ERROR -> AC_MSG_ERROR
+
+	* check-netinet-ip-and-tcp.m4: use cache_check, and make this work
+	with new autoconf
+
+	* aix.m4: don't subst AFS_EXTRA_LD
+
+2000-07-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* check-var.m4: workaround feature of newer autoconf
+
+	* find-func-no-libs2.m4: use cleaner autoheader trick
+
+	* have-type.m4: use cleaner autoheader trick
+
+	* have-types.m4: use cleaner autoheader trick
+
+	* test-package.m4: add 6th parameter for now
+
+	* broken.m4: use cleaner autoheader trick
+
+	* retsigtype.m4: test for signal handler return type
+
+	* broken-realloc.m4: test for broken realloc
+
+2000-07-08  Assar Westerlund  <assar@sics.se>
+
+	* roken.m4: set CPPFLAGS_roken and call AC_CONFIG_SUBDIRS
+
+2000-07-02  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (CP): set and use
+
+2000-04-05  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (INCLUDE_openldap, LIB_openldap): add
+
+2000-03-28  Assar Westerlund  <assar@sics.se>
+
+	* krb-prog-yacc.m4: AC_MSG_WARNING should be AC_MSG_WARN
+
+	* shared-libs.m4: try to update to freebsd5 (and elf)
+
+2000-03-16  Assar Westerlund  <assar@sics.se>
+
+	* krb-prog-yacc.m4: warn we do not find any yacc
+
 2000-01-08  Assar Westerlund  <assar@sics.se>
 
 	* krb-bigendian.m4: new file, replacement for ac_c_bigendian
@@ -17,6 +173,10 @@
  	which we use in the code.  This test avoids false positives on
  	OpenBSD
 
+1999-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* grok-type.m4: inttypes.h
+
 1999-11-05  Assar Westerlund  <assar@sics.se>
 
 	* check-x.m4: include X_PRE_LIBS and X_EXTRA_LIBS when testing
diff --git a/crypto/heimdal/cf/Makefile.am.common b/crypto/heimdal/cf/Makefile.am.common
index e7d747b..6e31c74 100644
--- a/crypto/heimdal/cf/Makefile.am.common
+++ b/crypto/heimdal/cf/Makefile.am.common
@@ -1,13 +1,15 @@
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS += $(WFLAGS)
 
+CP	= cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 ## set build_HEADERZ to headers that should just be installed in build tree
@@ -30,6 +32,7 @@ LIB_getsockopt		= @LIB_getsockopt@
 LIB_logout		= @LIB_logout@
 LIB_logwtmp		= @LIB_logwtmp@
 LIB_odm_initialize	= @LIB_odm_initialize@
+LIB_pidfile		= @LIB_pidfile@
 LIB_readline		= @LIB_readline@
 LIB_res_search		= @LIB_res_search@
 LIB_setpcred		= @LIB_setpcred@
@@ -38,6 +41,8 @@ LIB_socket		= @LIB_socket@
 LIB_syslog		= @LIB_syslog@
 LIB_tgetent		= @LIB_tgetent@
 
+LIBS			= @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -46,6 +51,9 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 LIB_readline = @LIB_readline@
 
@@ -56,7 +64,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -68,21 +79,13 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
 all-local: install-build-headers
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 SUFFIXES += .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
 
 NROFF_MAN = groff -mandoc -Tascii
@@ -152,88 +155,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-	
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-	
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-	
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/cf/aix.m4 b/crypto/heimdal/cf/aix.m4
new file mode 100644
index 0000000..25aaa2a
--- /dev/null
+++ b/crypto/heimdal/cf/aix.m4
@@ -0,0 +1,39 @@
+dnl
+dnl $Id: aix.m4,v 1.5 2000/11/05 17:15:46 joda Exp $
+dnl
+
+AC_DEFUN(KRB_AIX,[
+aix=no
+case "$host" in 
+*-*-aix3*)
+	aix=3
+	;;
+*-*-aix4*)
+	aix=4
+	;;
+esac
+AM_CONDITIONAL(AIX, test "$aix" != no)dnl
+AM_CONDITIONAL(AIX4, test "$aix" = 4)
+aix_dynamic_afs=yes
+AM_CONDITIONAL(AIX_DYNAMIC_AFS, test "$aix_dynamic_afs" = yes)dnl
+
+AC_FIND_FUNC_NO_LIBS(dlopen, dl)
+
+if test "$aix" != no; then
+	if test "$aix_dynamic_afs" = yes; then
+		if test "$ac_cv_funclib_dlopen" = yes; then
+			AIX_EXTRA_KAFS=
+		elif test "$ac_cv_funclib_dlopen" != no; then
+			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
+		else
+			AIX_EXTRA_KAFS=-lld
+		fi
+	else
+		AIX_EXTRA_KAFS=
+	fi
+fi
+
+AM_CONDITIONAL(HAVE_DLOPEN, test "$ac_cv_funclib_dlopen" != no)dnl
+AC_SUBST(AIX_EXTRA_KAFS)dnl
+
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/broken-getnameinfo.m4 b/crypto/heimdal/cf/broken-getnameinfo.m4
new file mode 100644
index 0000000..da206c0
--- /dev/null
+++ b/crypto/heimdal/cf/broken-getnameinfo.m4
@@ -0,0 +1,28 @@
+dnl $Id: broken-getnameinfo.m4,v 1.2 2000/12/05 09:09:00 joda Exp $
+dnl
+dnl test for broken AIX getnameinfo
+
+AC_DEFUN(rk_BROKEN_GETNAMEINFO,[
+AC_CACHE_CHECK([if getnameinfo is broken], ac_cv_func_getnameinfo_broken,
+AC_TRY_RUN([[#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+int
+main(int argc, char **argv)
+{
+  struct sockaddr_in sin;
+  char host[256];
+  memset(&sin, 0, sizeof(sin));
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+  sin.sin_len = sizeof(sin);
+#endif
+  sin.sin_family = AF_INET;
+  sin.sin_addr.s_addr = 0xffffffff;
+  sin.sin_port = 0;
+  return getnameinfo((struct sockaddr*)&sin, sizeof(sin), host, sizeof(host),
+	      NULL, 0, 0);
+}
+]], ac_cv_func_getnameinfo_broken=no, ac_cv_func_getnameinfo_broken=yes))])
diff --git a/crypto/heimdal/cf/broken-realloc.m4 b/crypto/heimdal/cf/broken-realloc.m4
new file mode 100644
index 0000000..1569255
--- /dev/null
+++ b/crypto/heimdal/cf/broken-realloc.m4
@@ -0,0 +1,26 @@
+dnl
+dnl $Id: broken-realloc.m4,v 1.1 2000/07/15 18:05:36 joda Exp $
+dnl
+dnl Test for realloc that doesn't handle NULL as first parameter
+dnl
+AC_DEFUN(rk_BROKEN_REALLOC, [
+AC_CACHE_CHECK(if realloc if broken, ac_cv_func_realloc_broken, [
+ac_cv_func_realloc_broken=no
+AC_TRY_RUN([
+#include <stddef.h>
+#include <stdlib.h>
+
+int main()
+{
+	return realloc(NULL, 17) == NULL;
+}
+],:, ac_cv_func_realloc_broken=yes, :)
+])
+if test "$ac_cv_func_realloc_broken" = yes ; then
+	AC_DEFINE(BROKEN_REALLOC, 1, [Define if realloc(NULL) doesn't work.])
+fi
+AH_BOTTOM([#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif])
+])
diff --git a/crypto/heimdal/cf/broken.m4 b/crypto/heimdal/cf/broken.m4
index 4044064..911ed27 100644
--- a/crypto/heimdal/cf/broken.m4
+++ b/crypto/heimdal/cf/broken.m4
@@ -1,4 +1,4 @@
-dnl $Id: broken.m4,v 1.3 1998/03/16 22:16:19 joda Exp $
+dnl $Id: broken.m4,v 1.4 2000/07/15 18:06:36 joda Exp $
 dnl
 dnl
 dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal
@@ -10,10 +10,9 @@ do
 AC_CHECK_FUNC($ac_func, [
 ac_tr_func=HAVE_[]upcase($ac_func)
 AC_DEFINE_UNQUOTED($ac_tr_func)],[LIBOBJS[]="$LIBOBJS ${ac_func}.o"])
-dnl autoheader tricks *sigh*
-: << END
-@@@funcs="$funcs $1"@@@
-END
+if false; then
+	AC_CHECK_FUNCS($1)
+fi
 done
 AC_SUBST(LIBOBJS)dnl
 ])
diff --git a/crypto/heimdal/cf/broken2.m4 b/crypto/heimdal/cf/broken2.m4
new file mode 100644
index 0000000..78a3dcb
--- /dev/null
+++ b/crypto/heimdal/cf/broken2.m4
@@ -0,0 +1,35 @@
+dnl $Id: broken2.m4,v 1.1 2000/12/15 14:27:33 assar Exp $
+dnl
+dnl AC_BROKEN but with more arguments
+
+dnl AC_BROKEN2(func, includes, arguments)
+AC_DEFUN(AC_BROKEN2,
+[for ac_func in $1
+do
+AC_MSG_CHECKING([for $ac_func])
+AC_CACHE_VAL(ac_cv_func_$ac_func,
+[AC_TRY_LINK([$2],
+[
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$1) || defined (__stub___$1)
+choke me
+#else
+$ac_func($3)
+#endif
+], [eval "ac_cv_func_$ac_func=yes"], [eval "ac_cv_func_$ac_func=no"])])
+if eval "test \"\${ac_cv_func_$ac_func}\" = yes"; then
+  ac_tr_func=HAVE_[]upcase($ac_func)
+  AC_DEFINE_UNQUOTED($ac_tr_func)
+  AC_MSG_RESULT(yes)
+else
+  AC_MSG_RESULT(no)
+  LIBOBJS[]="$LIBOBJS ${ac_func}.o"
+fi
+done
+if false; then
+	AC_CHECK_FUNCS($1)
+fi
+AC_SUBST(LIBOBJS)dnl
+])
diff --git a/crypto/heimdal/cf/check-man.m4 b/crypto/heimdal/cf/check-man.m4
index 2133069..adf5477 100644
--- a/crypto/heimdal/cf/check-man.m4
+++ b/crypto/heimdal/cf/check-man.m4
@@ -1,8 +1,8 @@
-dnl $Id: check-man.m4,v 1.2 1999/03/21 14:30:50 joda Exp $
+dnl $Id: check-man.m4,v 1.3 2000/11/30 01:47:17 joda Exp $
 dnl check how to format manual pages
 dnl
 
-AC_DEFUN(AC_CHECK_MAN,
+AC_DEFUN(rk_CHECK_MAN,
 [AC_PATH_PROG(NROFF, nroff)
 AC_PATH_PROG(GROFF, groff)
 AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format,
@@ -50,10 +50,9 @@ else
 fi
 ])
 if test "$ac_cv_sys_catman_ext" = number; then
-	CATMANEXT='$$ext'
+	CATMANEXT='$$section'
 else
 	CATMANEXT=0
 fi
 AC_SUBST(CATMANEXT)
-
 ])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4 b/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4
index 8cb529d..70b58f5 100644
--- a/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4
+++ b/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: check-netinet-ip-and-tcp.m4,v 1.2 1999/05/14 13:15:40 assar Exp $
+dnl $Id: check-netinet-ip-and-tcp.m4,v 1.3 2000/07/18 10:33:02 joda Exp $
 dnl
 
 dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3
@@ -12,8 +12,7 @@ for i in netinet/ip.h netinet/tcp.h; do
 
 cv=`echo "$i" | sed 'y%./+-%__p_%'`
 
-AC_MSG_CHECKING([for $i])
-AC_CACHE_VAL([ac_cv_header_$cv],
+AC_CACHE_CHECK([for $i],ac_cv_header_$cv,
 [AC_TRY_CPP([\
 #ifdef HAVE_STANDARDS_H
 #include <standards.h>
@@ -22,17 +21,13 @@ AC_CACHE_VAL([ac_cv_header_$cv],
 ],
 eval "ac_cv_header_$cv=yes",
 eval "ac_cv_header_$cv=no")])
-AC_MSG_RESULT(`eval echo \\$ac_cv_header_$cv`)
-changequote(, )dnl
-if test `eval echo \\$ac_cv_header_$cv` = yes; then
-  ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
-changequote([, ])dnl
-  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+ac_res=`eval echo \\$ac_cv_header_$cv`
+if test "$ac_res" = yes; then
+	ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+	AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
 fi
 done
-dnl autoheader tricks *sigh*
-: << END
-@@@headers="$headers netinet/ip.h netinet/tcp.h"@@@
-END
-
+if false;then
+	AC_CHECK_HEADERS(netinet/ip.h netinet/tcp.h)
+fi
 ])
diff --git a/crypto/heimdal/cf/check-var.m4 b/crypto/heimdal/cf/check-var.m4
index 9f37366..8041c32 100644
--- a/crypto/heimdal/cf/check-var.m4
+++ b/crypto/heimdal/cf/check-var.m4
@@ -1,20 +1,22 @@
-dnl $Id: check-var.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl $Id: check-var.m4,v 1.5 2000/12/15 04:54:06 assar Exp $
 dnl
-dnl AC_CHECK_VAR(includes, variable)
-AC_DEFUN(AC_CHECK_VAR, [
-AC_MSG_CHECKING(for $2)
-AC_CACHE_VAL(ac_cv_var_$2, [
-AC_TRY_LINK([extern int $2;
-int foo() { return $2; }],
+dnl rk_CHECK_VAR(variable, includes)
+AC_DEFUN([rk_CHECK_VAR], [
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL(ac_cv_var_$1, [
+AC_TRY_LINK([extern int $1;
+int foo() { return $1; }],
 	    [foo()],
-	    ac_cv_var_$2=yes, ac_cv_var_$2=no)
+	    ac_cv_var_$1=yes, ac_cv_var_$1=no)
 ])
-define([foo], [HAVE_]translit($2, [a-z], [A-Z]))
-
-AC_MSG_RESULT(`eval echo \\$ac_cv_var_$2`)
-if test `eval echo \\$ac_cv_var_$2` = yes; then
-	AC_DEFINE_UNQUOTED(foo, 1, [define if you have $2])
-	AC_CHECK_DECLARATION([$1],[$2])
+ac_foo=`eval echo \\$ac_cv_var_$1`
+AC_MSG_RESULT($ac_foo)
+if test "$ac_foo" = yes; then
+	AC_DEFINE_UNQUOTED(AC_TR_CPP(HAVE_[]$1), 1, 
+		[Define if you have the `]$1[' variable.])
+	m4_ifval([$2], AC_CHECK_DECLARATION([$2],[$1]))
 fi
-undefine([foo])
 ])
+
+AC_WARNING_ENABLE([obsolete])
+AU_DEFUN([AC_CHECK_VAR], [rk_CHECK_VAR([$2], [$1])], [foo])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/db.m4 b/crypto/heimdal/cf/db.m4
new file mode 100644
index 0000000..c147569
--- /dev/null
+++ b/crypto/heimdal/cf/db.m4
@@ -0,0 +1,40 @@
+dnl $Id: db.m4,v 1.1 2000/07/19 11:21:07 joda Exp $
+dnl
+dnl tests for various db libraries
+dnl
+AC_DEFUN([rk_DB],[berkeley_db=db
+AC_ARG_WITH(berkeley-db,
+[  --without-berkeley-db   if you don't want berkeley db],[
+if test "$withval" = no; then
+	berkeley_db=""
+fi
+])
+if test "$berkeley_db"; then
+  AC_CHECK_HEADERS([				\
+	db.h					\
+	db_185.h				\
+  ])
+fi
+
+AC_FIND_FUNC_NO_LIBS2(dbopen, $berkeley_db, [
+#include <stdio.h>
+#if defined(HAVE_DB_185_H)
+#include <db_185.h>
+#elif defined(HAVE_DB_H)
+#include <db.h>
+#endif
+],[NULL, 0, 0, 0, NULL])
+
+AC_FIND_FUNC_NO_LIBS(dbm_firstkey, $berkeley_db gdbm ndbm)
+AC_FIND_FUNC_NO_LIBS(db_create, $berkeley_db)
+
+DBLIB="$LIB_dbopen"
+if test "$LIB_dbopen" != "$LIB_db_create"; then
+        DBLIB="$DBLIB $LIB_db_create"
+fi
+if test "$LIB_dbopen" != "$LIB_dbm_firstkey"; then
+	DBLIB="$DBLIB $LIB_dbm_firstkey"
+fi
+AC_SUBST(DBLIB)dnl
+
+])
diff --git a/crypto/heimdal/cf/find-func-no-libs2.m4 b/crypto/heimdal/cf/find-func-no-libs2.m4
index c404a7c..87e8984 100644
--- a/crypto/heimdal/cf/find-func-no-libs2.m4
+++ b/crypto/heimdal/cf/find-func-no-libs2.m4
@@ -1,4 +1,4 @@
-dnl $Id: find-func-no-libs2.m4,v 1.3 1999/10/30 21:09:53 assar Exp $
+dnl $Id: find-func-no-libs2.m4,v 1.4 2000/07/15 18:10:19 joda Exp $
 dnl
 dnl
 dnl Look for function in any of the specified libraries
@@ -28,12 +28,10 @@ fi
 
 eval "ac_res=\$ac_cv_funclib_$1"
 
-dnl autoheader tricks *sigh*
-: << END
-@@@funcs="$funcs $1"@@@
-@@@libs="$libs $2"@@@
-END
-
+if false; then
+	AC_CHECK_FUNCS($1)
+dnl	AC_CHECK_LIBS($2, foo)
+fi
 # $1
 eval "ac_tr_func=HAVE_[]upcase($1)"
 eval "ac_tr_lib=HAVE_LIB[]upcase($ac_res | sed -e 's/-l//')"
diff --git a/crypto/heimdal/cf/have-type.m4 b/crypto/heimdal/cf/have-type.m4
index e882847..4b79e1e 100644
--- a/crypto/heimdal/cf/have-type.m4
+++ b/crypto/heimdal/cf/have-type.m4
@@ -1,4 +1,4 @@
-dnl $Id: have-type.m4,v 1.5 1999/12/31 03:10:22 assar Exp $
+dnl $Id: have-type.m4,v 1.6 2000/07/15 18:10:00 joda Exp $
 dnl
 dnl check for existance of a type
 
@@ -18,15 +18,13 @@ $2],
 [$1 foo;],
 eval "ac_cv_type_$cv=yes",
 eval "ac_cv_type_$cv=no"))dnl
-AC_MSG_RESULT(`eval echo \\$ac_cv_type_$cv`)
-if test `eval echo \\$ac_cv_type_$cv` = yes; then
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+AC_MSG_RESULT($ac_foo)
+if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
-dnl autoheader tricks *sigh*
-define(foo,translit($1, [ ], [_]))
-: << END
-@@@funcs="$funcs foo"@@@
-END
-undefine([foo])
-  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+if false; then
+	AC_CHECK_TYPES($1)
+fi
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1, [Define if you have type `$1'])
 fi
 ])
diff --git a/crypto/heimdal/cf/have-types.m4 b/crypto/heimdal/cf/have-types.m4
index 7c85c5d..b968d4b 100644
--- a/crypto/heimdal/cf/have-types.m4
+++ b/crypto/heimdal/cf/have-types.m4
@@ -1,14 +1,12 @@
 dnl
-dnl $Id: have-types.m4,v 1.1 1999/07/24 18:38:58 assar Exp $
+dnl $Id: have-types.m4,v 1.2 2000/07/15 18:09:16 joda Exp $
 dnl
 
 AC_DEFUN(AC_HAVE_TYPES, [
 for i in $1; do
         AC_HAVE_TYPE($i)
 done
-: << END
-changequote(`,')dnl
-@@@funcs="$funcs $1"@@@
-changequote([,])dnl
-END
+if false;then
+	AC_CHECK_FUNCS($1)
+fi
 ])
diff --git a/crypto/heimdal/cf/install-catman.sh b/crypto/heimdal/cf/install-catman.sh
new file mode 100755
index 0000000..c48cc20
--- /dev/null
+++ b/crypto/heimdal/cf/install-catman.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# $Id: install-catman.sh,v 1.1 2000/11/30 01:38:17 joda Exp $
+#
+# install preformatted manual pages
+
+INSTALL_DATA="$1"; shift
+mkinstalldirs="$1"; shift
+srcdir="$1"; shift
+mandir="$1"; shift
+suffix="$1"; shift
+
+for f in "$@"; do
+	base=`echo "$f" | sed 's/\(.*\)\.\([^.]*\)$/\1/'`
+	section=`echo "$f" | sed 's/\(.*\)\.\([^.]*\)$/\2/'`
+	catdir="$mandir/cat$section"
+	c="$base.cat$section"
+	if test -f "$srcdir/$c"; then
+		if test \! -d "$catdir"; then
+			eval "$mkinstalldirs $catdir"
+		fi
+		eval "echo $INSTALL_DATA $srcdir/$c $catdir/$base.$suffix"
+		eval "$INSTALL_DATA $srcdir/$c $catdir/$base.$suffix"
+	fi
+done
diff --git a/crypto/heimdal/cf/krb-bigendian.m4 b/crypto/heimdal/cf/krb-bigendian.m4
index 0efbbd0..ab16931 100644
--- a/crypto/heimdal/cf/krb-bigendian.m4
+++ b/crypto/heimdal/cf/krb-bigendian.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: krb-bigendian.m4,v 1.5 2000/01/08 10:34:44 assar Exp $
+dnl $Id: krb-bigendian.m4,v 1.6 2000/08/19 15:37:00 assar Exp $
 dnl
 
 dnl check if this computer is little or big-endian
@@ -22,34 +22,30 @@ krb_cv_c_bigendian_compile,
 #if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
  bogus endian macros
 #endif], krb_cv_c_bigendian_compile=yes, krb_cv_c_bigendian_compile=no)])
-if test "$krb_cv_c_bigendian_compile" = "no"; then
-  AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[
-  if test "$krb_cv_c_bigendian" = ""; then
-    krb_cv_c_bigendian=unknown
-  fi
-  AC_TRY_COMPILE([
+AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[
+  if test "$krb_cv_c_bigendian_compile" = "yes"; then
+    AC_TRY_COMPILE([
 #include <sys/types.h>
 #include <sys/param.h>],[
 #if BYTE_ORDER != BIG_ENDIAN
   not big endian
 #endif], krb_cv_c_bigendian=yes, krb_cv_c_bigendian=no)
-  if test "$krb_cv_c_bigendian" = "unknown"; then
+  else
     AC_TRY_RUN([main () {
       /* Are we little or big endian?  From Harbison&Steele.  */
       union
       {
 	long l;
 	char c[sizeof (long)];
-      } u;
-      u.l = 1;
-      exit (u.c[sizeof (long) - 1] == 1);
-    }], krb_cv_c_bigendian=no, krb_cv_c_bigendian=yes,
-    AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian]))
-  fi
-  ])
-  if test "$krb_cv_c_bigendian" = "yes"; then
-    AC_DEFINE(WORDS_BIGENDIAN, 1, [define if target is big endian])dnl
+    } u;
+    u.l = 1;
+    exit (u.c[sizeof (long) - 1] == 1);
+  }], krb_cv_c_bigendian=no, krb_cv_c_bigendian=yes,
+  AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian]))
   fi
+])
+if test "$krb_cv_c_bigendian" = "yes"; then
+  AC_DEFINE(WORDS_BIGENDIAN, 1, [define if target is big endian])dnl
 fi
 if test "$krb_cv_c_bigendian_compile" = "yes"; then
   AC_DEFINE(ENDIANESS_IN_SYS_PARAM_H, 1, [define if sys/param.h defines the endiness])dnl
diff --git a/crypto/heimdal/cf/krb-find-db.m4 b/crypto/heimdal/cf/krb-find-db.m4
index 5080049..5d38f2e 100644
--- a/crypto/heimdal/cf/krb-find-db.m4
+++ b/crypto/heimdal/cf/krb-find-db.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-find-db.m4,v 1.5 1999/05/08 02:24:04 assar Exp $
+dnl $Id: krb-find-db.m4,v 1.6 2000/08/16 03:58:51 assar Exp $
 dnl
 dnl find a suitable database library
 dnl
@@ -28,6 +28,8 @@ for i in $1; do
 #include <fcntl.h>
 #if defined(HAVE_NDBM_H)
 #include <ndbm.h>
+#elif defined(HAVE_GDBM_NDBM_H)
+#include <gdbm/ndbm.h>
 #elif defined(HAVE_DBM_H)
 #include <dbm.h>
 #elif defined(HAVE_RPCSVC_DBM_H)
diff --git a/crypto/heimdal/cf/krb-ipv6.m4 b/crypto/heimdal/cf/krb-ipv6.m4
index 1644da3..785d69e 100644
--- a/crypto/heimdal/cf/krb-ipv6.m4
+++ b/crypto/heimdal/cf/krb-ipv6.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-ipv6.m4,v 1.8 2000/01/01 11:44:45 assar Exp $
+dnl $Id: krb-ipv6.m4,v 1.9 2000/12/26 20:27:30 assar Exp $
 dnl
 dnl test for IPv6
 dnl
@@ -17,7 +17,7 @@ AC_MSG_CHECKING([ipv6 stack type])
 for i in v6d toshiba kame inria zeta linux; do
 	case $i in
 	v6d)
-		AC_EGREP_CPP(yes, [dnl
+		AC_EGREP_CPP(yes, [
 #include </usr/local/v6/include/sys/types.h>
 #ifdef __V6D__
 yes
@@ -27,7 +27,7 @@ yes
 			CFLAGS="-I/usr/local/v6/include $CFLAGS"])
 		;;
 	toshiba)
-		AC_EGREP_CPP(yes, [dnl
+		AC_EGREP_CPP(yes, [
 #include <sys/param.h>
 #ifdef _TOSHIBA_INET6
 yes
@@ -37,7 +37,7 @@ yes
 			CFLAGS="-DINET6 $CFLAGS"])
 		;;
 	kame)
-		AC_EGREP_CPP(yes, [dnl
+		AC_EGREP_CPP(yes, [
 #include <netinet/in.h>
 #ifdef __KAME__
 yes
@@ -47,7 +47,7 @@ yes
 			CFLAGS="-DINET6 $CFLAGS"])
 		;;
 	inria)
-		AC_EGREP_CPP(yes, [dnl
+		AC_EGREP_CPP(yes, [
 #include <netinet/in.h>
 #ifdef IPV6_INRIA_VERSION
 yes
@@ -55,7 +55,7 @@ yes
 			[v6type=$i; CFLAGS="-DINET6 $CFLAGS"])
 		;;
 	zeta)
-		AC_EGREP_CPP(yes, [dnl
+		AC_EGREP_CPP(yes, [
 #include <sys/param.h>
 #ifdef _ZETA_MINAMI_INET6
 yes
diff --git a/crypto/heimdal/cf/krb-irix.m4 b/crypto/heimdal/cf/krb-irix.m4
new file mode 100644
index 0000000..cdde69c
--- /dev/null
+++ b/crypto/heimdal/cf/krb-irix.m4
@@ -0,0 +1,12 @@
+dnl
+dnl $Id: krb-irix.m4,v 1.2 2000/12/13 12:48:45 assar Exp $
+dnl
+
+dnl requires AC_CANONICAL_HOST
+AC_DEFUN(KRB_IRIX,[
+irix=no
+case "$host_os" in
+irix*) irix=yes ;;
+esac
+AM_CONDITIONAL(IRIX, test "$irix" != no)dnl
+])
diff --git a/crypto/heimdal/cf/krb-prog-yacc.m4 b/crypto/heimdal/cf/krb-prog-yacc.m4
index 28ae59c..f0b6e44 100644
--- a/crypto/heimdal/cf/krb-prog-yacc.m4
+++ b/crypto/heimdal/cf/krb-prog-yacc.m4
@@ -1,8 +1,12 @@
-dnl $Id: krb-prog-yacc.m4,v 1.1 1997/12/14 15:59:02 joda Exp $
+dnl $Id: krb-prog-yacc.m4,v 1.3 2000/03/28 12:12:23 assar Exp $
 dnl
 dnl
 dnl We prefer byacc or yacc because they do not use `alloca'
 dnl
 
 AC_DEFUN(AC_KRB_PROG_YACC,
-[AC_CHECK_PROGS(YACC, byacc yacc 'bison -y')])
+[AC_CHECK_PROGS(YACC, byacc yacc 'bison -y')
+if test "$YACC" = ""; then
+  AC_MSG_WARN([yacc not found - some stuff will not build])
+fi
+])
diff --git a/crypto/heimdal/cf/krb-readline.m4 b/crypto/heimdal/cf/krb-readline.m4
new file mode 100644
index 0000000..6d0f0b2
--- /dev/null
+++ b/crypto/heimdal/cf/krb-readline.m4
@@ -0,0 +1,43 @@
+dnl $Id: krb-readline.m4,v 1.2 2000/11/15 00:47:08 assar Exp $
+dnl
+dnl Tests for readline functions
+dnl
+
+dnl el_init
+
+AC_DEFUN(KRB_READLINE,[
+AC_FIND_FUNC_NO_LIBS(el_init, edit, [], [], [$LIB_tgetent])
+if test "$ac_cv_func_el_init" = yes ; then
+	AC_CACHE_CHECK(for four argument el_init, ac_cv_func_el_init_four,[
+		AC_TRY_COMPILE([#include <stdio.h>
+			#include <histedit.h>],
+			[el_init("", NULL, NULL, NULL);],
+			ac_cv_func_el_init_four=yes,
+			ac_cv_func_el_init_four=no)])
+	if test "$ac_cv_func_el_init_four" = yes; then
+		AC_DEFINE(HAVE_FOUR_VALUED_EL_INIT, 1, [Define if el_init takes four arguments.])
+	fi
+fi
+
+dnl readline
+
+ac_foo=no
+if test "$with_readline" = yes; then
+	:
+elif test "$ac_cv_func_readline" = yes; then
+	:
+elif test "$ac_cv_func_el_init" = yes; then
+	ac_foo=yes
+	LIB_readline="\$(top_builddir)/lib/editline/libel_compat.la $LIB_el_init"
+else
+	LIB_readline='$(top_builddir)/lib/editline/libeditline.la'
+fi
+AM_CONDITIONAL(el_compat, test "$ac_foo" = yes)
+if test "$readline_libdir"; then
+	LIB_readline="-rpath $readline_libdir $LIB_readline"
+fi
+LIB_readline="$LIB_readline \$(LIB_tgetent)"
+AC_DEFINE(HAVE_READLINE, 1, 
+	[Define if you have a readline compatible library.])dnl
+
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/krb-sys-nextstep.m4 b/crypto/heimdal/cf/krb-sys-nextstep.m4
index 31dc907..5dec8b1 100644
--- a/crypto/heimdal/cf/krb-sys-nextstep.m4
+++ b/crypto/heimdal/cf/krb-sys-nextstep.m4
@@ -1,21 +1,21 @@
-dnl $Id: krb-sys-nextstep.m4,v 1.2 1998/06/03 23:48:40 joda Exp $
-dnl
+dnl $Id: krb-sys-nextstep.m4,v 1.3 2000/07/15 17:56:45 joda Exp $
 dnl
 dnl NEXTSTEP is not posix compliant by default,
 dnl you need a switch -posix to the compiler
 dnl
 
-AC_DEFUN(AC_KRB_SYS_NEXTSTEP, [
-AC_MSG_CHECKING(for NEXTSTEP)
-AC_CACHE_VAL(krb_cv_sys_nextstep,
+AC_DEFUN(rk_SYS_NEXTSTEP, [
+AC_CACHE_CHECK(for NeXTSTEP, rk_cv_sys_nextstep, [
 AC_EGREP_CPP(yes, 
 [#if defined(NeXT) && !defined(__APPLE__)
 	yes
 #endif 
-], krb_cv_sys_nextstep=yes, krb_cv_sys_nextstep=no) )
-if test "$krb_cv_sys_nextstep" = "yes"; then
+], rk_cv_sys_nextstep=yes, rk_cv_sys_nextstep=no)])
+if test "$rk_cv_sys_nextstep" = "yes"; then
   CFLAGS="$CFLAGS -posix"
   LIBS="$LIBS -posix"
 fi
-AC_MSG_RESULT($krb_cv_sys_nextstep)
+AH_BOTTOM([#if defined(HAVE_SGTTY_H) && defined(__NeXT__)
+#define SGTTY
+#endif])
 ])
diff --git a/crypto/heimdal/cf/krb-version.m4 b/crypto/heimdal/cf/krb-version.m4
index a4a1221..9907ed1 100644
--- a/crypto/heimdal/cf/krb-version.m4
+++ b/crypto/heimdal/cf/krb-version.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-version.m4,v 1.1 1997/12/14 15:59:03 joda Exp $
+dnl $Id: krb-version.m4,v 1.2 2000/08/27 05:42:19 assar Exp $
 dnl
 dnl
 dnl output a C header-file with some version strings
@@ -6,8 +6,8 @@ dnl
 AC_DEFUN(AC_KRB_VERSION,[
 dnl AC_OUTPUT_COMMANDS([
 cat > include/newversion.h.in <<FOOBAR
-char *${PACKAGE}_long_version = "@(#)\$Version: $PACKAGE-$VERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
-char *${PACKAGE}_version = "$PACKAGE-$VERSION";
+const char *${PACKAGE}_long_version = "@(#)\$Version: $PACKAGE-$VERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+const char *${PACKAGE}_version = "$PACKAGE-$VERSION";
 FOOBAR
 
 if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
diff --git a/crypto/heimdal/cf/mips-abi.m4 b/crypto/heimdal/cf/mips-abi.m4
index c7b8815..afd3fc0 100644
--- a/crypto/heimdal/cf/mips-abi.m4
+++ b/crypto/heimdal/cf/mips-abi.m4
@@ -1,4 +1,4 @@
-dnl $Id: mips-abi.m4,v 1.4 1998/05/16 20:44:15 joda Exp $
+dnl $Id: mips-abi.m4,v 1.5 2000/07/18 15:01:42 joda Exp $
 dnl
 dnl
 dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some
@@ -27,7 +27,7 @@ case "${with_mips_abi}" in
        n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
         64) abi='-mabi=64';  abilibdirext='64'   ;;
 	no) abi=''; abilibdirext='';;
-         *) AC_ERROR("Invalid ABI specified") ;;
+         *) AC_MSG_ERROR("Invalid ABI specified") ;;
 esac
 if test -n "$abi" ; then
 ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
@@ -54,7 +54,7 @@ case $abi in
 	CLAGS="$save_CFLAGS"
 	if test $ac_res = yes; then
 		# New GCC
-		AC_ERROR([$CC does not support the $with_mips_abi ABI])
+		AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI])
 	fi
 	# Old GCC
 	abi=''
@@ -67,7 +67,7 @@ case $abi in
 			abilibdirext=''
 		else
 			# Some broken GCC
-			AC_ERROR([$CC does not support the $with_mips_abi ABI])
+			AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI])
 		fi
 	;;
 esac
@@ -79,7 +79,7 @@ case "${with_mips_abi}" in
        n32|yes) abi='-n32'; abilibdirext='32'  ;;
         64) abi='-64'; abilibdirext='64'   ;;
 	no) abi=''; abilibdirext='';;
-         *) AC_ERROR("Invalid ABI specified") ;;
+         *) AC_MSG_ERROR("Invalid ABI specified") ;;
 esac
 fi #if test -n "$GCC"; then
 ;;
diff --git a/crypto/heimdal/cf/misc.m4 b/crypto/heimdal/cf/misc.m4
index 0be97a4..c8c3804 100644
--- a/crypto/heimdal/cf/misc.m4
+++ b/crypto/heimdal/cf/misc.m4
@@ -1,3 +1,27 @@
-dnl $Id: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
+dnl $Id: misc.m4,v 1.2 2000/07/19 15:04:00 joda Exp $
 dnl
-define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
+AC_DEFUN([upcase],[`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`])dnl
+AC_DEFUN([rk_CONFIG_HEADER],[AH_TOP([#ifndef RCSID
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+#endif
+
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+])])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/retsigtype.m4 b/crypto/heimdal/cf/retsigtype.m4
new file mode 100644
index 0000000..4c3ecbd
--- /dev/null
+++ b/crypto/heimdal/cf/retsigtype.m4
@@ -0,0 +1,18 @@
+dnl
+dnl $Id: retsigtype.m4,v 1.1 2000/07/15 18:05:56 joda Exp $
+dnl
+dnl Figure out return type of signal handlers, and define SIGRETURN macro
+dnl that can be used to return from one
+dnl
+AC_DEFUN(rk_RETSIGTYPE,[
+AC_TYPE_SIGNAL
+if test "$ac_cv_type_signal" = "void" ; then
+	AC_DEFINE(VOID_RETSIGTYPE, 1, [Define if signal handlers return void.])
+fi
+AC_SUBST(VOID_RETSIGTYPE)
+AH_BOTTOM([#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif])
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/roken-frag.m4 b/crypto/heimdal/cf/roken-frag.m4
new file mode 100644
index 0000000..c6b552e
--- /dev/null
+++ b/crypto/heimdal/cf/roken-frag.m4
@@ -0,0 +1,586 @@
+dnl $Id: roken-frag.m4,v 1.19 2000/12/15 14:29:54 assar Exp $
+dnl
+dnl some code to get roken working
+dnl
+dnl rk_ROKEN(subdir)
+dnl
+AC_DEFUN(rk_ROKEN, [
+
+AC_REQUIRE([rk_CONFIG_HEADER])
+
+DIR_roken=roken
+LIB_roken='$(top_builddir)/$1/libroken.la'
+INCLUDES_roken='-I$(top_builddir)/$1 -I$(top_srcdir)/$1'
+
+dnl Checks for programs
+AC_REQUIRE([AC_PROG_CC])
+AC_REQUIRE([AC_PROG_AWK])
+AC_REQUIRE([AC_OBJEXT])
+AC_REQUIRE([AC_EXEEXT])
+AC_REQUIRE([AC_PROG_LIBTOOL])
+
+AC_REQUIRE([AC_MIPS_ABI])
+
+dnl C characteristics
+
+AC_REQUIRE([AC_C___ATTRIBUTE__])
+AC_REQUIRE([AC_C_INLINE])
+AC_REQUIRE([AC_C_CONST])
+AC_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
+
+AC_REQUIRE([rk_DB])
+
+dnl C types
+
+AC_REQUIRE([AC_TYPE_SIZE_T])
+AC_CHECK_TYPE_EXTRA(ssize_t, int, [#include <unistd.h>])
+AC_REQUIRE([AC_TYPE_PID_T])
+AC_REQUIRE([AC_TYPE_UID_T])
+AC_HAVE_TYPE([long long])
+
+AC_REQUIRE([rk_RETSIGTYPE])
+
+dnl Checks for header files.
+AC_REQUIRE([AC_HEADER_STDC])
+AC_REQUIRE([AC_HEADER_TIME])
+
+AC_CHECK_HEADERS([\
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	config.h				\
+	crypt.h					\
+	dbm.h					\
+	db.h					\
+	dirent.h				\
+	errno.h					\
+	err.h					\
+	fcntl.h					\
+	gdbm/ndbm.h				\
+	grp.h					\
+	ifaddrs.h				\
+	ndbm.h					\
+	net/if.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6.h				\
+	netinet/in_systm.h			\
+	netinet6/in6.h				\
+	netinet6/in6_var.h			\
+	paths.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	rpcsvc/ypclnt.h				\
+	shadow.h				\
+	sys/ioctl.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/resource.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/sysctl.h				\
+	sys/time.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	termios.h				\
+	unistd.h				\
+	userconf.h				\
+	usersec.h				\
+	util.h					\
+	vis.h					\
+	winsock.h				\
+])
+	
+AC_REQUIRE([CHECK_NETINET_IP_AND_TCP])
+
+AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes)
+AM_CONDITIONAL(have_fnmatch_h, test "$ac_cv_header_fnmatch_h" = yes)
+AM_CONDITIONAL(have_ifaddrs_h, test "$ac_cv_header_ifaddrs_h" = yes)
+AM_CONDITIONAL(have_vis_h, test "$ac_cv_header_vis_h" = yes)
+
+dnl Check for functions and libraries
+
+AC_KRB_IPV6
+
+AC_FIND_FUNC(socket, socket)
+AC_FIND_FUNC(gethostbyname, nsl)
+AC_FIND_FUNC(syslog, syslog)
+AC_FIND_FUNC(gethostbyname2, inet6 ip6)
+
+AC_FIND_FUNC(res_search, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_FIND_FUNC(dn_expand, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_BROKEN_SNPRINTF
+AC_BROKEN_VSNPRINTF
+
+AC_BROKEN_GLOB
+if test "$ac_cv_func_glob_working" != yes; then
+	LIBOBJS="$LIBOBJS glob.o"
+fi
+AM_CONDITIONAL(have_glob_h, test "$ac_cv_func_glob_working" = yes)
+
+
+AC_CHECK_FUNCS([				\
+	asnprintf				\
+	asprintf				\
+	cgetent					\
+	getconfattr				\
+	getrlimit				\
+	getspnam				\
+	strsvis					\
+	strunvis				\
+	strvis					\
+	strvisx					\
+	svis					\
+	sysconf					\
+	sysctl					\
+	uname					\
+	unvis					\
+	vasnprintf				\
+	vasprintf				\
+	vis					\
+])
+
+if test "$ac_cv_func_cgetent" = no; then
+	LIBOBJS="$LIBOBJS getcap.o"
+fi
+
+AC_REQUIRE([AC_FUNC_GETLOGIN])
+
+AC_FIND_FUNC_NO_LIBS(getsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+AC_FIND_FUNC_NO_LIBS(setsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+
+AC_FIND_IF_NOT_BROKEN(hstrerror, resolv,
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+17)
+if test "$ac_cv_func_hstrerror" = yes; then
+AC_NEED_PROTO([
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+hstrerror)
+fi
+
+dnl sigh, wish this could be done in a loop
+if test "$ac_cv_func_asprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+asprintf)dnl
+fi
+if test "$ac_cv_func_vasprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+vasprintf)dnl
+fi
+if test "$ac_cv_func_asnprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+asnprintf)dnl
+fi
+if test "$ac_cv_func_vasnprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+vasnprintf)dnl
+fi
+
+AC_FIND_FUNC_NO_LIBS(pidfile,util,
+[#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif],0)
+
+AC_BROKEN([					\
+	chown					\
+	copyhostent				\
+	daemon					\
+	err					\
+	errx					\
+	fchown					\
+	flock					\
+	fnmatch					\
+	freeaddrinfo				\
+	freehostent				\
+	gai_strerror				\
+	getaddrinfo				\
+	getcwd					\
+	getdtablesize				\
+	getegid					\
+	geteuid					\
+	getgid					\
+	gethostname				\
+	getifaddrs				\
+	getipnodebyaddr				\
+	getipnodebyname				\
+	getnameinfo				\
+	getopt					\
+	gettimeofday				\
+	getuid					\
+	getusershell				\
+	initgroups				\
+	innetgr					\
+	iruserok				\
+	lstat					\
+	memmove					\
+	mkstemp					\
+	putenv					\
+	rcmd					\
+	readv					\
+	recvmsg					\
+	sendmsg					\
+	setegid					\
+	setenv					\
+	seteuid					\
+	strcasecmp				\
+	strdup					\
+	strerror				\
+	strftime				\
+	strlcat					\
+	strlcpy					\
+	strlwr					\
+	strncasecmp				\
+	strndup					\
+	strnlen					\
+	strptime				\
+	strsep					\
+	strsep_copy				\
+	strtok_r				\
+	strupr					\
+	swab					\
+	unsetenv				\
+	verr					\
+	verrx					\
+	vsyslog					\
+	vwarn					\
+	vwarnx					\
+	warn					\
+	warnx					\
+	writev					\
+])
+
+AC_BROKEN2(inet_aton,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0,0])
+
+AC_BROKEN2(inet_ntop,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0, 0, 0, 0])
+
+AC_BROKEN2(inet_pton,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0,0,0])
+
+dnl
+dnl Check for sa_len in struct sockaddr, 
+dnl needs to come before the getnameinfo test
+dnl
+AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include <sys/types.h>
+#include <sys/socket.h>])
+
+if test "$ac_cv_func_getnameinfo" = "yes"; then
+  rk_BROKEN_GETNAMEINFO
+  if test "$ac_cv_func_getnameinfo_broken" = yes; then
+    LIBOBJS="$LIBOBJS getnameinfo.o"
+  fi
+fi
+
+AC_NEED_PROTO([#include <stdlib.h>], setenv)
+AC_NEED_PROTO([#include <stdlib.h>], unsetenv)
+AC_NEED_PROTO([#include <unistd.h>], gethostname)
+AC_NEED_PROTO([#include <unistd.h>], mkstemp)
+AC_NEED_PROTO([#include <unistd.h>], getusershell)
+
+AC_NEED_PROTO([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+inet_aton)
+
+AC_FIND_FUNC_NO_LIBS(crypt, crypt)dnl
+
+AC_REQUIRE([rk_BROKEN_REALLOC])dnl
+
+dnl AC_KRB_FUNC_GETCWD_BROKEN
+
+dnl
+dnl Checks for prototypes and declarations
+dnl
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyname, struct hostent *gethostbyname(const char *))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyaddr, struct hostent *gethostbyaddr(const void *, size_t, int))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+getservbyname, struct servent *getservbyname(const char *, const char *))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+],
+getsockname, int getsockname(int, struct sockaddr*, socklen_t*))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+],
+openlog, void openlog(const char *, int, int))
+
+AC_NEED_PROTO([
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+],
+crypt)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strtok_r)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strsep)
+
+dnl variables
+
+rk_CHECK_VAR(h_errno, 
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR(h_errlist, 
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR(h_nerr, 
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR([__progname], 
+[#ifdef HAVE_ERR_H
+#include <err.h>
+#endif])
+
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optarg)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optind)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], opterr)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optopt)
+
+AC_CHECK_DECLARATION([#include <stdlib.h>], environ)
+
+dnl
+dnl Check for fields in struct tm
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct tm, tm_gmtoff, [#include <time.h>])
+AC_HAVE_STRUCT_FIELD(struct tm, tm_zone, [#include <time.h>])
+
+dnl
+dnl or do we have a variable `timezone' ?
+dnl
+
+rk_CHECK_VAR(timezone,[#include <time.h>])
+
+AC_HAVE_TYPE([sa_family_t],[#include <sys/socket.h>])
+AC_HAVE_TYPE([socklen_t],[#include <sys/socket.h>])
+AC_HAVE_TYPE([struct sockaddr], [#include <sys/socket.h>])
+AC_HAVE_TYPE([struct sockaddr_storage], [#include <sys/socket.h>])
+AC_HAVE_TYPE([struct addrinfo], [#include <netdb.h>])
+AC_HAVE_TYPE([struct ifaddrs], [#include <ifaddrs.h>])
+
+dnl
+dnl Check for struct winsize
+dnl
+
+AC_KRB_STRUCT_WINSIZE
+
+dnl
+dnl Check for struct spwd
+dnl
+
+AC_KRB_STRUCT_SPWD
+
+dnl won't work with automake
+dnl moved to AC_OUTPUT in configure.in
+dnl AC_CONFIG_FILES($1/Makefile)
+
+LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)"
+
+AC_SUBST(DIR_roken)dnl
+AC_SUBST(LIB_roken)dnl
+AC_SUBST(INCLUDES_roken)dnl
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/roken.m4 b/crypto/heimdal/cf/roken.m4
new file mode 100644
index 0000000..f5a8678
--- /dev/null
+++ b/crypto/heimdal/cf/roken.m4
@@ -0,0 +1,64 @@
+dnl $Id: roken.m4,v 1.2 2000/07/08 15:50:34 assar Exp $
+dnl
+dnl try to look for an installed roken library with sufficient stuff
+dnl
+dnl set LIB_roken to the what we should link with
+dnl set DIR_roken to if the directory should be built
+dnl set CPPFLAGS_roken to stuff to add to CPPFLAGS
+
+dnl AC_ROKEN(version,directory-to-try,roken-dir,fallback-library,fallback-cppflags)
+AC_DEFUN(AC_ROKEN, [
+
+AC_ARG_WITH(roken,
+[  --with-roken=dir	use the roken library in dir],
+[if test "$withval" = "no"; then
+  AC_MSG_ERROR(roken is required)
+fi])
+
+save_CPPFLAGS="${CPPFLAGS}"
+
+case $with_roken in
+yes|"")
+  dirs="$2" ;;
+*)
+  dirs="$with_roken" ;;
+esac
+
+roken_installed=no
+
+for i in $dirs; do
+
+AC_MSG_CHECKING(for roken in $i)
+
+CPPFLAGS="-I$i/include ${CPPFLAGS}"
+
+AC_TRY_CPP(
+[#include <roken.h>
+#if ROKEN_VERSION < $1
+#error old roken version, should be $1
+fail
+#endif
+],[roken_installed=yes; break])
+
+AC_MSG_RESULT($roken_installed)
+
+done
+
+CPPFLAGS="$save_CPPFLAGS"
+
+if test "$roken_installed" != "yes"; then
+  DIR_roken="roken"
+  LIB_roken='$4'
+  CPPFLAGS_roken='$5'
+  AC_CONFIG_SUBDIRS(lib/roken)
+else
+  LIB_roken="$i/lib/libroken.la"
+  CPPFLAGS_roken="-I$i/include"
+fi
+
+LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)"
+
+AC_SUBST(LIB_roken)dnl
+AC_SUBST(DIR_roken)dnl
+AC_SUBST(CPPFLAGS_roken)dnl
+])
diff --git a/crypto/heimdal/cf/shared-libs.m4 b/crypto/heimdal/cf/shared-libs.m4
index 9fe576f..bddc121 100644
--- a/crypto/heimdal/cf/shared-libs.m4
+++ b/crypto/heimdal/cf/shared-libs.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: shared-libs.m4,v 1.4 1999/07/13 17:47:09 assar Exp $
+dnl $Id: shared-libs.m4,v 1.6 2000/11/17 02:59:27 assar Exp $
 dnl
 dnl Shared library stuff has to be different everywhere
 dnl
@@ -65,7 +65,7 @@ case "${host}" in
 	install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
 	;;
 changequote(,)dnl
-*-*-freebsd[34]*)
+*-*-freebsd[345]* | *-*-freebsdelf[345]*)
 changequote([,])dnl
 	REAL_SHLIBEXT=so.$SHLIB_VERSION
 	REAL_LD_FLAGS='-Wl,-R$(libdir)'
@@ -84,9 +84,14 @@ changequote([,])dnl
 	LDSHARED='ld -shared -expect_unresolved \*'
 	;;
 *-*-solaris2*)
+	LDSHARED='$(CC) -shared -Wl,-soname,$(LIBNAME).so.'"${SHLIB_SONAME}"
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	build_symlink_command='$(LN_S) [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
 	REAL_LD_FLAGS='-Wl,-R$(libdir)'
 	if test -z "$GCC"; then
-		LDSHARED='$(CC) -G'
+		LDSHARED='$(CC) -G -h$(LIBNAME).so.'"${SHLIB_SONAME}"
 		REAL_PICFLAGS="-Kpic"
 	fi
 	;;
diff --git a/crypto/heimdal/cf/test-package.m4 b/crypto/heimdal/cf/test-package.m4
index 6bae158..6aac770 100644
--- a/crypto/heimdal/cf/test-package.m4
+++ b/crypto/heimdal/cf/test-package.m4
@@ -1,6 +1,6 @@
-dnl $Id: test-package.m4,v 1.7 1999/04/19 13:33:05 assar Exp $
+dnl $Id: test-package.m4,v 1.9 2000/12/15 04:54:24 assar Exp $
 dnl
-dnl AC_TEST_PACKAGE_NEW(package,headers,libraries,extra libs,default locations)
+dnl AC_TEST_PACKAGE_NEW(package,headers,libraries,extra libs,default locations, conditional)
 
 AC_DEFUN(AC_TEST_PACKAGE,[AC_TEST_PACKAGE_NEW($1,[#include <$2>],$4,,$5)])
 
@@ -74,7 +74,9 @@ if test "$ires" -a "$lres" -a "$with_$1" != "no"; then
 	$1_libdir="$lres"
 	INCLUDE_$1="-I$$1_includedir"
 	LIB_$1="-L$$1_libdir $3"
-	AC_DEFINE_UNQUOTED(upcase($1),1,[Define if you have the $1 package.])
+	m4_ifval([$6],
+		AC_DEFINE_UNQUOTED($6,1,[Define if you have the $1 package.]),
+		AC_DEFINE_UNQUOTED(upcase($1),1,[Define if you have the $1 package.]))
 	with_$1=yes
 	AC_MSG_RESULT([headers $ires, libraries $lres])
 else
@@ -83,6 +85,9 @@ else
 	with_$1=no
 	AC_MSG_RESULT($with_$1)
 fi
+dnl m4_ifval([$6],
+dnl 	AM_CONDITIONAL($6, test "$with_$1" = yes)
+dnl 	AM_CONDITIONAL(upcase($1), test "$with_$1" = yes))
 AC_SUBST(INCLUDE_$1)
 AC_SUBST(LIB_$1)
 ])
diff --git a/crypto/heimdal/config.guess b/crypto/heimdal/config.guess
index 4e5345f..265ea69 100755
--- a/crypto/heimdal/config.guess
+++ b/crypto/heimdal/config.guess
@@ -1,7 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
-#   Copyright (C) 1992, 93, 94, 95, 96, 97, 1998 Free Software Foundation, Inc.
-#
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000
+#   Free Software Foundation, Inc.
+
+version='2000-09-05'
+
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
@@ -22,7 +25,7 @@
 # the same distribution terms that you use for the rest of that program.
 
 # Written by Per Bothner <bothner@cygnus.com>.
-# The master version of this file is at the FSF in /home/gd/gnu/lib.
+# Please send patches to <config-patches@gnu.org>.
 #
 # This script attempts to guess a canonical system name similar to
 # config.sub.  If it succeeds, it prints the system name on stdout, and
@@ -35,6 +38,60 @@
 # (but try to keep the structure clean).
 #
 
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of this system.
+
+Operation modes:
+  -h, --help               print this help, then exit
+  -V, --version            print version number, then exit"
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case "$1" in
+    --version | --vers* | -V )
+       echo "$version" ; exit 0 ;;
+    --help | --h* | -h )
+       echo "$usage"; exit 0 ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       exec >&2
+       echo "$me: invalid option $1"
+       echo "$help"
+       exit 1 ;;
+    * )
+       break ;;
+  esac
+done
+
+if test $# != 0; then
+  echo "$me: too many arguments$help" >&2
+  exit 1
+fi
+
+# Use $HOST_CC if defined. $CC may point to a cross-compiler
+if test x"$CC_FOR_BUILD" = x; then
+  if test x"$HOST_CC" != x; then
+    CC_FOR_BUILD="$HOST_CC"
+  else
+    if test x"$CC" != x; then
+      CC_FOR_BUILD="$CC"
+    else
+      CC_FOR_BUILD=cc
+    fi
+  fi
+fi
+
+
 # This is needed to find uname on a Pyramid OSx when run in the BSD universe.
 # (ghazi@noc.rutgers.edu 8/24/94.)
 if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
@@ -52,6 +109,43 @@ trap 'rm -f $dummy.c $dummy.o $dummy; exit 1' 1 2 15
 # Note: order is significant - the case branches are not exclusive.
 
 case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+    *:NetBSD:*:*)
+	# Netbsd (nbsd) targets should (where applicable) match one or
+	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
+	# switched to ELF, *-*-netbsd* would select the old
+	# object file format.  This provides both forward
+	# compatibility and a consistent mechanism for selecting the
+	# object file format.
+	# Determine the machine/vendor (is the vendor relevant).
+	case "${UNAME_MACHINE}" in
+	    amiga) machine=m68k-unknown ;;
+	    arm32) machine=arm-unknown ;;
+	    atari*) machine=m68k-atari ;;
+	    sun3*) machine=m68k-sun ;;
+	    mac68k) machine=m68k-apple ;;
+	    macppc) machine=powerpc-apple ;;
+	    hp3[0-9][05]) machine=m68k-hp ;;
+	    ibmrt|romp-ibm) machine=romp-ibm ;;
+	    *) machine=${UNAME_MACHINE}-unknown ;;
+	esac
+	# The Operating System including object format.
+	if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+		| grep __ELF__ >/dev/null
+	then
+	    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+	    # Return netbsd for either.  FIX?
+	    os=netbsd
+	else
+	    os=netbsdelf
+	fi
+	# The OS release
+	release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+	# contains redundant information, the shorter form:
+	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+	echo "${machine}-${os}${release}"
+	exit 0 ;;
     alpha:OSF1:*:*)
 	if test $UNAME_RELEASE = "V4.0"; then
 		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
@@ -61,55 +155,68 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	# A Xn.n version is an unreleased experimental baselevel.
 	# 1.2 uses "1.2" for uname -r.
 	cat <<EOF >$dummy.s
+	.data
+\$Lformat:
+	.byte 37,100,45,37,120,10,0	# "%d-%x\n"
+
+	.text
 	.globl main
+	.align 4
 	.ent main
 main:
-	.frame \$30,0,\$26,0
-	.prologue 0
-	.long 0x47e03d80 # implver $0
-	lda \$2,259
-	.long 0x47e20c21 # amask $2,$1
-	srl \$1,8,\$2
-	sll \$2,2,\$2
-	sll \$0,3,\$0
-	addl \$1,\$0,\$0
-	addl \$2,\$0,\$0
-	ret \$31,(\$26),1
+	.frame \$30,16,\$26,0
+	ldgp \$29,0(\$27)
+	.prologue 1
+	.long 0x47e03d80 # implver \$0
+	lda \$2,-1
+	.long 0x47e20c21 # amask \$2,\$1
+	lda \$16,\$Lformat
+	mov \$0,\$17
+	not \$1,\$18
+	jsr \$26,printf
+	ldgp \$29,0(\$26)
+	mov 0,\$16
+	jsr \$26,exit
 	.end main
 EOF
-	${CC-cc} $dummy.s -o $dummy 2>/dev/null
+	$CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null
 	if test "$?" = 0 ; then
-		./$dummy
-		case "$?" in
-			7)
+		case `./$dummy` in
+			0-0)
 				UNAME_MACHINE="alpha"
 				;;
-			15)
+			1-0)
 				UNAME_MACHINE="alphaev5"
 				;;
-			14)
+			1-1)
 				UNAME_MACHINE="alphaev56"
 				;;
-			10)
+			1-101)
 				UNAME_MACHINE="alphapca56"
 				;;
-			16)
+			2-303)
 				UNAME_MACHINE="alphaev6"
 				;;
+			2-307)
+				UNAME_MACHINE="alphaev67"
+				;;
 		esac
 	fi
 	rm -f $dummy.s $dummy
-	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr [[A-Z]] [[a-z]]`
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	exit 0 ;;
+    Alpha\ *:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# Should we change UNAME_MACHINE based on the output of uname instead
+	# of the specific Alpha model?
+	echo alpha-pc-interix
 	exit 0 ;;
     21064:Windows_NT:50:3)
 	echo alpha-dec-winnt3.5
 	exit 0 ;;
     Amiga*:UNIX_System_V:4.0:*)
-	echo m68k-cbm-sysv4
+	echo m68k-unknown-sysv4
 	exit 0;;
-    amiga:NetBSD:*:*)
-      echo m68k-cbm-netbsd${UNAME_RELEASE}
-      exit 0 ;;
     amiga:OpenBSD:*:*)
 	echo m68k-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
@@ -134,16 +241,16 @@ EOF
     wgrisc:OpenBSD:*:*)
 	echo mipsel-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
+    *:OS/390:*:*)
+	echo i370-ibm-openedition
+	exit 0 ;;
     arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
 	echo arm-acorn-riscix${UNAME_RELEASE}
 	exit 0;;
-    arm32:NetBSD:*:*)
-	echo arm-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
-	exit 0 ;;
     SR2?01:HI-UX/MPP:*:*)
 	echo hppa1.1-hitachi-hiuxmpp
 	exit 0;;
-    Pyramid*:OSx*:*:*|MIS*:OSx*:*:*|MIS*:SMP_DC-OSx*:*:*)
+    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
 	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
 	if test "`(/bin/universe) 2>/dev/null`" = att ; then
 		echo pyramid-pyramid-sysv3
@@ -151,7 +258,7 @@ EOF
 		echo pyramid-pyramid-bsd
 	fi
 	exit 0 ;;
-    NILE:*:*:dcosx)
+    NILE*:*:*:dcosx)
 	echo pyramid-pyramid-svr4
 	exit 0 ;;
     sun4H:SunOS:5.*:*)
@@ -196,21 +303,38 @@ EOF
     aushp:SunOS:*:*)
 	echo sparc-auspex-sunos${UNAME_RELEASE}
 	exit 0 ;;
-    atari*:NetBSD:*:*)
-	echo m68k-atari-netbsd${UNAME_RELEASE}
-	exit 0 ;;
     atari*:OpenBSD:*:*)
 	echo m68k-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
-    sun3*:NetBSD:*:*)
-	echo m68k-sun-netbsd${UNAME_RELEASE}
+    # The situation for MiNT is a little confusing.  The machine name
+    # can be virtually everything (everything which is not
+    # "atarist" or "atariste" at least should have a processor 
+    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
+    # to the lowercase version "mint" (or "freemint").  Finally
+    # the system name "TOS" denotes a system which is actually not
+    # MiNT.  But MiNT is downward compatible to TOS, so this should
+    # be no problem.
+    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit 0 ;;
+    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+        exit 0 ;;
+    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
 	exit 0 ;;
+    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+        echo m68k-milan-mint${UNAME_RELEASE}
+        exit 0 ;;
+    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+        echo m68k-hades-mint${UNAME_RELEASE}
+        exit 0 ;;
+    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+        echo m68k-unknown-mint${UNAME_RELEASE}
+        exit 0 ;;
     sun3*:OpenBSD:*:*)
 	echo m68k-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
-    mac68k:NetBSD:*:*)
-	echo m68k-apple-netbsd${UNAME_RELEASE}
-	exit 0 ;;
     mac68k:OpenBSD:*:*)
 	echo m68k-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
@@ -223,9 +347,6 @@ EOF
     powerpc:machten:*:*)
 	echo powerpc-apple-machten${UNAME_RELEASE}
 	exit 0 ;;
-    macppc:NetBSD:*:*)
-        echo powerpc-apple-netbsd${UNAME_RELEASE}
-        exit 0 ;;
     RISC*:Mach:*:*)
 	echo mips-dec-mach_bsd4.3
 	exit 0 ;;
@@ -235,12 +356,17 @@ EOF
     VAX*:ULTRIX*:*:*)
 	echo vax-dec-ultrix${UNAME_RELEASE}
 	exit 0 ;;
-    2020:CLIX:*:*)
+    2020:CLIX:*:* | 2430:CLIX:*:*)
 	echo clipper-intergraph-clix${UNAME_RELEASE}
 	exit 0 ;;
     mips:*:*:UMIPS | mips:*:*:RISCos)
 	sed 's/^	//' << EOF >$dummy.c
-	int main (argc, argv) int argc; char **argv; {
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
 	#if defined (host_mips) && defined (MIPSEB)
 	#if defined (SYSTYPE_SYSV)
 	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
@@ -255,7 +381,7 @@ EOF
 	  exit (-1);
 	}
 EOF
-	${CC-cc} $dummy.c -o $dummy \
+	$CC_FOR_BUILD $dummy.c -o $dummy \
 	  && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
 	  && rm $dummy.c $dummy && exit 0
 	rm -f $dummy.c $dummy
@@ -276,15 +402,18 @@ EOF
     AViiON:dgux:*:*)
         # DG/UX returns AViiON for all architectures
         UNAME_PROCESSOR=`/usr/bin/uname -p`
-        if [ $UNAME_PROCESSOR = mc88100 -o $UNAME_PROCESSOR = mc88110 ] ; then
-	if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx \
-	     -o ${TARGET_BINARY_INTERFACE}x = x ] ; then
+	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110]
+	then
+	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+	       [ ${TARGET_BINARY_INTERFACE}x = x ]
+	    then
 		echo m88k-dg-dgux${UNAME_RELEASE}
-	else
+	    else
 		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+	    fi
+	else
+	    echo i586-dg-dgux${UNAME_RELEASE}
 	fi
-        else echo i586-dg-dgux${UNAME_RELEASE}
-        fi
  	exit 0 ;;
     M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
 	echo m88k-dolphin-sysv3
@@ -321,7 +450,7 @@ EOF
 			exit(0);
 			}
 EOF
-		${CC-cc} $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
+		$CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
 		rm -f $dummy.c $dummy
 		echo rs6000-ibm-aix3.2.5
 	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
@@ -350,7 +479,7 @@ EOF
     ibmrt:4.4BSD:*|romp-ibm:BSD:*)
 	echo romp-ibm-bsd4.4
 	exit 0 ;;
-    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC NetBSD and
+    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
 	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
 	exit 0 ;;                           # report: romp-ibm BSD 4.3
     *:BOSX:*:*)
@@ -369,25 +498,27 @@ EOF
 	case "${UNAME_MACHINE}" in
 	    9000/31? )            HP_ARCH=m68000 ;;
 	    9000/[34]?? )         HP_ARCH=m68k ;;
-	    9000/6?? | 9000/7?? | 9000/80[24] | 9000/8?[13679] | 9000/892 )
+	    9000/[678][0-9][0-9])
               sed 's/^              //' << EOF >$dummy.c
+
+              #define _HPUX_SOURCE
               #include <stdlib.h>
               #include <unistd.h>
-              
+
               int main ()
               {
               #if defined(_SC_KERNEL_BITS)
                   long bits = sysconf(_SC_KERNEL_BITS);
-              #endif 
+              #endif
                   long cpu  = sysconf (_SC_CPU_VERSION);
-              
-                  switch (cpu) 
+
+                  switch (cpu)
               	{
               	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
               	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
-              	case CPU_PA_RISC2_0: 
+              	case CPU_PA_RISC2_0:
               #if defined(_SC_KERNEL_BITS)
-              	    switch (bits) 
+              	    switch (bits)
               		{
               		case 64: puts ("hppa2.0w"); break;
               		case 32: puts ("hppa2.0n"); break;
@@ -395,13 +526,13 @@ EOF
               		} break;
               #else  /* !defined(_SC_KERNEL_BITS) */
               	    puts ("hppa2.0"); break;
-              #endif 
+              #endif
               	default: puts ("hppa1.0"); break;
               	}
                   exit (0);
               }
 EOF
-	(${CC-cc} $dummy.c -o $dummy 2>/dev/null ) && HP_ARCH=`./$dummy`
+	(CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null ) && HP_ARCH=`./$dummy`
 	rm -f $dummy.c $dummy
 	esac
 	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
@@ -433,7 +564,7 @@ EOF
 	  exit (0);
 	}
 EOF
-	${CC-cc} $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
+	$CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
 	rm -f $dummy.c $dummy
 	echo unknown-hitachi-hiuxwe2
 	exit 0 ;;
@@ -443,6 +574,9 @@ EOF
     9000/8??:4.3bsd:*:*)
 	echo hppa1.0-hp-bsd
 	exit 0 ;;
+    *9??*:MPE/iX:*:*)
+	echo hppa1.0-hp-mpeix
+	exit 0 ;;
     hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
 	echo hppa1.1-hp-osf
 	exit 0 ;;
@@ -459,6 +593,9 @@ EOF
     parisc*:Lites*:*:*)
 	echo hppa1.1-hp-lites
 	exit 0 ;;
+    hppa*:OpenBSD:*:*)
+	echo hppa-unknown-openbsd
+	exit 0 ;;
     C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
 	echo c1-convex-bsd
         exit 0 ;;
@@ -489,43 +626,40 @@ EOF
 	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/
 	exit 0 ;;
     CRAY*TS:*:*:*)
-	echo t90-cray-unicos${UNAME_RELEASE}
+	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
 	exit 0 ;;
     CRAY*T3E:*:*:*)
-	echo t3e-cray-unicosmk${UNAME_RELEASE}
+	echo alpha-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit 0 ;;
+    CRAY*SV1:*:*:*)
+	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'    
 	exit 0 ;;
     CRAY-2:*:*:*)
 	echo cray2-cray-unicos
         exit 0 ;;
     F300:UNIX_System_V:*:*)
-        FUJITSU_SYS=`uname -p | tr [A-Z] [a-z] | sed -e 's/\///'`
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
         FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
         echo "f300-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
         exit 0 ;;
     F301:UNIX_System_V:*:*)
        echo f301-fujitsu-uxpv`echo $UNAME_RELEASE | sed 's/ .*//'`
        exit 0 ;;
-    hp3[0-9][05]:NetBSD:*:*)
-	echo m68k-hp-netbsd${UNAME_RELEASE}
-	exit 0 ;;
     hp300:OpenBSD:*:*)
 	echo m68k-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
+    i?86:BSD/386:*:* | i?86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	exit 0 ;;
     sparc*:BSD/OS:*:*)
 	echo sparc-unknown-bsdi${UNAME_RELEASE}
 	exit 0 ;;
-    i?86:BSD/386:*:* | i?86:BSD/OS:*:*)
-	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
-	exit 0 ;;
     *:BSD/OS:*:*)
 	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
 	exit 0 ;;
     *:FreeBSD:*:*)
 	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
 	exit 0 ;;
-    *:NetBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
-	exit 0 ;;
     *:OpenBSD:*:*)
 	echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
 	exit 0 ;;
@@ -535,6 +669,18 @@ EOF
     i*:MINGW*:*)
 	echo ${UNAME_MACHINE}-pc-mingw32
 	exit 0 ;;
+    i*:PW*:*)
+	echo ${UNAME_MACHINE}-pc-pw32
+	exit 0 ;;
+    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+	# UNAME_MACHINE based on the output of uname instead of i386?
+	echo i386-pc-interix
+	exit 0 ;;
+    i*:UWIN*:*)
+	echo ${UNAME_MACHINE}-pc-uwin
+	exit 0 ;;
     p*:CYGWIN*:*)
 	echo powerpcle-unknown-cygwin
 	exit 0 ;;
@@ -544,16 +690,15 @@ EOF
     *:GNU:*:*)
 	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
 	exit 0 ;;
+    i*86:Minix:*:*)
+	echo ${UNAME_MACHINE}-pc-minix
+	exit 0 ;;
     *:Linux:*:*)
-	# uname on the ARM produces all sorts of strangeness, and we need to
-	# filter it out.
-	case "$UNAME_MACHINE" in
-	  arm* | sa110*)	      UNAME_MACHINE="arm" ;;
-	esac
 
 	# The BFD linker knows what the default object file format is, so
-	# first see if it will tell us.
-	ld_help_string=`ld --help 2>&1`
+	# first see if it will tell us. cd to the root directory to prevent
+	# problems with other programs or directories called `ld' in the path.
+	ld_help_string=`cd /; ld --help 2>&1`
 	ld_supported_emulations=`echo $ld_help_string \
 			 | sed -ne '/supported emulations:/!d
 				    s/[ 	][ 	]*/ /g
@@ -561,68 +706,145 @@ EOF
 				    s/ .*//
 				    p'`
         case "$ld_supported_emulations" in
-	  i?86linux)  echo "${UNAME_MACHINE}-pc-linux-gnuaout"      ; exit 0 ;;
-	  i?86coff)   echo "${UNAME_MACHINE}-pc-linux-gnucoff"      ; exit 0 ;;
-	  sparclinux) echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;;
-	  armlinux)   echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;;
-	  m68klinux)  echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;;
-	  elf32ppc)   echo "powerpc-unknown-linux-gnu"              ; exit 0 ;;
+	  *ia64)
+		echo "${UNAME_MACHINE}-unknown-linux"
+		exit 0
+		;;
+	  i?86linux)
+		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+		exit 0
+		;;
+	  elf_i?86)
+		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+		;;
+	  i?86coff)
+		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+		exit 0
+		;;
+	  sparclinux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+		exit 0
+		;;
+	  armlinux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+		exit 0
+		;;
+	  elf32arm*)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuoldld"
+		exit 0
+		;;
+	  armelf_linux*)
+		echo "${UNAME_MACHINE}-unknown-linux-gnu"
+		exit 0
+		;;
+	  m68klinux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+		exit 0
+		;;
+	  elf32ppc | elf32ppclinux)
+		# Determine Lib Version
+		cat >$dummy.c <<EOF
+#include <features.h>
+#if defined(__GLIBC__)
+extern char __libc_version[];
+extern char __libc_release[];
+#endif
+main(argc, argv)
+     int argc;
+     char *argv[];
+{
+#if defined(__GLIBC__)
+  printf("%s %s\n", __libc_version, __libc_release);
+#else
+  printf("unkown\n");
+#endif
+  return 0;
+}
+EOF
+		LIBC=""
+		$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null
+		if test "$?" = 0 ; then
+			./$dummy | grep 1\.99 > /dev/null
+			if test "$?" = 0 ; then
+				LIBC="libc1"
+			fi
+		fi	
+		rm -f $dummy.c $dummy
+		echo powerpc-unknown-linux-gnu${LIBC}
+		exit 0
+		;;
+	  shelf_linux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnu"
+		exit 0
+		;;
 	esac
 
 	if test "${UNAME_MACHINE}" = "alpha" ; then
-		sed 's/^	//'  <<EOF >$dummy.s
-		.globl main
-		.ent main
-	main:
-		.frame \$30,0,\$26,0
-		.prologue 0
-		.long 0x47e03d80 # implver $0
-		lda \$2,259
-		.long 0x47e20c21 # amask $2,$1
-		srl \$1,8,\$2
-		sll \$2,2,\$2
-		sll \$0,3,\$0
-		addl \$1,\$0,\$0
-		addl \$2,\$0,\$0
-		ret \$31,(\$26),1
-		.end main
+		cat <<EOF >$dummy.s
+			.data
+		\$Lformat:
+			.byte 37,100,45,37,120,10,0	# "%d-%x\n"
+
+			.text
+			.globl main
+			.align 4
+			.ent main
+		main:
+			.frame \$30,16,\$26,0
+			ldgp \$29,0(\$27)
+			.prologue 1
+			.long 0x47e03d80 # implver \$0
+			lda \$2,-1
+			.long 0x47e20c21 # amask \$2,\$1
+			lda \$16,\$Lformat
+			mov \$0,\$17
+			not \$1,\$18
+			jsr \$26,printf
+			ldgp \$29,0(\$26)
+			mov 0,\$16
+			jsr \$26,exit
+			.end main
 EOF
 		LIBC=""
-		${CC-cc} $dummy.s -o $dummy 2>/dev/null
+		$CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null
 		if test "$?" = 0 ; then
-			./$dummy
-			case "$?" in
-			7)
+			case `./$dummy` in
+			0-0)
 				UNAME_MACHINE="alpha"
 				;;
-			15)
+			1-0)
 				UNAME_MACHINE="alphaev5"
 				;;
-			14)
+			1-1)
 				UNAME_MACHINE="alphaev56"
 				;;
-			10)
+			1-101)
 				UNAME_MACHINE="alphapca56"
 				;;
-			16)
+			2-303)
 				UNAME_MACHINE="alphaev6"
 				;;
-			esac	
+			2-307)
+				UNAME_MACHINE="alphaev67"
+				;;
+			esac
 
 			objdump --private-headers $dummy | \
 			  grep ld.so.1 > /dev/null
 			if test "$?" = 0 ; then
 				LIBC="libc1"
 			fi
-		fi	
+		fi
 		rm -f $dummy.s $dummy
 		echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} ; exit 0
 	elif test "${UNAME_MACHINE}" = "mips" ; then
 	  cat >$dummy.c <<EOF
-main(argc, argv)
-     int argc;
-     char *argv[];
-{
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
 #ifdef __MIPSEB__
   printf ("%s-unknown-linux-gnu\n", argv[1]);
 #endif
@@ -632,8 +854,12 @@ main(argc, argv)
   return 0;
 }
 EOF
-	  ${CC-cc} $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
+	  $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
 	  rm -f $dummy.c $dummy
+	elif test "${UNAME_MACHINE}" = "s390"; then
+	  echo s390-ibm-linux && exit 0
+	elif test "${UNAME_MACHINE}" = "x86_64"; then
+	  echo x86_64-unknown-linux-gnu && exit 0
 	else
 	  # Either a pre-BFD a.out linker (linux-gnuoldld)
 	  # or one that does not give us useful --help.
@@ -654,10 +880,12 @@ EOF
 	  # Determine whether the default compiler is a.out or elf
 	  cat >$dummy.c <<EOF
 #include <features.h>
-main(argc, argv)
-     int argc;
-     char *argv[];
-{
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
 #ifdef __ELF__
 # ifdef __GLIBC__
 #  if __GLIBC__ >= 2
@@ -674,8 +902,9 @@ main(argc, argv)
   return 0;
 }
 EOF
-	  ${CC-cc} $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
+	  $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
 	  rm -f $dummy.c $dummy
+	  test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
 	fi ;;
 # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.  earlier versions
 # are messed up and put the nodename in both sysname and nodename.
@@ -691,10 +920,20 @@ EOF
 	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
 	exit 0 ;;
     i?86:*:4.*:* | i?86:SYSTEM_V:4.*:*)
+	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
 	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
-		echo ${UNAME_MACHINE}-univel-sysv${UNAME_RELEASE}
+		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+	else
+		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+	fi
+	exit 0 ;;
+    i?86:*:5:7*)
+        # Fixed at (any) Pentium or better
+        UNAME_MACHINE=i586
+        if [ ${UNAME_SYSTEM} = "UnixWare" ] ; then
+	    echo ${UNAME_MACHINE}-sco-sysv${UNAME_RELEASE}uw${UNAME_VERSION}
 	else
-		echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE}
+	    echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE}
 	fi
 	exit 0 ;;
     i?86:*:3.2:*)
@@ -706,19 +945,20 @@ EOF
 		(/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486
 		(/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \
 			&& UNAME_MACHINE=i586
+		(/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		(/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \
+			&& UNAME_MACHINE=i686
 		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
 	else
 		echo ${UNAME_MACHINE}-pc-sysv32
 	fi
 	exit 0 ;;
-    i?86:UnixWare:*:*)
-	if /bin/uname -X 2>/dev/null >/dev/null ; then
-	  (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \
-	    && UNAME_MACHINE=i586
-	fi
-	echo ${UNAME_MACHINE}-unixware-${UNAME_RELEASE}-${UNAME_VERSION}
+    i?86:*DOS:*:*)
+	echo ${UNAME_MACHINE}-pc-msdosdjgpp
 	exit 0 ;;
     pc:*:*:*)
+	# Left here for compatibility:
         # uname -m prints for DJGPP always 'pc', but it prints nothing about
         # the processor, so we play safe by assuming i386.
 	echo i386-pc-msdosdjgpp
@@ -759,7 +999,7 @@ EOF
     mc68030:UNIX_System_V:4.*:*)
 	echo m68k-atari-sysv4
 	exit 0 ;;
-    i?86:LynxOS:2.*:*)
+    i?86:LynxOS:2.*:* | i?86:LynxOS:3.[01]*:*)
 	echo i386-unknown-lynxos${UNAME_RELEASE}
 	exit 0 ;;
     TSUNAMI:LynxOS:2.*:*)
@@ -771,6 +1011,9 @@ EOF
     SM[BE]S:UNIX_SV:*:*)
 	echo mips-dde-sysv${UNAME_RELEASE}
 	exit 0 ;;
+    RM*:ReliantUNIX-*:*:*)
+	echo mips-sni-sysv4
+	exit 0 ;;
     RM*:SINIX-*:*:*)
 	echo mips-sni-sysv4
 	exit 0 ;;
@@ -798,10 +1041,10 @@ EOF
     mc68*:A/UX:*:*)
 	echo m68k-apple-aux${UNAME_RELEASE}
 	exit 0 ;;
-    news*:NEWS-OS:*:6*)
+    news*:NEWS-OS:6*:*)
 	echo mips-sony-newsos6
 	exit 0 ;;
-    R3000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R4000:UNIX_SV:*:*)
+    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
 	if [ -d /usr/nec ]; then
 	        echo mips-nec-sysv${UNAME_RELEASE}
 	else
@@ -829,6 +1072,40 @@ EOF
     *:Rhapsody:*:*)
 	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
 	exit 0 ;;
+    *:Darwin:*:*)
+	echo `uname -p`-apple-darwin${UNAME_RELEASE}
+	exit 0 ;;
+    *:procnto*:*:* | *:QNX:[0123456789]*:*)
+	if test "${UNAME_MACHINE}" = "x86pc"; then
+		UNAME_MACHINE=pc
+	fi
+	echo `uname -p`-${UNAME_MACHINE}-nto-qnx
+	exit 0 ;;
+    *:QNX:*:4*)
+	echo i386-pc-qnx
+	exit 0 ;;
+    NSR-[KW]:NONSTOP_KERNEL:*:*)
+	echo nsr-tandem-nsk${UNAME_RELEASE}
+	exit 0 ;;
+    BS2000:POSIX*:*:*)
+	echo bs2000-siemens-sysv
+	exit 0 ;;
+    DS/*:UNIX_System_V:*:*)
+	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+	exit 0 ;;
+    *:Plan9:*:*)
+	# "uname -m" is not consistent, so use $cputype instead. 386
+	# is converted to i386 for consistency with other x86
+	# operating systems.
+	if test "$cputype" = "386"; then
+	    UNAME_MACHINE=i386
+	else
+	    UNAME_MACHINE="$cputype"
+	fi
+	echo ${UNAME_MACHINE}-unknown-plan9
+	exit 0 ;;
+    *:OS/2:*:*)
+	echo ${UNAME_MACHINE}-pc-os2_emx
 esac
 
 #echo '(No uname command or uname output not recognized.)' 1>&2
@@ -935,7 +1212,7 @@ main ()
 }
 EOF
 
-${CC-cc} $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm $dummy.c $dummy && exit 0
+$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm $dummy.c $dummy && exit 0
 rm -f $dummy.c $dummy
 
 # Apollos put the system type in the environment.
@@ -968,6 +1245,47 @@ then
     esac
 fi
 
-#echo '(Unable to guess system type)' 1>&2
+cat >&2 <<EOF
+$0: unable to guess system type
+
+The $version version of this script cannot recognize your system type.
+Please download the most up to date version of the config scripts:
+
+    ftp://ftp.gnu.org/pub/gnu/config/
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess version = $version
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo               = `(hostinfo) 2>/dev/null`
+/bin/universe          = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch              = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM  = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
 
 exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "version='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/crypto/heimdal/config.sub b/crypto/heimdal/config.sub
index 7a40495..42fc991 100755
--- a/crypto/heimdal/config.sub
+++ b/crypto/heimdal/config.sub
@@ -1,6 +1,10 @@
 #! /bin/sh
 # Configuration validation subroutine script, version 1.1.
-#   Copyright (C) 1991, 92-97, 1998 Free Software Foundation, Inc.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000
+#   Free Software Foundation, Inc.
+
+version='2000-09-11'
+
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
 # can handle that machine.  It does not imply ALL GNU software can.
@@ -25,6 +29,8 @@
 # configuration script generated by Autoconf, you may include it under
 # the same distribution terms that you use for the rest of that program.
 
+# Please send patches to <config-patches@gnu.org>.
+#
 # Configuration subroutine to validate and canonicalize a configuration type.
 # Supply the specified configuration type as an argument.
 # If it is invalid, we print an error message on stderr and exit with code 1.
@@ -45,30 +51,61 @@
 #	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
 # It is wrong to echo any other type of specification.
 
-if [ x$1 = x ]
-then
-	echo Configuration name missing. 1>&2
-	echo "Usage: $0 CPU-MFR-OPSYS" 1>&2
-	echo "or     $0 ALIAS" 1>&2
-	echo where ALIAS is a recognized configuration type. 1>&2
-	exit 1
-fi
+me=`echo "$0" | sed -e 's,.*/,,'`
 
-# First pass through any local machine types.
-case $1 in
-	*local*)
-		echo $1
-		exit 0
-		;;
-	*)
-	;;
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+       $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+  -h, --help               print this help, then exit
+  -V, --version            print version number, then exit"
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case "$1" in
+    --version | --vers* | -V )
+       echo "$version" ; exit 0 ;;
+    --help | --h* | -h )
+       echo "$usage"; exit 0 ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       exec >&2
+       echo "$me: invalid option $1"
+       echo "$help"
+       exit 1 ;;
+
+    *local*)
+       # First pass through any local machine types.
+       echo $1
+       exit 0;;
+
+    * )
+       break ;;
+  esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+    exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+    exit 1;;
 esac
 
 # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
 # Here we must recognize all the valid KERNEL-OS combinations.
 maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
 case $maybe_os in
-  linux-gnu*)
+  nto-qnx* | linux-gnu*)
     os=-$maybe_os
     basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
     ;;
@@ -94,15 +131,25 @@ case $os in
 	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
 	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
 	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-	-apple)
+	-apple | -axis)
 		os=
 		basic_machine=$1
 		;;
+	-sim | -cisco | -oki | -wec | -winbond)
+		os=
+		basic_machine=$1
+		;;
+	-scout)
+		;;
+	-wrs)
+		os=-vxworks
+		basic_machine=$1
+		;;
 	-hiux*)
 		os=-hiuxwe2
 		;;
 	-sco5)
-		os=sco3.2v5
+		os=-sco3.2v5
 		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco4)
@@ -121,6 +168,9 @@ case $os in
 		os=-sco3.2v2
 		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
 		;;
+	-udk*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
 	-isc)
 		os=-isc2.2
 		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
@@ -143,26 +193,46 @@ case $os in
 	-psos*)
 		os=-psos
 		;;
+	-mint | -mint[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
 esac
 
 # Decode aliases for certain CPU-COMPANY combinations.
 case $basic_machine in
 	# Recognize the basic CPU types without company name.
 	# Some are omitted here because they have special meanings below.
-	tahoe | i860 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \
-		| arme[lb] | pyramid | mn10200 | mn10300 | tron | a29k \
-		| 580 | i960 | h8300 | hppa | hppa1.0 | hppa1.1 | hppa2.0 \
-		| alpha | alphaev5 | alphaev56 | we32k | ns16k | clipper \
-		| i370 | sh | powerpc | powerpcle | 1750a | dsp16xx | pdp11 \
-		| mips64 | mipsel | mips64el | mips64orion | mips64orionel \
-		| mipstx39 | mipstx39el \
-		| sparc | sparclet | sparclite | sparc64 | v850)
+	tahoe | i860 | ia64 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \
+		| arme[lb] | armv[2345] | armv[345][lb] | pyramid | mn10200 | mn10300 | tron | a29k \
+		| 580 | i960 | h8300 \
+		| x86 | ppcbe | mipsbe | mipsle | shbe | shle | armbe | armle \
+		| hppa | hppa1.0 | hppa1.1 | hppa2.0 | hppa2.0w | hppa2.0n \
+		| hppa64 \
+		| alpha | alphaev[4-8] | alphaev56 | alphapca5[67] \
+		| alphaev6[78] \
+		| we32k | ns16k | clipper | i370 | sh | sh[34] \
+		| powerpc | powerpcle \
+		| 1750a | dsp16xx | pdp11 | mips16 | mips64 | mipsel | mips64el \
+		| mips64orion | mips64orionel | mipstx39 | mipstx39el \
+		| mips64vr4300 | mips64vr4300el | mips64vr4100 | mips64vr4100el \
+		| mips64vr5000 | miprs64vr5000el | mcore \
+		| sparc | sparclet | sparclite | sparc64 | sparcv9 | v850 | c4x \
+		| thumb | d10v | d30v | fr30 | avr)
 		basic_machine=$basic_machine-unknown
 		;;
+	m6811 | m68hc11 | m6812 | m68hc12)
+		# Motorola 68HC11/12.
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | z8k | v70 | h8500 | w65 | pj | pjl)
+		;;
+
 	# We use `pc' rather than `unknown'
 	# because (1) that's what they normally are, and
 	# (2) the word "unknown" tends to confuse beginning users.
-	i[34567]86)
+	i[234567]86 | x86_64)
 	  basic_machine=$basic_machine-pc
 	  ;;
 	# Object if more than one company name word.
@@ -171,27 +241,49 @@ case $basic_machine in
 		exit 1
 		;;
 	# Recognize the basic CPU types with company name.
-	vax-* | tahoe-* | i[34567]86-* | i860-* | m32r-* | m68k-* | m68000-* \
+	# FIXME: clean up the formatting here.
+	vax-* | tahoe-* | i[234567]86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \
 	      | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | arm-* | c[123]* \
 	      | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
-	      | power-* | none-* | 580-* | cray2-* | h8300-* | i960-* \
-	      | xmp-* | ymp-* | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* \
-	      | alpha-* | alphaev5-* | alphaev56-* | we32k-* | cydra-* \
-	      | ns16k-* | pn-* | np1-* | xps100-* | clipper-* | orion-* \
+	      | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \
+	      | xmp-* | ymp-* \
+	      | x86-* | ppcbe-* | mipsbe-* | mipsle-* | shbe-* | shle-* | armbe-* | armle-* \
+	      | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* | hppa2.0w-* \
+	      | hppa2.0n-* | hppa64-* \
+	      | alpha-* | alphaev[4-8]-* | alphaev56-* | alphapca5[67]-* \
+	      | alphaev6[78]-* \
+	      | we32k-* | cydra-* | ns16k-* | pn-* | np1-* | xps100-* \
+	      | clipper-* | orion-* \
 	      | sparclite-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \
-	      | sparc64-* | mips64-* | mipsel-* \
-	      | mips64el-* | mips64orion-* | mips64orionel-*  \
-	      | mipstx39-* | mipstx39el-* \
-	      | f301-*)
+	      | sparc64-* | sparcv9-* | sparc86x-* | mips16-* | mips64-* | mipsel-* \
+	      | mips64el-* | mips64orion-* | mips64orionel-* \
+	      | mips64vr4100-* | mips64vr4100el-* | mips64vr4300-* | mips64vr4300el-* \
+	      | mipstx39-* | mipstx39el-* | mcore-* \
+	      | f301-* | armv*-* | s390-* | sv1-* | t3e-* \
+	      | m88110-* | m680[01234]0-* | m683?2-* | m68360-* | z8k-* | d10v-* \
+	      | thumb-* | v850-* | d30v-* | tic30-* | c30-* | fr30-* \
+	      | bs2000-* | tic54x-* | c54x-* | x86_64-*)
 		;;
 	# Recognize the various machine names and aliases which stand
 	# for a CPU type and a company and sometimes even an OS.
+	386bsd)
+		basic_machine=i386-unknown
+		os=-bsd
+		;;
 	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
 		basic_machine=m68000-att
 		;;
 	3b*)
 		basic_machine=we32k-att
 		;;
+	a29khif)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	adobe68k)
+		basic_machine=m68010-adobe
+		os=-scout
+		;;
 	alliant | fx80)
 		basic_machine=fx80-alliant
 		;;
@@ -207,20 +299,24 @@ case $basic_machine in
 		os=-sysv
 		;;
 	amiga | amiga-*)
-		basic_machine=m68k-cbm
+		basic_machine=m68k-unknown
 		;;
 	amigaos | amigados)
-		basic_machine=m68k-cbm
+		basic_machine=m68k-unknown
 		os=-amigaos
 		;;
 	amigaunix | amix)
-		basic_machine=m68k-cbm
+		basic_machine=m68k-unknown
 		os=-sysv4
 		;;
 	apollo68)
 		basic_machine=m68k-apollo
 		os=-sysv
 		;;
+	apollo68bsd)
+		basic_machine=m68k-apollo
+		os=-bsd
+		;;
 	aux)
 		basic_machine=m68k-apple
 		os=-aux
@@ -258,13 +354,15 @@ case $basic_machine in
 		os=-unicos
 		;;
 	[ctj]90-cray)
-		#basic_machine=c90-cray
-		os=`echo $os | sed -e 's/\(unicos[0-9]*\.[0-9]*\).*/\1/'`
-		#os=-unicos
+		basic_machine=c90-cray
+		os=-unicos
 		;;
 	crds | unos)
 		basic_machine=m68k-crds
 		;;
+	cris | cris-* | etrax*)
+		basic_machine=cris-axis
+		;;
 	da30 | da30-*)
 		basic_machine=m68k-da30
 		;;
@@ -298,6 +396,10 @@ case $basic_machine in
 	encore | umax | mmax)
 		basic_machine=ns32k-encore
 		;;
+	es1800 | OSE68k | ose68k | ose | OSE)
+		basic_machine=m68k-ericsson
+		os=-ose
+		;;
 	fx2800)
 		basic_machine=i860-alliant
 		;;
@@ -316,6 +418,14 @@ case $basic_machine in
 		basic_machine=h8300-hitachi
 		os=-hms
 		;;
+	h8300xray)
+		basic_machine=h8300-hitachi
+		os=-xray
+		;;
+	h8500hms)
+		basic_machine=h8500-hitachi
+		os=-hms
+		;;
 	harris)
 		basic_machine=m88k-harris
 		os=-sysv3
@@ -331,13 +441,30 @@ case $basic_machine in
 		basic_machine=m68k-hp
 		os=-hpux
 		;;
+	hp3k9[0-9][0-9] | hp9[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
 	hp9k2[0-9][0-9] | hp9k31[0-9])
 		basic_machine=m68000-hp
 		;;
 	hp9k3[2-9][0-9])
 		basic_machine=m68k-hp
 		;;
-	hp9k7[0-9][0-9] | hp7[0-9][0-9] | hp9k8[0-9]7 | hp8[0-9]7)
+	hp9k6[0-9][0-9] | hp6[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k7[0-79][0-9] | hp7[0-79][0-9])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k78[0-9] | hp78[0-9])
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][13679] | hp8[0-9][13679])
 		basic_machine=hppa1.1-hp
 		;;
 	hp9k8[0-9][0-9] | hp8[0-9][0-9])
@@ -346,9 +473,16 @@ case $basic_machine in
 	hppa-next)
 		os=-nextstep3
 		;;
+	hppaosf)
+		basic_machine=hppa1.1-hp
+		os=-osf
+		;;
+	hppro)
+		basic_machine=hppa1.1-hp
+		os=-proelf
+		;;
 	i370-ibm* | ibm*)
 		basic_machine=i370-ibm
-		os=-mvs
 		;;
 # I'm not sure what "Sysv32" means.  Should this be sysv3.2?
 	i[34567]86v32)
@@ -367,6 +501,26 @@ case $basic_machine in
 		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
 		os=-solaris2
 		;;
+	i386mach)
+		basic_machine=i386-mach
+		os=-mach
+		;;
+	i386-vsta | vsta)
+		basic_machine=i386-unknown
+		os=-vsta
+		;;
+	i386-go32 | go32)
+		basic_machine=i386-unknown
+		os=-go32
+		;;
+	i386-mingw32 | mingw32)
+		basic_machine=i386-unknown
+		os=-mingw32
+		;;
+	i[34567]86-pw32 | pw32)
+		basic_machine=i586-unknown
+		os=-pw32
+		;;
 	iris | iris4d)
 		basic_machine=mips-sgi
 		case $os in
@@ -395,6 +549,10 @@ case $basic_machine in
 	miniframe)
 		basic_machine=m68000-convergent
 		;;
+	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
 	mipsel*-linux*)
 		basic_machine=mipsel-unknown
 		os=-linux-gnu
@@ -409,10 +567,34 @@ case $basic_machine in
 	mips3*)
 		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
 		;;
+	mmix*)
+		basic_machine=mmix-knuth
+		os=-mmixware
+		;;
+	monitor)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	msdos)
+		basic_machine=i386-unknown
+		os=-msdos
+		;;
+	mvs)
+		basic_machine=i370-ibm
+		os=-mvs
+		;;
 	ncr3000)
 		basic_machine=i486-ncr
 		os=-sysv4
 		;;
+	netbsd386)
+		basic_machine=i386-unknown
+		os=-netbsd
+		;;
+	netwinder)
+		basic_machine=armv4l-rebel
+		os=-linux
+		;;
 	news | news700 | news800 | news900)
 		basic_machine=m68k-sony
 		os=-newsos
@@ -425,6 +607,10 @@ case $basic_machine in
 		basic_machine=mips-sony
 		os=-newsos
 		;;
+	necv70)
+		basic_machine=v70-nec
+		os=-sysv
+		;;
 	next | m*-next )
 		basic_machine=m68k-next
 		case $os in
@@ -450,9 +636,28 @@ case $basic_machine in
 		basic_machine=i960-intel
 		os=-nindy
 		;;
+	mon960)
+		basic_machine=i960-intel
+		os=-mon960
+		;;
 	np1)
 		basic_machine=np1-gould
 		;;
+	nsr-tandem)
+		basic_machine=nsr-tandem
+		;;
+	op50n-* | op60c-*)
+		basic_machine=hppa1.1-oki
+		os=-proelf
+		;;
+	OSE68000 | ose68000)
+		basic_machine=m68000-ericsson
+		os=-ose
+		;;
+	os68k)
+		basic_machine=m68k-none
+		os=-os68k
+		;;
 	pa-hitachi)
 		basic_machine=hppa1.1-hitachi
 		os=-hiuxwe2
@@ -470,19 +675,19 @@ case $basic_machine in
         pc532 | pc532-*)
 		basic_machine=ns32k-pc532
 		;;
-	pentium | p5 | k5 | nexen)
+	pentium | p5 | k5 | k6 | nexen)
 		basic_machine=i586-pc
 		;;
-	pentiumpro | p6 | k6 | 6x86)
+	pentiumpro | p6 | 6x86 | athlon)
 		basic_machine=i686-pc
 		;;
 	pentiumii | pentium2)
 		basic_machine=i786-pc
 		;;
-	pentium-* | p5-* | k5-* | nexen-*)
+	pentium-* | p5-* | k5-* | k6-* | nexen-*)
 		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
 		;;
-	pentiumpro-* | p6-* | k6-* | 6x86-*)
+	pentiumpro-* | p6-* | 6x86-* | athlon-*)
 		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
 		;;
 	pentiumii-* | pentium2-*)
@@ -506,12 +711,20 @@ case $basic_machine in
 	ps2)
 		basic_machine=i386-ibm
 		;;
+	rom68k)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
 	rm[46]00)
 		basic_machine=mips-siemens
 		;;
 	rtpc | rtpc-*)
 		basic_machine=romp-ibm
 		;;
+	sa29200)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
 	sequent)
 		basic_machine=i386-sequent
 		;;
@@ -519,6 +732,10 @@ case $basic_machine in
 		basic_machine=sh-hitachi
 		os=-hms
 		;;
+	sparclite-wrs)
+		basic_machine=sparclite-wrs
+		os=-vxworks
+		;;
 	sps7)
 		basic_machine=m68k-bull
 		os=-sysv2
@@ -526,6 +743,13 @@ case $basic_machine in
 	spur)
 		basic_machine=spur-unknown
 		;;
+	st2000)
+		basic_machine=m68k-tandem
+		;;
+	stratus)
+		basic_machine=i860-stratus
+		os=-sysv4
+		;;
 	sun2)
 		basic_machine=m68000-sun
 		;;
@@ -566,10 +790,22 @@ case $basic_machine in
 	sun386 | sun386i | roadrunner)
 		basic_machine=i386-sun
 		;;
+	sv1)
+		basic_machine=sv1-cray
+		os=-unicos
+		;;
 	symmetry)
 		basic_machine=i386-sequent
 		os=-dynix
 		;;
+	t3e)
+		basic_machine=t3e-cray
+		os=-unicos
+		;;
+	tic54x | c54x*)
+		basic_machine=tic54x-unknown
+		os=-coff
+		;;
 	tx39)
 		basic_machine=mipstx39-unknown
 		;;
@@ -587,6 +823,10 @@ case $basic_machine in
 		basic_machine=a29k-nyu
 		os=-sym1
 		;;
+	v810 | necv810)
+		basic_machine=v810-nec
+		os=-none
+		;;
 	vaxv)
 		basic_machine=vax-dec
 		os=-sysv
@@ -610,6 +850,14 @@ case $basic_machine in
 		basic_machine=a29k-wrs
 		os=-vxworks
 		;;
+	w65*)
+		basic_machine=w65-wdc
+		os=-none
+		;;
+	w89k-*)
+		basic_machine=hppa1.1-winbond
+		os=-proelf
+		;;
 	xmp)
 		basic_machine=xmp-cray
 		os=-unicos
@@ -617,6 +865,10 @@ case $basic_machine in
         xps | xps100)
 		basic_machine=xps100-honeywell
 		;;
+	z8k-*-coff)
+		basic_machine=z8k-unknown
+		os=-sim
+		;;
 	none)
 		basic_machine=none-none
 		os=-none
@@ -624,6 +876,15 @@ case $basic_machine in
 
 # Here we handle the default manufacturer of certain CPU types.  It is in
 # some cases the only manufacturer, in others, it is the most popular.
+	w89k)
+		basic_machine=hppa1.1-winbond
+		;;
+	op50n)
+		basic_machine=hppa1.1-oki
+		;;
+	op60c)
+		basic_machine=hppa1.1-oki
+		;;
 	mips)
 		if [ x$os = x-linux-gnu ]; then
 			basic_machine=mips-unknown
@@ -646,7 +907,10 @@ case $basic_machine in
 	we32k)
 		basic_machine=we32k-att
 		;;
-	sparc)
+	sh3 | sh4)
+		base_machine=sh-unknown
+		;;
+	sparc | sparcv9)
 		basic_machine=sparc-sun
 		;;
         cydra)
@@ -658,6 +922,16 @@ case $basic_machine in
 	orion105)
 		basic_machine=clipper-highlevel
 		;;
+	mac | mpw | mac-mpw)
+		basic_machine=m68k-apple
+		;;
+	pmac | pmac-mpw)
+		basic_machine=powerpc-apple
+		;;
+	c4x*)
+		basic_machine=c4x-none
+		os=-coff
+		;;
 	*)
 		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
 		exit 1
@@ -711,14 +985,34 @@ case $os in
 	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
 	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
 	      | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \
-	      | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* \
+	      | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
 	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
 	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -rhapsody* \
-	      | -openstep*)
+	      | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
+	      | -interix* | -uwin* | -rhapsody* | -darwin* | -opened* \
+	      | -openstep* | -oskit* | -conix* | -pw32*)
 	# Remember, each alternative MUST END IN *, to match a version number.
 		;;
+	-qnx*)
+		case $basic_machine in
+		    x86-* | i[34567]86-*)
+			;;
+		    *)
+			os=-nto$os
+			;;
+		esac
+		;;
+	-nto*)
+		os=-nto-qnx
+		;;
+	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
+	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+		;;
+	-mac*)
+		os=`echo $os | sed -e 's|mac|macos|'`
+		;;
 	-linux*)
 		os=`echo $os | sed -e 's|linux|linux-gnu|'`
 		;;
@@ -728,6 +1022,12 @@ case $os in
 	-sunos6*)
 		os=`echo $os | sed -e 's|sunos6|solaris3|'`
 		;;
+	-opened*)
+		os=-openedition
+		;;
+	-wince*)
+		os=-wince
+		;;
 	-osfrose*)
 		os=-osfrose
 		;;
@@ -743,12 +1043,18 @@ case $os in
 	-acis*)
 		os=-aos
 		;;
+	-386bsd)
+		os=-bsd
+		;;
 	-ctix* | -uts*)
 		os=-sysv
 		;;
 	-ns2 )
 	        os=-nextstep2
 		;;
+	-nsk*)
+		os=-nsk
+		;;
 	# Preserve the version number of sinix5.
 	-sinix5.*)
 		os=`echo $os | sed -e 's|sinix|sysv|'`
@@ -774,9 +1080,18 @@ case $os in
 	# This must come after -sysvr4.
 	-sysv*)
 		;;
+	-ose*)
+		os=-ose
+		;;
+	-es1800*)
+		os=-ose
+		;;
 	-xenix)
 		os=-xenix
 		;;
+        -*mint | -*MiNT)
+	        os=-mint
+		;;
 	-none)
 		;;
 	*)
@@ -802,6 +1117,9 @@ case $basic_machine in
 	*-acorn)
 		os=-riscix1.2
 		;;
+	arm*-rebel)
+		os=-linux
+		;;
 	arm*-semi)
 		os=-aout
 		;;
@@ -823,6 +1141,15 @@ case $basic_machine in
 		# default.
 		# os=-sunos4
 		;;
+	m68*-cisco)
+		os=-aout
+		;;
+	mips*-cisco)
+		os=-elf
+		;;
+	mips*-*)
+		os=-elf
+		;;
 	*-tti)	# must be before sparc entry or we get the wrong os.
 		os=-sysv3
 		;;
@@ -835,6 +1162,15 @@ case $basic_machine in
 	*-ibm)
 		os=-aix
 		;;
+	*-wec)
+		os=-proelf
+		;;
+	*-winbond)
+		os=-proelf
+		;;
+	*-oki)
+		os=-proelf
+		;;
 	*-hp)
 		os=-hpux
 		;;
@@ -898,6 +1234,18 @@ case $basic_machine in
 	f301-fujitsu)
 		os=-uxpv
 		;;
+	*-rom68k)
+		os=-coff
+		;;
+	*-*bug)
+		os=-coff
+		;;
+	*-apple)
+		os=-macos
+		;;
+	*-atari*)
+		os=-mint
+		;;
 	*)
 		os=-none
 		;;
@@ -919,9 +1267,15 @@ case $basic_machine in
 			-aix*)
 				vendor=ibm
 				;;
+			-beos*)
+				vendor=be
+				;;
 			-hpux*)
 				vendor=hp
 				;;
+			-mpeix*)
+				vendor=hp
+				;;
 			-hiux*)
 				vendor=hitachi
 				;;
@@ -937,7 +1291,7 @@ case $basic_machine in
 			-genix*)
 				vendor=ns
 				;;
-			-mvs*)
+			-mvs* | -opened*)
 				vendor=ibm
 				;;
 			-ptx*)
@@ -949,9 +1303,26 @@ case $basic_machine in
 			-aux*)
 				vendor=apple
 				;;
+			-hms*)
+				vendor=hitachi
+				;;
+			-mpw* | -macos*)
+				vendor=apple
+				;;
+			-*mint | -*MiNT)
+				vendor=atari
+				;;
 		esac
 		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
 		;;
 esac
 
 echo $basic_machine$os
+exit 0
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "version='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/crypto/heimdal/configure b/crypto/heimdal/configure
index 24e63e1..31b792f 100755
--- a/crypto/heimdal/configure
+++ b/crypto/heimdal/configure
@@ -1,242 +1,214 @@
 #! /bin/sh
-
-# From configure.in Revision: 1.218 
-
-
-
-
-
-# Like AC_CONFIG_HEADER, but automatically create stamp file.
-
-
-
-# Do all the work for Automake.  This macro actually does too much --
-# some checks are only needed if your package does certain things.
-# But this isn't really a big deal.
-
-# serial 1
-
-
-
-
+# From configure.in Revision: 1.270 .
+# Guess values for system-dependent variables and create Makefiles.
+# Generated by Autoconf 2.49d for heimdal 0.3e.
 #
-# Check to make sure that the build environment is sane.
+# Report bugs to <heimdal-bugs@pdc.kth.se>.
 #
+# Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
 
+# Be Bourne compatible
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
+  set -o posix
+fi
 
+if expr a : '\(a\)' >/dev/null 2>&1; then
+  as_expr=expr
+else
+  as_expr=false
+fi
 
+rm -f conftest conftest.exe conftest.file
+echo >conftest.file
+if ln -s conftest.file conftest 2>/dev/null; then
+  # We could just check for DJGPP; but this test a) works b) is more generic
+  # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
+  if test -f conftest.exe; then
+    # Don't use ln at all; we don't have any links
+    as_ln_s='cp -p'
+  else
+    as_ln_s='ln -s'
+  fi
+elif ln conftest.file conftest 2>/dev/null; then
+  as_ln_s=ln
+else
+  as_ln_s='cp -p'
+fi
+rm -f conftest conftest.exe conftest.file
 
+# Find out how to test for executable files. Don't use a zero-byte file,
+# as systems may use methods other than mode bits to determine executability.
+cat >conftest.file <<_ASEOF
+#! /bin/sh
+exit 0
+_ASEOF
+chmod +x conftest.file
+if test -x conftest.file >/dev/null 2>&1; then
+  as_executable_p="test -x"
+elif test -f conftest.file >/dev/null 2>&1; then
+  as_executable_p="test -f"
+else
+  { { echo "$as_me:57: error: cannot check whether a file is executable on this system" >&5
+echo "$as_me: error: cannot check whether a file is executable on this system" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+rm -f conftest.file
 
+# Support unset when possible.
+if (FOO=FOO; unset FOO) >/dev/null 2>&1; then
+  as_unset=unset
+else
+  as_unset=false
+fi
 
+# NLS nuisances.
+$as_unset LANG || test "${LANG+set}" != set || { LANG=C; export LANG; }
+$as_unset LC_ALL || test "${LC_ALL+set}" != set || { LC_ALL=C; export LC_ALL; }
+$as_unset LC_TIME || test "${LC_TIME+set}" != set || { LC_TIME=C; export LC_TIME; }
+$as_unset LC_CTYPE || test "${LC_CTYPE+set}" != set || { LC_CTYPE=C; export LC_CTYPE; }
+$as_unset LANGUAGE || test "${LANGUAGE+set}" != set || { LANGUAGE=C; export LANGUAGE; }
+$as_unset LC_COLLATE || test "${LC_COLLATE+set}" != set || { LC_COLLATE=C; export LC_COLLATE; }
+$as_unset LC_NUMERIC || test "${LC_NUMERIC+set}" != set || { LC_NUMERIC=C; export LC_NUMERIC; }
+$as_unset LC_MESSAGES || test "${LC_MESSAGES+set}" != set || { LC_MESSAGES=C; export LC_MESSAGES; }
+
+# IFS
+# We need space, tab and new line, in precisely that order.
+as_nl='
+'
+IFS=" 	$as_nl"
+
+# CDPATH.
+$as_unset CDPATH || test "${CDPATH+set}" != set || { CDPATH=:; export CDPATH; }
+
+# Name of the host.
+# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
+# so uname gets run too.
+ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
+
+# Name of the executable.
+as_me=`echo "$0" | sed 's,.*/,,'`
+
+cat >config.log <<EOF
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
 
+It was created by $as_me (heimdal 0.3e) 2.49d, executed with
+ > $0 $@
 
+EOF
+{
+cat <<_ASUNAME
+## ---------- ##
+## Platform.  ##
+## ---------- ##
 
+hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
 
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null     || echo unknown`
 
+/bin/arch              = `(/bin/arch) 2>/dev/null              || echo unknown`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null       || echo unknown`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
+hostinfo               = `(hostinfo) 2>/dev/null               || echo unknown`
+/bin/machine           = `(/bin/machine) 2>/dev/null           || echo unknown`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
+/bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`
 
+PATH = $PATH
 
+_ASUNAME
+} >>config.log
 
+cat >>config.log <<EOF
+## ------------ ##
+## Core tests.  ##
+## ------------ ##
 
+EOF
 
+# File descriptor usage:
+# 0 standard input
+# 1 file creation
+# 2 errors and warnings
+# 5 compiler messages saved in config.log
+# 6 checking for... messages and results
+exec 5>>config.log
+exec 6>&1
 
+#
+# Initializations.
+#
+ac_default_prefix=/usr/local
+cross_compiling=no
+subdirs=
+MFLAGS= MAKEFLAGS=
+SHELL=${CONFIG_SHELL-/bin/sh}
 
+# Maximum number of lines to put in a shell here document.
+# This variable seems obsolete.  It should probably be removed, and
+# only ac_max_sed_lines should be used.
+: ${ac_max_here_lines=38}
 
+# Avoid depending upon Character Ranges.
+ac_cr_az='abcdefghijklmnopqrstuvwxyz'
+ac_cr_AZ='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+ac_cr_09='0123456789'
+ac_cr_alnum=$ac_cr_az$ac_cr_AZ$ac_cr_09
 
+# Sed expression to map a string onto a valid sh and CPP variable names.
+ac_tr_sh="sed y%*+%pp%;s%[^_$ac_cr_alnum]%_%g"
+ac_tr_cpp="sed y%*$ac_cr_az%P$ac_cr_AZ%;s%[^_$ac_cr_alnum]%_%g"
 
-# serial 25 AM_PROG_LIBTOOL
-
-
-# AM_ENABLE_SHARED - implement the --enable-shared flag
-# Usage: AM_ENABLE_SHARED[(DEFAULT)]
-#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
-#   `yes'.
-
-
-# AM_DISABLE_SHARED - set the default shared flag to --disable-shared
-
-
-# AM_DISABLE_STATIC - set the default static flag to --disable-static
-
-
-# AM_ENABLE_STATIC - implement the --enable-static flag
-# Usage: AM_ENABLE_STATIC[(DEFAULT)]
-#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
-#   `yes'.
-
-
-
-# AM_PROG_LD - find the path to the GNU or non-GNU linker
-
-
-
-
-# AM_PROG_NM - find the path to a BSD-compatible name lister
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-# Define a conditional.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-# Guess values for system-dependent variables and create Makefiles.
-# Generated automatically using autoconf version 2.13 
-# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc.
-#
-# This configure script is free software; the Free Software Foundation
-# gives unlimited permission to copy, distribute and modify it.
-
-# Defaults:
-ac_help=
-ac_default_prefix=/usr/local
-# Any additions from configure.in:
 ac_default_prefix=/usr/heimdal
-ac_help="$ac_help
-  --with-mips-abi=abi     ABI to use for IRIX (32, n32, or 64)"
-ac_help="$ac_help
-  --enable-shared[=PKGS]  build shared libraries [default=no]"
-ac_help="$ac_help
-  --enable-static[=PKGS]  build static libraries [default=yes]"
-ac_help="$ac_help
-  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]"
-ac_help="$ac_help
-  --without-berkeley-db   if you don't want berkeley db"
-ac_help="$ac_help
-  --with-krb4=dir                use krb4 in dir"
-ac_help="$ac_help
-  --with-krb4-lib=dir            use krb4 libraries in dir"
-ac_help="$ac_help
-  --with-krb4-include=dir        use krb4 headers in dir"
-ac_help="$ac_help
-  --enable-kaserver	  if you want the KDC to try to emulate a kaserver"
-ac_help="$ac_help
-  --enable-kaserver-db	  if you want support for reading kaserver databases in hprop"
-ac_help="$ac_help
-  --disable-otp          if you don't want OTP support"
-ac_help="$ac_help
-  --enable-osfc2          enable some OSF C2 support"
-ac_help="$ac_help
-  --with-readline=dir                use readline in dir"
-ac_help="$ac_help
-  --with-readline-lib=dir            use readline libraries in dir"
-ac_help="$ac_help
-  --with-readline-include=dir        use readline headers in dir"
-ac_help="$ac_help
-  --with-hesiod=dir                use hesiod in dir"
-ac_help="$ac_help
-  --with-hesiod-lib=dir            use hesiod libraries in dir"
-ac_help="$ac_help
-  --with-hesiod-include=dir        use hesiod headers in dir"
-ac_help="$ac_help
-  --enable-bigendian	the target is big endian"
-ac_help="$ac_help
-  --enable-littleendian	the target is little endian"
-ac_help="$ac_help
-  --with-x                use the X Window System"
-ac_help="$ac_help
-  --enable-netinfo      enable netinfo for configuration lookup"
-ac_help="$ac_help
-  --without-ipv6	do not enable IPv6 support"
+# Factoring default headers for most tests.
+ac_includes_default="\
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#if STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# if HAVE_STDLIB_H
+#  include <stdlib.h>
+# endif
+#endif
+#if HAVE_STRING_H
+# if !STDC_HEADERS && HAVE_MEMORY_H
+#  include <memory.h>
+# endif
+# include <string.h>
+#else
+# if HAVE_STRINGS_H
+#  include <strings.h>
+# endif
+#endif
+#if HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
+#if HAVE_UNISTD_H
+# include <unistd.h>
+#endif"
 
 # Initialize some variables set by options.
+ac_init_help=
+ac_init_version=false
 # The variables have the same names as the options, with
 # dashes changed to underlines.
-build=NONE
-cache_file=./config.cache
+cache_file=/dev/null
 exec_prefix=NONE
-host=NONE
 no_create=
-nonopt=NONE
 no_recursion=
 prefix=NONE
 program_prefix=NONE
@@ -245,10 +217,15 @@ program_transform_name=s,x,x,
 silent=
 site=
 srcdir=
-target=NONE
 verbose=
 x_includes=NONE
 x_libraries=NONE
+
+# Installation directory options.
+# These are left unexpanded so users can "make install exec_prefix=/foo"
+# and all the variables that are supposed to be based on exec_prefix
+# by default will actually change.
+# Use braces instead of parens because sh, perl, etc. also accept them.
 bindir='${exec_prefix}/bin'
 sbindir='${exec_prefix}/sbin'
 libexecdir='${exec_prefix}/libexec'
@@ -262,17 +239,16 @@ oldincludedir='/usr/include'
 infodir='${prefix}/info'
 mandir='${prefix}/man'
 
-# Initialize some other variables.
-subdirs=
-MFLAGS= MAKEFLAGS=
-SHELL=${CONFIG_SHELL-/bin/sh}
-# Maximum number of lines to put in a shell here document.
-ac_max_here_lines=12
+# Identity of this package.
+PACKAGE_NAME='heimdal'
+PACKAGE_TARNAME='heimdal'
+PACKAGE_VERSION='0.3e'
+PACKAGE_STRING='heimdal 0.3e'
+PACKAGE_BUGREPORT='heimdal-bugs@pdc.kth.se'
 
 ac_prev=
 for ac_option
 do
-
   # If the previous option needs an argument, assign it.
   if test -n "$ac_prev"; then
     eval "$ac_prev=\$ac_option"
@@ -280,59 +256,61 @@ do
     continue
   fi
 
-  case "$ac_option" in
-  -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) ac_optarg= ;;
-  esac
+  ac_optarg=`expr "x$ac_option" : 'x[^=]*=\(.*\)'`
 
   # Accept the important Cygnus configure options, so we can diagnose typos.
 
-  case "$ac_option" in
+  case $ac_option in
 
   -bindir | --bindir | --bindi | --bind | --bin | --bi)
     ac_prev=bindir ;;
   -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
-    bindir="$ac_optarg" ;;
+    bindir=$ac_optarg ;;
 
   -build | --build | --buil | --bui | --bu)
-    ac_prev=build ;;
+    ac_prev=build_alias ;;
   -build=* | --build=* | --buil=* | --bui=* | --bu=*)
-    build="$ac_optarg" ;;
+    build_alias=$ac_optarg ;;
 
   -cache-file | --cache-file | --cache-fil | --cache-fi \
   | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
     ac_prev=cache_file ;;
   -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
   | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
-    cache_file="$ac_optarg" ;;
+    cache_file=$ac_optarg ;;
+
+  --config-cache | -C)
+    cache_file=config.cache ;;
 
   -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
     ac_prev=datadir ;;
   -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
   | --da=*)
-    datadir="$ac_optarg" ;;
+    datadir=$ac_optarg ;;
 
   -disable-* | --disable-*)
-    ac_feature=`echo $ac_option|sed -e 's/-*disable-//'`
+    ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
     # Reject names that are not valid shell variable names.
-    if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then
-      { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
-    fi
-    ac_feature=`echo $ac_feature| sed 's/-/_/g'`
-    eval "enable_${ac_feature}=no" ;;
+    expr "x$ac_feature" : ".*[^-_$ac_cr_alnum]" >/dev/null &&
+      { { echo "$as_me:295: error: invalid feature name: $ac_feature" >&5
+echo "$as_me: error: invalid feature name: $ac_feature" >&2;}
+   { (exit 1); exit 1; }; }
+    ac_feature=`echo $ac_feature | sed 's/-/_/g'`
+    eval "enable_$ac_feature=no" ;;
 
   -enable-* | --enable-*)
-    ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'`
+    ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
-    if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then
-      { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
-    fi
-    ac_feature=`echo $ac_feature| sed 's/-/_/g'`
-    case "$ac_option" in
-      *=*) ;;
+    expr "x$ac_feature" : ".*[^-_$ac_cr_alnum]" >/dev/null &&
+      { { echo "$as_me:305: error: invalid feature name: $ac_feature" >&5
+echo "$as_me: error: invalid feature name: $ac_feature" >&2;}
+   { (exit 1); exit 1; }; }
+    ac_feature=`echo $ac_feature | sed 's/-/_/g'`
+    case $ac_option in
+      *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
       *) ac_optarg=yes ;;
     esac
-    eval "enable_${ac_feature}='$ac_optarg'" ;;
+    eval "enable_$ac_feature='$ac_optarg'" ;;
 
   -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
   | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
@@ -341,95 +319,47 @@ do
   -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
   | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
   | --exec=* | --exe=* | --ex=*)
-    exec_prefix="$ac_optarg" ;;
+    exec_prefix=$ac_optarg ;;
 
   -gas | --gas | --ga | --g)
     # Obsolete; use --with-gas.
     with_gas=yes ;;
 
-  -help | --help | --hel | --he)
-    # Omit some internal or obsolete options to make the list less imposing.
-    # This message is too long to be a string in the A/UX 3.1 sh.
-    cat << EOF
-Usage: configure [options] [host]
-Options: [defaults in brackets after descriptions]
-Configuration:
-  --cache-file=FILE       cache test results in FILE
-  --help                  print this message
-  --no-create             do not create output files
-  --quiet, --silent       do not print \`checking...' messages
-  --version               print the version of autoconf that created configure
-Directory and file names:
-  --prefix=PREFIX         install architecture-independent files in PREFIX
-                          [$ac_default_prefix]
-  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
-                          [same as prefix]
-  --bindir=DIR            user executables in DIR [EPREFIX/bin]
-  --sbindir=DIR           system admin executables in DIR [EPREFIX/sbin]
-  --libexecdir=DIR        program executables in DIR [EPREFIX/libexec]
-  --datadir=DIR           read-only architecture-independent data in DIR
-                          [PREFIX/share]
-  --sysconfdir=DIR        read-only single-machine data in DIR [PREFIX/etc]
-  --sharedstatedir=DIR    modifiable architecture-independent data in DIR
-                          [PREFIX/com]
-  --localstatedir=DIR     modifiable single-machine data in DIR [PREFIX/var]
-  --libdir=DIR            object code libraries in DIR [EPREFIX/lib]
-  --includedir=DIR        C header files in DIR [PREFIX/include]
-  --oldincludedir=DIR     C header files for non-gcc in DIR [/usr/include]
-  --infodir=DIR           info documentation in DIR [PREFIX/info]
-  --mandir=DIR            man documentation in DIR [PREFIX/man]
-  --srcdir=DIR            find the sources in DIR [configure dir or ..]
-  --program-prefix=PREFIX prepend PREFIX to installed program names
-  --program-suffix=SUFFIX append SUFFIX to installed program names
-  --program-transform-name=PROGRAM
-                          run sed PROGRAM on installed program names
-EOF
-    cat << EOF
-Host type:
-  --build=BUILD           configure for building on BUILD [BUILD=HOST]
-  --host=HOST             configure for HOST [guessed]
-  --target=TARGET         configure for TARGET [TARGET=HOST]
-Features and packages:
-  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
-  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
-  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
-  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
-  --x-includes=DIR        X include files are in DIR
-  --x-libraries=DIR       X library files are in DIR
-EOF
-    if test -n "$ac_help"; then
-      echo "--enable and --with options recognized:$ac_help"
-    fi
-    exit 0 ;;
+  -help | --help | --hel | --he | -h)
+    ac_init_help=long ;;
+  -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
+    ac_init_help=recursive ;;
+  -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
+    ac_init_help=short ;;
 
   -host | --host | --hos | --ho)
-    ac_prev=host ;;
+    ac_prev=host_alias ;;
   -host=* | --host=* | --hos=* | --ho=*)
-    host="$ac_optarg" ;;
+    host_alias=$ac_optarg ;;
 
   -includedir | --includedir | --includedi | --included | --include \
   | --includ | --inclu | --incl | --inc)
     ac_prev=includedir ;;
   -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
   | --includ=* | --inclu=* | --incl=* | --inc=*)
-    includedir="$ac_optarg" ;;
+    includedir=$ac_optarg ;;
 
   -infodir | --infodir | --infodi | --infod | --info | --inf)
     ac_prev=infodir ;;
   -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
-    infodir="$ac_optarg" ;;
+    infodir=$ac_optarg ;;
 
   -libdir | --libdir | --libdi | --libd)
     ac_prev=libdir ;;
   -libdir=* | --libdir=* | --libdi=* | --libd=*)
-    libdir="$ac_optarg" ;;
+    libdir=$ac_optarg ;;
 
   -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
   | --libexe | --libex | --libe)
     ac_prev=libexecdir ;;
   -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
   | --libexe=* | --libex=* | --libe=*)
-    libexecdir="$ac_optarg" ;;
+    libexecdir=$ac_optarg ;;
 
   -localstatedir | --localstatedir | --localstatedi | --localstated \
   | --localstate | --localstat | --localsta | --localst \
@@ -438,12 +368,12 @@ EOF
   -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
   | --localstate=* | --localstat=* | --localsta=* | --localst=* \
   | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
-    localstatedir="$ac_optarg" ;;
+    localstatedir=$ac_optarg ;;
 
   -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
     ac_prev=mandir ;;
   -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
-    mandir="$ac_optarg" ;;
+    mandir=$ac_optarg ;;
 
   -nfp | --nfp | --nf)
     # Obsolete; use --without-fp.
@@ -464,26 +394,26 @@ EOF
   -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
   | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
   | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
-    oldincludedir="$ac_optarg" ;;
+    oldincludedir=$ac_optarg ;;
 
   -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
     ac_prev=prefix ;;
   -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
-    prefix="$ac_optarg" ;;
+    prefix=$ac_optarg ;;
 
   -program-prefix | --program-prefix | --program-prefi | --program-pref \
   | --program-pre | --program-pr | --program-p)
     ac_prev=program_prefix ;;
   -program-prefix=* | --program-prefix=* | --program-prefi=* \
   | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
-    program_prefix="$ac_optarg" ;;
+    program_prefix=$ac_optarg ;;
 
   -program-suffix | --program-suffix | --program-suffi | --program-suff \
   | --program-suf | --program-su | --program-s)
     ac_prev=program_suffix ;;
   -program-suffix=* | --program-suffix=* | --program-suffi=* \
   | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
-    program_suffix="$ac_optarg" ;;
+    program_suffix=$ac_optarg ;;
 
   -program-transform-name | --program-transform-name \
   | --program-transform-nam | --program-transform-na \
@@ -500,7 +430,7 @@ EOF
   | --program-transfo=* | --program-transf=* \
   | --program-trans=* | --program-tran=* \
   | --progr-tra=* | --program-tr=* | --program-t=*)
-    program_transform_name="$ac_optarg" ;;
+    program_transform_name=$ac_optarg ;;
 
   -q | -quiet | --quiet | --quie | --qui | --qu | --q \
   | -silent | --silent | --silen | --sile | --sil)
@@ -510,7 +440,7 @@ EOF
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
   | --sbi=* | --sb=*)
-    sbindir="$ac_optarg" ;;
+    sbindir=$ac_optarg ;;
 
   -sharedstatedir | --sharedstatedir | --sharedstatedi \
   | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
@@ -521,58 +451,59 @@ EOF
   | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
   | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
   | --sha=* | --sh=*)
-    sharedstatedir="$ac_optarg" ;;
+    sharedstatedir=$ac_optarg ;;
 
   -site | --site | --sit)
     ac_prev=site ;;
   -site=* | --site=* | --sit=*)
-    site="$ac_optarg" ;;
+    site=$ac_optarg ;;
 
   -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
     ac_prev=srcdir ;;
   -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
-    srcdir="$ac_optarg" ;;
+    srcdir=$ac_optarg ;;
 
   -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
   | --syscon | --sysco | --sysc | --sys | --sy)
     ac_prev=sysconfdir ;;
   -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
   | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
-    sysconfdir="$ac_optarg" ;;
+    sysconfdir=$ac_optarg ;;
 
   -target | --target | --targe | --targ | --tar | --ta | --t)
-    ac_prev=target ;;
+    ac_prev=target_alias ;;
   -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
-    target="$ac_optarg" ;;
+    target_alias=$ac_optarg ;;
 
   -v | -verbose | --verbose | --verbos | --verbo | --verb)
     verbose=yes ;;
 
-  -version | --version | --versio | --versi | --vers)
-    echo "configure generated by autoconf version 2.13"
-    exit 0 ;;
+  -version | --version | --versio | --versi | --vers | -V)
+    ac_init_version=: ;;
 
   -with-* | --with-*)
-    ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'`
+    ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
-    if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then
-      { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
-    fi
+    expr "x$ac_package" : ".*[^-_$ac_cr_alnum]" >/dev/null &&
+      { { echo "$as_me:488: error: invalid package name: $ac_package" >&5
+echo "$as_me: error: invalid package name: $ac_package" >&2;}
+   { (exit 1); exit 1; }; }
     ac_package=`echo $ac_package| sed 's/-/_/g'`
-    case "$ac_option" in
-      *=*) ;;
+    case $ac_option in
+      *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
       *) ac_optarg=yes ;;
     esac
-    eval "with_${ac_package}='$ac_optarg'" ;;
+    eval "with_$ac_package='$ac_optarg'" ;;
 
   -without-* | --without-*)
-    ac_package=`echo $ac_option|sed -e 's/-*without-//'`
+    ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
     # Reject names that are not valid shell variable names.
-    if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then
-      { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
-    fi
-    ac_package=`echo $ac_package| sed 's/-/_/g'`
-    eval "with_${ac_package}=no" ;;
+    expr "x$ac_package" : ".*[^-_$ac_cr_alnum]" >/dev/null &&
+      { { echo "$as_me:502: error: invalid package name: $ac_package" >&5
+echo "$as_me: error: invalid package name: $ac_package" >&2;}
+   { (exit 1); exit 1; }; }
+    ac_package=`echo $ac_package | sed 's/-/_/g'`
+    eval "with_$ac_package=no" ;;
 
   --x)
     # Obsolete; use --with-x.
@@ -583,98 +514,98 @@ EOF
     ac_prev=x_includes ;;
   -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
   | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
-    x_includes="$ac_optarg" ;;
+    x_includes=$ac_optarg ;;
 
   -x-libraries | --x-libraries | --x-librarie | --x-librari \
   | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
     ac_prev=x_libraries ;;
   -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
   | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
-    x_libraries="$ac_optarg" ;;
+    x_libraries=$ac_optarg ;;
 
-  -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; }
+  -*) { { echo "$as_me:526: error: unrecognized option: $ac_option
+Try \`$0 --help' for more information." >&5
+echo "$as_me: error: unrecognized option: $ac_option
+Try \`$0 --help' for more information." >&2;}
+   { (exit 1); exit 1; }; }
     ;;
 
+  *=*)
+    ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_envvar" : ".*[^_$ac_cr_alnum]" >/dev/null &&
+      { { echo "$as_me:537: error: invalid variable name: $ac_envvar" >&5
+echo "$as_me: error: invalid variable name: $ac_envvar" >&2;}
+   { (exit 1); exit 1; }; }
+    ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`
+    eval "$ac_envvar='$ac_optarg'"
+    export $ac_envvar ;;
+
   *)
-    if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then
-      echo "configure: warning: $ac_option: invalid host type" 1>&2
-    fi
-    if test "x$nonopt" != xNONE; then
-      { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; }
-    fi
-    nonopt="$ac_option"
+    # FIXME: should be removed in autoconf 3.0.
+    { echo "$as_me:546: WARNING: you should use --build, --host, --target" >&5
+echo "$as_me: WARNING: you should use --build, --host, --target" >&2;}
+    expr "x$ac_option" : ".*[^-._$ac_cr_alnum]" >/dev/null &&
+      { echo "$as_me:549: WARNING: invalid host type: $ac_option" >&5
+echo "$as_me: WARNING: invalid host type: $ac_option" >&2;}
+    : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
     ;;
 
   esac
 done
 
 if test -n "$ac_prev"; then
-  { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; }
-fi
-
-trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
-
-# File descriptor usage:
-# 0 standard input
-# 1 file creation
-# 2 errors and warnings
-# 3 some systems may open it to /dev/tty
-# 4 used on the Kubota Titan
-# 6 checking for... messages and results
-# 5 compiler messages saved in config.log
-if test "$silent" = yes; then
-  exec 6>/dev/null
-else
-  exec 6>&1
+  ac_option=--`echo $ac_prev | sed 's/_/-/g'`
+  { { echo "$as_me:559: error: missing argument to $ac_option" >&5
+echo "$as_me: error: missing argument to $ac_option" >&2;}
+   { (exit 1); exit 1; }; }
 fi
-exec 5>./config.log
 
-echo "\
-This file contains any messages produced by compilers while
-running configure, to aid debugging if configure makes a mistake.
-" 1>&5
-
-# Strip out --no-create and --no-recursion so they do not pile up.
-# Also quote any args containing shell metacharacters.
-ac_configure_args=
-for ac_arg
+# Be sure to have absolute paths.
+for ac_var in bindir sbindir libexecdir datadir sysconfdir sharedstatedir \
+              localstatedir libdir includedir oldincludedir infodir mandir \
+              exec_prefix prefix
 do
-  case "$ac_arg" in
-  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
-  | --no-cr | --no-c) ;;
-  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
-  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;;
-  *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*)
-  ac_configure_args="$ac_configure_args '$ac_arg'" ;;
-  *) ac_configure_args="$ac_configure_args $ac_arg" ;;
+  eval ac_val=$`echo $ac_var`
+  case $ac_val in
+    [\\/$]* | ?:[\\/]* ) ;;
+    NONE ) ;;
+    *)  { { echo "$as_me:573: error: expected an absolute path for --$ac_var: $ac_val" >&5
+echo "$as_me: error: expected an absolute path for --$ac_var: $ac_val" >&2;}
+   { (exit 1); exit 1; }; };;
   esac
 done
 
-# NLS nuisances.
-# Only set these to C if already set.  These must not be set unconditionally
-# because not all systems understand e.g. LANG=C (notably SCO).
-# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'!
-# Non-C LC_CTYPE values break the ctype check.
-if test "${LANG+set}"   = set; then LANG=C;   export LANG;   fi
-if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi
-if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi
-if test "${LC_CTYPE+set}"    = set; then LC_CTYPE=C;    export LC_CTYPE;    fi
+# There might be people who depend on the old broken behavior: `$host'
+# used to hold the argument of --host etc.
+build=$build_alias
+host=$host_alias
+target=$target_alias
+
+# FIXME: should be removed in autoconf 3.0.
+if test "x$host_alias" != x; then
+  if test "x$build_alias" = x; then
+    cross_compiling=maybe
+    { echo "$as_me:589: WARNING: If you wanted to set the --build type, don't use --host.
+    If a cross compiler is detected then cross compile mode will be used." >&5
+echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
+    If a cross compiler is detected then cross compile mode will be used." >&2;}
+  elif test "x$build_alias" != "x$host_alias"; then
+    cross_compiling=yes
+  fi
+fi
 
-# confdefs.h avoids OS command line length limits that DEFS can exceed.
-rm -rf conftest* confdefs.h
-# AIX cpp loses on an empty file, so make sure it contains at least a newline.
-echo > confdefs.h
+ac_tool_prefix=
+test -n "$host_alias" && ac_tool_prefix=$host_alias-
 
-# A filename unique to this package, relative to the directory that
-# configure is in, which we can look for to find out if srcdir is correct.
-ac_unique_file=lib/krb5/send_to_kdc.c
+test "$silent" = yes && exec 6>/dev/null
 
 # Find the source files, if location was not specified.
 if test -z "$srcdir"; then
   ac_srcdir_defaulted=yes
   # Try the directory containing this script, then its parent.
   ac_prog=$0
-  ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'`
+  ac_confdir=`echo "$ac_prog" | sed 's%/[^/][^/]*$%%'`
   test "x$ac_confdir" = "x$ac_prog" && ac_confdir=.
   srcdir=$ac_confdir
   if test ! -r $srcdir/$ac_unique_file; then
@@ -685,13 +616,310 @@ else
 fi
 if test ! -r $srcdir/$ac_unique_file; then
   if test "$ac_srcdir_defaulted" = yes; then
-    { echo "configure: error: can not find sources in $ac_confdir or .." 1>&2; exit 1; }
+    { { echo "$as_me:619: error: cannot find sources in $ac_confdir or .." >&5
+echo "$as_me: error: cannot find sources in $ac_confdir or .." >&2;}
+   { (exit 1); exit 1; }; }
   else
-    { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; }
+    { { echo "$as_me:623: error: cannot find sources in $srcdir" >&5
+echo "$as_me: error: cannot find sources in $srcdir" >&2;}
+   { (exit 1); exit 1; }; }
   fi
 fi
-srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'`
+srcdir=`echo "$srcdir" | sed 's%\([^/]\)/*$%\1%'`
+ac_env_build_alias_set=${build_alias+set}
+ac_env_build_alias_value=$build_alias
+ac_cv_env_build_alias_set=${build_alias+set}
+ac_cv_env_build_alias_value=$build_alias
+ac_env_host_alias_set=${host_alias+set}
+ac_env_host_alias_value=$host_alias
+ac_cv_env_host_alias_set=${host_alias+set}
+ac_cv_env_host_alias_value=$host_alias
+ac_env_target_alias_set=${target_alias+set}
+ac_env_target_alias_value=$target_alias
+ac_cv_env_target_alias_set=${target_alias+set}
+ac_cv_env_target_alias_value=$target_alias
+ac_env_CC_set=${CC+set}
+ac_env_CC_value=$CC
+ac_cv_env_CC_set=${CC+set}
+ac_cv_env_CC_value=$CC
+ac_env_CFLAGS_set=${CFLAGS+set}
+ac_env_CFLAGS_value=$CFLAGS
+ac_cv_env_CFLAGS_set=${CFLAGS+set}
+ac_cv_env_CFLAGS_value=$CFLAGS
+ac_env_LDFLAGS_set=${LDFLAGS+set}
+ac_env_LDFLAGS_value=$LDFLAGS
+ac_cv_env_LDFLAGS_set=${LDFLAGS+set}
+ac_cv_env_LDFLAGS_value=$LDFLAGS
+ac_env_CPP_set=${CPP+set}
+ac_env_CPP_value=$CPP
+ac_cv_env_CPP_set=${CPP+set}
+ac_cv_env_CPP_value=$CPP
+ac_env_CPPFLAGS_set=${CPPFLAGS+set}
+ac_env_CPPFLAGS_value=$CPPFLAGS
+ac_cv_env_CPPFLAGS_set=${CPPFLAGS+set}
+ac_cv_env_CPPFLAGS_value=$CPPFLAGS
 
+#
+# Report the --help message.
+#
+if test "$ac_init_help" = "long"; then
+  # Omit some internal or obsolete options to make the list less imposing.
+  # This message is too long to be a string in the A/UX 3.1 sh.
+  cat <<EOF
+\`configure' configures heimdal 0.3e to adapt to many kinds of systems.
+
+Usage: $0 [OPTION]... [VAR=VALUE]...
+
+To assign environment variables (e.g., CC, CFLAGS...), specify them as
+VAR=VALUE.  See below for descriptions of some of the useful variables.
+
+Defaults for the options are specified in brackets.
+
+Configuration:
+  -h, --help              display this help and exit
+      --help=short        display options specific to this package
+      --help=recursive    display the short help of all the included packages
+  -V, --version           display version information and exit
+  -q, --quiet, --silent   do not print \`checking...' messages
+      --cache-file=FILE   cache test results in FILE [disabled]
+  -C, --config-cache      alias for \`--cache-file=config.cache'
+  -n, --no-create         do not create output files
+      --srcdir=DIR        find the sources in DIR [configure dir or \`..']
+
+EOF
+
+  cat <<EOF
+Installation directories:
+  --prefix=PREFIX         install architecture-independent files in PREFIX
+                          [$ac_default_prefix]
+  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
+                          [PREFIX]
+
+By default, \`make install' will install all the files in
+\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
+an installation prefix other than \`$ac_default_prefix' using \`--prefix',
+for instance \`--prefix=\$HOME'.
+
+For better control, use the options below.
+
+Fine tuning of the installation directories:
+  --bindir=DIR           user executables [EPREFIX/bin]
+  --sbindir=DIR          system admin executables [EPREFIX/sbin]
+  --libexecdir=DIR       program executables [EPREFIX/libexec]
+  --datadir=DIR          read-only architecture-independent data [PREFIX/share]
+  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
+  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
+  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
+  --libdir=DIR           object code libraries [EPREFIX/lib]
+  --includedir=DIR       C header files [PREFIX/include]
+  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
+  --infodir=DIR          info documentation [PREFIX/info]
+  --mandir=DIR           man documentation [PREFIX/man]
+EOF
+
+  cat <<\EOF
+
+Program names:
+  --program-prefix=PREFIX            prepend PREFIX to installed program names
+  --program-suffix=SUFFIX            append SUFFIX to installed program names
+  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names
+
+X features:
+  --x-includes=DIR    X include files are in DIR
+  --x-libraries=DIR   X library files are in DIR
+
+System types:
+  --build=BUILD     configure for building on BUILD [guessed]
+  --host=HOST       build programs to run on HOST [BUILD]
+EOF
+fi
+
+if test -n "$ac_init_help"; then
+  case $ac_init_help in
+     short | recursive ) echo "Configuration of heimdal 0.3e:";;
+   esac
+  cat <<\EOF
+
+Optional Features:
+  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
+  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --disable-dependency-tracking Speeds up one-time builds
+  --enable-dependency-tracking  Do not reject slow dependency extractors
+  --enable-shared=PKGS  build shared libraries default=no
+  --enable-static=PKGS  build static libraries default=yes
+  --enable-fast-install=PKGS  optimize for fast installation default=yes
+  --disable-libtool-lock  avoid locking (might break parallel builds)
+  --enable-dce	if you want support for DCE/DFS PAG's.
+  --enable-kaserver	  if you want the KDC to try to emulate a kaserver
+  --enable-kaserver-db	  if you want support for reading kaserver databases in hprop
+  --disable-otp          if you don't want OTP support
+  --enable-osfc2          enable some OSF C2 support
+  --enable-bigendian	the target is big endian
+  --enable-littleendian	the target is little endian
+  --enable-netinfo      enable netinfo for configuration lookup
+
+Optional Packages:
+  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
+  --with-mips-abi=abi     ABI to use for IRIX (32, n32, or 64)
+  --with-gnu-ld           assume the C compiler uses GNU ld default=no
+  --with-pic              try to use only PIC/non-PIC objects default=use both
+  --without-berkeley-db   if you don't want berkeley db
+  --without-ipv6	do not enable IPv6 support
+  --with-openldap=dir                use openldap in dir
+  --with-openldap-lib=dir            use openldap libraries in dir
+  --with-openldap-include=dir        use openldap headers in dir
+  --with-krb4=dir                use krb4 in dir
+  --with-krb4-lib=dir            use krb4 libraries in dir
+  --with-krb4-include=dir        use krb4 headers in dir
+  --with-readline=dir                use readline in dir
+  --with-readline-lib=dir            use readline libraries in dir
+  --with-readline-include=dir        use readline headers in dir
+  --with-hesiod=dir                use hesiod in dir
+  --with-hesiod-lib=dir            use hesiod libraries in dir
+  --with-hesiod-include=dir        use hesiod headers in dir
+  --with-x                use the X Window System
+
+Some influential environment variables:
+  CC          C compiler command
+  CFLAGS      C compiler flags
+  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
+              nonstandard directory <lib dir>
+  CPP         C preprocessor
+  CPPFLAGS    C/C++ preprocessor flags, e.g. -I<include dir> if you have
+              headers in a nonstandard directory <include dir>
+
+Use these variables to override the choices made by `configure' or to help
+it to find libraries and programs with nonstandard names/locations.
+
+Report bugs to <heimdal-bugs@pdc.kth.se>.
+EOF
+fi
+
+if test "$ac_init_help" = "recursive"; then
+  # If there are subdirs, report their specific --help.
+  ac_popdir=`pwd`
+  for ac_subdir in : $ac_subdirs_all; do test "x$ac_subdir" = x: && continue
+    cd $ac_subdir
+    # A "../" for each directory in /$ac_subdir.
+    ac_dots=`echo $ac_subdir |
+             sed 's,^\./,,;s,[^/]$,&/,;s,[^/]*/,../,g'`
+
+    case $srcdir in
+    .) # No --srcdir option.  We are building in place.
+      ac_sub_srcdir=$srcdir ;;
+    [\\/]* | ?:[\\/]* ) # Absolute path.
+      ac_sub_srcdir=$srcdir/$ac_subdir ;;
+    *) # Relative path.
+      ac_sub_srcdir=$ac_dots$srcdir/$ac_subdir ;;
+    esac
+
+    # Check for guested configure; otherwise get Cygnus style configure.
+    if test -f $ac_sub_srcdir/configure.gnu; then
+      echo
+      $SHELL $ac_sub_srcdir/configure.gnu  --help=recursive
+    elif test -f $ac_sub_srcdir/configure; then
+      echo
+      $SHELL $ac_sub_srcdir/configure  --help=recursive
+    elif test -f $ac_sub_srcdir/configure.ac ||
+           test -f $ac_sub_srcdir/configure.in; then
+      echo
+      $ac_configure --help
+    else
+      { echo "$as_me:829: WARNING: no configuration information is in $ac_subdir" >&5
+echo "$as_me: WARNING: no configuration information is in $ac_subdir" >&2;}
+    fi
+    cd $ac_popdir
+  done
+fi
+
+test -n "$ac_init_help" && exit 0
+if $ac_init_version; then
+  cat <<\EOF
+configure (heimdal 0.3e) 2.49d
+
+Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000
+Free Software Foundation, Inc.
+This configure script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it.
+EOF
+  exit 0
+fi
+
+# Keep a trace of the command line.
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Also quote any args containing shell meta-characters.
+ac_configure_args=
+ac_sep=
+for ac_arg
+do
+  case $ac_arg in
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c) ;;
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;;
+  *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
+    ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"`
+    ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'"
+    ac_sep=" " ;;
+  *) ac_configure_args="$ac_configure_args$ac_sep$ac_arg"
+     ac_sep=" " ;;
+  esac
+  # Get rid of the leading space.
+done
+
+# When interrupted or exit'd, cleanup temporary files, and complete
+# config.log.  We remove comments because anyway the quotes in there
+# would cause problems or look ugly.
+trap 'exit_status=$?
+  # Save into config.log some information that might help in debugging.
+  echo >&5
+  echo "## ----------------- ##" >&5
+  echo "## Cache variables.  ##" >&5
+  echo "## ----------------- ##" >&5
+  echo >&5
+  # The following way of writing the cache mishandles newlines in values,
+{
+  (set) 2>&1 |
+    case `(ac_space='"'"' '"'"'; set | grep ac_space) 2>&1` in
+    *ac_space=\ *)
+      sed -n \
+        "s/'"'"'/'"'"'\\\\'"'"''"'"'/g;
+    	  s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1='"'"'\\2'"'"'/p"
+      ;;
+    *)
+      sed -n \
+        "s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+      ;;
+    esac;
+} >&5
+  sed "/^$/d" confdefs.h >conftest.log
+  if test -s conftest.log; then
+    echo >&5
+    echo "## ------------ ##" >&5
+    echo "## confdefs.h.  ##" >&5
+    echo "## ------------ ##" >&5
+    echo >&5
+    cat conftest.log >&5
+  fi
+  (echo; echo) >&5
+  test "$ac_signal" != 0 &&
+    echo "$as_me: caught signal $ac_signal" >&5
+  echo "$as_me: exit $exit_status" >&5
+  rm -rf conftest* confdefs* core core.* *.core $ac_clean_files &&
+    exit $exit_status
+     ' 0
+for ac_signal in 1 2 13 15; do
+  trap 'ac_status=$?; ac_signal='$ac_signal'; { (exit $ac_status); exit $ac_status; }' $ac_signal
+done
+ac_signal=0
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -rf conftest* confdefs.h
+# AIX cpp loses on an empty file, so make sure it contains at least a newline.
+echo >confdefs.h
+
+# Let the site file select an alternate cache file if it wants to.
 # Prefer explicitly selected file to automatically selected ones.
 if test -z "$CONFIG_SITE"; then
   if test "x$prefix" != xNONE; then
@@ -708,38 +936,1025 @@ for ac_site_file in $CONFIG_SITE; do
 done
 
 if test -r "$cache_file"; then
-  echo "loading cache $cache_file"
-  . $cache_file
+  # Some versions of bash will fail to source /dev/null (special
+  # files actually), so we avoid doing that.
+  if test -f "$cache_file"; then
+    { echo "$as_me:942: loading cache $cache_file" >&5
+echo "$as_me: loading cache $cache_file" >&6;}
+    case $cache_file in
+      [\\/]* | ?:[\\/]* ) . $cache_file;;
+      *)                      . ./$cache_file;;
+    esac
+  fi
 else
-  echo "creating cache $cache_file"
-  > $cache_file
+  { echo "$as_me:950: creating cache $cache_file" >&5
+echo "$as_me: creating cache $cache_file" >&6;}
+  >$cache_file
+fi
+
+# Check that the precious variables saved in the cache have kept the same
+# value.
+ac_suggest_removing_cache=false
+for ac_var in `(set) 2>&1 |
+               sed -n 's/^ac_env_\([a-zA-Z_0-9]*\)_set=.*/\1/p'`; do
+  eval ac_old_set=\$ac_cv_env_${ac_var}_set
+  eval ac_new_set=\$ac_env_${ac_var}_set
+  eval ac_old_val="\$ac_cv_env_${ac_var}_value"
+  eval ac_new_val="\$ac_env_${ac_var}_value"
+  case $ac_old_set,$ac_new_set in
+    set,)
+      { echo "$as_me:966: WARNING: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+echo "$as_me: WARNING: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+      ac_suggest_removing_cache=: ;;
+    ,set)
+      { echo "$as_me:970: WARNING: \`$ac_var' was not set in the previous run" >&5
+echo "$as_me: WARNING: \`$ac_var' was not set in the previous run" >&2;}
+      ac_suggest_removing_cache=: ;;
+    ,);;
+    *)
+      if test "x$ac_old_val" != "x$ac_new_val"; then
+        { echo "$as_me:976: WARNING: \`$ac_var' has changed since the previous run:" >&5
+echo "$as_me: WARNING: \`$ac_var' has changed since the previous run:" >&2;}
+        { echo "$as_me:978: WARNING:   former value:  $ac_old_val" >&5
+echo "$as_me: WARNING:   former value:  $ac_old_val" >&2;}
+        { echo "$as_me:980: WARNING:   current value: $ac_new_val" >&5
+echo "$as_me: WARNING:   current value: $ac_new_val" >&2;}
+        ac_suggest_removing_cache=:
+      fi;;
+  esac
+done
+if $ac_suggest_removing_cache; then
+  { echo "$as_me:987: WARNING: changes in the environment can compromise the build" >&5
+echo "$as_me: WARNING: changes in the environment can compromise the build" >&2;}
+  { echo "$as_me:989: WARNING: consider removing $cache_file and starting over" >&5
+echo "$as_me: WARNING: consider removing $cache_file and starting over" >&2;}
 fi
 
 ac_ext=c
-# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
 ac_cpp='$CPP $CPPFLAGS'
-ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
-ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
-cross_compiling=$ac_cv_prog_cc_cross
-
-ac_exeext=
-ac_objext=o
-if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
-  # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu.
-  if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
-    ac_n= ac_c='
-' ac_t='	'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
+  *c*,-n*) ECHO_N= ECHO_C='
+' ECHO_T='	' ;;
+  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
+  *)      ECHO_N= ECHO_C='\c' ECHO_T= ;;
+esac
+
+ac_config_headers="$ac_config_headers include/config.h"
+
+ac_config_commands="$ac_config_commands default-1"
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+echo "$as_me:1018: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_CC="${ac_tool_prefix}gcc"
+break
+done
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  echo "$as_me:1040: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+  echo "$as_me:1043: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+  ac_ct_CC=$CC
+  # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+echo "$as_me:1052: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_CC="gcc"
+break
+done
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  echo "$as_me:1074: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6
+else
+  echo "$as_me:1077: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  CC=$ac_ct_CC
+else
+  CC="$ac_cv_prog_CC"
+fi
+
+if test -z "$CC"; then
+  if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+echo "$as_me:1090: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_CC="${ac_tool_prefix}cc"
+break
+done
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  echo "$as_me:1112: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+  echo "$as_me:1115: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+  ac_ct_CC=$CC
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+echo "$as_me:1124: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_CC="cc"
+break
+done
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  echo "$as_me:1146: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6
+else
+  echo "$as_me:1149: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  CC=$ac_ct_CC
+else
+  CC="$ac_cv_prog_CC"
+fi
+
+fi
+if test -z "$CC"; then
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+echo "$as_me:1162: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_prog_rejected=no
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then
+  ac_prog_rejected=yes
+  continue
+fi
+ac_cv_prog_CC="cc"
+break
+done
+
+if test $ac_prog_rejected = yes; then
+  # We found a bogon in the path, so make sure we never use it.
+  set dummy $ac_cv_prog_CC
+  shift
+  if test $# != 0; then
+    # We chose a different compiler from the bogus one.
+    # However, it has the same basename, so the bogon will be chosen
+    # first if we set CC to just the basename; use the full file name.
+    shift
+    set dummy "$ac_dir/$ac_word" ${1+"$@"}
+    shift
+    ac_cv_prog_CC="$@"
+  fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  echo "$as_me:1203: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+  echo "$as_me:1206: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$CC"; then
+  if test -n "$ac_tool_prefix"; then
+  for ac_prog in cl
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+echo "$as_me:1217: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+break
+done
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  echo "$as_me:1239: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+  echo "$as_me:1242: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+    test -n "$CC" && break
+  done
+fi
+if test -z "$CC"; then
+  ac_ct_CC=$CC
+  for ac_prog in cl
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:1255: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_CC="$ac_prog"
+break
+done
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  echo "$as_me:1277: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6
+else
+  echo "$as_me:1280: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  test -n "$ac_ct_CC" && break
+done
+
+  CC=$ac_ct_CC
+fi
+
+fi
+
+test -z "$CC" && { { echo "$as_me:1292: error: no acceptable cc found in \$PATH" >&5
+echo "$as_me: error: no acceptable cc found in \$PATH" >&2;}
+   { (exit 1); exit 1; }; }
+
+echo "$as_me:1296: checking for object suffix" >&5
+echo $ECHO_N "checking for object suffix... $ECHO_C" >&6
+if test "${ac_cv_objext+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1302 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.o conftest.obj
+if { (eval echo "$as_me:1314: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:1317: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb ) ;;
+    *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+       break;;
+  esac
+done
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+{ { echo "$as_me:1329: error: cannot compute OBJEXT: cannot compile" >&5
+echo "$as_me: error: cannot compute OBJEXT: cannot compile" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+rm -f conftest.$ac_cv_objext conftest.$ac_ext
+fi
+echo "$as_me:1336: result: $ac_cv_objext" >&5
+echo "${ECHO_T}$ac_cv_objext" >&6
+OBJEXT=$ac_cv_objext
+ac_objext=$OBJEXT
+echo "$as_me:1340: checking for executable suffix" >&5
+echo $ECHO_N "checking for executable suffix... $ECHO_C" >&6
+if test "${ac_cv_exeext+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1346 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+# Try without -o first, disregard a.out.
+ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
+if { (eval echo "$as_me:1359: \"$ac_link_default\"") >&5
+  (eval $ac_link_default) 2>&5
+  ac_status=$?
+  echo "$as_me:1362: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  for ac_file in `ls a.exe conftest.exe a.* conftest conftest.* 2>/dev/null`; do
+  case $ac_file in
+    *.$ac_ext | *.out | *.o | *.obj | *.xcoff | *.tds | *.d | *.pdb ) ;;
+    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+          export ac_cv_exeext
+          break;;
+    * ) break;;
+  esac
+done
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+
+rm -f a.out a.exe conftest$ac_cv_exeext
+
+# We have not set ac_exeext yet which is needed by `ac_link'.
+ac_exeext=$ac_cv_exeext
+if { (eval echo "$as_me:1382: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:1385: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  # If both `conftest.exe' and `conftest' are `present' (well, observable)
+# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
+# work properly (i.e., refer to `conftest.exe'), while it won't with
+# `rm'.
+for ac_file in `(ls conftest.exe; ls conftest; ls conftest.*) 2>/dev/null`; do
+  case $ac_file in
+    *.$ac_ext | *.o | *.obj | *.xcoff | *.tds | *.d | *.pdb ) ;;
+    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+          export ac_cv_exeext
+          break;;
+    * ) break;;
+  esac
+done
+else
+  { { echo "$as_me:1401: error: cannot compute EXEEXT: cannot compile and link" >&5
+echo "$as_me: error: cannot compute EXEEXT: cannot compile and link" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+rm -f conftest.$ac_ext conftest$ac_cv_exeext
+
+fi
+echo "$as_me:1409: result: $ac_cv_exeext" >&5
+echo "${ECHO_T}$ac_cv_exeext" >&6
+EXEEXT=$ac_cv_exeext
+ac_exeext=$EXEEXT
+echo "$as_me:1413: checking whether the C compiler works" >&5
+echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+#line 1416 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:1428: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:1431: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:1433: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:1436: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  # FIXME: these cross compiler hacks should be removed for autoconf 3.0
+# If not cross compiling, check that we can run a simple program.
+if test "$cross_compiling" != yes; then
+  if { (eval echo "$as_me:1441: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:1444: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+    cross_compiling=no
   else
-    ac_n=-n ac_c= ac_t=
+    if test "$cross_compiling" = maybe; then
+      cross_compiling=yes
+    else
+      { { echo "$as_me:1451: error: cannot run C compiled programs.
+To enable cross compilation, use \`--host'." >&5
+echo "$as_me: error: cannot run C compiled programs.
+To enable cross compilation, use \`--host'." >&2;}
+   { (exit 1); exit 1; }; }
+    fi
   fi
+fi
+echo "$as_me:1459: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+echo "$as_me:1464: result: no" >&5
+echo "${ECHO_T}no" >&6
+{ { echo "$as_me:1466: error: C compiler cannot create executables" >&5
+echo "$as_me: error: C compiler cannot create executables" >&2;}
+   { (exit 77); exit 77; }; }
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+echo "$as_me:1471: checking whether we are cross compiling" >&5
+echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6
+echo "$as_me:1473: result: $cross_compiling" >&5
+echo "${ECHO_T}$cross_compiling" >&6
+
+echo "$as_me:1476: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6
+if test "${ac_cv_c_compiler_gnu+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1482 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+#ifndef __GNUC__
+       choke me
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:1497: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:1500: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:1502: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:1505: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_compiler_gnu=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_compiler_gnu=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+fi
+echo "$as_me:1517: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6
+GCC=`test $ac_compiler_gnu = yes && echo yes`
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+CFLAGS="-g"
+echo "$as_me:1523: checking whether $CC accepts -g" >&5
+echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6
+if test "${ac_cv_prog_cc_g+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1529 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:1541: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:1544: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:1546: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:1549: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_prog_cc_g=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_prog_cc_g=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:1559: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6
+if test "$ac_test_CFLAGS" = set; then
+  CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+  if test "$GCC" = yes; then
+    CFLAGS="-g -O2"
+  else
+    CFLAGS="-g"
+  fi
+else
+  if test "$GCC" = yes; then
+    CFLAGS="-O2"
+  else
+    CFLAGS=
+  fi
+fi
+# Some people use a C++ compiler to compile C.  Since we use `exit',
+# in C++ we need to declare it.  In case someone uses the same compiler
+# for both compiling C and C++ we need to have the C++ compiler decide
+# the declaration of exit, since it's the most demanding environment.
+cat >conftest.$ac_ext <<_ACEOF
+#ifndef __cplusplus
+  choke me
+#endif
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:1586: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:1589: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:1591: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:1594: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  for ac_declaration in \
+   ''\
+   '#include <stdlib.h>' \
+   'extern "C" void std::exit (int) throw (); using std::exit;' \
+   'extern "C" void std::exit (int); using std::exit;' \
+   'extern "C" void exit (int) throw ();' \
+   'extern "C" void exit (int);' \
+   'void exit (int);'
+do
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1606 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+$ac_declaration
+int
+main ()
+{
+exit (42);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:1619: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:1622: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:1624: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:1627: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+continue
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1637 "configure"
+#include "confdefs.h"
+$ac_declaration
+int
+main ()
+{
+exit (42);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:1649: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:1652: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:1654: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:1657: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+done
+echo '#ifdef __cplusplus' >>confdefs.h
+echo $ac_declaration      >>confdefs.h
+echo '#endif'             >>confdefs.h
+
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+echo "$as_me:1686: checking how to run the C preprocessor" >&5
+echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+  CPP=
+fi
+if test -z "$CPP"; then
+  if test "${ac_cv_prog_CPP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+      # Double quotes because CPP needs to be expanded
+    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
+    do
+      # Use a header file that comes with gcc, so configuring glibc
+# with a fresh cross-compiler works.
+# On the NeXT, cc -E runs the code through the compiler's parser,
+# not just through cpp. "Syntax error" is here to catch this case.
+ac_c_preproc_warn_flag=maybe
+cat >conftest.$ac_ext <<_ACEOF
+#line 1705 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax error
+_ACEOF
+if { (eval echo "$as_me:1710: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:1716: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  # Now check whether non-existent headers can be detected and how
+# Skip if ac_cpp_err is not empty - ac_cpp is broken
+if test -z "$ac_cpp_err"; then
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1731 "configure"
+#include "confdefs.h"
+#include <ac_nonexistent.h>
+_ACEOF
+if { (eval echo "$as_me:1735: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:1741: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  # cannot detect missing includes at all
+ac_cpp_err=yes
 else
-  ac_n= ac_c='\c' ac_t=
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  if test "x$ac_cpp_err" = xmaybe; then
+      ac_c_preproc_warn_flag=yes
+    else
+      ac_c_preproc_warn_flag=
+    fi
+    ac_cpp_err=
+fi
+rm -f conftest.err conftest.$ac_ext
 fi
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
 
+fi
+rm -f conftest.err conftest.$ac_ext
+      if test -z "$ac_cpp_err"; then
+        break
+      fi
+    done
+    ac_cv_prog_CPP=$CPP
 
+fi
+  CPP=$ac_cv_prog_CPP
+else
+  # Use a header file that comes with gcc, so configuring glibc
+# with a fresh cross-compiler works.
+# On the NeXT, cc -E runs the code through the compiler's parser,
+# not just through cpp. "Syntax error" is here to catch this case.
+ac_c_preproc_warn_flag=maybe
+cat >conftest.$ac_ext <<_ACEOF
+#line 1787 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax error
+_ACEOF
+if { (eval echo "$as_me:1792: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:1798: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  # Now check whether non-existent headers can be detected and how
+# Skip if ac_cpp_err is not empty - ac_cpp is broken
+if test -z "$ac_cpp_err"; then
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1813 "configure"
+#include "confdefs.h"
+#include <ac_nonexistent.h>
+_ACEOF
+if { (eval echo "$as_me:1817: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:1823: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  # cannot detect missing includes at all
+ac_cpp_err=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  if test "x$ac_cpp_err" = xmaybe; then
+      ac_c_preproc_warn_flag=yes
+    else
+      ac_c_preproc_warn_flag=
+    fi
+    ac_cpp_err=
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
 
+fi
+rm -f conftest.err conftest.$ac_ext
+  ac_cv_prog_CPP=$CPP
+fi
+echo "$as_me:1856: result: $CPP" >&5
+echo "${ECHO_T}$CPP" >&6
+if test -n "$ac_cpp_err"; then
+  { { echo "$as_me:1859: error: C preprocessor \"$CPP\" fails sanity check" >&5
+echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+echo "$as_me:1869: checking for $CC option to accept ANSI C" >&5
+echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6
+if test "${ac_cv_prog_cc_stdc+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_prog_cc_stdc=no
+ac_save_CC=$CC
+cat >conftest.$ac_ext <<_ACEOF
+#line 1877 "configure"
+#include "confdefs.h"
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+     char **p;
+     int i;
+{
+  return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+  char *s;
+  va_list v;
+  va_start (v,p);
+  s = g (p, va_arg (v,int));
+  va_end (v);
+  return s;
+}
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
+  ;
+  return 0;
+}
+_ACEOF
+# Don't try gcc -ansi; that turns off useful extensions and
+# breaks some systems' header files.
+# AIX			-qlanglvl=ansi
+# Ultrix and OSF/1	-std1
+# HP-UX 10.20 and later	-Ae
+# HP-UX older versions	-Aa -D_HPUX_SOURCE
+# SVR4			-Xc -D__EXTENSIONS__
+for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+  CC="$ac_save_CC $ac_arg"
+  rm -f conftest.$ac_objext
+if { (eval echo "$as_me:1926: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:1929: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:1931: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:1934: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_prog_cc_stdc=$ac_arg
+break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext
+done
+rm -f conftest.$ac_ext conftest.$ac_objext
+CC=$ac_save_CC
 
+fi
 
+case "x$ac_cv_prog_cc_stdc" in
+  x|xno)
+    echo "$as_me:1951: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6 ;;
+  *)
+    echo "$as_me:1954: result: $ac_cv_prog_cc_stdc" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6
+    CC="$CC $ac_cv_prog_cc_stdc" ;;
+esac
 
 ac_aux_dir=
 for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
@@ -751,14 +1966,20 @@ for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
     ac_aux_dir=$ac_dir
     ac_install_sh="$ac_aux_dir/install.sh -c"
     break
+  elif test -f $ac_dir/shtool; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/shtool install -c"
+    break
   fi
 done
 if test -z "$ac_aux_dir"; then
-  { echo "configure: error: can not find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 1>&2; exit 1; }
+  { { echo "$as_me:1976: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&5
+echo "$as_me: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-ac_config_guess=$ac_aux_dir/config.guess
-ac_config_sub=$ac_aux_dir/config.sub
-ac_configure=$ac_aux_dir/configure # This should be Cygnus configure.
+ac_config_guess="$SHELL $ac_aux_dir/config.guess"
+ac_config_sub="$SHELL $ac_aux_dir/config.sub"
+ac_configure="$SHELL $ac_aux_dir/configure" # This should be Cygnus configure.
 
 # Find a good install program.  We prefer a C program (faster),
 # so one script is as good as another.  But avoid the broken or
@@ -767,31 +1988,38 @@ ac_configure=$ac_aux_dir/configure # This should be Cygnus configure.
 # SunOS /usr/etc/install
 # IRIX /sbin/install
 # AIX /bin/install
+# AmigaOS /C/install, which installs bootblocks on floppy discs
 # AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
 # AFS /usr/afsws/bin/install, which mishandles nonexistent args
 # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
 # ./install, which can be erroneously created by make from ./install.sh.
-echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
-echo "configure:776: checking for a BSD compatible install" >&5
+echo "$as_me:1996: checking for a BSD compatible install" >&5
+echo $ECHO_N "checking for a BSD compatible install... $ECHO_C" >&6
 if test -z "$INSTALL"; then
-if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+if test "${ac_cv_path_install+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-    IFS="${IFS= 	}"; ac_save_IFS="$IFS"; IFS=":"
+    ac_save_IFS=$IFS; IFS=':'
   for ac_dir in $PATH; do
     # Account for people who put trailing slashes in PATH elements.
-    case "$ac_dir/" in
-    /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;;
+    case $ac_dir/ in
+    / | ./ | .// | /cC/* \
+    | /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* \
+    | /usr/ucb/* ) ;;
     *)
       # OSF1 and SCO ODT 3.0 have their own names for install.
       # Don't use installbsd from OSF since it installs stuff as root
       # by default.
       for ac_prog in ginstall scoinst install; do
-        if test -f $ac_dir/$ac_prog; then
+        if test -f "$ac_dir/$ac_prog"; then
 	  if test $ac_prog = install &&
-            grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then
+            grep dspmsg "$ac_dir/$ac_prog" >/dev/null 2>&1; then
 	    # AIX install.  It has an incompatible calling convention.
 	    :
+	  elif test $ac_prog = install &&
+	    grep pwplus "$ac_dir/$ac_prog" >/dev/null 2>&1; then
+	    # program-specific install script used by HP pwplus--don't use.
+	    :
 	  else
 	    ac_cv_path_install="$ac_dir/$ac_prog -c"
 	    break 2
@@ -801,31 +2029,32 @@ else
       ;;
     esac
   done
-  IFS="$ac_save_IFS"
+  IFS=$ac_save_IFS
 
 fi
   if test "${ac_cv_path_install+set}" = set; then
-    INSTALL="$ac_cv_path_install"
+    INSTALL=$ac_cv_path_install
   else
     # As a last resort, use the slow shell script.  We don't cache a
     # path for INSTALL within a source directory, because that will
     # break other packages using the cache if that directory is
     # removed, or if the path is relative.
-    INSTALL="$ac_install_sh"
+    INSTALL=$ac_install_sh
   fi
 fi
-echo "$ac_t""$INSTALL" 1>&6
+echo "$as_me:2045: result: $INSTALL" >&5
+echo "${ECHO_T}$INSTALL" >&6
 
 # Use test -z because SunOS4 sh mishandles braces in ${var-val}.
 # It thinks the first close brace ends the variable substitution.
 test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
 
-test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}'
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
 
 test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
 
-echo $ac_n "checking whether build environment is sane""... $ac_c" 1>&6
-echo "configure:829: checking whether build environment is sane" >&5
+echo "$as_me:2056: checking whether build environment is sane" >&5
+echo $ECHO_N "checking whether build environment is sane... $ECHO_C" >&6
 # Just in case
 sleep 1
 echo timestamp > conftestfile
@@ -847,8 +2076,11 @@ if (
       # if, for instance, CONFIG_SHELL is bash and it inherits a
       # broken ls alias from the environment.  This has actually
       # happened.  Such a system could not be considered "sane".
-      { echo "configure: error: ls -t appears to fail.  Make sure there is not a broken
-alias in your environment" 1>&2; exit 1; }
+      { { echo "$as_me:2079: error: ls -t appears to fail.  Make sure there is not a broken
+alias in your environment" >&5
+echo "$as_me: error: ls -t appears to fail.  Make sure there is not a broken
+alias in your environment" >&2;}
+   { (exit 1); exit 1; }; }
    fi
 
    test "$2" = conftestfile
@@ -857,37 +2089,88 @@ then
    # Ok.
    :
 else
-   { echo "configure: error: newly created file is older than distributed files!
-Check your system clock" 1>&2; exit 1; }
+   { { echo "$as_me:2092: error: newly created file is older than distributed files!
+Check your system clock" >&5
+echo "$as_me: error: newly created file is older than distributed files!
+Check your system clock" >&2;}
+   { (exit 1); exit 1; }; }
 fi
 rm -f conftest*
-echo "$ac_t""yes" 1>&6
+echo "$as_me:2099: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 if test "$program_transform_name" = s,x,x,; then
   program_transform_name=
 else
   # Double any \ or $.  echo might interpret backslashes.
-  cat <<\EOF_SED > conftestsed
+  cat <<\EOF >conftestsed
 s,\\,\\\\,g; s,\$,$$,g
-EOF_SED
-  program_transform_name="`echo $program_transform_name|sed -f conftestsed`"
+EOF
+  program_transform_name=`echo $program_transform_name | sed -f conftestsed`
   rm -f conftestsed
 fi
 test "$program_prefix" != NONE &&
-  program_transform_name="s,^,${program_prefix},; $program_transform_name"
+  program_transform_name="s,^,${program_prefix},;$program_transform_name"
 # Use a double $ so make ignores it.
 test "$program_suffix" != NONE &&
-  program_transform_name="s,\$\$,${program_suffix},; $program_transform_name"
+  program_transform_name="s,\$\$,${program_suffix},;$program_transform_name"
 
 # sed with no file args requires a program.
-test "$program_transform_name" = "" && program_transform_name="s,x,x,"
+test -z "$program_transform_name" && program_transform_name="s,x,x,"
+
+test x"${MISSING+set}" = xset || \
+  MISSING="\${SHELL} `CDPATH=: && cd $ac_aux_dir && pwd`/missing"
+if eval "$MISSING --run :"; then
+  am_missing_run="$MISSING --run "
+else
+  am_missing_run=
+  am_backtick='`'
+  { echo "$as_me:2127: WARNING: ${am_backtick}missing' script is too old or missing" >&5
+echo "$as_me: WARNING: ${am_backtick}missing' script is too old or missing" >&2;}
+fi
 
-echo $ac_n "checking whether ${MAKE-make} sets \${MAKE}""... $ac_c" 1>&6
-echo "configure:886: checking whether ${MAKE-make} sets \${MAKE}" >&5
-set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y%./+-%__p_%'`
-if eval "test \"`echo '$''{'ac_cv_prog_make_${ac_make}_set'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+for ac_prog in mawk gawk nawk awk
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:2135: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_AWK+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$AWK"; then
+  ac_cv_prog_AWK="$AWK" # Let the user override the test.
 else
-  cat > conftestmake <<\EOF
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_AWK="$ac_prog"
+break
+done
+
+fi
+fi
+AWK=$ac_cv_prog_AWK
+if test -n "$AWK"; then
+  echo "$as_me:2157: result: $AWK" >&5
+echo "${ECHO_T}$AWK" >&6
+else
+  echo "$as_me:2160: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  test -n "$AWK" && break
+done
+
+echo "$as_me:2167: checking whether ${MAKE-make} sets \${MAKE}" >&5
+echo $ECHO_N "checking whether ${MAKE-make} sets \${MAKE}... $ECHO_C" >&6
+set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y,./+-,__p_,'`
+if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftestmake <<\EOF
 all:
 	@echo 'ac_maketemp="${MAKE}"'
 EOF
@@ -901,152 +2184,212 @@ fi
 rm -f conftestmake
 fi
 if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
+  echo "$as_me:2187: result: yes" >&5
+echo "${ECHO_T}yes" >&6
   SET_MAKE=
 else
-  echo "$ac_t""no" 1>&6
+  echo "$as_me:2191: result: no" >&5
+echo "${ECHO_T}no" >&6
   SET_MAKE="MAKE=${MAKE-make}"
 fi
 
+# Check whether --enable-dependency-tracking or --disable-dependency-tracking was given.
+if test "${enable_dependency_tracking+set}" = set; then
+  enableval="$enable_dependency_tracking"
 
-PACKAGE=heimdal
+fi;
+if test "x$enable_dependency_tracking" = xno; then
+  AMDEP="#"
+else
+  am_depcomp="$ac_aux_dir/depcomp"
+  if test ! -f "$am_depcomp"; then
+    AMDEP="#"
+  else
+    AMDEP=
+  fi
+fi
+
+if test -z "$AMDEP"; then
+  AMDEPBACKSLASH='\'
+else
+  AMDEPBACKSLASH=
+fi
+
+if test -d .deps || mkdir .deps 2> /dev/null || test -d .deps; then
+  DEPDIR=.deps
+else
+  DEPDIR=_deps
+fi
 
-VERSION=0.2p
+ac_config_commands="$ac_config_commands default-2"
 
-if test "`cd $srcdir && pwd`" != "`pwd`" && test -f $srcdir/config.status; then
-  { echo "configure: error: source directory already configured; run "make distclean" there first" 1>&2; exit 1; }
+# test to see if srcdir already configured
+if test "`CDPATH=: && cd $srcdir && pwd`" != "`pwd`" &&
+   test -f $srcdir/config.status; then
+  { { echo "$as_me:2229: error: source directory already configured; run \"make distclean\" there first" >&5
+echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;}
+   { (exit 1); exit 1; }; }
 fi
-cat >> confdefs.h <<EOF
+
+# Define the identity of the package.
+PACKAGE=heimdal
+VERSION=0.3e
+
+cat >>confdefs.h <<EOF
 #define PACKAGE "$PACKAGE"
 EOF
 
-cat >> confdefs.h <<EOF
+cat >>confdefs.h <<EOF
 #define VERSION "$VERSION"
 EOF
 
+# Some tools Automake needs.
 
+ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal"}
 
-missing_dir=`cd $ac_aux_dir && pwd`
-echo $ac_n "checking for working aclocal""... $ac_c" 1>&6
-echo "configure:932: checking for working aclocal" >&5
-# Run test in a subshell; some versions of sh will print an error if
-# an executable is not found, even if stderr is redirected.
-# Redirect stdin to placate older versions of autoconf.  Sigh.
-if (aclocal --version) < /dev/null > /dev/null 2>&1; then
-   ACLOCAL=aclocal
-   echo "$ac_t""found" 1>&6
-else
-   ACLOCAL="$missing_dir/missing aclocal"
-   echo "$ac_t""missing" 1>&6
-fi
+AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"}
 
-echo $ac_n "checking for working autoconf""... $ac_c" 1>&6
-echo "configure:945: checking for working autoconf" >&5
-# Run test in a subshell; some versions of sh will print an error if
-# an executable is not found, even if stderr is redirected.
-# Redirect stdin to placate older versions of autoconf.  Sigh.
-if (autoconf --version) < /dev/null > /dev/null 2>&1; then
-   AUTOCONF=autoconf
-   echo "$ac_t""found" 1>&6
-else
-   AUTOCONF="$missing_dir/missing autoconf"
-   echo "$ac_t""missing" 1>&6
-fi
+AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake"}
 
-echo $ac_n "checking for working automake""... $ac_c" 1>&6
-echo "configure:958: checking for working automake" >&5
-# Run test in a subshell; some versions of sh will print an error if
-# an executable is not found, even if stderr is redirected.
-# Redirect stdin to placate older versions of autoconf.  Sigh.
-if (automake --version) < /dev/null > /dev/null 2>&1; then
-   AUTOMAKE=automake
-   echo "$ac_t""found" 1>&6
-else
-   AUTOMAKE="$missing_dir/missing automake"
-   echo "$ac_t""missing" 1>&6
-fi
+AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"}
 
-echo $ac_n "checking for working autoheader""... $ac_c" 1>&6
-echo "configure:971: checking for working autoheader" >&5
-# Run test in a subshell; some versions of sh will print an error if
-# an executable is not found, even if stderr is redirected.
-# Redirect stdin to placate older versions of autoconf.  Sigh.
-if (autoheader --version) < /dev/null > /dev/null 2>&1; then
-   AUTOHEADER=autoheader
-   echo "$ac_t""found" 1>&6
-else
-   AUTOHEADER="$missing_dir/missing autoheader"
-   echo "$ac_t""missing" 1>&6
+MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
+
+AMTAR=${AMTAR-"${am_missing_run}tar"}
+
+if test -z "$install_sh"; then
+   install_sh="$ac_aux_dir/install-sh"
+   test -f "$install_sh" || install_sh="$ac_aux_dir/install.sh"
+   test -f "$install_sh" || install_sh="${am_missing_run}${ac_auxdir}/install-sh"
+         install_sh="`echo $install_sh | sed -e 's/\${SHELL}//'`"
 fi
 
-echo $ac_n "checking for working makeinfo""... $ac_c" 1>&6
-echo "configure:984: checking for working makeinfo" >&5
-# Run test in a subshell; some versions of sh will print an error if
-# an executable is not found, even if stderr is redirected.
-# Redirect stdin to placate older versions of autoconf.  Sigh.
-if (makeinfo --version) < /dev/null > /dev/null 2>&1; then
-   MAKEINFO=makeinfo
-   echo "$ac_t""found" 1>&6
+depcc="$CC"
+depcpp="$CPP"
+echo "$as_me:2269: checking dependency style of $depcc" >&5
+echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6
+if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-   MAKEINFO="$missing_dir/missing makeinfo"
-   echo "$ac_t""missing" 1>&6
-fi
 
+if test -z "$AMDEP"; then
+  echo '#include "conftest.h"' > conftest.c
+  echo 'int i;' > conftest.h
 
+  am_cv_CC_dependencies_compiler_type=none
+  for depmode in `sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < "$am_depcomp"`; do
+    case "$depmode" in
+    nosideeffect)
+      # after this tag, mechanisms are not by side-effect, so they'll
+      # only be used when explicitly requested
+      if test "x$enable_dependency_tracking" = xyes; then
+	continue
+      else
+	break
+      fi
+      ;;
+    none) break ;;
+    esac
+    if depmode="$depmode" \
+       source=conftest.c object=conftest.o \
+       depfile=conftest.Po tmpdepfile=conftest.TPo \
+       $SHELL $am_depcomp $depcc -c conftest.c 2>/dev/null &&
+       grep conftest.h conftest.Po > /dev/null 2>&1; then
+      am_cv_CC_dependencies_compiler_type="$depmode"
+      break
+    fi
+  done
 
+  rm -f conftest.*
+else
+  am_cv_CC_dependencies_compiler_type=none
+fi
 
+fi
 
+echo "$as_me:2310: result: $am_cv_CC_dependencies_compiler_type" >&5
+echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6
+CCDEPMODE="depmode=$am_cv_CC_dependencies_compiler_type"
 
 # Make sure we can run config.sub.
-if ${CONFIG_SHELL-/bin/sh} $ac_config_sub sun4 >/dev/null 2>&1; then :
-else { echo "configure: error: can not run $ac_config_sub" 1>&2; exit 1; }
-fi
-
-echo $ac_n "checking host system type""... $ac_c" 1>&6
-echo "configure:1007: checking host system type" >&5
-
-host_alias=$host
-case "$host_alias" in
-NONE)
-  case $nonopt in
-  NONE)
-    if host_alias=`${CONFIG_SHELL-/bin/sh} $ac_config_guess`; then :
-    else { echo "configure: error: can not guess host type; you must specify one" 1>&2; exit 1; }
-    fi ;;
-  *) host_alias=$nonopt ;;
-  esac ;;
-esac
-
-host=`${CONFIG_SHELL-/bin/sh} $ac_config_sub $host_alias`
-host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
-host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
-host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
-echo "$ac_t""$host" 1>&6
+$ac_config_sub sun4 >/dev/null 2>&1 ||
+  { { echo "$as_me:2316: error: cannot run $ac_config_sub" >&5
+echo "$as_me: error: cannot run $ac_config_sub" >&2;}
+   { (exit 1); exit 1; }; }
+
+echo "$as_me:2320: checking build system type" >&5
+echo $ECHO_N "checking build system type... $ECHO_C" >&6
+if test "${ac_cv_build+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_build_alias=$build_alias
+test -z "$ac_cv_build_alias" &&
+  ac_cv_build_alias=`$ac_config_guess`
+test -z "$ac_cv_build_alias" &&
+  { { echo "$as_me:2329: error: cannot guess build type; you must specify one" >&5
+echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
+   { (exit 1); exit 1; }; }
+ac_cv_build=`$ac_config_sub $ac_cv_build_alias` ||
+  { { echo "$as_me:2333: error: $ac_config_sub $ac_cv_build_alias failed." >&5
+echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed." >&2;}
+   { (exit 1); exit 1; }; }
+
+fi
+echo "$as_me:2338: result: $ac_cv_build" >&5
+echo "${ECHO_T}$ac_cv_build" >&6
+build=$ac_cv_build
+build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+
+echo "$as_me:2345: checking host system type" >&5
+echo $ECHO_N "checking host system type... $ECHO_C" >&6
+if test "${ac_cv_host+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_host_alias=$host_alias
+test -z "$ac_cv_host_alias" &&
+  ac_cv_host_alias=$ac_cv_build_alias
+ac_cv_host=`$ac_config_sub $ac_cv_host_alias` ||
+  { { echo "$as_me:2354: error: $ac_config_sub $ac_cv_host_alias failed" >&5
+echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;}
+   { (exit 1); exit 1; }; }
+
+fi
+echo "$as_me:2359: result: $ac_cv_host" >&5
+echo "${ECHO_T}$ac_cv_host" >&6
+host=$ac_cv_host
+host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
 
 CANONICAL_HOST=$host
 
-
 sunos=no
-case "$host" in 
+case "$host" in
 *-*-sunos4*)
 	sunos=40
 	;;
 *-*-solaris2.7)
 	sunos=57
 	;;
+*-*-solaris2.8)
+	sunos=58
+	;;
 *-*-solaris2*)
 	sunos=50
 	;;
 esac
 if test "$sunos" != no; then
-	cat >> confdefs.h <<EOF
+
+cat >>confdefs.h <<EOF
 #define SunOS $sunos
 EOF
 
 fi
 
 aix=no
-case "$host" in 
+case "$host" in
 *-*-aix3*)
 	aix=3
 	;;
@@ -1057,582 +2400,231 @@ esac
 
 #test -z "$CFLAGS" && CFLAGS="-g"
 
-# Extract the first word of "gcc", so it can be a program name with args.
-set dummy gcc; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1064: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
-  ac_dummy="$PATH"
-  for ac_dir in $ac_dummy; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      ac_cv_prog_CC="gcc"
-      break
-    fi
-  done
-  IFS="$ac_save_ifs"
-fi
-fi
-CC="$ac_cv_prog_CC"
-if test -n "$CC"; then
-  echo "$ac_t""$CC" 1>&6
-else
-  echo "$ac_t""no" 1>&6
-fi
-
-if test -z "$CC"; then
-  # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1094: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
-  ac_prog_rejected=no
-  ac_dummy="$PATH"
-  for ac_dir in $ac_dummy; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then
-        ac_prog_rejected=yes
-	continue
-      fi
-      ac_cv_prog_CC="cc"
-      break
-    fi
-  done
-  IFS="$ac_save_ifs"
-if test $ac_prog_rejected = yes; then
-  # We found a bogon in the path, so make sure we never use it.
-  set dummy $ac_cv_prog_CC
-  shift
-  if test $# -gt 0; then
-    # We chose a different compiler from the bogus one.
-    # However, it has the same basename, so the bogon will be chosen
-    # first if we set CC to just the basename; use the full file name.
-    shift
-    set dummy "$ac_dir/$ac_word" "$@"
-    shift
-    ac_cv_prog_CC="$@"
-  fi
-fi
-fi
-fi
-CC="$ac_cv_prog_CC"
-if test -n "$CC"; then
-  echo "$ac_t""$CC" 1>&6
-else
-  echo "$ac_t""no" 1>&6
-fi
-
-  if test -z "$CC"; then
-    case "`uname -s`" in
-    *win32* | *WIN32*)
-      # Extract the first word of "cl", so it can be a program name with args.
-set dummy cl; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1145: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
-  ac_dummy="$PATH"
-  for ac_dir in $ac_dummy; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      ac_cv_prog_CC="cl"
-      break
-    fi
-  done
-  IFS="$ac_save_ifs"
-fi
-fi
-CC="$ac_cv_prog_CC"
-if test -n "$CC"; then
-  echo "$ac_t""$CC" 1>&6
-else
-  echo "$ac_t""no" 1>&6
-fi
- ;;
-    esac
-  fi
-  test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; }
-fi
-
-echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:1177: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
-
-ac_ext=c
-# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
-ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
-cross_compiling=$ac_cv_prog_cc_cross
-
-cat > conftest.$ac_ext << EOF
-
-#line 1188 "configure"
-#include "confdefs.h"
-
-main(){return(0);}
-EOF
-if { (eval echo configure:1193: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  ac_cv_prog_cc_works=yes
-  # If we can't run a trivial program, we are probably using a cross compiler.
-  if (./conftest; exit) 2>/dev/null; then
-    ac_cv_prog_cc_cross=no
-  else
-    ac_cv_prog_cc_cross=yes
-  fi
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  ac_cv_prog_cc_works=no
-fi
-rm -fr conftest*
-ac_ext=c
-# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
-ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
-cross_compiling=$ac_cv_prog_cc_cross
-
-echo "$ac_t""$ac_cv_prog_cc_works" 1>&6
-if test $ac_cv_prog_cc_works = no; then
-  { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
-fi
-echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:1219: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
-echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
-cross_compiling=$ac_cv_prog_cc_cross
-
-echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
-echo "configure:1224: checking whether we are using GNU C" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.c <<EOF
-#ifdef __GNUC__
-  yes;
-#endif
-EOF
-if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:1233: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
-  ac_cv_prog_gcc=yes
-else
-  ac_cv_prog_gcc=no
-fi
-fi
-
-echo "$ac_t""$ac_cv_prog_gcc" 1>&6
-
-if test $ac_cv_prog_gcc = yes; then
-  GCC=yes
-else
-  GCC=
-fi
-
-ac_test_CFLAGS="${CFLAGS+set}"
-ac_save_CFLAGS="$CFLAGS"
-CFLAGS=
-echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
-echo "configure:1252: checking whether ${CC-cc} accepts -g" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  echo 'void f(){}' > conftest.c
-if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then
-  ac_cv_prog_cc_g=yes
-else
-  ac_cv_prog_cc_g=no
-fi
-rm -f conftest*
-
-fi
-
-echo "$ac_t""$ac_cv_prog_cc_g" 1>&6
-if test "$ac_test_CFLAGS" = set; then
-  CFLAGS="$ac_save_CFLAGS"
-elif test $ac_cv_prog_cc_g = yes; then
-  if test "$GCC" = yes; then
-    CFLAGS="-g -O2"
-  else
-    CFLAGS="-g"
-  fi
-else
-  if test "$GCC" = yes; then
-    CFLAGS="-O2"
-  else
-    CFLAGS=
-  fi
-fi
-
-
-echo $ac_n "checking for Cygwin environment""... $ac_c" 1>&6
-echo "configure:1285: checking for Cygwin environment" >&5
-if eval "test \"`echo '$''{'ac_cv_cygwin'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 1290 "configure"
-#include "confdefs.h"
-
-int main() {
-
-#ifndef __CYGWIN__
-#define __CYGWIN__ __CYGWIN32__
-#endif
-return __CYGWIN__;
-; return 0; }
-EOF
-if { (eval echo configure:1301: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  ac_cv_cygwin=yes
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_cygwin=no
-fi
-rm -f conftest*
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_cygwin" 1>&6
-CYGWIN=
-test "$ac_cv_cygwin" = yes && CYGWIN=yes
-echo $ac_n "checking for object suffix""... $ac_c" 1>&6
-echo "configure:1318: checking for object suffix" >&5
-if eval "test \"`echo '$''{'ac_cv_objext'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  rm -f conftest*
-echo 'int i = 1;' > conftest.$ac_ext
-if { (eval echo configure:1324: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  for ac_file in conftest.*; do
-    case $ac_file in
-    *.c) ;;
-    *) ac_cv_objext=`echo $ac_file | sed -e s/conftest.//` ;;
-    esac
-  done
-else
-  { echo "configure: error: installation or configuration problem; compiler does not work" 1>&2; exit 1; }
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_objext" 1>&6
-OBJEXT=$ac_cv_objext
-ac_objext=$ac_cv_objext
-
-echo $ac_n "checking for mingw32 environment""... $ac_c" 1>&6
-echo "configure:1342: checking for mingw32 environment" >&5
-if eval "test \"`echo '$''{'ac_cv_mingw32'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 1347 "configure"
-#include "confdefs.h"
-
-int main() {
-return __MINGW32__;
-; return 0; }
-EOF
-if { (eval echo configure:1354: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  ac_cv_mingw32=yes
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_mingw32=no
-fi
-rm -f conftest*
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_mingw32" 1>&6
-MINGW32=
-test "$ac_cv_mingw32" = yes && MINGW32=yes
-
-
-echo $ac_n "checking for executable suffix""... $ac_c" 1>&6
-echo "configure:1373: checking for executable suffix" >&5
-if eval "test \"`echo '$''{'ac_cv_exeext'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  if test "$CYGWIN" = yes || test "$MINGW32" = yes; then
-  ac_cv_exeext=.exe
-else
-  rm -f conftest*
-  echo 'int main () { return 0; }' > conftest.$ac_ext
-  ac_cv_exeext=
-  if { (eval echo configure:1383: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then
-    for file in conftest.*; do
-      case $file in
-      *.c | *.o | *.obj) ;;
-      *) ac_cv_exeext=`echo $file | sed -e s/conftest//` ;;
-      esac
-    done
-  else
-    { echo "configure: error: installation or configuration problem: compiler cannot create executables." 1>&2; exit 1; }
-  fi
-  rm -f conftest*
-  test x"${ac_cv_exeext}" = x && ac_cv_exeext=no
-fi
-fi
-
-EXEEXT=""
-test x"${ac_cv_exeext}" != xno && EXEEXT=${ac_cv_exeext}
-echo "$ac_t""${ac_cv_exeext}" 1>&6
-ac_exeext=$EXEEXT
-
-
 for ac_prog in 'bison -y' byacc
 do
-# Extract the first word of "$ac_prog", so it can be a program name with args.
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1409: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_YACC'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:2407: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_YACC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$YACC"; then
   ac_cv_prog_YACC="$YACC" # Let the user override the test.
 else
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
-  ac_dummy="$PATH"
-  for ac_dir in $ac_dummy; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      ac_cv_prog_YACC="$ac_prog"
-      break
-    fi
-  done
-  IFS="$ac_save_ifs"
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_YACC="$ac_prog"
+break
+done
+
 fi
 fi
-YACC="$ac_cv_prog_YACC"
+YACC=$ac_cv_prog_YACC
 if test -n "$YACC"; then
-  echo "$ac_t""$YACC" 1>&6
+  echo "$as_me:2429: result: $YACC" >&5
+echo "${ECHO_T}$YACC" >&6
 else
-  echo "$ac_t""no" 1>&6
+  echo "$as_me:2432: result: no" >&5
+echo "${ECHO_T}no" >&6
 fi
 
-test -n "$YACC" && break
+  test -n "$YACC" && break
 done
 test -n "$YACC" || YACC="yacc"
 
-echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
-echo "configure:1440: checking how to run the C preprocessor" >&5
-# On Suns, sometimes $CPP names a directory.
-if test -n "$CPP" && test -d "$CPP"; then
-  CPP=
-fi
-if test -z "$CPP"; then
-if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-    # This must be in double quotes, not single quotes, because CPP may get
-  # substituted into the Makefile and "${CC-cc}" will confuse make.
-  CPP="${CC-cc} -E"
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp.
-  cat > conftest.$ac_ext <<EOF
-#line 1455 "configure"
-#include "confdefs.h"
-#include <assert.h>
-Syntax Error
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1461: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
-  :
-else
-  echo "$ac_err" >&5
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  CPP="${CC-cc} -E -traditional-cpp"
-  cat > conftest.$ac_ext <<EOF
-#line 1472 "configure"
-#include "confdefs.h"
-#include <assert.h>
-Syntax Error
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1478: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
-  :
-else
-  echo "$ac_err" >&5
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  CPP="${CC-cc} -nologo -E"
-  cat > conftest.$ac_ext <<EOF
-#line 1489 "configure"
-#include "confdefs.h"
-#include <assert.h>
-Syntax Error
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1495: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
-  :
-else
-  echo "$ac_err" >&5
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  CPP=/lib/cpp
-fi
-rm -f conftest*
-fi
-rm -f conftest*
-fi
-rm -f conftest*
-  ac_cv_prog_CPP="$CPP"
-fi
-  CPP="$ac_cv_prog_CPP"
-else
-  ac_cv_prog_CPP="$CPP"
-fi
-echo "$ac_t""$CPP" 1>&6
-
-missing_dir=`cd $ac_aux_dir && pwd`
 for ac_prog in flex lex
 do
-# Extract the first word of "$ac_prog", so it can be a program name with args.
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1525: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_LEX'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:2444: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_LEX+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$LEX"; then
   ac_cv_prog_LEX="$LEX" # Let the user override the test.
 else
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
-  ac_dummy="$PATH"
-  for ac_dir in $ac_dummy; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      ac_cv_prog_LEX="$ac_prog"
-      break
-    fi
-  done
-  IFS="$ac_save_ifs"
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_LEX="$ac_prog"
+break
+done
+
 fi
 fi
-LEX="$ac_cv_prog_LEX"
+LEX=$ac_cv_prog_LEX
 if test -n "$LEX"; then
-  echo "$ac_t""$LEX" 1>&6
+  echo "$as_me:2466: result: $LEX" >&5
+echo "${ECHO_T}$LEX" >&6
 else
-  echo "$ac_t""no" 1>&6
+  echo "$as_me:2469: result: no" >&5
+echo "${ECHO_T}no" >&6
 fi
 
-test -n "$LEX" && break
+  test -n "$LEX" && break
 done
-test -n "$LEX" || LEX=""$missing_dir/missing flex""
+test -n "$LEX" || LEX="${am_missing_run}flex"
 
-# Extract the first word of "flex", so it can be a program name with args.
-set dummy flex; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1558: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_LEX'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+for ac_prog in flex lex
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:2481: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_LEX+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$LEX"; then
   ac_cv_prog_LEX="$LEX" # Let the user override the test.
 else
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
-  ac_dummy="$PATH"
-  for ac_dir in $ac_dummy; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      ac_cv_prog_LEX="flex"
-      break
-    fi
-  done
-  IFS="$ac_save_ifs"
-  test -z "$ac_cv_prog_LEX" && ac_cv_prog_LEX="lex"
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_LEX="$ac_prog"
+break
+done
+
 fi
 fi
-LEX="$ac_cv_prog_LEX"
+LEX=$ac_cv_prog_LEX
 if test -n "$LEX"; then
-  echo "$ac_t""$LEX" 1>&6
+  echo "$as_me:2503: result: $LEX" >&5
+echo "${ECHO_T}$LEX" >&6
 else
-  echo "$ac_t""no" 1>&6
+  echo "$as_me:2506: result: no" >&5
+echo "${ECHO_T}no" >&6
 fi
 
+  test -n "$LEX" && break
+done
+test -n "$LEX" || LEX=":"
+
 if test -z "$LEXLIB"
 then
-  case "$LEX" in
-  flex*) ac_lib=fl ;;
-  *) ac_lib=l ;;
-  esac
-  echo $ac_n "checking for yywrap in -l$ac_lib""... $ac_c" 1>&6
-echo "configure:1592: checking for yywrap in -l$ac_lib" >&5
-ac_lib_var=`echo $ac_lib'_'yywrap | sed 'y%./+-%__p_%'`
-if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  ac_save_LIBS="$LIBS"
-LIBS="-l$ac_lib  $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 1600 "configure"
+  echo "$as_me:2516: checking for yywrap in -lfl" >&5
+echo $ECHO_N "checking for yywrap in -lfl... $ECHO_C" >&6
+if test "${ac_cv_lib_fl_yywrap+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lfl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 2524 "configure"
 #include "confdefs.h"
+
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char yywrap();
+   builtin and then its argument prototype would still apply.  */
+char yywrap ();
+int
+main ()
+{
+yywrap ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:2543: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:2546: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:2548: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:2551: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_lib_fl_yywrap=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_fl_yywrap=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:2562: result: $ac_cv_lib_fl_yywrap" >&5
+echo "${ECHO_T}$ac_cv_lib_fl_yywrap" >&6
+if test $ac_cv_lib_fl_yywrap = yes; then
+  LEXLIB="-lfl"
+else
+  echo "$as_me:2567: checking for yywrap in -ll" >&5
+echo $ECHO_N "checking for yywrap in -ll... $ECHO_C" >&6
+if test "${ac_cv_lib_l_yywrap+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ll  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 2575 "configure"
+#include "confdefs.h"
 
-int main() {
-yywrap()
-; return 0; }
-EOF
-if { (eval echo configure:1611: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=yes"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char yywrap ();
+int
+main ()
+{
+yywrap ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:2594: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:2597: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:2599: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:2602: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_lib_l_yywrap=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=no"
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_l_yywrap=no
 fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
-
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
 fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  LEXLIB="-l$ac_lib"
-else
-  echo "$ac_t""no" 1>&6
+echo "$as_me:2613: result: $ac_cv_lib_l_yywrap" >&5
+echo "${ECHO_T}$ac_cv_lib_l_yywrap" >&6
+if test $ac_cv_lib_l_yywrap = yes; then
+  LEXLIB="-ll"
+fi
+
 fi
 
 fi
 
-echo $ac_n "checking lex output file root""... $ac_c" 1>&6
-echo "configure:1634: checking lex output file root" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_lex_root'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+if test "x$LEX" != "x:"; then
+  echo "$as_me:2624: checking lex output file root" >&5
+echo $ECHO_N "checking lex output file root... $ECHO_C" >&6
+if test "${ac_cv_prog_lex_root+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   # The minimal lex program is just a single line: %%.  But some broken lexes
 # (Solaris, I think it was) want two %% lines, so accommodate them.
@@ -1643,122 +2635,175 @@ if test -f lex.yy.c; then
 elif test -f lexyy.c; then
   ac_cv_prog_lex_root=lexyy
 else
-  { echo "configure: error: cannot find output from $LEX; giving up" 1>&2; exit 1; }
+  { { echo "$as_me:2638: error: cannot find output from $LEX; giving up" >&5
+echo "$as_me: error: cannot find output from $LEX; giving up" >&2;}
+   { (exit 1); exit 1; }; }
 fi
 fi
-
-echo "$ac_t""$ac_cv_prog_lex_root" 1>&6
+echo "$as_me:2643: result: $ac_cv_prog_lex_root" >&5
+echo "${ECHO_T}$ac_cv_prog_lex_root" >&6
 LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
 
-echo $ac_n "checking whether yytext is a pointer""... $ac_c" 1>&6
-echo "configure:1655: checking whether yytext is a pointer" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_lex_yytext_pointer'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:2647: checking whether yytext is a pointer" >&5
+echo $ECHO_N "checking whether yytext is a pointer... $ECHO_C" >&6
+if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   # POSIX says lex can declare yytext either as a pointer or an array; the
 # default is implementation-dependent. Figure out which it is, since
 # not all implementations provide the %pointer and %array declarations.
 ac_cv_prog_lex_yytext_pointer=no
 echo 'extern char *yytext;' >>$LEX_OUTPUT_ROOT.c
-ac_save_LIBS="$LIBS"
+ac_save_LIBS=$LIBS
 LIBS="$LIBS $LEXLIB"
-cat > conftest.$ac_ext <<EOF
-#line 1667 "configure"
-#include "confdefs.h"
+cat >conftest.$ac_ext <<_ACEOF
 `cat $LEX_OUTPUT_ROOT.c`
-int main() {
-
-; return 0; }
-EOF
-if { (eval echo configure:1674: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:2663: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:2666: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:2668: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:2671: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_prog_lex_yytext_pointer=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_save_LIBS
 rm -f "${LEX_OUTPUT_ROOT}.c"
 
 fi
-
-echo "$ac_t""$ac_cv_prog_lex_yytext_pointer" 1>&6
+echo "$as_me:2683: result: $ac_cv_prog_lex_yytext_pointer" >&5
+echo "${ECHO_T}$ac_cv_prog_lex_yytext_pointer" >&6
 if test $ac_cv_prog_lex_yytext_pointer = yes; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define YYTEXT_POINTER 1
 EOF
 
 fi
 
-# Extract the first word of "ranlib", so it can be a program name with args.
-set dummy ranlib; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1698: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+fi
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ranlib; ac_word=$2
+echo "$as_me:2698: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_RANLIB+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$RANLIB"; then
   ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
 else
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
-  ac_dummy="$PATH"
-  for ac_dir in $ac_dummy; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      ac_cv_prog_RANLIB="ranlib"
-      break
-    fi
-  done
-  IFS="$ac_save_ifs"
-  test -z "$ac_cv_prog_RANLIB" && ac_cv_prog_RANLIB=":"
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+break
+done
+
 fi
 fi
-RANLIB="$ac_cv_prog_RANLIB"
+RANLIB=$ac_cv_prog_RANLIB
 if test -n "$RANLIB"; then
-  echo "$ac_t""$RANLIB" 1>&6
+  echo "$as_me:2720: result: $RANLIB" >&5
+echo "${ECHO_T}$RANLIB" >&6
+else
+  echo "$as_me:2723: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_RANLIB"; then
+  ac_ct_RANLIB=$RANLIB
+  # Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+echo "$as_me:2732: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_RANLIB"; then
+  ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_RANLIB="ranlib"
+break
+done
+
+  test -z "$ac_cv_prog_ac_ct_RANLIB" && ac_cv_prog_ac_ct_RANLIB=":"
+fi
+fi
+ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
+if test -n "$ac_ct_RANLIB"; then
+  echo "$as_me:2755: result: $ac_ct_RANLIB" >&5
+echo "${ECHO_T}$ac_ct_RANLIB" >&6
 else
-  echo "$ac_t""no" 1>&6
+  echo "$as_me:2758: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  RANLIB=$ac_ct_RANLIB
+else
+  RANLIB="$ac_cv_prog_RANLIB"
 fi
 
 for ac_prog in mawk gawk nawk awk
 do
-# Extract the first word of "$ac_prog", so it can be a program name with args.
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1730: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_AWK'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:2771: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_AWK+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$AWK"; then
   ac_cv_prog_AWK="$AWK" # Let the user override the test.
 else
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
-  ac_dummy="$PATH"
-  for ac_dir in $ac_dummy; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      ac_cv_prog_AWK="$ac_prog"
-      break
-    fi
-  done
-  IFS="$ac_save_ifs"
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_AWK="$ac_prog"
+break
+done
+
 fi
 fi
-AWK="$ac_cv_prog_AWK"
+AWK=$ac_cv_prog_AWK
 if test -n "$AWK"; then
-  echo "$ac_t""$AWK" 1>&6
+  echo "$as_me:2793: result: $AWK" >&5
+echo "${ECHO_T}$AWK" >&6
 else
-  echo "$ac_t""no" 1>&6
+  echo "$as_me:2796: result: no" >&5
+echo "${ECHO_T}no" >&6
 fi
 
-test -n "$AWK" && break
+  test -n "$AWK" && break
 done
 
-echo $ac_n "checking for ln -s or something else""... $ac_c" 1>&6
-echo "configure:1760: checking for ln -s or something else" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_LN_S'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:2803: checking for ln -s or something else" >&5
+echo $ECHO_N "checking for ln -s or something else... $ECHO_C" >&6
+if test "${ac_cv_prog_LN_S+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   rm -f conftestdata
 if ln -s X conftestdata 2>/dev/null
@@ -1776,16 +2821,14 @@ else
 fi
 fi
 LN_S="$ac_cv_prog_LN_S"
-echo "$ac_t""$ac_cv_prog_LN_S" 1>&6
-
-
+echo "$as_me:2824: result: $ac_cv_prog_LN_S" >&5
+echo "${ECHO_T}$ac_cv_prog_LN_S" >&6
 
 # Check whether --with-mips_abi or --without-mips_abi was given.
 if test "${with_mips_abi+set}" = set; then
   withval="$with_mips_abi"
-  :
-fi
 
+fi;
 
 case "$host_os" in
 irix*)
@@ -1801,75 +2844,104 @@ if test -n "$GCC"; then
 #
 # Don't you just love *all* the different SGI ABIs?
 
-case "${with_mips_abi}" in 
+case "${with_mips_abi}" in
         32|o32) abi='-mabi=32';  abilibdirext=''     ;;
        n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
         64) abi='-mabi=64';  abilibdirext='64'   ;;
 	no) abi=''; abilibdirext='';;
-         *) { echo "configure: error: "Invalid ABI specified"" 1>&2; exit 1; } ;;
+         *) { { echo "$as_me:2852: error: \"Invalid ABI specified\"" >&5
+echo "$as_me: error: \"Invalid ABI specified\"" >&2;}
+   { (exit 1); exit 1; }; } ;;
 esac
 if test -n "$abi" ; then
 ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
-echo $ac_n "checking if $CC supports the $abi option""... $ac_c" 1>&6
-echo "configure:1815: checking if $CC supports the $abi option" >&5
-if eval "test \"`echo '$''{'$ac_foo'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:2858: checking if $CC supports the $abi option" >&5
+echo $ECHO_N "checking if $CC supports the $abi option... $ECHO_C" >&6
+if eval "test \"\${$ac_foo+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 save_CFLAGS="$CFLAGS"
 CFLAGS="$CFLAGS $abi"
-cat > conftest.$ac_ext <<EOF
-#line 1823 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 2867 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 int x;
-; return 0; }
-EOF
-if { (eval echo configure:1830: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:2879: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:2882: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:2884: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:2887: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval $ac_foo=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval $ac_foo=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval $ac_foo=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 CFLAGS="$save_CFLAGS"
 
 fi
 
 ac_res=`eval echo \\\$$ac_foo`
-echo "$ac_t""$ac_res" 1>&6
+echo "$as_me:2901: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6
 if test $ac_res = no; then
 # Try to figure out why that failed...
 case $abi in
-	-mabi=32) 
+	-mabi=32)
 	save_CFLAGS="$CFLAGS"
 	CFLAGS="$CFLAGS -mabi=n32"
-	cat > conftest.$ac_ext <<EOF
-#line 1853 "configure"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 2910 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 int x;
-; return 0; }
-EOF
-if { (eval echo configure:1860: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:2922: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:2925: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:2927: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:2930: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_res=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_res=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_res=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 	CLAGS="$save_CFLAGS"
 	if test $ac_res = yes; then
 		# New GCC
-		{ echo "configure: error: $CC does not support the $with_mips_abi ABI" 1>&2; exit 1; }
+		{ { echo "$as_me:2942: error: $CC does not support the $with_mips_abi ABI" >&5
+echo "$as_me: error: $CC does not support the $with_mips_abi ABI" >&2;}
+   { (exit 1); exit 1; }; }
 	fi
 	# Old GCC
 	abi=''
@@ -1882,7 +2954,9 @@ rm -f conftest*
 			abilibdirext=''
 		else
 			# Some broken GCC
-			{ echo "configure: error: $CC does not support the $with_mips_abi ABI" 1>&2; exit 1; }
+			{ { echo "$as_me:2957: error: $CC does not support the $with_mips_abi ABI" >&5
+echo "$as_me: error: $CC does not support the $with_mips_abi ABI" >&2;}
+   { (exit 1); exit 1; }; }
 		fi
 	;;
 esac
@@ -1894,7 +2968,9 @@ case "${with_mips_abi}" in
        n32|yes) abi='-n32'; abilibdirext='32'  ;;
         64) abi='-64'; abilibdirext='64'   ;;
 	no) abi=''; abilibdirext='';;
-         *) { echo "configure: error: "Invalid ABI specified"" 1>&2; exit 1; } ;;
+         *) { { echo "$as_me:2971: error: \"Invalid ABI specified\"" >&5
+echo "$as_me: error: \"Invalid ABI specified\"" >&2;}
+   { (exit 1); exit 1; }; } ;;
 esac
 fi #if test -n "$GCC"; then
 ;;
@@ -1903,20 +2979,21 @@ esac
 CC="$CC $abi"
 libdir="$libdir$abilibdirext"
 
-
-echo $ac_n "checking for __attribute__""... $ac_c" 1>&6
-echo "configure:1909: checking for __attribute__" >&5
-if eval "test \"`echo '$''{'ac_cv___attribute__'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:2982: checking for __attribute__" >&5
+echo $ECHO_N "checking for __attribute__... $ECHO_C" >&6
+if test "${ac_cv___attribute__+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 1915 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 2989 "configure"
 #include "confdefs.h"
 
 #include <stdlib.h>
 
-int main() {
+int
+main ()
+{
 
 static void foo(void) __attribute__ ((noreturn));
 
@@ -1926,28 +3003,39 @@ foo(void)
   exit(1);
 }
 
-; return 0; }
-EOF
-if { (eval echo configure:1932: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:3011: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:3014: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:3016: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:3019: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv___attribute__=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv___attribute__=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv___attribute__=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test "$ac_cv___attribute__" = "yes"; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE___ATTRIBUTE__ 1
 EOF
 
 fi
-echo "$ac_t""$ac_cv___attribute__" 1>&6
-
+echo "$as_me:3037: result: $ac_cv___attribute__" >&5
+echo "${ECHO_T}$ac_cv___attribute__" >&6
 
 # Check whether --enable-shared or --disable-shared was given.
 if test "${enable_shared+set}" = set; then
@@ -1970,8 +3058,7 @@ no) enable_shared=no ;;
 esac
 else
   enable_shared=no
-fi
-
+fi;
 # Check whether --enable-static or --disable-static was given.
 if test "${enable_static+set}" = set; then
   enableval="$enable_static"
@@ -1993,7 +3080,29 @@ no) enable_static=no ;;
 esac
 else
   enable_static=yes
-fi
+fi;
+# Check whether --enable-fast-install or --disable-fast-install was given.
+if test "${enable_fast_install+set}" = set; then
+  enableval="$enable_fast_install"
+  p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_fast_install=yes ;;
+no) enable_fast_install=no ;;
+*)
+  enable_fast_install=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_fast_install=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac
+else
+  enable_fast_install=yes
+fi;
 
 # Check whether --with-gnu-ld or --without-gnu-ld was given.
 if test "${with_gnu_ld+set}" = set; then
@@ -2001,20 +3110,30 @@ if test "${with_gnu_ld+set}" = set; then
   test "$withval" = no || with_gnu_ld=yes
 else
   with_gnu_ld=no
-fi
-
-
+fi;
 ac_prog=ld
-if test "$ac_cv_prog_gcc" = yes; then
+if test "$ac_cv_c_compiler_gnu" = yes; then
   # Check if gcc -print-prog-name=ld gives a path.
-  echo $ac_n "checking for ld used by GCC""... $ac_c" 1>&6
-echo "configure:2012: checking for ld used by GCC" >&5
-  ac_prog=`($CC -print-prog-name=ld) 2>&5`
+  echo "$as_me:3117: checking for ld used by GCC" >&5
+echo $ECHO_N "checking for ld used by GCC... $ECHO_C" >&6
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
   case "$ac_prog" in
-  # Accept absolute paths.
-  /* | [A-Za-z]:\\*)
-    test -z "$LD" && LD="$ac_prog"
-    ;;
+    # Accept absolute paths.
+    [\\/]* | [A-Za-z]:[\\/]*)
+      re_direlt='/[^/][^/]*/\.\./'
+      # Canonicalize the path of ld
+      ac_prog=`echo $ac_prog| sed 's%\\\\%/%g'`
+      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`echo $ac_prog| sed "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD="$ac_prog"
+      ;;
   "")
     # If it fails, then pretend we aren't using GCC.
     ac_prog=ld
@@ -2025,20 +3144,20 @@ echo "configure:2012: checking for ld used by GCC" >&5
     ;;
   esac
 elif test "$with_gnu_ld" = yes; then
-  echo $ac_n "checking for GNU ld""... $ac_c" 1>&6
-echo "configure:2030: checking for GNU ld" >&5
+  echo "$as_me:3147: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6
 else
-  echo $ac_n "checking for non-GNU ld""... $ac_c" 1>&6
-echo "configure:2033: checking for non-GNU ld" >&5
+  echo "$as_me:3150: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6
 fi
-if eval "test \"`echo '$''{'ac_cv_path_LD'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+if test "${ac_cv_path_LD+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -z "$LD"; then
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
   for ac_dir in $PATH; do
     test -z "$ac_dir" && ac_dir=.
-    if test -f "$ac_dir/$ac_prog"; then
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
       ac_cv_path_LD="$ac_dir/$ac_prog"
       # Check to see if the program is GNU ld.  I'd rather use --version,
       # but apparently some GNU ld's only accept -v.
@@ -2046,7 +3165,7 @@ else
       if "$ac_cv_path_LD" -v 2>&1 < /dev/null | egrep '(GNU|with BFD)' > /dev/null; then
 	test "$with_gnu_ld" != no && break
       else
-        test "$with_gnu_ld" != yes && break
+	test "$with_gnu_ld" != yes && break
       fi
     fi
   done
@@ -2058,16 +3177,19 @@ fi
 
 LD="$ac_cv_path_LD"
 if test -n "$LD"; then
-  echo "$ac_t""$LD" 1>&6
+  echo "$as_me:3180: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6
 else
-  echo "$ac_t""no" 1>&6
+  echo "$as_me:3183: result: no" >&5
+echo "${ECHO_T}no" >&6
 fi
-test -z "$LD" && { echo "configure: error: no acceptable ld found in \$PATH" 1>&2; exit 1; }
-
-echo $ac_n "checking if the linker ($LD) is GNU ld""... $ac_c" 1>&6
-echo "configure:2069: checking if the linker ($LD) is GNU ld" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_gnu_ld'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+test -z "$LD" && { { echo "$as_me:3186: error: no acceptable ld found in \$PATH" >&5
+echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
+   { (exit 1); exit 1; }; }
+echo "$as_me:3189: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6
+if test "${ac_cv_prog_gnu_ld+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   # I'd rather use --version here, but apparently some GNU ld's only accept -v.
 if $LD -v 2>&1 </dev/null | egrep '(GNU|with BFD)' 1>&5; then
@@ -2076,34 +3198,49 @@ else
   ac_cv_prog_gnu_ld=no
 fi
 fi
+echo "$as_me:3201: result: $ac_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$ac_cv_prog_gnu_ld" >&6
+with_gnu_ld=$ac_cv_prog_gnu_ld
 
-echo "$ac_t""$ac_cv_prog_gnu_ld" 1>&6
-
+echo "$as_me:3205: checking for $LD option to reload object files" >&5
+echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6
+if test "${lt_cv_ld_reload_flag+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_ld_reload_flag='-r'
+fi
+echo "$as_me:3212: result: $lt_cv_ld_reload_flag" >&5
+echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6
+reload_flag=$lt_cv_ld_reload_flag
+test -n "$reload_flag" && reload_flag=" $reload_flag"
 
-echo $ac_n "checking for BSD-compatible nm""... $ac_c" 1>&6
-echo "configure:2085: checking for BSD-compatible nm" >&5
-if eval "test \"`echo '$''{'ac_cv_path_NM'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:3217: checking for BSD-compatible nm" >&5
+echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6
+if test "${ac_cv_path_NM+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$NM"; then
   # Let the user override the test.
   ac_cv_path_NM="$NM"
 else
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
-  for ac_dir in /usr/ucb /usr/ccs/bin $PATH /bin; do
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
+  for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
     test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/nm; then
+    tmp_nm=$ac_dir/${ac_tool_prefix}nm
+    if test -f $tmp_nm || test -f $tmp_nm$ac_exeext ; then
       # Check to see if the nm accepts a BSD-compat flag.
       # Adding the `sed 1q' prevents false positives on HP-UX, which says:
       #   nm: unknown option "B" ignored
-      if ($ac_dir/nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
-        ac_cv_path_NM="$ac_dir/nm -B"
-      elif ($ac_dir/nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
-        ac_cv_path_NM="$ac_dir/nm -p"
+      if ($tmp_nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+	ac_cv_path_NM="$tmp_nm -B"
+	break
+      elif ($tmp_nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+	ac_cv_path_NM="$tmp_nm -p"
+	break
       else
-        ac_cv_path_NM="$ac_dir/nm"
+	ac_cv_path_NM=${ac_cv_path_NM="$tmp_nm"} # keep the first match, but
+	continue # so that we can try to find one that supports BSD flags
       fi
-      break
     fi
   done
   IFS="$ac_save_ifs"
@@ -2112,48 +3249,481 @@ fi
 fi
 
 NM="$ac_cv_path_NM"
-echo "$ac_t""$NM" 1>&6
+echo "$as_me:3252: result: $NM" >&5
+echo "${ECHO_T}$NM" >&6
+
+echo "$as_me:3255: checking whether ln -s works" >&5
+echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6
+LN_S=$as_ln_s
+if test "$LN_S" = "ln -s"; then
+  echo "$as_me:3259: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+  echo "$as_me:3262: result: no, using $LN_S" >&5
+echo "${ECHO_T}no, using $LN_S" >&6
+fi
+
+echo "$as_me:3266: checking how to recognise dependant libraries" >&5
+echo $ECHO_N "checking how to recognise dependant libraries... $ECHO_C" >&6
+if test "${lt_cv_deplibs_check_method+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_file_magic_cmd='${MAGIC}'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [regex]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given egrep regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case "$host_os" in
+aix4*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+beos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+bsdi4*)
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
+    lt_cv_file_magic_cmd='/usr/bin/file -L'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  ;;
+
+cygwin* | mingw*)
+  lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+  lt_cv_file_magic_cmd='${OBJDUMP} -f'
+  ;;
+
+freebsd*)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+    case "$host_cpu" in
+    i*86 )
+            lt_cv_deplibs_check_method=='file_magic OpenBSD/i[3-9]86 demand paged shared library'
+            lt_cv_file_magic_cmd=/usr/bin/file
+      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+      ;;
+    esac
+  else
+    lt_cv_deplibs_check_method=pass_all
+  fi
+  ;;
+
+gnu*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+hpux10.20*)
+  # TODO:  Does this work for hpux-11 too?
+  lt_cv_deplibs_check_method='file_magic (s0-90-90-9|PA-RISC0-9.0-9) shared library'
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=/usr/lib/libc.sl
+  ;;
+
+irix5* | irix6*)
+  case "$host_os" in
+  irix5*)
+    # this will be overridden with pass_all, but let us keep it just in case
+    lt_cv_deplibs_check_method="file_magic ELF 32-bit MSB dynamic lib MIPS - version 1"
+    ;;
+  *)
+    case "$LD" in
+    *-32|*"-32 ") libmagic=32-bit;;
+    *-n32|*"-n32 ") libmagic=N32;;
+    *-64|*"-64 ") libmagic=64-bit;;
+    *) libmagic=never-match;;
+    esac
+    # this will be overridden with pass_all, but let us keep it just in case
+        lt_cv_deplibs_check_method="file_magic ELF ${libmagic} MSB mips-[1234] dynamic lib MIPS - version 1"
+        ;;
+  esac
+  lt_cv_file_magic_test_file=`echo /lib${libsuff}/libc.so*`
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+# This must be Linux ELF.
+linux-gnu*)
+  case "$host_cpu" in
+  alpha* | i*86 | powerpc* | sparc* | ia64* )
+    lt_cv_deplibs_check_method=pass_all ;;
+  *)
+    # glibc up to 2.1.1 does not perform some relocations on ARM
+        lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' ;;
+      esac
+  lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
+  ;;
+
+netbsd*)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then :
+  else
+        lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB shared object'
+        lt_cv_file_magic_cmd='/usr/bin/file -L'
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+  fi
+  ;;
+
+osf3* | osf4* | osf5*)
+  # this will be overridden with pass_all, but let us keep it just in case
+  lt_cv_deplibs_check_method='file_magic COFF format alpha shared library'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sco3.2v5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+solaris*)
+  lt_cv_deplibs_check_method=pass_all
+  lt_cv_file_magic_test_file=/lib/libc.so
+  ;;
 
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+  case "$host_vendor" in
+  ncr)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  motorola)
+        lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
+        lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+    ;;
+  esac
+  ;;
+esac
 
-echo $ac_n "checking whether ln -s works""... $ac_c" 1>&6
-echo "configure:2120: checking whether ln -s works" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_LN_S'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+fi
+echo "$as_me:3402: result: $lt_cv_deplibs_check_method" >&5
+echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+
+# Only perform the check for file, if the check method requires it
+case "$deplibs_check_method" in
+file_magic*)
+  if test "$file_magic_cmd" = '${MAGIC}'; then
+    echo "$as_me:3411: checking for ${ac_tool_prefix}file" >&5
+echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6
+if test "${lt_cv_path_MAGIC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  rm -f conftestdata
-if ln -s X conftestdata 2>/dev/null
-then
-  rm -f conftestdata
-  ac_cv_prog_LN_S="ln -s"
+  case "$MAGIC" in
+  /*)
+  lt_cv_path_MAGIC="$MAGIC" # Let the user override the test with a path.
+  ;;
+  ?:/*)
+  ac_cv_path_MAGIC="$MAGIC" # Let the user override the test with a dos path.
+  ;;
+  *)
+  ac_save_MAGIC="$MAGIC"
+  IFS="${IFS=   }"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="/usr/bin:$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/${ac_tool_prefix}file; then
+      lt_cv_path_MAGIC="$ac_dir/${ac_tool_prefix}file"
+      if test -n "$file_magic_test_file"; then
+	case "$deplibs_check_method" in
+	"file_magic "*)
+	  file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+	  MAGIC="$lt_cv_path_MAGIC"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    egrep "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  MAGIC="$ac_save_MAGIC"
+  ;;
+esac
+fi
+
+MAGIC="$lt_cv_path_MAGIC"
+if test -n "$MAGIC"; then
+  echo "$as_me:3466: result: $MAGIC" >&5
+echo "${ECHO_T}$MAGIC" >&6
 else
-  ac_cv_prog_LN_S=ln
+  echo "$as_me:3469: result: no" >&5
+echo "${ECHO_T}no" >&6
 fi
+
+if test -z "$lt_cv_path_MAGIC"; then
+  if test -n "$ac_tool_prefix"; then
+    echo "$as_me:3475: checking for file" >&5
+echo $ECHO_N "checking for file... $ECHO_C" >&6
+if test "${lt_cv_path_MAGIC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case "$MAGIC" in
+  /*)
+  lt_cv_path_MAGIC="$MAGIC" # Let the user override the test with a path.
+  ;;
+  ?:/*)
+  ac_cv_path_MAGIC="$MAGIC" # Let the user override the test with a dos path.
+  ;;
+  *)
+  ac_save_MAGIC="$MAGIC"
+  IFS="${IFS=   }"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="/usr/bin:$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/file; then
+      lt_cv_path_MAGIC="$ac_dir/file"
+      if test -n "$file_magic_test_file"; then
+	case "$deplibs_check_method" in
+	"file_magic "*)
+	  file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+	  MAGIC="$lt_cv_path_MAGIC"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    egrep "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  MAGIC="$ac_save_MAGIC"
+  ;;
+esac
 fi
-LN_S="$ac_cv_prog_LN_S"
-if test "$ac_cv_prog_LN_S" = "ln -s"; then
-  echo "$ac_t""yes" 1>&6
+
+MAGIC="$lt_cv_path_MAGIC"
+if test -n "$MAGIC"; then
+  echo "$as_me:3530: result: $MAGIC" >&5
+echo "${ECHO_T}$MAGIC" >&6
 else
-  echo "$ac_t""no" 1>&6
+  echo "$as_me:3533: result: no" >&5
+echo "${ECHO_T}no" >&6
 fi
 
-# Always use our own libtool.
-LIBTOOL='$(top_builddir)/libtool'
+  else
+    MAGIC=:
+  fi
+fi
+
+  fi
+  ;;
+esac
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ranlib; ac_word=$2
+echo "$as_me:3549: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_RANLIB+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$RANLIB"; then
+  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+break
+done
+
+fi
+fi
+RANLIB=$ac_cv_prog_RANLIB
+if test -n "$RANLIB"; then
+  echo "$as_me:3571: result: $RANLIB" >&5
+echo "${ECHO_T}$RANLIB" >&6
+else
+  echo "$as_me:3574: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_RANLIB"; then
+  ac_ct_RANLIB=$RANLIB
+  # Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+echo "$as_me:3583: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_RANLIB"; then
+  ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_RANLIB="ranlib"
+break
+done
+
+  test -z "$ac_cv_prog_ac_ct_RANLIB" && ac_cv_prog_ac_ct_RANLIB=":"
+fi
+fi
+ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
+if test -n "$ac_ct_RANLIB"; then
+  echo "$as_me:3606: result: $ac_ct_RANLIB" >&5
+echo "${ECHO_T}$ac_ct_RANLIB" >&6
+else
+  echo "$as_me:3609: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  RANLIB=$ac_ct_RANLIB
+else
+  RANLIB="$ac_cv_prog_RANLIB"
+fi
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+echo "$as_me:3621: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_STRIP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$STRIP"; then
+  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+break
+done
+
+fi
+fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+  echo "$as_me:3643: result: $STRIP" >&5
+echo "${ECHO_T}$STRIP" >&6
+else
+  echo "$as_me:3646: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_STRIP"; then
+  ac_ct_STRIP=$STRIP
+  # Extract the first word of "strip", so it can be a program name with args.
+set dummy strip; ac_word=$2
+echo "$as_me:3655: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_STRIP"; then
+  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_STRIP="strip"
+break
+done
+
+  test -z "$ac_cv_prog_ac_ct_STRIP" && ac_cv_prog_ac_ct_STRIP=":"
+fi
+fi
+ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
+if test -n "$ac_ct_STRIP"; then
+  echo "$as_me:3678: result: $ac_ct_STRIP" >&5
+echo "${ECHO_T}$ac_ct_STRIP" >&6
+else
+  echo "$as_me:3681: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  STRIP=$ac_ct_STRIP
+else
+  STRIP="$ac_cv_prog_STRIP"
+fi
 
 # Check for any special flags to pass to ltconfig.
-libtool_flags=
+libtool_flags="--cache-file=$cache_file"
 test "$enable_shared" = no && libtool_flags="$libtool_flags --disable-shared"
 test "$enable_static" = no && libtool_flags="$libtool_flags --disable-static"
-test "$silent" = yes && libtool_flags="$libtool_flags --silent"
-test "$ac_cv_prog_gcc" = yes && libtool_flags="$libtool_flags --with-gcc"
+test "$enable_fast_install" = no && libtool_flags="$libtool_flags --disable-fast-install"
+test "$ac_cv_c_compiler_gnu" = yes && libtool_flags="$libtool_flags --with-gcc"
 test "$ac_cv_prog_gnu_ld" = yes && libtool_flags="$libtool_flags --with-gnu-ld"
 
+# Check whether --enable-libtool-lock or --disable-libtool-lock was given.
+if test "${enable_libtool_lock+set}" = set; then
+  enableval="$enable_libtool_lock"
+
+fi;
+test "x$enable_libtool_lock" = xno && libtool_flags="$libtool_flags --disable-lock"
+test x"$silent" = xyes && libtool_flags="$libtool_flags --silent"
+
+# Check whether --with-pic or --without-pic was given.
+if test "${with_pic+set}" = set; then
+  withval="$with_pic"
+  pic_mode="$withval"
+else
+  pic_mode=default
+fi;
+test x"$pic_mode" = xyes && libtool_flags="$libtool_flags --prefer-pic"
+test x"$pic_mode" = xno && libtool_flags="$libtool_flags --prefer-non-pic"
+
 # Some flags need to be propagated to the compiler or linker for good
 # libtool support.
 case "$host" in
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 2156 "configure"' > conftest.$ac_ext
-  if { (eval echo configure:2157: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  echo '#line 3721 "configure"' > conftest.$ac_ext
+  if { (eval echo "$as_me:3722: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:3725: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
     case "`/usr/bin/file conftest.o`" in
     *32-bit*)
       LD="${LD-ld} -32"
@@ -2171,23 +3741,164 @@ case "$host" in
 
 *-*-sco3.2v5*)
   # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS="$CFLAGS"
   CFLAGS="$CFLAGS -belf"
+  echo "$as_me:3746: checking whether the C compiler needs -belf" >&5
+echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6
+if test "${lt_cv_cc_needs_belf+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+     ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+     cat >conftest.$ac_ext <<_ACEOF
+#line 3759 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:3771: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:3774: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:3776: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:3779: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  lt_cv_cc_needs_belf=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+lt_cv_cc_needs_belf=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+     ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+fi
+echo "$as_me:3795: result: $lt_cv_cc_needs_belf" >&5
+echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6
+  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS="$SAVE_CFLAGS"
+  fi
   ;;
+
 esac
 
+# Save cache, so that ltconfig can load it
+cat >confcache <<\_ACEOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems.  If it contains results you don't
+# want to keep, you may remove or edit it.
+#
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
+#
+# `ac_cv_env_foo' variables (set or unset) will be overriden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
+
+_ACEOF
+
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+{
+  (set) 2>&1 |
+    case `(ac_space=' '; set | grep ac_space) 2>&1` in
+    *ac_space=\ *)
+      # `set' does not quote correctly, so add quotes (double-quote
+      # substitution turns \\\\ into \\, and sed turns \\ into \).
+      sed -n \
+        "s/'/'\\\\''/g;
+    	  s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+      ;;
+    *)
+      # `set' quotes correctly as required by POSIX, so do not add quotes.
+      sed -n \
+        "s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+      ;;
+    esac;
+} |
+  sed '
+     t clear
+     : clear
+     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+     t end
+     /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+     : end' >>confcache
+if cmp -s $cache_file confcache; then :; else
+  if test -w $cache_file; then
+    test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
+    cat confcache >$cache_file
+  else
+    echo "not updating unwritable cache $cache_file"
+  fi
+fi
+rm -f confcache
+
 # Actually configure libtool.  ac_aux_dir is where install-sh is found.
-CC="$CC" CFLAGS="$CFLAGS" CPPFLAGS="$CPPFLAGS" \
-LD="$LD" NM="$NM" RANLIB="$RANLIB" LN_S="$LN_S" \
+AR="$AR" CC="$CC" CFLAGS="$CFLAGS" CPPFLAGS="$CPPFLAGS" \
+MAGIC="$MAGIC" LD="$LD" LDFLAGS="$LDFLAGS" LIBS="$LIBS" \
+LN_S="$LN_S" NM="$NM" RANLIB="$RANLIB" STRIP="$STRIP" \
+AS="$AS" DLLTOOL="$DLLTOOL" OBJDUMP="$OBJDUMP" \
+objext="$OBJEXT" exeext="$EXEEXT" reload_flag="$reload_flag" \
+deplibs_check_method="$deplibs_check_method" file_magic_cmd="$file_magic_cmd" \
 ${CONFIG_SHELL-/bin/sh} $ac_aux_dir/ltconfig --no-reexec \
-$libtool_flags --no-verify $ac_aux_dir/ltmain.sh $host \
-|| { echo "configure: error: libtool configure failed" 1>&2; exit 1; }
+$libtool_flags --no-verify --build="$build" $ac_aux_dir/ltmain.sh $host \
+|| { { echo "$as_me:3870: error: libtool configure failed" >&5
+echo "$as_me: error: libtool configure failed" >&2;}
+   { (exit 1); exit 1; }; }
+
+# Reload cache, that may have been modified by ltconfig
+if test -r "$cache_file"; then
+  # Some versions of bash will fail to source /dev/null (special
+  # files actually), so we avoid doing that.
+  if test -f "$cache_file"; then
+    { echo "$as_me:3879: loading cache $cache_file" >&5
+echo "$as_me: loading cache $cache_file" >&6;}
+    case $cache_file in
+      [\\/]* | ?:[\\/]* ) . $cache_file;;
+      *)                      . ./$cache_file;;
+    esac
+  fi
+else
+  { echo "$as_me:3887: creating cache $cache_file" >&5
+echo "$as_me: creating cache $cache_file" >&6;}
+  >$cache_file
+fi
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltconfig $ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
 
 # Redirect the config.log output again, so that the ltconfig log is not
 # clobbered by the next message.
 exec 5>>./config.log
 
-
-
 WFLAGS_NOUNUSED=""
 WFLAGS_NOIMPLICITINT=""
 if test -z "$WFLAGS" -a "$GCC" = "yes"; then
@@ -2201,49 +3912,7953 @@ if test -z "$WFLAGS" -a "$GCC" = "yes"; then
   WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
 fi
 
-
 berkeley_db=db
+
 # Check whether --with-berkeley-db or --without-berkeley-db was given.
 if test "${with_berkeley_db+set}" = set; then
   withval="$with_berkeley_db"
-  
+
 if test "$withval" = no; then
 	berkeley_db=""
 fi
 
+fi;
+if test "$berkeley_db"; then
+
+for ac_header in 				\
+	db.h					\
+	db_185.h				\
+
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+echo "$as_me:3934: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 3940 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:3944: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:3950: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:3969: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
 fi
 
+echo "$as_me:3981: checking for dbopen" >&5
+echo $ECHO_N "checking for dbopen... $ECHO_C" >&6
+if test "${ac_cv_funclib_dbopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
 
+if eval "test \"\$ac_cv_func_dbopen\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in $berkeley_db; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 3997 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#if defined(HAVE_DB_185_H)
+#include <db_185.h>
+#elif defined(HAVE_DB_H)
+#include <db.h>
+#endif
+
+int
+main ()
+{
+dbopen(NULL, 0, 0, 0, NULL)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:4016: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:4019: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:4021: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:4024: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbopen=$ac_lib; else ac_cv_funclib_dbopen=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_dbopen=\${ac_cv_funclib_dbopen-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_dbopen"
+
+if false; then
+
+for ac_func in dbopen
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:4046: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4052 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:4083: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:4086: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:4088: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:4091: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:4101: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# dbopen
+eval "ac_tr_func=HAVE_`echo dbopen | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dbopen=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dbopen=yes"
+	eval "LIB_dbopen="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:4125: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_dbopen=no"
+	eval "LIB_dbopen="
+	echo "$as_me:4131: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_dbopen=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:4145: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:4150: checking for dbm_firstkey" >&5
+echo $ECHO_N "checking for dbm_firstkey... $ECHO_C" >&6
+if test "${ac_cv_funclib_dbm_firstkey+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_dbm_firstkey\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" $berkeley_db gdbm ndbm; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 4166 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+dbm_firstkey()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:4178: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:4181: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:4183: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:4186: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbm_firstkey=$ac_lib; else ac_cv_funclib_dbm_firstkey=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_dbm_firstkey=\${ac_cv_funclib_dbm_firstkey-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_dbm_firstkey"
+
+if false; then
+
+for ac_func in dbm_firstkey
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:4208: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4214 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:4245: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:4248: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:4250: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:4253: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:4263: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# dbm_firstkey
+eval "ac_tr_func=HAVE_`echo dbm_firstkey | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dbm_firstkey=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dbm_firstkey=yes"
+	eval "LIB_dbm_firstkey="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:4287: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_dbm_firstkey=no"
+	eval "LIB_dbm_firstkey="
+	echo "$as_me:4293: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_dbm_firstkey=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:4307: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:4312: checking for db_create" >&5
+echo $ECHO_N "checking for db_create... $ECHO_C" >&6
+if test "${ac_cv_funclib_db_create+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_db_create\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" $berkeley_db; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 4328 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+db_create()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:4340: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:4343: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:4345: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:4348: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_db_create=$ac_lib; else ac_cv_funclib_db_create=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_db_create=\${ac_cv_funclib_db_create-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_db_create"
+
+if false; then
+
+for ac_func in db_create
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:4370: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4376 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:4407: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:4410: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:4412: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:4415: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:4425: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# db_create
+eval "ac_tr_func=HAVE_`echo db_create | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_db_create=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_db_create=yes"
+	eval "LIB_db_create="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:4449: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_db_create=no"
+	eval "LIB_db_create="
+	echo "$as_me:4455: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_db_create=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:4469: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+DBLIB="$LIB_dbopen"
+if test "$LIB_dbopen" != "$LIB_db_create"; then
+        DBLIB="$DBLIB $LIB_db_create"
+fi
+if test "$LIB_dbopen" != "$LIB_dbm_firstkey"; then
+	DBLIB="$DBLIB $LIB_dbm_firstkey"
+fi
+
+echo "$as_me:4482: checking for inline" >&5
+echo $ECHO_N "checking for inline... $ECHO_C" >&6
+if test "${ac_cv_c_inline+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_c_inline=no
+for ac_kw in inline __inline__ __inline; do
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4490 "configure"
+#include "confdefs.h"
+#ifndef __cplusplus
+$ac_kw int foo () {return 0; }
+#endif
+
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:4498: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:4501: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:4503: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:4506: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_c_inline=$ac_kw; break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+done
+
+fi
+echo "$as_me:4517: result: $ac_cv_c_inline" >&5
+echo "${ECHO_T}$ac_cv_c_inline" >&6
+case $ac_cv_c_inline in
+  inline | yes) ;;
+  no)
+cat >>confdefs.h <<\EOF
+#define inline
+EOF
+ ;;
+  *)  cat >>confdefs.h <<EOF
+#define inline $ac_cv_c_inline
+EOF
+ ;;
+esac
+
+echo "$as_me:4532: checking for an ANSI C-conforming const" >&5
+echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
+if test "${ac_cv_c_const+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4538 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+/* FIXME: Include the comments suggested by Paul. */
+#ifndef __cplusplus
+  /* Ultrix mips cc rejects this.  */
+  typedef int charset[2];
+  const charset x;
+  /* SunOS 4.1.1 cc rejects this.  */
+  char const *const *ccp;
+  char **p;
+  /* NEC SVR4.0.2 mips cc rejects this.  */
+  struct point {int x, y;};
+  static struct point const zero = {0,0};
+  /* AIX XL C 1.02.0.0 rejects this.
+     It does not let you subtract one const X* pointer from another in
+     an arm of an if-expression whose if-part is not a constant
+     expression */
+  const char *g = "string";
+  ccp = &g + (g ? g-g : 0);
+  /* HPUX 7.0 cc rejects these. */
+  ++ccp;
+  p = (char**) ccp;
+  ccp = (char const *const *) p;
+  { /* SCO 3.2v4 cc rejects this.  */
+    char *t;
+    char const *s = 0 ? (char *) 0 : (char const *) 0;
+
+    *t++ = 0;
+  }
+  { /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
+    int x[] = {25, 17};
+    const int *foo = &x[0];
+    ++foo;
+  }
+  { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
+    typedef const int *iptr;
+    iptr p = 0;
+    ++p;
+  }
+  { /* AIX XL C 1.02.0.0 rejects this saying
+       "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
+    struct s { int j; const int *ap[3]; };
+    struct s *b; b->j = 5;
+  }
+  { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
+    const int foo = 10;
+  }
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:4596: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:4599: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:4601: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:4604: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_c_const=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_c_const=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:4614: result: $ac_cv_c_const" >&5
+echo "${ECHO_T}$ac_cv_c_const" >&6
+if test $ac_cv_c_const = no; then
+
+cat >>confdefs.h <<\EOF
+#define const
+EOF
+
+fi
+
+echo "$as_me:4624: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
+if test "${ac_cv_header_stdc+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4630 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+
+_ACEOF
+if { (eval echo "$as_me:4638: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:4644: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  ac_cv_header_stdc=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_header_stdc=no
+fi
+rm -f conftest.err conftest.$ac_ext
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4666 "configure"
+#include "confdefs.h"
+#include <string.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "memchr" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4684 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "free" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+  if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4705 "configure"
+#include "confdefs.h"
+#include <ctype.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) (('a' <= (c) && (c) <= 'i') \
+                     || ('j' <= (c) && (c) <= 'r') \
+                     || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
+
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+  int i;
+  for (i = 0; i < 256; i++)
+    if (XOR (islower (i), ISLOWER (i))
+        || toupper (i) != TOUPPER (i))
+      exit(2);
+  exit (0);
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:4731: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:4734: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:4735: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:4738: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_header_stdc=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+fi
+fi
+echo "$as_me:4751: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6
+if test $ac_cv_header_stdc = yes; then
+
+cat >>confdefs.h <<\EOF
+#define STDC_HEADERS 1
+EOF
+
+fi
+
+for ac_header in stdlib.h string.h memory.h strings.h inttypes.h unistd.h
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+echo "$as_me:4764: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4770 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:4774: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:4780: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:4799: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+echo "$as_me:4809: checking for size_t" >&5
+echo $ECHO_N "checking for size_t... $ECHO_C" >&6
+if test "${ac_cv_type_size_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4815 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((size_t *) 0)
+  return 0;
+if (sizeof (size_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:4830: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:4833: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:4835: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:4838: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_size_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_size_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:4848: result: $ac_cv_type_size_t" >&5
+echo "${ECHO_T}$ac_cv_type_size_t" >&6
+if test $ac_cv_type_size_t = yes; then
+  :
+else
+
+cat >>confdefs.h <<EOF
+#define size_t unsigned
+EOF
+
+fi
+
+echo "$as_me:4860: checking for pid_t" >&5
+echo $ECHO_N "checking for pid_t... $ECHO_C" >&6
+if test "${ac_cv_type_pid_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4866 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((pid_t *) 0)
+  return 0;
+if (sizeof (pid_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:4881: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:4884: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:4886: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:4889: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_pid_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_pid_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:4899: result: $ac_cv_type_pid_t" >&5
+echo "${ECHO_T}$ac_cv_type_pid_t" >&6
+if test $ac_cv_type_pid_t = yes; then
+  :
+else
+
+cat >>confdefs.h <<EOF
+#define pid_t int
+EOF
+
+fi
+
+echo "$as_me:4911: checking for uid_t in sys/types.h" >&5
+echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6
+if test "${ac_cv_type_uid_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4917 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "uid_t" >/dev/null 2>&1; then
+  ac_cv_type_uid_t=yes
+else
+  ac_cv_type_uid_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:4931: result: $ac_cv_type_uid_t" >&5
+echo "${ECHO_T}$ac_cv_type_uid_t" >&6
+if test $ac_cv_type_uid_t = no; then
+
+cat >>confdefs.h <<\EOF
+#define uid_t int
+EOF
+
+cat >>confdefs.h <<\EOF
+#define gid_t int
+EOF
+
+fi
+
+echo "$as_me:4945: checking return type of signal handlers" >&5
+echo $ECHO_N "checking return type of signal handlers... $ECHO_C" >&6
+if test "${ac_cv_type_signal+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4951 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <signal.h>
+#ifdef signal
+# undef signal
+#endif
+#ifdef __cplusplus
+extern "C" void (*signal (int, void (*)(int)))(int);
+#else
+void (*signal ()) ();
+#endif
+
+int
+main ()
+{
+int i;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:4973: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:4976: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:4978: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:4981: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_signal=void
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_signal=int
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:4991: result: $ac_cv_type_signal" >&5
+echo "${ECHO_T}$ac_cv_type_signal" >&6
+
+cat >>confdefs.h <<EOF
+#define RETSIGTYPE $ac_cv_type_signal
+EOF
+
+if test "$ac_cv_type_signal" = "void" ; then
+
+cat >>confdefs.h <<\EOF
+#define VOID_RETSIGTYPE 1
+EOF
+
+fi
+
+echo "$as_me:5006: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
+if test "${ac_cv_header_time+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5012 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <time.h>
+
+int
+main ()
+{
+struct tm *tp;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:5027: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:5030: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:5032: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:5035: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_header_time=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_header_time=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:5045: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6
+if test $ac_cv_header_time = yes; then
+
+cat >>confdefs.h <<\EOF
+#define TIME_WITH_SYS_TIME 1
+EOF
+
+fi
+
+for ac_header in standards.h
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+echo "$as_me:5058: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5064 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:5068: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:5074: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:5093: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+for i in netinet/ip.h netinet/tcp.h; do
+
+cv=`echo "$i" | sed 'y%./+-%__p_%'`
+
+echo "$as_me:5107: checking for $i" >&5
+echo $ECHO_N "checking for $i... $ECHO_C" >&6
+if eval "test \"\${ac_cv_header_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5113 "configure"
+#include "confdefs.h"
+\
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+#include <$i>
+
+_ACEOF
+if { (eval echo "$as_me:5122: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:5128: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "ac_cv_header_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_header_$cv=no"
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:5147: result: `eval echo '${'ac_cv_header_$cv'}'`" >&5
+echo "${ECHO_T}`eval echo '${'ac_cv_header_$cv'}'`" >&6
+ac_res=`eval echo \\$ac_cv_header_$cv`
+if test "$ac_res" = yes; then
+	ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+	cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+done
+if false;then
+
+for ac_header in netinet/ip.h netinet/tcp.h
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+echo "$as_me:5163: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5169 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:5173: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:5179: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:5198: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+
+for ac_func in getlogin setlogin
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:5213: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5219 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:5250: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:5253: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:5255: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:5258: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:5268: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+if test "$ac_cv_func_getlogin" = yes; then
+echo "$as_me:5279: checking if getlogin is posix" >&5
+echo $ECHO_N "checking if getlogin is posix... $ECHO_C" >&6
+if test "${ac_cv_func_getlogin_posix+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
+	ac_cv_func_getlogin_posix=no
+else
+	ac_cv_func_getlogin_posix=yes
+fi
+
+fi
+echo "$as_me:5292: result: $ac_cv_func_getlogin_posix" >&5
+echo "${ECHO_T}$ac_cv_func_getlogin_posix" >&6
+if test "$ac_cv_func_getlogin_posix" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define POSIX_GETLOGIN 1
+EOF
+
+fi
+fi
+
+echo "$as_me:5303: checking if realloc if broken" >&5
+echo $ECHO_N "checking if realloc if broken... $ECHO_C" >&6
+if test "${ac_cv_func_realloc_broken+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+ac_cv_func_realloc_broken=no
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5314 "configure"
+#include "confdefs.h"
+
+#include <stddef.h>
+#include <stdlib.h>
+
+int main()
+{
+	return realloc(NULL, 17) == NULL;
+}
+
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:5327: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:5330: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:5331: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:5334: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_realloc_broken=yes
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+fi
+echo "$as_me:5347: result: $ac_cv_func_realloc_broken" >&5
+echo "${ECHO_T}$ac_cv_func_realloc_broken" >&6
+if test "$ac_cv_func_realloc_broken" = yes ; then
+
+cat >>confdefs.h <<\EOF
+#define BROKEN_REALLOC 1
+EOF
+
+fi
+
+DIR_roken=roken
+LIB_roken='$(top_builddir)/lib/roken/libroken.la'
+INCLUDES_roken='-I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken'
+
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+if test -z "$WFLAGS" -a "$GCC" = "yes"; then
+  # -Wno-implicit-int for broken X11 headers
+  # leave these out for now:
+  #   -Wcast-align doesn't work well on alpha osf/1
+  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
+  #   -Wmissing-declarations -Wnested-externs
+  WFLAGS="-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs"
+  WFLAGS_NOUNUSED="-Wno-unused"
+  WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+fi
+
+echo "$as_me:5374: checking for ssize_t" >&5
+echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6
+if test "${ac_cv_type_ssize_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5380 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <unistd.h>
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ssize_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  ac_cv_type_ssize_t=yes
+else
+  ac_cv_type_ssize_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:5398: result: $ac_cv_type_ssize_t" >&5
+echo "${ECHO_T}$ac_cv_type_ssize_t" >&6
+if test $ac_cv_type_ssize_t = no; then
+
+cat >>confdefs.h <<\EOF
+#define ssize_t int
+EOF
+
+fi
+
+cv=`echo "long long" | sed 'y%./+- %__p__%'`
+echo "$as_me:5409: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5415 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+
+int
+main ()
+{
+long long foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:5432: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:5435: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:5437: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:5440: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:5451: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo long long | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:5456: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6
+if test "${ac_cv_type_long_long+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5462 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((long long *) 0)
+  return 0;
+if (sizeof (long long))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:5477: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:5480: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:5482: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:5485: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_long_long=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_long_long=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:5495: result: $ac_cv_type_long_long" >&5
+echo "${ECHO_T}$ac_cv_type_long_long" >&6
+if test $ac_cv_type_long_long = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_LONG_LONG 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+for ac_header in \
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	config.h				\
+	crypt.h					\
+	dbm.h					\
+	db.h					\
+	dirent.h				\
+	errno.h					\
+	err.h					\
+	fcntl.h					\
+	gdbm/ndbm.h				\
+	grp.h					\
+	ifaddrs.h				\
+	ndbm.h					\
+	net/if.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6.h				\
+	netinet/in_systm.h			\
+	netinet6/in6.h				\
+	netinet6/in6_var.h			\
+	paths.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	rpcsvc/ypclnt.h				\
+	shadow.h				\
+	sys/ioctl.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/resource.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/sysctl.h				\
+	sys/time.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	termios.h				\
+	unistd.h				\
+	userconf.h				\
+	usersec.h				\
+	util.h					\
+	vis.h					\
+	winsock.h				\
+
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+echo "$as_me:5566: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5572 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:5576: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:5582: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:5601: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+if test "$ac_cv_header_err_h" = yes; then
+  have_err_h_TRUE=
+  have_err_h_FALSE='#'
+else
+  have_err_h_TRUE='#'
+  have_err_h_FALSE=
+fi
+
+if test "$ac_cv_header_fnmatch_h" = yes; then
+  have_fnmatch_h_TRUE=
+  have_fnmatch_h_FALSE='#'
+else
+  have_fnmatch_h_TRUE='#'
+  have_fnmatch_h_FALSE=
+fi
+
+if test "$ac_cv_header_ifaddrs_h" = yes; then
+  have_ifaddrs_h_TRUE=
+  have_ifaddrs_h_FALSE='#'
+else
+  have_ifaddrs_h_TRUE='#'
+  have_ifaddrs_h_FALSE=
+fi
+
+if test "$ac_cv_header_vis_h" = yes; then
+  have_vis_h_TRUE=
+  have_vis_h_FALSE='#'
+else
+  have_vis_h_TRUE='#'
+  have_vis_h_FALSE=
+fi
+
+# Check whether --with-ipv6 or --without-ipv6 was given.
+if test "${with_ipv6+set}" = set; then
+  withval="$with_ipv6"
+
+if test "$withval" = "no"; then
+	ac_cv_lib_ipv6=no
+fi
+fi;
+if test "${ac_cv_lib_ipv6+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  v6type=unknown
+v6lib=none
+
+echo "$as_me:5657: checking ipv6 stack type" >&5
+echo $ECHO_N "checking ipv6 stack type... $ECHO_C" >&6
+for i in v6d toshiba kame inria zeta linux; do
+	case $i in
+	v6d)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5663 "configure"
+#include "confdefs.h"
+
+#include </usr/local/v6/include/sys/types.h>
+#ifdef __V6D__
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=v6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-I/usr/local/v6/include $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	toshiba)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5682 "configure"
+#include "confdefs.h"
+
+#include <sys/param.h>
+#ifdef _TOSHIBA_INET6
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	kame)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5701 "configure"
+#include "confdefs.h"
+
+#include <netinet/in.h>
+#ifdef __KAME__
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	inria)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5720 "configure"
+#include "confdefs.h"
+
+#include <netinet/in.h>
+#ifdef IPV6_INRIA_VERSION
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	zeta)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5737 "configure"
+#include "confdefs.h"
+
+#include <sys/param.h>
+#ifdef _ZETA_MINAMI_INET6
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	linux)
+		if test -d /usr/inet6; then
+			v6type=$i
+			v6lib=inet6
+			v6libdir=/usr/inet6
+			CFLAGS="-DINET6 $CFLAGS"
+		fi
+		;;
+	esac
+	if test "$v6type" != "unknown"; then
+		break
+	fi
+done
+echo "$as_me:5767: result: $v6type" >&5
+echo "${ECHO_T}$v6type" >&6
+
+if test "$v6lib" != "none"; then
+	for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do
+		if test -d $dir -a -f $dir/lib$v6lib.a; then
+			LIBS="-L$dir -l$v6lib $LIBS"
+			break
+		fi
+	done
+fi
+cat >conftest.$ac_ext <<_ACEOF
+#line 5779 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+
+int
+main ()
+{
+
+ struct sockaddr_in6 sin6;
+ int s;
+
+ s = socket(AF_INET6, SOCK_DGRAM, 0);
+
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_port = htons(17);
+ sin6.sin6_addr = in6addr_any;
+ bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:5814: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:5817: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:5819: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:5822: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_lib_ipv6=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_ipv6=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+echo "$as_me:5833: checking for IPv6" >&5
+echo $ECHO_N "checking for IPv6... $ECHO_C" >&6
+echo "$as_me:5835: result: $ac_cv_lib_ipv6" >&5
+echo "${ECHO_T}$ac_cv_lib_ipv6" >&6
+if test "$ac_cv_lib_ipv6" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_IPV6 1
+EOF
+
+fi
+
+echo "$as_me:5845: checking for socket" >&5
+echo $ECHO_N "checking for socket... $ECHO_C" >&6
+if test "${ac_cv_funclib_socket+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_socket\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" socket; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5861 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+socket()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:5873: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:5876: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:5878: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:5881: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_socket=$ac_lib; else ac_cv_funclib_socket=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_socket=\${ac_cv_funclib_socket-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_socket"
+
+if false; then
+
+for ac_func in socket
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:5903: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5909 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:5940: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:5943: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:5945: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:5948: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:5958: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# socket
+eval "ac_tr_func=HAVE_`echo socket | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_socket=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_socket=yes"
+	eval "LIB_socket="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:5982: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_socket=no"
+	eval "LIB_socket="
+	echo "$as_me:5988: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_socket=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:6002: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_socket"; then
+	LIBS="$LIB_socket $LIBS"
+fi
+
+echo "$as_me:6011: checking for gethostbyname" >&5
+echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6
+if test "${ac_cv_funclib_gethostbyname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_gethostbyname\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" nsl; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 6027 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+gethostbyname()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:6039: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:6042: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:6044: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:6047: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname=$ac_lib; else ac_cv_funclib_gethostbyname=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_gethostbyname=\${ac_cv_funclib_gethostbyname-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_gethostbyname"
+
+if false; then
+
+for ac_func in gethostbyname
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:6069: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6075 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:6106: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:6109: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:6111: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:6114: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:6124: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# gethostbyname
+eval "ac_tr_func=HAVE_`echo gethostbyname | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_gethostbyname=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_gethostbyname=yes"
+	eval "LIB_gethostbyname="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:6148: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_gethostbyname=no"
+	eval "LIB_gethostbyname="
+	echo "$as_me:6154: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_gethostbyname=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:6168: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_gethostbyname"; then
+	LIBS="$LIB_gethostbyname $LIBS"
+fi
+
+echo "$as_me:6177: checking for syslog" >&5
+echo $ECHO_N "checking for syslog... $ECHO_C" >&6
+if test "${ac_cv_funclib_syslog+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_syslog\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" syslog; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 6193 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+syslog()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:6205: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:6208: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:6210: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:6213: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_syslog=$ac_lib; else ac_cv_funclib_syslog=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_syslog=\${ac_cv_funclib_syslog-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_syslog"
+
+if false; then
+
+for ac_func in syslog
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:6235: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6241 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:6272: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:6275: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:6277: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:6280: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:6290: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# syslog
+eval "ac_tr_func=HAVE_`echo syslog | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_syslog=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_syslog=yes"
+	eval "LIB_syslog="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:6314: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_syslog=no"
+	eval "LIB_syslog="
+	echo "$as_me:6320: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_syslog=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:6334: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_syslog"; then
+	LIBS="$LIB_syslog $LIBS"
+fi
+
+echo "$as_me:6343: checking for gethostbyname2" >&5
+echo $ECHO_N "checking for gethostbyname2... $ECHO_C" >&6
+if test "${ac_cv_funclib_gethostbyname2+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_gethostbyname2\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" inet6 ip6; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 6359 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+gethostbyname2()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:6371: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:6374: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:6376: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:6379: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname2=$ac_lib; else ac_cv_funclib_gethostbyname2=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_gethostbyname2=\${ac_cv_funclib_gethostbyname2-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_gethostbyname2"
+
+if false; then
+
+for ac_func in gethostbyname2
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:6401: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6407 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:6438: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:6441: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:6443: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:6446: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:6456: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# gethostbyname2
+eval "ac_tr_func=HAVE_`echo gethostbyname2 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_gethostbyname2=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_gethostbyname2=yes"
+	eval "LIB_gethostbyname2="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:6480: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_gethostbyname2=no"
+	eval "LIB_gethostbyname2="
+	echo "$as_me:6486: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_gethostbyname2=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:6500: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_gethostbyname2"; then
+	LIBS="$LIB_gethostbyname2 $LIBS"
+fi
+
+echo "$as_me:6509: checking for res_search" >&5
+echo $ECHO_N "checking for res_search... $ECHO_C" >&6
+if test "${ac_cv_funclib_res_search+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_res_search\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 6525 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+int
+main ()
+{
+res_search(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:6551: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:6554: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:6556: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:6559: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_res_search=$ac_lib; else ac_cv_funclib_res_search=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_res_search=\${ac_cv_funclib_res_search-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_res_search"
+
+if false; then
+
+for ac_func in res_search
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:6581: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6587 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:6618: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:6621: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:6623: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:6626: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:6636: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# res_search
+eval "ac_tr_func=HAVE_`echo res_search | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_res_search=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_res_search=yes"
+	eval "LIB_res_search="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:6660: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_res_search=no"
+	eval "LIB_res_search="
+	echo "$as_me:6666: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_res_search=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:6680: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_res_search"; then
+	LIBS="$LIB_res_search $LIBS"
+fi
+
+echo "$as_me:6689: checking for dn_expand" >&5
+echo $ECHO_N "checking for dn_expand... $ECHO_C" >&6
+if test "${ac_cv_funclib_dn_expand+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_dn_expand\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 6705 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+int
+main ()
+{
+dn_expand(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:6731: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:6734: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:6736: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:6739: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dn_expand=$ac_lib; else ac_cv_funclib_dn_expand=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_dn_expand=\${ac_cv_funclib_dn_expand-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_dn_expand"
+
+if false; then
+
+for ac_func in dn_expand
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:6761: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6767 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:6798: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:6801: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:6803: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:6806: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:6816: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# dn_expand
+eval "ac_tr_func=HAVE_`echo dn_expand | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dn_expand=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dn_expand=yes"
+	eval "LIB_dn_expand="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:6840: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_dn_expand=no"
+	eval "LIB_dn_expand="
+	echo "$as_me:6846: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_dn_expand=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:6860: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_dn_expand"; then
+	LIBS="$LIB_dn_expand $LIBS"
+fi
+
+echo "$as_me:6869: checking for working snprintf" >&5
+echo $ECHO_N "checking for working snprintf... $ECHO_C" >&6
+if test "${ac_cv_func_snprintf_working+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_func_snprintf_working=yes
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6879 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int main()
+{
+	char foo[3];
+	snprintf(foo, 2, "12");
+	return strcmp(foo, "1");
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:6892: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:6895: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:6896: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:6899: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_snprintf_working=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+fi
+echo "$as_me:6911: result: $ac_cv_func_snprintf_working" >&5
+echo "${ECHO_T}$ac_cv_func_snprintf_working" >&6
+
+if test "$ac_cv_func_snprintf_working" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_SNPRINTF 1
+EOF
+
+fi
+if test "$ac_cv_func_snprintf_working" = yes; then
+
+if test "$ac_cv_func_snprintf+set" != set -o "$ac_cv_func_snprintf" = yes; then
+echo "$as_me:6924: checking if snprintf needs a prototype" >&5
+echo $ECHO_N "checking if snprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_snprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6930 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int snprintf (struct foo*);
+snprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:6945: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:6948: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:6950: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:6953: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_snprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_snprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:6963: result: $ac_cv_func_snprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_snprintf_noproto" >&6
+
+if test "$ac_cv_func_snprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_SNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+echo "$as_me:6978: checking for working vsnprintf" >&5
+echo $ECHO_N "checking for working vsnprintf... $ECHO_C" >&6
+if test "${ac_cv_func_vsnprintf_working+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_func_vsnprintf_working=yes
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6988 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+int foo(int num, ...)
+{
+	char bar[3];
+	va_list arg;
+	va_start(arg, num);
+	vsnprintf(bar, 2, "%s", arg);
+	va_end(arg);
+	return strcmp(bar, "1");
+}
+
+int main()
+{
+	return foo(0, "12");
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:7011: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:7014: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:7015: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:7018: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_vsnprintf_working=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+fi
+echo "$as_me:7030: result: $ac_cv_func_vsnprintf_working" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf_working" >&6
+
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_VSNPRINTF 1
+EOF
+
+fi
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+
+if test "$ac_cv_func_vsnprintf+set" != set -o "$ac_cv_func_vsnprintf" = yes; then
+echo "$as_me:7043: checking if vsnprintf needs a prototype" >&5
+echo $ECHO_N "checking if vsnprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_vsnprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7049 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int vsnprintf (struct foo*);
+vsnprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:7064: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:7067: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7069: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:7072: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_vsnprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_vsnprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:7082: result: $ac_cv_func_vsnprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf_noproto" >&6
+
+if test "$ac_cv_func_vsnprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_VSNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+echo "$as_me:7097: checking for working glob" >&5
+echo $ECHO_N "checking for working glob... $ECHO_C" >&6
+if test "${ac_cv_func_glob_working+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_func_glob_working=yes
+cat >conftest.$ac_ext <<_ACEOF
+#line 7104 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <glob.h>
+int
+main ()
+{
+
+glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE, NULL, NULL);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:7120: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:7123: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7125: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:7128: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_glob_working=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:7138: result: $ac_cv_func_glob_working" >&5
+echo "${ECHO_T}$ac_cv_func_glob_working" >&6
+
+if test "$ac_cv_func_glob_working" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_GLOB 1
+EOF
+
+fi
+if test "$ac_cv_func_glob_working" = yes; then
+
+if test "$ac_cv_func_glob+set" != set -o "$ac_cv_func_glob" = yes; then
+echo "$as_me:7151: checking if glob needs a prototype" >&5
+echo $ECHO_N "checking if glob needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_glob_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7157 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+#include <glob.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int glob (struct foo*);
+glob(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:7173: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:7176: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7178: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:7181: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_glob_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_glob_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:7191: result: $ac_cv_func_glob_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_glob_noproto" >&6
+
+if test "$ac_cv_func_glob_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_GLOB_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+if test "$ac_cv_func_glob_working" != yes; then
+	LIBOBJS="$LIBOBJS glob.o"
+fi
+
+if test "$ac_cv_func_glob_working" = yes; then
+  have_glob_h_TRUE=
+  have_glob_h_FALSE='#'
+else
+  have_glob_h_TRUE='#'
+  have_glob_h_FALSE=
+fi
+
+for ac_func in 				\
+	asnprintf				\
+	asprintf				\
+	cgetent					\
+	getconfattr				\
+	getrlimit				\
+	getspnam				\
+	strsvis					\
+	strunvis				\
+	strvis					\
+	strvisx					\
+	svis					\
+	sysconf					\
+	sysctl					\
+	uname					\
+	unvis					\
+	vasnprintf				\
+	vasprintf				\
+	vis					\
+
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:7240: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7246 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:7277: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:7280: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7282: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:7285: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:7295: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+if test "$ac_cv_func_cgetent" = no; then
+	LIBOBJS="$LIBOBJS getcap.o"
+fi
+
+echo "$as_me:7309: checking for getsockopt" >&5
+echo $ECHO_N "checking for getsockopt... $ECHO_C" >&6
+if test "${ac_cv_funclib_getsockopt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_getsockopt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 7325 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int
+main ()
+{
+getsockopt(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:7342: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:7345: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7347: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:7350: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_getsockopt=$ac_lib; else ac_cv_funclib_getsockopt=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_getsockopt=\${ac_cv_funclib_getsockopt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_getsockopt"
+
+if false; then
+
+for ac_func in getsockopt
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:7372: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7378 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:7409: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:7412: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7414: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:7417: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:7427: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# getsockopt
+eval "ac_tr_func=HAVE_`echo getsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_getsockopt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_getsockopt=yes"
+	eval "LIB_getsockopt="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:7451: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_getsockopt=no"
+	eval "LIB_getsockopt="
+	echo "$as_me:7457: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_getsockopt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:7471: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:7476: checking for setsockopt" >&5
+echo $ECHO_N "checking for setsockopt... $ECHO_C" >&6
+if test "${ac_cv_funclib_setsockopt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_setsockopt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 7492 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int
+main ()
+{
+setsockopt(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:7509: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:7512: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7514: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:7517: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_setsockopt=$ac_lib; else ac_cv_funclib_setsockopt=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_setsockopt=\${ac_cv_funclib_setsockopt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_setsockopt"
+
+if false; then
+
+for ac_func in setsockopt
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:7539: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7545 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:7576: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:7579: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7581: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:7584: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:7594: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# setsockopt
+eval "ac_tr_func=HAVE_`echo setsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_setsockopt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_setsockopt=yes"
+	eval "LIB_setsockopt="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:7618: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_setsockopt=no"
+	eval "LIB_setsockopt="
+	echo "$as_me:7624: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_setsockopt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:7638: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:7643: checking for hstrerror" >&5
+echo $ECHO_N "checking for hstrerror... $ECHO_C" >&6
+if test "${ac_cv_funclib_hstrerror+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_hstrerror\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 7659 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+int
+main ()
+{
+hstrerror(17)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:7673: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:7676: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7678: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:7681: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_hstrerror=$ac_lib; else ac_cv_funclib_hstrerror=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_hstrerror=\${ac_cv_funclib_hstrerror-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_hstrerror"
+
+if false; then
+
+for ac_func in hstrerror
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:7703: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7709 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:7740: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:7743: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7745: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:7748: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:7758: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# hstrerror
+eval "ac_tr_func=HAVE_`echo hstrerror | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_hstrerror=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_hstrerror=yes"
+	eval "LIB_hstrerror="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:7782: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_hstrerror=no"
+	eval "LIB_hstrerror="
+	echo "$as_me:7788: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_hstrerror=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:7802: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_hstrerror"; then
+	LIBS="$LIB_hstrerror $LIBS"
+fi
+
+if eval "test \"$ac_cv_func_hstrerror\" != yes"; then
+LIBOBJS="$LIBOBJS hstrerror.o"
+fi
+
+if test "$ac_cv_func_hstrerror" = yes; then
+
+if test "$ac_cv_func_hstrerror+set" != set -o "$ac_cv_func_hstrerror" = yes; then
+echo "$as_me:7818: checking if hstrerror needs a prototype" >&5
+echo $ECHO_N "checking if hstrerror needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_hstrerror_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7824 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int hstrerror (struct foo*);
+hstrerror(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:7842: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:7845: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7847: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:7850: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_hstrerror_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_hstrerror_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:7860: result: $ac_cv_func_hstrerror_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_hstrerror_noproto" >&6
+
+if test "$ac_cv_func_hstrerror_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_HSTRERROR_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+if test "$ac_cv_func_asprintf" = yes; then
+
+if test "$ac_cv_func_asprintf+set" != set -o "$ac_cv_func_asprintf" = yes; then
+echo "$as_me:7878: checking if asprintf needs a prototype" >&5
+echo $ECHO_N "checking if asprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_asprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7884 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int asprintf (struct foo*);
+asprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:7901: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:7904: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7906: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:7909: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_asprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_asprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:7919: result: $ac_cv_func_asprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_asprintf_noproto" >&6
+
+if test "$ac_cv_func_asprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_ASPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+if test "$ac_cv_func_vasprintf" = yes; then
+
+if test "$ac_cv_func_vasprintf+set" != set -o "$ac_cv_func_vasprintf" = yes; then
+echo "$as_me:7935: checking if vasprintf needs a prototype" >&5
+echo $ECHO_N "checking if vasprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_vasprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7941 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int vasprintf (struct foo*);
+vasprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:7958: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:7961: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:7963: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:7966: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_vasprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_vasprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:7976: result: $ac_cv_func_vasprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vasprintf_noproto" >&6
+
+if test "$ac_cv_func_vasprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_VASPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+if test "$ac_cv_func_asnprintf" = yes; then
+
+if test "$ac_cv_func_asnprintf+set" != set -o "$ac_cv_func_asnprintf" = yes; then
+echo "$as_me:7992: checking if asnprintf needs a prototype" >&5
+echo $ECHO_N "checking if asnprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_asnprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7998 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int asnprintf (struct foo*);
+asnprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:8015: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:8018: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8020: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:8023: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_asnprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_asnprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8033: result: $ac_cv_func_asnprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_asnprintf_noproto" >&6
+
+if test "$ac_cv_func_asnprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_ASNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+if test "$ac_cv_func_vasnprintf" = yes; then
+
+if test "$ac_cv_func_vasnprintf+set" != set -o "$ac_cv_func_vasnprintf" = yes; then
+echo "$as_me:8049: checking if vasnprintf needs a prototype" >&5
+echo $ECHO_N "checking if vasnprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_vasnprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8055 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int vasnprintf (struct foo*);
+vasnprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:8072: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:8075: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8077: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:8080: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_vasnprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_vasnprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8090: result: $ac_cv_func_vasnprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vasnprintf_noproto" >&6
+
+if test "$ac_cv_func_vasnprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_VASNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+
+echo "$as_me:8104: checking for pidfile" >&5
+echo $ECHO_N "checking for pidfile... $ECHO_C" >&6
+if test "${ac_cv_funclib_pidfile+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_pidfile\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" util; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 8120 "configure"
+#include "confdefs.h"
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+int
+main ()
+{
+pidfile(0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:8134: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8137: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8139: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:8142: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_pidfile=$ac_lib; else ac_cv_funclib_pidfile=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_pidfile=\${ac_cv_funclib_pidfile-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_pidfile"
+
+if false; then
+
+for ac_func in pidfile
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:8164: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8170 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:8201: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8204: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8206: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:8209: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:8219: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# pidfile
+eval "ac_tr_func=HAVE_`echo pidfile | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_pidfile=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_pidfile=yes"
+	eval "LIB_pidfile="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:8243: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_pidfile=no"
+	eval "LIB_pidfile="
+	echo "$as_me:8249: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_pidfile=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:8263: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+for ac_func in 					\
+	chown					\
+	copyhostent				\
+	daemon					\
+	err					\
+	errx					\
+	fchown					\
+	flock					\
+	fnmatch					\
+	freeaddrinfo				\
+	freehostent				\
+	gai_strerror				\
+	getaddrinfo				\
+	getcwd					\
+	getdtablesize				\
+	getegid					\
+	geteuid					\
+	getgid					\
+	gethostname				\
+	getifaddrs				\
+	getipnodebyaddr				\
+	getipnodebyname				\
+	getnameinfo				\
+	getopt					\
+	gettimeofday				\
+	getuid					\
+	getusershell				\
+	initgroups				\
+	innetgr					\
+	iruserok				\
+	lstat					\
+	memmove					\
+	mkstemp					\
+	putenv					\
+	rcmd					\
+	readv					\
+	recvmsg					\
+	sendmsg					\
+	setegid					\
+	setenv					\
+	seteuid					\
+	strcasecmp				\
+	strdup					\
+	strerror				\
+	strftime				\
+	strlcat					\
+	strlcpy					\
+	strlwr					\
+	strncasecmp				\
+	strndup					\
+	strnlen					\
+	strptime				\
+	strsep					\
+	strsep_copy				\
+	strtok_r				\
+	strupr					\
+	swab					\
+	unsetenv				\
+	verr					\
+	verrx					\
+	vsyslog					\
+	vwarn					\
+	vwarnx					\
+	warn					\
+	warnx					\
+	writev					\
+
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:8337: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8343 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:8374: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8377: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8379: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:8382: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:8392: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+if false; then
+
+for ac_func in \
+	chown					\
+	copyhostent				\
+	daemon					\
+	err					\
+	errx					\
+	fchown					\
+	flock					\
+	fnmatch					\
+	freeaddrinfo				\
+	freehostent				\
+	gai_strerror				\
+	getaddrinfo				\
+	getcwd					\
+	getdtablesize				\
+	getegid					\
+	geteuid					\
+	getgid					\
+	gethostname				\
+	getifaddrs				\
+	getipnodebyaddr				\
+	getipnodebyname				\
+	getnameinfo				\
+	getopt					\
+	gettimeofday				\
+	getuid					\
+	getusershell				\
+	initgroups				\
+	innetgr					\
+	iruserok				\
+	lstat					\
+	memmove					\
+	mkstemp					\
+	putenv					\
+	rcmd					\
+	readv					\
+	recvmsg					\
+	sendmsg					\
+	setegid					\
+	setenv					\
+	seteuid					\
+	strcasecmp				\
+	strdup					\
+	strerror				\
+	strftime				\
+	strlcat					\
+	strlcpy					\
+	strlwr					\
+	strncasecmp				\
+	strndup					\
+	strnlen					\
+	strptime				\
+	strsep					\
+	strsep_copy				\
+	strtok_r				\
+	strupr					\
+	swab					\
+	unsetenv				\
+	verr					\
+	verrx					\
+	vsyslog					\
+	vwarn					\
+	vwarnx					\
+	warn					\
+	warnx					\
+	writev					\
+
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:8476: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8482 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:8513: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8516: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8518: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:8521: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:8531: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+done
+
+for ac_func in inet_aton
+do
+echo "$as_me:8546: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8552 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+int
+main ()
+{
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_inet_aton) || defined (__stub___inet_aton)
+choke me
+#else
+$ac_func(0,0)
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:8584: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8587: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8589: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:8592: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+if eval "test \"\${ac_cv_func_$ac_func}\" = yes"; then
+  ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+  cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+  echo "$as_me:8609: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+  echo "$as_me:8612: result: no" >&5
+echo "${ECHO_T}no" >&6
+  LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+done
+if false; then
+
+for ac_func in inet_aton
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:8622: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8628 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:8659: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8662: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8664: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:8667: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:8677: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+
+for ac_func in inet_ntop
+do
+echo "$as_me:8691: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8697 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+int
+main ()
+{
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_inet_ntop) || defined (__stub___inet_ntop)
+choke me
+#else
+$ac_func(0, 0, 0, 0)
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:8729: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8732: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8734: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:8737: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+if eval "test \"\${ac_cv_func_$ac_func}\" = yes"; then
+  ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+  cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+  echo "$as_me:8754: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+  echo "$as_me:8757: result: no" >&5
+echo "${ECHO_T}no" >&6
+  LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+done
+if false; then
+
+for ac_func in inet_ntop
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:8767: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8773 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:8804: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8807: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8809: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:8812: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:8822: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+
+for ac_func in inet_pton
+do
+echo "$as_me:8836: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8842 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+int
+main ()
+{
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_inet_pton) || defined (__stub___inet_pton)
+choke me
+#else
+$ac_func(0,0,0)
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:8874: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8877: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8879: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:8882: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+if eval "test \"\${ac_cv_func_$ac_func}\" = yes"; then
+  ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+  cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+  echo "$as_me:8899: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+  echo "$as_me:8902: result: no" >&5
+echo "${ECHO_T}no" >&6
+  LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+done
+if false; then
+
+for ac_func in inet_pton
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:8912: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8918 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:8949: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8952: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:8954: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:8957: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:8967: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+
+echo "$as_me:8979: checking for sa_len in struct sockaddr" >&5
+echo $ECHO_N "checking for sa_len in struct sockaddr... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr_sa_len+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 8986 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+int
+main ()
+{
+struct sockaddr x; x.sa_len;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:8999: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9002: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9004: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9007: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_struct_sockaddr_sa_len=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_sockaddr_sa_len=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9017: result: $ac_cv_type_struct_sockaddr_sa_len" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr_sa_len" >&6
+if test "$ac_cv_type_struct_sockaddr_sa_len" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_SOCKADDR_SA_LEN 1
+EOF
+
+fi
+
+if test "$ac_cv_func_getnameinfo" = "yes"; then
+
+echo "$as_me:9029: checking if getnameinfo is broken" >&5
+echo $ECHO_N "checking if getnameinfo is broken... $ECHO_C" >&6
+if test "${ac_cv_func_getnameinfo_broken+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test "$cross_compiling" = yes; then
+  { { echo "$as_me:9035: error: cannot run test program while cross compiling" >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
+   { (exit 1); exit 1; }; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9040 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+int
+main(int argc, char **argv)
+{
+  struct sockaddr_in sin;
+  char host[256];
+  memset(&sin, 0, sizeof(sin));
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+  sin.sin_len = sizeof(sin);
+#endif
+  sin.sin_family = AF_INET;
+  sin.sin_addr.s_addr = 0xffffffff;
+  sin.sin_port = 0;
+  return getnameinfo((struct sockaddr*)&sin, sizeof(sin), host, sizeof(host),
+	      NULL, 0, 0);
+}
+
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:9066: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:9069: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:9070: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:9073: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_func_getnameinfo_broken=no
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_getnameinfo_broken=yes
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+fi
+echo "$as_me:9085: result: $ac_cv_func_getnameinfo_broken" >&5
+echo "${ECHO_T}$ac_cv_func_getnameinfo_broken" >&6
+  if test "$ac_cv_func_getnameinfo_broken" = yes; then
+    LIBOBJS="$LIBOBJS getnameinfo.o"
+  fi
+fi
+
+if test "$ac_cv_func_setenv+set" != set -o "$ac_cv_func_setenv" = yes; then
+echo "$as_me:9093: checking if setenv needs a prototype" >&5
+echo $ECHO_N "checking if setenv needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_setenv_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9099 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int setenv (struct foo*);
+setenv(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9114: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9117: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9119: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9122: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_setenv_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_setenv_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9132: result: $ac_cv_func_setenv_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_setenv_noproto" >&6
+
+if test "$ac_cv_func_setenv_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_SETENV_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_unsetenv+set" != set -o "$ac_cv_func_unsetenv" = yes; then
+echo "$as_me:9146: checking if unsetenv needs a prototype" >&5
+echo $ECHO_N "checking if unsetenv needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_unsetenv_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9152 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int unsetenv (struct foo*);
+unsetenv(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9167: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9170: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9172: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9175: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_unsetenv_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_unsetenv_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9185: result: $ac_cv_func_unsetenv_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_unsetenv_noproto" >&6
+
+if test "$ac_cv_func_unsetenv_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_UNSETENV_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_gethostname+set" != set -o "$ac_cv_func_gethostname" = yes; then
+echo "$as_me:9199: checking if gethostname needs a prototype" >&5
+echo $ECHO_N "checking if gethostname needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_gethostname_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9205 "configure"
+#include "confdefs.h"
+#include <unistd.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int gethostname (struct foo*);
+gethostname(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9220: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9223: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9225: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9228: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_gethostname_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_gethostname_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9238: result: $ac_cv_func_gethostname_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_gethostname_noproto" >&6
+
+if test "$ac_cv_func_gethostname_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_GETHOSTNAME_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_mkstemp+set" != set -o "$ac_cv_func_mkstemp" = yes; then
+echo "$as_me:9252: checking if mkstemp needs a prototype" >&5
+echo $ECHO_N "checking if mkstemp needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_mkstemp_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9258 "configure"
+#include "confdefs.h"
+#include <unistd.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int mkstemp (struct foo*);
+mkstemp(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9273: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9276: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9278: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9281: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_mkstemp_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_mkstemp_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9291: result: $ac_cv_func_mkstemp_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_mkstemp_noproto" >&6
+
+if test "$ac_cv_func_mkstemp_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_MKSTEMP_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_getusershell+set" != set -o "$ac_cv_func_getusershell" = yes; then
+echo "$as_me:9305: checking if getusershell needs a prototype" >&5
+echo $ECHO_N "checking if getusershell needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_getusershell_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9311 "configure"
+#include "confdefs.h"
+#include <unistd.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int getusershell (struct foo*);
+getusershell(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9326: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9329: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9331: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9334: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_getusershell_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_getusershell_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9344: result: $ac_cv_func_getusershell_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_getusershell_noproto" >&6
+
+if test "$ac_cv_func_getusershell_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_GETUSERSHELL_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_inet_aton+set" != set -o "$ac_cv_func_inet_aton" = yes; then
+echo "$as_me:9358: checking if inet_aton needs a prototype" >&5
+echo $ECHO_N "checking if inet_aton needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_inet_aton_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9364 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int inet_aton (struct foo*);
+inet_aton(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9391: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9394: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9396: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9399: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_inet_aton_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_inet_aton_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9409: result: $ac_cv_func_inet_aton_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_inet_aton_noproto" >&6
+
+if test "$ac_cv_func_inet_aton_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_INET_ATON_PROTO 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:9422: checking for crypt" >&5
+echo $ECHO_N "checking for crypt... $ECHO_C" >&6
+if test "${ac_cv_funclib_crypt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_crypt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" crypt; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 9438 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+crypt()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:9450: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:9453: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9455: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:9458: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_crypt=$ac_lib; else ac_cv_funclib_crypt=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_crypt=\${ac_cv_funclib_crypt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_crypt"
+
+if false; then
+
+for ac_func in crypt
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:9480: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9486 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:9517: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:9520: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9522: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:9525: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:9535: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# crypt
+eval "ac_tr_func=HAVE_`echo crypt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_crypt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_crypt=yes"
+	eval "LIB_crypt="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:9559: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_crypt=no"
+	eval "LIB_crypt="
+	echo "$as_me:9565: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_crypt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:9579: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:9584: checking if gethostbyname is compatible with system prototype" >&5
+echo $ECHO_N "checking if gethostbyname is compatible with system prototype... $ECHO_C" >&6
+if test "${ac_cv_func_gethostbyname_proto_compat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9590 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int
+main ()
+{
+struct hostent *gethostbyname(const char *);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9618: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9621: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9623: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9626: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_gethostbyname_proto_compat=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_gethostbyname_proto_compat=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9636: result: $ac_cv_func_gethostbyname_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_gethostbyname_proto_compat" >&6
+
+if test "$ac_cv_func_gethostbyname_proto_compat" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define GETHOSTBYNAME_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+echo "$as_me:9647: checking if gethostbyaddr is compatible with system prototype" >&5
+echo $ECHO_N "checking if gethostbyaddr is compatible with system prototype... $ECHO_C" >&6
+if test "${ac_cv_func_gethostbyaddr_proto_compat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9653 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int
+main ()
+{
+struct hostent *gethostbyaddr(const void *, size_t, int);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9681: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9684: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9686: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9689: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_gethostbyaddr_proto_compat=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_gethostbyaddr_proto_compat=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9699: result: $ac_cv_func_gethostbyaddr_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_gethostbyaddr_proto_compat" >&6
+
+if test "$ac_cv_func_gethostbyaddr_proto_compat" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define GETHOSTBYADDR_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+echo "$as_me:9710: checking if getservbyname is compatible with system prototype" >&5
+echo $ECHO_N "checking if getservbyname is compatible with system prototype... $ECHO_C" >&6
+if test "${ac_cv_func_getservbyname_proto_compat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9716 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int
+main ()
+{
+struct servent *getservbyname(const char *, const char *);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9744: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9747: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9749: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9752: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_getservbyname_proto_compat=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_getservbyname_proto_compat=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9762: result: $ac_cv_func_getservbyname_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_getservbyname_proto_compat" >&6
+
+if test "$ac_cv_func_getservbyname_proto_compat" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define GETSERVBYNAME_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+echo "$as_me:9773: checking if getsockname is compatible with system prototype" >&5
+echo $ECHO_N "checking if getsockname is compatible with system prototype... $ECHO_C" >&6
+if test "${ac_cv_func_getsockname_proto_compat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9779 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+int
+main ()
+{
+int getsockname(int, struct sockaddr*, socklen_t*);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9798: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9801: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9803: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9806: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_getsockname_proto_compat=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_getsockname_proto_compat=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9816: result: $ac_cv_func_getsockname_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_getsockname_proto_compat" >&6
+
+if test "$ac_cv_func_getsockname_proto_compat" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define GETSOCKNAME_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+echo "$as_me:9827: checking if openlog is compatible with system prototype" >&5
+echo $ECHO_N "checking if openlog is compatible with system prototype... $ECHO_C" >&6
+if test "${ac_cv_func_openlog_proto_compat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9833 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+
+int
+main ()
+{
+void openlog(const char *, int, int);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9849: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9852: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9854: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9857: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_openlog_proto_compat=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_openlog_proto_compat=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9867: result: $ac_cv_func_openlog_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_openlog_proto_compat" >&6
+
+if test "$ac_cv_func_openlog_proto_compat" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define OPENLOG_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+if test "$ac_cv_func_crypt+set" != set -o "$ac_cv_func_crypt" = yes; then
+echo "$as_me:9879: checking if crypt needs a prototype" >&5
+echo $ECHO_N "checking if crypt needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_crypt_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9885 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int crypt (struct foo*);
+crypt(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9907: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9910: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9912: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9915: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_crypt_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_crypt_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9925: result: $ac_cv_func_crypt_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_crypt_noproto" >&6
+
+if test "$ac_cv_func_crypt_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_CRYPT_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_strtok_r+set" != set -o "$ac_cv_func_strtok_r" = yes; then
+echo "$as_me:9939: checking if strtok_r needs a prototype" >&5
+echo $ECHO_N "checking if strtok_r needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_strtok_r_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9945 "configure"
+#include "confdefs.h"
+
+#include <string.h>
+
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int strtok_r (struct foo*);
+strtok_r(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:9962: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:9965: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:9967: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:9970: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_strtok_r_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_strtok_r_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9980: result: $ac_cv_func_strtok_r_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_strtok_r_noproto" >&6
+
+if test "$ac_cv_func_strtok_r_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_STRTOK_R_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_strsep+set" != set -o "$ac_cv_func_strsep" = yes; then
+echo "$as_me:9994: checking if strsep needs a prototype" >&5
+echo $ECHO_N "checking if strsep needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_strsep_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10000 "configure"
+#include "confdefs.h"
+
+#include <string.h>
+
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int strsep (struct foo*);
+strsep(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10017: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10020: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10022: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10025: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_func_strsep_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_strsep_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:10035: result: $ac_cv_func_strsep_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_strsep_noproto" >&6
+
+if test "$ac_cv_func_strsep_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_STRSEP_PROTO 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:10048: checking for h_errno" >&5
+echo $ECHO_N "checking for h_errno... $ECHO_C" >&6
+if test "${ac_cv_var_h_errno+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10055 "configure"
+#include "confdefs.h"
+extern int h_errno;
+int foo() { return h_errno; }
+int
+main ()
+{
+foo()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:10068: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:10071: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10073: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:10076: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_var_h_errno=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_var_h_errno=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+ac_foo=`eval echo \\$ac_cv_var_h_errno`
+echo "$as_me:10089: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_H_ERRNO 1
+EOF
+
+echo "$as_me:10097: checking if h_errno is properly declared" >&5
+echo $ECHO_N "checking if h_errno is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_h_errno_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10104 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_errno;
+int
+main ()
+{
+h_errno.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10122: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10125: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10127: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10130: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_var_h_errno_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_var_h_errno_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:10142: result: $ac_cv_var_h_errno_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_h_errno_declaration" >&6
+if eval "test \"\$ac_cv_var_h_errno_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_H_ERRNO_DECLARATION 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:10154: checking for h_errlist" >&5
+echo $ECHO_N "checking for h_errlist... $ECHO_C" >&6
+if test "${ac_cv_var_h_errlist+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10161 "configure"
+#include "confdefs.h"
+extern int h_errlist;
+int foo() { return h_errlist; }
+int
+main ()
+{
+foo()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:10174: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:10177: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10179: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:10182: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_var_h_errlist=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_var_h_errlist=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+ac_foo=`eval echo \\$ac_cv_var_h_errlist`
+echo "$as_me:10195: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_H_ERRLIST 1
+EOF
+
+echo "$as_me:10203: checking if h_errlist is properly declared" >&5
+echo $ECHO_N "checking if h_errlist is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_h_errlist_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10210 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_errlist;
+int
+main ()
+{
+h_errlist.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10225: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10228: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10230: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10233: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_var_h_errlist_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_var_h_errlist_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:10245: result: $ac_cv_var_h_errlist_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_h_errlist_declaration" >&6
+if eval "test \"\$ac_cv_var_h_errlist_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_H_ERRLIST_DECLARATION 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:10257: checking for h_nerr" >&5
+echo $ECHO_N "checking for h_nerr... $ECHO_C" >&6
+if test "${ac_cv_var_h_nerr+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10264 "configure"
+#include "confdefs.h"
+extern int h_nerr;
+int foo() { return h_nerr; }
+int
+main ()
+{
+foo()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:10277: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:10280: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10282: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:10285: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_var_h_nerr=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_var_h_nerr=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+ac_foo=`eval echo \\$ac_cv_var_h_nerr`
+echo "$as_me:10298: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_H_NERR 1
+EOF
+
+echo "$as_me:10306: checking if h_nerr is properly declared" >&5
+echo $ECHO_N "checking if h_nerr is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_h_nerr_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10313 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_nerr;
+int
+main ()
+{
+h_nerr.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10328: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10331: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10333: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10336: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_var_h_nerr_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_var_h_nerr_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:10348: result: $ac_cv_var_h_nerr_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_h_nerr_declaration" >&6
+if eval "test \"\$ac_cv_var_h_nerr_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_H_NERR_DECLARATION 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:10360: checking for __progname" >&5
+echo $ECHO_N "checking for __progname... $ECHO_C" >&6
+if test "${ac_cv_var___progname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10367 "configure"
+#include "confdefs.h"
+extern int __progname;
+int foo() { return __progname; }
+int
+main ()
+{
+foo()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:10380: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:10383: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10385: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:10388: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_var___progname=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_var___progname=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+ac_foo=`eval echo \\$ac_cv_var___progname`
+echo "$as_me:10401: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE___PROGNAME 1
+EOF
+
+echo "$as_me:10409: checking if __progname is properly declared" >&5
+echo $ECHO_N "checking if __progname is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var___progname_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10416 "configure"
+#include "confdefs.h"
+#ifdef HAVE_ERR_H
+#include <err.h>
+#endif
+extern struct { int foo; } __progname;
+int
+main ()
+{
+__progname.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10431: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10434: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10436: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10439: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_var___progname_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_var___progname_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:10451: result: $ac_cv_var___progname_declaration" >&5
+echo "${ECHO_T}$ac_cv_var___progname_declaration" >&6
+if eval "test \"\$ac_cv_var___progname_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE___PROGNAME_DECLARATION 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:10463: checking if optarg is properly declared" >&5
+echo $ECHO_N "checking if optarg is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_optarg_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10470 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optarg;
+int
+main ()
+{
+optarg.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10486: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10489: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10491: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10494: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_var_optarg_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_var_optarg_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:10506: result: $ac_cv_var_optarg_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_optarg_declaration" >&6
+if eval "test \"\$ac_cv_var_optarg_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_OPTARG_DECLARATION 1
+EOF
+
+fi
+
+echo "$as_me:10516: checking if optind is properly declared" >&5
+echo $ECHO_N "checking if optind is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_optind_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10523 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optind;
+int
+main ()
+{
+optind.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10539: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10542: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10544: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10547: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_var_optind_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_var_optind_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:10559: result: $ac_cv_var_optind_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_optind_declaration" >&6
+if eval "test \"\$ac_cv_var_optind_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_OPTIND_DECLARATION 1
+EOF
+
+fi
+
+echo "$as_me:10569: checking if opterr is properly declared" >&5
+echo $ECHO_N "checking if opterr is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_opterr_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10576 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } opterr;
+int
+main ()
+{
+opterr.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10592: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10595: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10597: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10600: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_var_opterr_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_var_opterr_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:10612: result: $ac_cv_var_opterr_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_opterr_declaration" >&6
+if eval "test \"\$ac_cv_var_opterr_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_OPTERR_DECLARATION 1
+EOF
+
+fi
+
+echo "$as_me:10622: checking if optopt is properly declared" >&5
+echo $ECHO_N "checking if optopt is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_optopt_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10629 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optopt;
+int
+main ()
+{
+optopt.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10645: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10648: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10650: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10653: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_var_optopt_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_var_optopt_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:10665: result: $ac_cv_var_optopt_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_optopt_declaration" >&6
+if eval "test \"\$ac_cv_var_optopt_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_OPTOPT_DECLARATION 1
+EOF
+
+fi
+
+echo "$as_me:10675: checking if environ is properly declared" >&5
+echo $ECHO_N "checking if environ is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_environ_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10682 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+extern struct { int foo; } environ;
+int
+main ()
+{
+environ.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10695: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10698: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10700: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10703: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_var_environ_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_var_environ_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:10715: result: $ac_cv_var_environ_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_environ_declaration" >&6
+if eval "test \"\$ac_cv_var_environ_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_ENVIRON_DECLARATION 1
+EOF
+
+fi
+
+echo "$as_me:10725: checking for tm_gmtoff in struct tm" >&5
+echo $ECHO_N "checking for tm_gmtoff in struct tm... $ECHO_C" >&6
+if test "${ac_cv_type_struct_tm_tm_gmtoff+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10732 "configure"
+#include "confdefs.h"
+#include <time.h>
+int
+main ()
+{
+struct tm x; x.tm_gmtoff;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10744: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10747: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10749: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10752: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_struct_tm_tm_gmtoff=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_tm_tm_gmtoff=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:10762: result: $ac_cv_type_struct_tm_tm_gmtoff" >&5
+echo "${ECHO_T}$ac_cv_type_struct_tm_tm_gmtoff" >&6
+if test "$ac_cv_type_struct_tm_tm_gmtoff" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_TM_TM_GMTOFF 1
+EOF
+
+fi
+
+echo "$as_me:10772: checking for tm_zone in struct tm" >&5
+echo $ECHO_N "checking for tm_zone in struct tm... $ECHO_C" >&6
+if test "${ac_cv_type_struct_tm_tm_zone+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10779 "configure"
+#include "confdefs.h"
+#include <time.h>
+int
+main ()
+{
+struct tm x; x.tm_zone;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10791: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10794: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10796: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10799: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_struct_tm_tm_zone=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_tm_tm_zone=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:10809: result: $ac_cv_type_struct_tm_tm_zone" >&5
+echo "${ECHO_T}$ac_cv_type_struct_tm_tm_zone" >&6
+if test "$ac_cv_type_struct_tm_tm_zone" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_TM_TM_ZONE 1
+EOF
+
+fi
+
+echo "$as_me:10819: checking for timezone" >&5
+echo $ECHO_N "checking for timezone... $ECHO_C" >&6
+if test "${ac_cv_var_timezone+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10826 "configure"
+#include "confdefs.h"
+extern int timezone;
+int foo() { return timezone; }
+int
+main ()
+{
+foo()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:10839: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:10842: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10844: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:10847: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_var_timezone=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_var_timezone=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+ac_foo=`eval echo \\$ac_cv_var_timezone`
+echo "$as_me:10860: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_TIMEZONE 1
+EOF
+
+echo "$as_me:10868: checking if timezone is properly declared" >&5
+echo $ECHO_N "checking if timezone is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_timezone_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10875 "configure"
+#include "confdefs.h"
+#include <time.h>
+extern struct { int foo; } timezone;
+int
+main ()
+{
+timezone.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10888: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10891: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10893: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10896: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_var_timezone_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_var_timezone_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:10908: result: $ac_cv_var_timezone_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_timezone_declaration" >&6
+if eval "test \"\$ac_cv_var_timezone_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_TIMEZONE_DECLARATION 1
+EOF
+
+fi
+
+fi
+
+cv=`echo "sa_family_t" | sed 'y%./+- %__p__%'`
+echo "$as_me:10921: checking for sa_family_t" >&5
+echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10927 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+sa_family_t foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10944: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10947: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10949: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10952: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:10963: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo sa_family_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:10968: checking for sa_family_t" >&5
+echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6
+if test "${ac_cv_type_sa_family_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10974 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((sa_family_t *) 0)
+  return 0;
+if (sizeof (sa_family_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:10989: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:10992: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:10994: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:10997: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_sa_family_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_sa_family_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:11007: result: $ac_cv_type_sa_family_t" >&5
+echo "${ECHO_T}$ac_cv_type_sa_family_t" >&6
+if test $ac_cv_type_sa_family_t = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_SA_FAMILY_T 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "socklen_t" | sed 'y%./+- %__p__%'`
+echo "$as_me:11026: checking for socklen_t" >&5
+echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11032 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+socklen_t foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11049: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11052: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11054: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11057: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:11068: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo socklen_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:11073: checking for socklen_t" >&5
+echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
+if test "${ac_cv_type_socklen_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11079 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((socklen_t *) 0)
+  return 0;
+if (sizeof (socklen_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11094: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11097: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11099: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11102: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_socklen_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_socklen_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:11112: result: $ac_cv_type_socklen_t" >&5
+echo "${ECHO_T}$ac_cv_type_socklen_t" >&6
+if test $ac_cv_type_socklen_t = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_SOCKLEN_T 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "struct sockaddr" | sed 'y%./+- %__p__%'`
+echo "$as_me:11131: checking for struct sockaddr" >&5
+echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11137 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+struct sockaddr foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11154: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11157: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11159: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11162: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:11173: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo struct sockaddr | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:11178: checking for struct sockaddr" >&5
+echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11184 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct sockaddr *) 0)
+  return 0;
+if (sizeof (struct sockaddr))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11199: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11202: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11204: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11207: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_struct_sockaddr=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_sockaddr=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:11217: result: $ac_cv_type_struct_sockaddr" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr" >&6
+if test $ac_cv_type_struct_sockaddr = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_SOCKADDR 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "struct sockaddr_storage" | sed 'y%./+- %__p__%'`
+echo "$as_me:11236: checking for struct sockaddr_storage" >&5
+echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11242 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+struct sockaddr_storage foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11259: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11262: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11264: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11267: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:11278: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo struct sockaddr_storage | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:11283: checking for struct sockaddr_storage" >&5
+echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr_storage+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11289 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct sockaddr_storage *) 0)
+  return 0;
+if (sizeof (struct sockaddr_storage))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11304: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11307: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11309: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11312: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_struct_sockaddr_storage=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_sockaddr_storage=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:11322: result: $ac_cv_type_struct_sockaddr_storage" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr_storage" >&6
+if test $ac_cv_type_struct_sockaddr_storage = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_SOCKADDR_STORAGE 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "struct addrinfo" | sed 'y%./+- %__p__%'`
+echo "$as_me:11341: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11347 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <netdb.h>
+int
+main ()
+{
+struct addrinfo foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11364: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11367: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11369: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11372: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:11383: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo struct addrinfo | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:11388: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
+if test "${ac_cv_type_struct_addrinfo+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11394 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct addrinfo *) 0)
+  return 0;
+if (sizeof (struct addrinfo))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11409: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11412: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11414: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11417: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_struct_addrinfo=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_addrinfo=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:11427: result: $ac_cv_type_struct_addrinfo" >&5
+echo "${ECHO_T}$ac_cv_type_struct_addrinfo" >&6
+if test $ac_cv_type_struct_addrinfo = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_ADDRINFO 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "struct ifaddrs" | sed 'y%./+- %__p__%'`
+echo "$as_me:11446: checking for struct ifaddrs" >&5
+echo $ECHO_N "checking for struct ifaddrs... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11452 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <ifaddrs.h>
+int
+main ()
+{
+struct ifaddrs foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11469: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11472: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11474: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11477: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:11488: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo struct ifaddrs | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:11493: checking for struct ifaddrs" >&5
+echo $ECHO_N "checking for struct ifaddrs... $ECHO_C" >&6
+if test "${ac_cv_type_struct_ifaddrs+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11499 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct ifaddrs *) 0)
+  return 0;
+if (sizeof (struct ifaddrs))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11514: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11517: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11519: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11522: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_struct_ifaddrs=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_ifaddrs=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:11532: result: $ac_cv_type_struct_ifaddrs" >&5
+echo "${ECHO_T}$ac_cv_type_struct_ifaddrs" >&6
+if test $ac_cv_type_struct_ifaddrs = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_IFADDRS 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+echo "$as_me:11550: checking for struct winsize" >&5
+echo $ECHO_N "checking for struct winsize... $ECHO_C" >&6
+if test "${ac_cv_struct_winsize+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+ac_cv_struct_winsize=no
+for i in sys/termios.h sys/ioctl.h; do
+cat >conftest.$ac_ext <<_ACEOF
+#line 11559 "configure"
+#include "confdefs.h"
+#include <$i>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "struct[ 	]*winsize" >/dev/null 2>&1; then
+  ac_cv_struct_winsize=yes; break
+fi
+rm -f conftest*
+done
+
+fi
+
+if test "$ac_cv_struct_winsize" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_WINSIZE 1
+EOF
+
+fi
+echo "$as_me:11580: result: $ac_cv_struct_winsize" >&5
+echo "${ECHO_T}$ac_cv_struct_winsize" >&6
+cat >conftest.$ac_ext <<_ACEOF
+#line 11583 "configure"
+#include "confdefs.h"
+#include <termios.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ws_xpixel" >/dev/null 2>&1; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_WS_XPIXEL 1
+EOF
+
+fi
+rm -f conftest*
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 11599 "configure"
+#include "confdefs.h"
+#include <termios.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ws_ypixel" >/dev/null 2>&1; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_WS_YPIXEL 1
+EOF
+
+fi
+rm -f conftest*
+
+echo "$as_me:11614: checking for struct spwd" >&5
+echo $ECHO_N "checking for struct spwd... $ECHO_C" >&6
+if test "${ac_cv_struct_spwd+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 11621 "configure"
+#include "confdefs.h"
+#include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+int
+main ()
+{
+struct spwd foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11636: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11639: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11641: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11644: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_struct_spwd=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_struct_spwd=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:11656: result: $ac_cv_struct_spwd" >&5
+echo "${ECHO_T}$ac_cv_struct_spwd" >&6
+
+if test "$ac_cv_struct_spwd" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_SPWD 1
+EOF
+
+fi
+
+LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)"
+
+LIB_roken="\$(top_builddir)/lib/vers/libvers.la $LIB_roken"
+
+# Check whether --with-openldap or --without-openldap was given.
+if test "${with_openldap+set}" = set; then
+  withval="$with_openldap"
+
+fi;
+
+# Check whether --with-openldap-lib or --without-openldap-lib was given.
+if test "${with_openldap_lib+set}" = set; then
+  withval="$with_openldap_lib"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { { echo "$as_me:11681: error: No argument for --with-openldap-lib" >&5
+echo "$as_me: error: No argument for --with-openldap-lib" >&2;}
+   { (exit 1); exit 1; }; }
+elif test "X$with_openldap" = "X"; then
+  with_openldap=yes
+fi
+fi;
+
+# Check whether --with-openldap-include or --without-openldap-include was given.
+if test "${with_openldap_include+set}" = set; then
+  withval="$with_openldap_include"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { { echo "$as_me:11693: error: No argument for --with-openldap-include" >&5
+echo "$as_me: error: No argument for --with-openldap-include" >&2;}
+   { (exit 1); exit 1; }; }
+elif test "X$with_openldap" = "X"; then
+  with_openldap=yes
+fi
+fi;
+
+echo "$as_me:11701: checking for openldap" >&5
+echo $ECHO_N "checking for openldap... $ECHO_C" >&6
+
+case "$with_openldap" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_openldap_include" = ""; then
+		with_openldap_include="$with_openldap/include"
+	fi
+	if test "$with_openldap_lib" = ""; then
+		with_openldap_lib="$with_openldap/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d=''
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_openldap_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_openldap_include $header_dirs";;
+esac
+case "$with_openldap_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_openldap_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 11741 "configure"
+#include "confdefs.h"
+#include <ldap.h>
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11753: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11756: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11758: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11761: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ires=$i;break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+done
+for i in $lib_dirs; do
+	LIBS="-L$i -lldap -llber  $save_LIBS"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 11773 "configure"
+#include "confdefs.h"
+#include <ldap.h>
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:11785: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:11788: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11790: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:11793: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  lres=$i;break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_openldap" != "no"; then
+	openldap_includedir="$ires"
+	openldap_libdir="$lres"
+	INCLUDE_openldap="-I$openldap_includedir"
+	LIB_openldap="-L$openldap_libdir -lldap -llber"
+
+cat >>confdefs.h <<EOF
+#define OPENLDAP 1
+EOF
+
+	with_openldap=yes
+	echo "$as_me:11816: result: headers $ires, libraries $lres" >&5
+echo "${ECHO_T}headers $ires, libraries $lres" >&6
+else
+	INCLUDE_openldap=
+	LIB_openldap=
+	with_openldap=no
+	echo "$as_me:11822: result: $with_openldap" >&5
+echo "${ECHO_T}$with_openldap" >&6
+fi
+
+if test "$openldap_libdir"; then
+	LIB_openldap="-R $openldap_libdir $LIB_openldap"
+fi
 
 # Check whether --with-krb4 or --without-krb4 was given.
 if test "${with_krb4+set}" = set; then
   withval="$with_krb4"
-  :
-fi
+
+fi;
 
 # Check whether --with-krb4-lib or --without-krb4-lib was given.
 if test "${with_krb4_lib+set}" = set; then
   withval="$with_krb4_lib"
   if test "$withval" = "yes" -o "$withval" = "no"; then
-  { echo "configure: error: No argument for --with-krb4-lib" 1>&2; exit 1; }
+  { { echo "$as_me:11840: error: No argument for --with-krb4-lib" >&5
+echo "$as_me: error: No argument for --with-krb4-lib" >&2;}
+   { (exit 1); exit 1; }; }
 elif test "X$with_krb4" = "X"; then
   with_krb4=yes
 fi
-fi
+fi;
 
 # Check whether --with-krb4-include or --without-krb4-include was given.
 if test "${with_krb4_include+set}" = set; then
   withval="$with_krb4_include"
   if test "$withval" = "yes" -o "$withval" = "no"; then
-  { echo "configure: error: No argument for --with-krb4-include" 1>&2; exit 1; }
+  { { echo "$as_me:11852: error: No argument for --with-krb4-include" >&5
+echo "$as_me: error: No argument for --with-krb4-include" >&2;}
+   { (exit 1); exit 1; }; }
 elif test "X$with_krb4" = "X"; then
   with_krb4=yes
 fi
-fi
-
+fi;
 
-echo $ac_n "checking for krb4""... $ac_c" 1>&6
-echo "configure:2247: checking for krb4" >&5
+echo "$as_me:11860: checking for krb4" >&5
+echo $ECHO_N "checking for krb4... $ECHO_C" >&6
 
 case "$with_krb4" in
 yes)	;;
@@ -2281,41 +11896,67 @@ save_LIBS="$LIBS"
 ires= lres=
 for i in $header_dirs; do
 	CFLAGS="-I$i $save_CFLAGS"
-	cat > conftest.$ac_ext <<EOF
-#line 2286 "configure"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 11900 "configure"
 #include "confdefs.h"
 #include <krb.h>
-int main() {
+int
+main ()
+{
 
-; return 0; }
-EOF
-if { (eval echo configure:2293: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:11912: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:11915: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11917: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:11920: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ires=$i;break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 done
 for i in $lib_dirs; do
 	LIBS="-L$i -lkrb -ldes $save_LIBS"
-	cat > conftest.$ac_ext <<EOF
-#line 2305 "configure"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 11932 "configure"
 #include "confdefs.h"
 #include <krb.h>
-int main() {
+int
+main ()
+{
 
-; return 0; }
-EOF
-if { (eval echo configure:2312: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:11944: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:11947: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:11949: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:11952: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   lres=$i;break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 done
 CFLAGS="$save_CFLAGS"
 LIBS="$save_LIBS"
@@ -2325,22 +11966,22 @@ if test "$ires" -a "$lres" -a "$with_krb4" != "no"; then
 	krb4_libdir="$lres"
 	INCLUDE_krb4="-I$krb4_includedir"
 	LIB_krb4="-L$krb4_libdir -lkrb"
-	cat >> confdefs.h <<EOF
-#define `echo krb4 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ` 1
+
+cat >>confdefs.h <<EOF
+#define KRB4 1
 EOF
 
 	with_krb4=yes
-	echo "$ac_t""headers $ires, libraries $lres" 1>&6
+	echo "$as_me:11975: result: headers $ires, libraries $lres" >&5
+echo "${ECHO_T}headers $ires, libraries $lres" >&6
 else
 	INCLUDE_krb4=
 	LIB_krb4=
 	with_krb4=no
-	echo "$ac_t""$with_krb4" 1>&6
+	echo "$as_me:11981: result: $with_krb4" >&5
+echo "${ECHO_T}$with_krb4" >&6
 fi
 
-
-
-
 LIB_kdb=
 if test "$with_krb4" != "no"; then
 	save_CFLAGS="$CFLAGS"
@@ -2348,149 +11989,199 @@ if test "$with_krb4" != "no"; then
 	save_LIBS="$LIBS"
 	LIBS="$LIB_krb4 -ldes $LIBS"
 	EXTRA_LIB45=lib45.a
-	
-	echo $ac_n "checking for four valued krb_put_int""... $ac_c" 1>&6
-echo "configure:2354: checking for four valued krb_put_int" >&5
-if eval "test \"`echo '$''{'ac_cv_func_krb_put_int_four'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+
+	echo "$as_me:11993: checking for four valued krb_put_int" >&5
+echo $ECHO_N "checking for four valued krb_put_int... $ECHO_C" >&6
+if test "${ac_cv_func_krb_put_int_four+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 2359 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11999 "configure"
 #include "confdefs.h"
 #include <krb.h>
-int main() {
+int
+main ()
+{
 
 		char tmp[4];
 		krb_put_int(17, tmp, 4, sizeof(tmp));
-; return 0; }
-EOF
-if { (eval echo configure:2368: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:12013: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:12016: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:12018: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:12021: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_func_krb_put_int_four=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_func_krb_put_int_four=no
-fi
-rm -f conftest*
-	
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_krb_put_int_four=no
 fi
+rm -f conftest.$ac_objext conftest.$ac_ext
 
-echo "$ac_t""$ac_cv_func_krb_put_int_four" 1>&6
+fi
+echo "$as_me:12032: result: $ac_cv_func_krb_put_int_four" >&5
+echo "${ECHO_T}$ac_cv_func_krb_put_int_four" >&6
 	if test "$ac_cv_func_krb_put_int_four" = yes; then
-		cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_FOUR_VALUED_KRB_PUT_INT 1
 EOF
 
 	fi
-	echo $ac_n "checking for KRB_VERIFY_SECURE""... $ac_c" 1>&6
-echo "configure:2389: checking for KRB_VERIFY_SECURE" >&5
-if eval "test \"`echo '$''{'ac_cv_func_krb_verify_secure'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+
+	echo "$as_me:12042: checking for KRB_VERIFY_SECURE" >&5
+echo $ECHO_N "checking for KRB_VERIFY_SECURE... $ECHO_C" >&6
+if test "${ac_cv_func_krb_verify_secure+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 2394 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12048 "configure"
 #include "confdefs.h"
 #include <krb.h>
-int main() {
+int
+main ()
+{
 
 		int x = KRB_VERIFY_SECURE
-; return 0; }
-EOF
-if { (eval echo configure:2402: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:12061: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:12064: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:12066: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:12069: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_func_krb_verify_secure=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_func_krb_verify_secure=no
-fi
-rm -f conftest*
-	
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_krb_verify_secure=no
 fi
+rm -f conftest.$ac_objext conftest.$ac_ext
 
-echo "$ac_t""$ac_cv_func_krb_verify_secure" 1>&6
+fi
+echo "$as_me:12080: result: $ac_cv_func_krb_verify_secure" >&5
+echo "${ECHO_T}$ac_cv_func_krb_verify_secure" >&6
 	if test "$ac_cv_func_krb_verify_secure" != yes; then
-		cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define KRB_VERIFY_SECURE 1
 EOF
 
-		cat >> confdefs.h <<\EOF
+cat >>confdefs.h <<\EOF
 #define KRB_VERIFY_SECURE_FAIL 2
 EOF
 
 	fi
-	echo $ac_n "checking for KRB_VERIFY_NOT_SECURE""... $ac_c" 1>&6
-echo "configure:2427: checking for KRB_VERIFY_NOT_SECURE" >&5
-if eval "test \"`echo '$''{'ac_cv_func_krb_verify_not_secure'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+	echo "$as_me:12093: checking for KRB_VERIFY_NOT_SECURE" >&5
+echo $ECHO_N "checking for KRB_VERIFY_NOT_SECURE... $ECHO_C" >&6
+if test "${ac_cv_func_krb_verify_not_secure+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 2432 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12099 "configure"
 #include "confdefs.h"
 #include <krb.h>
-int main() {
+int
+main ()
+{
 
 		int x = KRB_VERIFY_NOT_SECURE
-; return 0; }
-EOF
-if { (eval echo configure:2440: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:12112: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:12115: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:12117: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:12120: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_func_krb_verify_not_secure=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_func_krb_verify_not_secure=no
-fi
-rm -f conftest*
-	
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_krb_verify_not_secure=no
 fi
+rm -f conftest.$ac_objext conftest.$ac_ext
 
-echo "$ac_t""$ac_cv_func_krb_verify_not_secure" 1>&6
+fi
+echo "$as_me:12131: result: $ac_cv_func_krb_verify_not_secure" >&5
+echo "${ECHO_T}$ac_cv_func_krb_verify_not_secure" >&6
 	if test "$ac_cv_func_krb_verify_not_secure" != yes; then
-		cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define KRB_VERIFY_NOT_SECURE 0
 EOF
 
 	fi
-	
-
 
-
-echo $ac_n "checking for krb_enable_debug""... $ac_c" 1>&6
-echo "configure:2465: checking for krb_enable_debug" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_krb_enable_debug'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:12141: checking for krb_enable_debug" >&5
+echo $ECHO_N "checking for krb_enable_debug... $ECHO_C" >&6
+if test "${ac_cv_funclib_krb_enable_debug+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_krb_enable_debug\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" ; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 2480 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 12157 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 krb_enable_debug()
-; return 0; }
-EOF
-if { (eval echo configure:2487: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:12169: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:12172: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:12174: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:12177: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_enable_debug=$ac_lib; else ac_cv_funclib_krb_enable_debug=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_krb_enable_debug=\${ac_cv_funclib_krb_enable_debug-no}"
 	LIBS="$ac_save_LIBS"
@@ -2498,14 +12189,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_krb_enable_debug"
 
-: << END
-@@@funcs="$funcs krb_enable_debug"@@@
-@@@libs="$libs "" "@@@
-END
+if false; then
+
+for ac_func in krb_enable_debug
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:12199: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12205 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:12236: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:12239: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:12241: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:12244: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:12254: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
 
+fi
 # krb_enable_debug
 eval "ac_tr_func=HAVE_`echo krb_enable_debug | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -2515,72 +12271,83 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_krb_enable_debug=yes"
 	eval "LIB_krb_enable_debug="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:12278: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_krb_enable_debug=no"
 	eval "LIB_krb_enable_debug="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:12284: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_krb_enable_debug=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:12298: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 if test -n "$LIB_krb_enable_debug"; then
 	LIBS="$LIB_krb_enable_debug $LIBS"
 fi
 
-	
-
-
-
-echo $ac_n "checking for krb_disable_debug""... $ac_c" 1>&6
-echo "configure:2555: checking for krb_disable_debug" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_krb_disable_debug'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:12307: checking for krb_disable_debug" >&5
+echo $ECHO_N "checking for krb_disable_debug... $ECHO_C" >&6
+if test "${ac_cv_funclib_krb_disable_debug+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_krb_disable_debug\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" ; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 2570 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 12323 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 krb_disable_debug()
-; return 0; }
-EOF
-if { (eval echo configure:2577: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:12335: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:12338: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:12340: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:12343: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_disable_debug=$ac_lib; else ac_cv_funclib_krb_disable_debug=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_krb_disable_debug=\${ac_cv_funclib_krb_disable_debug-no}"
 	LIBS="$ac_save_LIBS"
@@ -2588,14 +12355,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_krb_disable_debug"
 
-: << END
-@@@funcs="$funcs krb_disable_debug"@@@
-@@@libs="$libs "" "@@@
-END
+if false; then
+
+for ac_func in krb_disable_debug
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:12365: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12371 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
 
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:12402: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:12405: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:12407: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:12410: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:12420: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
 # krb_disable_debug
 eval "ac_tr_func=HAVE_`echo krb_disable_debug | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -2605,72 +12437,83 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_krb_disable_debug=yes"
 	eval "LIB_krb_disable_debug="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:12444: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_krb_disable_debug=no"
 	eval "LIB_krb_disable_debug="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:12450: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_krb_disable_debug=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:12464: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 if test -n "$LIB_krb_disable_debug"; then
 	LIBS="$LIB_krb_disable_debug $LIBS"
 fi
 
-	
-
-
-
-echo $ac_n "checking for krb_get_our_ip_for_realm""... $ac_c" 1>&6
-echo "configure:2645: checking for krb_get_our_ip_for_realm" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_krb_get_our_ip_for_realm'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:12473: checking for krb_get_our_ip_for_realm" >&5
+echo $ECHO_N "checking for krb_get_our_ip_for_realm... $ECHO_C" >&6
+if test "${ac_cv_funclib_krb_get_our_ip_for_realm+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_krb_get_our_ip_for_realm\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" ; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 2660 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 12489 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 krb_get_our_ip_for_realm()
-; return 0; }
-EOF
-if { (eval echo configure:2667: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:12501: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:12504: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:12506: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:12509: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_get_our_ip_for_realm=$ac_lib; else ac_cv_funclib_krb_get_our_ip_for_realm=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_krb_get_our_ip_for_realm=\${ac_cv_funclib_krb_get_our_ip_for_realm-no}"
 	LIBS="$ac_save_LIBS"
@@ -2678,14 +12521,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_krb_get_our_ip_for_realm"
 
-: << END
-@@@funcs="$funcs krb_get_our_ip_for_realm"@@@
-@@@libs="$libs "" "@@@
-END
+if false; then
+
+for ac_func in krb_get_our_ip_for_realm
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:12531: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12537 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
 
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:12568: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:12571: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:12573: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:12576: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:12586: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
 # krb_get_our_ip_for_realm
 eval "ac_tr_func=HAVE_`echo krb_get_our_ip_for_realm | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -2695,47 +12603,98 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_krb_get_our_ip_for_realm=yes"
 	eval "LIB_krb_get_our_ip_for_realm="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:12610: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_krb_get_our_ip_for_realm=no"
 	eval "LIB_krb_get_our_ip_for_realm="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:12616: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_krb_get_our_ip_for_realm=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:12630: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 if test -n "$LIB_krb_get_our_ip_for_realm"; then
 	LIBS="$LIB_krb_get_our_ip_for_realm $LIBS"
 fi
 
+	echo "$as_me:12639: checking for krb_mk_req with const arguments" >&5
+echo $ECHO_N "checking for krb_mk_req with const arguments... $ECHO_C" >&6
+if test "${ac_cv_func_krb_mk_req_const+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12645 "configure"
+#include "confdefs.h"
+#include <krb.h>
+		int krb_mk_req(KTEXT a, const char *s, const char *i,
+			       const char *r, int32_t checksum)
+		{ return 17; }
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:12660: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:12663: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:12665: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:12668: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_func_krb_mk_req_const=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_krb_mk_req_const=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+echo "$as_me:12679: result: $ac_cv_func_krb_mk_req_const" >&5
+echo "${ECHO_T}$ac_cv_func_krb_mk_req_const" >&6
+	if test "$ac_cv_func_krb_mk_req_const" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define KRB_MK_REQ_CONST 1
+EOF
+
+	fi
+
 	LIBS="$save_LIBS"
 	CFLAGS="$save_CFLAGS"
 	LIB_kdb="-lkdb -lkrb"
 	if test "$krb4_libdir"; then
-		LIB_krb4="-rpath $krb4_libdir $LIB_krb4"
-		LIB_kdb="-rpath $krb4_libdir -L$krb4_libdir $LIB_kdb"
+		LIB_krb4="-R $krb4_libdir $LIB_krb4"
+		LIB_kdb="-R $krb4_libdir -L$krb4_libdir $LIB_kdb"
 	fi
 fi
 
-
 if test "$with_krb4" != "no"; then
   KRB4_TRUE=
   KRB4_FALSE='#'
@@ -2744,7 +12703,6 @@ else
   KRB4_FALSE=
 fi
 
-
 if true; then
   KRB5_TRUE=
   KRB5_FALSE='#'
@@ -2752,158 +12710,64 @@ else
   KRB5_TRUE='#'
   KRB5_FALSE=
 fi
-cat >> confdefs.h <<\EOF
-#define KRB5 1
-EOF
-
 
-if test "$aix" != no; then
-  AIX_TRUE=
-  AIX_FALSE='#'
-else
-  AIX_TRUE='#'
-  AIX_FALSE=
-fi
-
-if test "$aix" = 4; then
-  AIX4_TRUE=
-  AIX4_FALSE='#'
-else
-  AIX4_TRUE='#'
-  AIX4_FALSE=
-fi
-aix_dynamic_afs=yes
-
-
-if test "$aix_dynamic_afs" = yes; then
-  AIX_DYNAMIC_AFS_TRUE=
-  AIX_DYNAMIC_AFS_FALSE='#'
+if true; then
+  do_roken_rename_TRUE=
+  do_roken_rename_FALSE='#'
 else
-  AIX_DYNAMIC_AFS_TRUE='#'
-  AIX_DYNAMIC_AFS_FALSE=
+  do_roken_rename_TRUE='#'
+  do_roken_rename_FALSE=
 fi
 
-
-
-echo $ac_n "checking for dlopen""... $ac_c" 1>&6
-echo "configure:2790: checking for dlopen" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_dlopen'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-if eval "test \"\$ac_cv_func_dlopen\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" dl; do
-		if test -n "$ac_lib"; then 
-			ac_lib="-l$ac_lib"
-		else
-			ac_lib=""
-		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 2805 "configure"
-#include "confdefs.h"
-
-int main() {
-dlopen()
-; return 0; }
+cat >>confdefs.h <<\EOF
+#define KRB5 1
 EOF
-if { (eval echo configure:2812: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dlopen=$ac_lib; else ac_cv_funclib_dlopen=yes; fi";break
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-fi
-rm -f conftest*
-	done
-	eval "ac_cv_funclib_dlopen=\${ac_cv_funclib_dlopen-no}"
-	LIBS="$ac_save_LIBS"
-fi
 
-fi
+# Check whether --enable-dce or --disable-dce was given.
+if test "${enable_dce+set}" = set; then
+  enableval="$enable_dce"
 
+fi;
+if test "$enable_dce" = yes; then
 
-eval "ac_res=\$ac_cv_funclib_dlopen"
-
-: << END
-@@@funcs="$funcs dlopen"@@@
-@@@libs="$libs "" dl"@@@
-END
-
-# dlopen
-eval "ac_tr_func=HAVE_`echo dlopen | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_dlopen=$ac_res"
-
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_dlopen=yes"
-	eval "LIB_dlopen="
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
+cat >>confdefs.h <<\EOF
+#define DCE 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
-	;;
-	no)
-	eval "ac_cv_func_dlopen=no"
-	eval "LIB_dlopen="
-	echo "$ac_t""no" 1>&6
-	;;
-	*)
-	eval "ac_cv_func_dlopen=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-	cat >> confdefs.h <<EOF
-#define $ac_tr_lib 1
-EOF
-
-	echo "$ac_t""yes, in $ac_res" 1>&6
-	;;
-esac
-
-
-
-if test "$aix" != no; then
-	if test "$aix_dynamic_afs" = yes; then
-		if test "$ac_cv_funclib_dlopen" = yes; then
-			AIX_EXTRA_KAFS=
-		elif test "$ac_cv_funclib_dlopen" != no; then
-			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
-		else
-			AIX_EXTRA_KAFS=-lld
-		fi
-	else
-		AIX_EXTRA_KAFS=
-	fi
 fi
 
+if test "$enable_dce" = yes; then
+  DCE_TRUE=
+  DCE_FALSE='#'
+else
+  DCE_TRUE='#'
+  DCE_FALSE=
+fi
 
-
-if test "$ac_cv_funclib_dlopen" != no; then
-  HAVE_DLOPEN_TRUE=
-  HAVE_DLOPEN_FALSE='#'
+## XXX quite horrible:
+if test -f /etc/ibmcxx.cfg; then
+	dpagaix_LDADD=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/libraries/{;s/^^=*=\(.*\)/\1/;s/,/ /gp;}'`
+	dpagaix_CFLAGS=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/options/{;s/^^=*=\(.*\)/\1/;s/-q^,*//;s/,/ /gp;}'`
 else
-  HAVE_DLOPEN_TRUE='#'
-  HAVE_DLOPEN_FALSE=
+	dpagaix_CFLAGS="-D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce"
+	dpagaix_LDADD="-L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r"
 fi
+
 # Check whether --enable-kaserver or --disable-kaserver was given.
 if test "${enable_kaserver+set}" = set; then
   enableval="$enable_kaserver"
-  :
-fi
 
+fi;
 if test "$enable_kaserver" = yes; then
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define KASERVER 1
 EOF
 
 	if test "$with_krb4" = "no"; then
-		{ echo "configure: error: kaserver requires krb4" 1>&2; exit 1; }
+		{ { echo "$as_me:12768: error: kaserver requires krb4" >&5
+echo "$as_me: error: kaserver requires krb4" >&2;}
+   { (exit 1); exit 1; }; }
 		exit 1
 	fi
 fi
@@ -2911,16 +12775,18 @@ fi
 # Check whether --enable-kaserver-db or --disable-kaserver-db was given.
 if test "${enable_kaserver_db+set}" = set; then
   enableval="$enable_kaserver_db"
-  :
-fi
 
+fi;
 if test "$enable_kaserver_db" = yes; then
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define KASERVER_DB 1
 EOF
 
 	if test "$with_krb4" = "no"; then
-		{ echo "configure: error: kaserver-db requires krb4" 1>&2; exit 1; }
+		{ { echo "$as_me:12787: error: kaserver-db requires krb4" >&5
+echo "$as_me: error: kaserver-db requires krb4" >&2;}
+   { (exit 1); exit 1; }; }
 		exit 1
 	fi
 fi
@@ -2929,23 +12795,21 @@ otp=yes
 # Check whether --enable-otp or --disable-otp was given.
 if test "${enable_otp+set}" = set; then
   enableval="$enable_otp"
-  
+
 if test "$enableval" = "no"; then
 	otp=no
 fi
 
-fi
-
+fi;
 if test "$otp" = "yes"; then
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define OTP 1
 EOF
 
 	LIB_otp='$(top_builddir)/lib/otp/libotp.la'
 fi
 
-
-
 if test "$otp" = yes; then
   OTP_TRUE=
   OTP_FALSE='#'
@@ -2957,94 +12821,94 @@ fi
 # Check whether --enable-osfc2 or --disable-osfc2 was given.
 if test "${enable_osfc2+set}" = set; then
   enableval="$enable_osfc2"
-  :
-fi
 
+fi;
 LIB_security=
 if test "$enable_osfc2" = yes; then
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_OSFC2 1
 EOF
 
 	LIB_security=-lsecurity
 fi
 
-
-
 # Extract the first word of "nroff", so it can be a program name with args.
 set dummy nroff; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2978: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_path_NROFF'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:12838: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_path_NROFF+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  case "$NROFF" in
-  /*)
+  case $NROFF in
+  [\\/]* | ?:[\\/]*)
   ac_cv_path_NROFF="$NROFF" # Let the user override the test with a path.
   ;;
-  ?:/*)			 
-  ac_cv_path_NROFF="$NROFF" # Let the user override the test with a dos path.
-  ;;
   *)
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
-  ac_dummy="$PATH"
-  for ac_dir in $ac_dummy; do 
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      ac_cv_path_NROFF="$ac_dir/$ac_word"
-      break
-    fi
-  done
-  IFS="$ac_save_ifs"
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  if $as_executable_p "$ac_dir/$ac_word"; then
+   ac_cv_path_NROFF="$ac_dir/$ac_word"
+   break
+fi
+done
+
   ;;
 esac
 fi
-NROFF="$ac_cv_path_NROFF"
+NROFF=$ac_cv_path_NROFF
+
 if test -n "$NROFF"; then
-  echo "$ac_t""$NROFF" 1>&6
+  echo "$as_me:12865: result: $NROFF" >&5
+echo "${ECHO_T}$NROFF" >&6
 else
-  echo "$ac_t""no" 1>&6
+  echo "$as_me:12868: result: no" >&5
+echo "${ECHO_T}no" >&6
 fi
 
 # Extract the first word of "groff", so it can be a program name with args.
 set dummy groff; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:3013: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_path_GROFF'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:12874: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_path_GROFF+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  case "$GROFF" in
-  /*)
+  case $GROFF in
+  [\\/]* | ?:[\\/]*)
   ac_cv_path_GROFF="$GROFF" # Let the user override the test with a path.
   ;;
-  ?:/*)			 
-  ac_cv_path_GROFF="$GROFF" # Let the user override the test with a dos path.
-  ;;
   *)
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
-  ac_dummy="$PATH"
-  for ac_dir in $ac_dummy; do 
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      ac_cv_path_GROFF="$ac_dir/$ac_word"
-      break
-    fi
-  done
-  IFS="$ac_save_ifs"
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  if $as_executable_p "$ac_dir/$ac_word"; then
+   ac_cv_path_GROFF="$ac_dir/$ac_word"
+   break
+fi
+done
+
   ;;
 esac
 fi
-GROFF="$ac_cv_path_GROFF"
+GROFF=$ac_cv_path_GROFF
+
 if test -n "$GROFF"; then
-  echo "$ac_t""$GROFF" 1>&6
+  echo "$as_me:12901: result: $GROFF" >&5
+echo "${ECHO_T}$GROFF" >&6
 else
-  echo "$ac_t""no" 1>&6
+  echo "$as_me:12904: result: no" >&5
+echo "${ECHO_T}no" >&6
 fi
 
-echo $ac_n "checking how to format man pages""... $ac_c" 1>&6
-echo "configure:3046: checking how to format man pages" >&5
-if eval "test \"`echo '$''{'ac_cv_sys_man_format'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:12908: checking how to format man pages" >&5
+echo $ECHO_N "checking how to format man pages... $ECHO_C" >&6
+if test "${ac_cv_sys_man_format+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat > conftest.1 << END
 .Dd January 1, 1970
@@ -3078,13 +12942,12 @@ if test "$ac_cv_sys_man_format"; then
 fi
 
 fi
-
-echo "$ac_t""$ac_cv_sys_man_format" 1>&6
+echo "$as_me:12945: result: $ac_cv_sys_man_format" >&5
+echo "${ECHO_T}$ac_cv_sys_man_format" >&6
 if test "$ac_cv_sys_man_format"; then
 	CATMAN="$ac_cv_sys_man_format"
-	
-fi
 
+fi
 
 if test "$CATMAN"; then
   CATMAN_TRUE=
@@ -3093,10 +12956,10 @@ else
   CATMAN_TRUE='#'
   CATMAN_FALSE=
 fi
-echo $ac_n "checking extension of pre-formatted manual pages""... $ac_c" 1>&6
-echo "configure:3098: checking extension of pre-formatted manual pages" >&5
-if eval "test \"`echo '$''{'ac_cv_sys_catman_ext'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:12959: checking extension of pre-formatted manual pages" >&5
+echo $ECHO_N "checking extension of pre-formatted manual pages... $ECHO_C" >&6
+if test "${ac_cv_sys_catman_ext+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if grep _suffix /etc/man.conf > /dev/null 2>&1; then
 	ac_cv_sys_catman_ext=0
@@ -3105,47 +12968,46 @@ else
 fi
 
 fi
-
-echo "$ac_t""$ac_cv_sys_catman_ext" 1>&6
+echo "$as_me:12971: result: $ac_cv_sys_catman_ext" >&5
+echo "${ECHO_T}$ac_cv_sys_catman_ext" >&6
 if test "$ac_cv_sys_catman_ext" = number; then
-	CATMANEXT='$$ext'
+	CATMANEXT='$$section'
 else
 	CATMANEXT=0
 fi
 
-
-
-
-
 # Check whether --with-readline or --without-readline was given.
 if test "${with_readline+set}" = set; then
   withval="$with_readline"
-  :
-fi
+
+fi;
 
 # Check whether --with-readline-lib or --without-readline-lib was given.
 if test "${with_readline_lib+set}" = set; then
   withval="$with_readline_lib"
   if test "$withval" = "yes" -o "$withval" = "no"; then
-  { echo "configure: error: No argument for --with-readline-lib" 1>&2; exit 1; }
+  { { echo "$as_me:12989: error: No argument for --with-readline-lib" >&5
+echo "$as_me: error: No argument for --with-readline-lib" >&2;}
+   { (exit 1); exit 1; }; }
 elif test "X$with_readline" = "X"; then
   with_readline=yes
 fi
-fi
+fi;
 
 # Check whether --with-readline-include or --without-readline-include was given.
 if test "${with_readline_include+set}" = set; then
   withval="$with_readline_include"
   if test "$withval" = "yes" -o "$withval" = "no"; then
-  { echo "configure: error: No argument for --with-readline-include" 1>&2; exit 1; }
+  { { echo "$as_me:13001: error: No argument for --with-readline-include" >&5
+echo "$as_me: error: No argument for --with-readline-include" >&2;}
+   { (exit 1); exit 1; }; }
 elif test "X$with_readline" = "X"; then
   with_readline=yes
 fi
-fi
+fi;
 
-
-echo $ac_n "checking for readline""... $ac_c" 1>&6
-echo "configure:3149: checking for readline" >&5
+echo "$as_me:13009: checking for readline" >&5
+echo $ECHO_N "checking for readline... $ECHO_C" >&6
 
 case "$with_readline" in
 yes)	;;
@@ -3183,43 +13045,69 @@ save_LIBS="$LIBS"
 ires= lres=
 for i in $header_dirs; do
 	CFLAGS="-I$i $save_CFLAGS"
-	cat > conftest.$ac_ext <<EOF
-#line 3188 "configure"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 13049 "configure"
 #include "confdefs.h"
 #include <stdio.h>
  #include <readline.h>
-int main() {
+int
+main ()
+{
 
-; return 0; }
-EOF
-if { (eval echo configure:3196: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:13062: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:13065: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:13067: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:13070: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ires=$i;break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 done
 for i in $lib_dirs; do
 	LIBS="-L$i -lreadline  $save_LIBS"
-	cat > conftest.$ac_ext <<EOF
-#line 3208 "configure"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 13082 "configure"
 #include "confdefs.h"
 #include <stdio.h>
  #include <readline.h>
-int main() {
+int
+main ()
+{
 
-; return 0; }
-EOF
-if { (eval echo configure:3216: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:13095: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:13098: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:13100: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:13103: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   lres=$i;break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 done
 CFLAGS="$save_CFLAGS"
 LIBS="$save_LIBS"
@@ -3229,52 +13117,54 @@ if test "$ires" -a "$lres" -a "$with_readline" != "no"; then
 	readline_libdir="$lres"
 	INCLUDE_readline="-I$readline_includedir"
 	LIB_readline="-L$readline_libdir -lreadline"
-	cat >> confdefs.h <<EOF
-#define `echo readline | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ` 1
+
+cat >>confdefs.h <<EOF
+#define READLINE 1
 EOF
 
 	with_readline=yes
-	echo "$ac_t""headers $ires, libraries $lres" 1>&6
+	echo "$as_me:13126: result: headers $ires, libraries $lres" >&5
+echo "${ECHO_T}headers $ires, libraries $lres" >&6
 else
 	INCLUDE_readline=
 	LIB_readline=
 	with_readline=no
-	echo "$ac_t""$with_readline" 1>&6
+	echo "$as_me:13132: result: $with_readline" >&5
+echo "${ECHO_T}$with_readline" >&6
 fi
 
-
-
-
-
 # Check whether --with-hesiod or --without-hesiod was given.
 if test "${with_hesiod+set}" = set; then
   withval="$with_hesiod"
-  :
-fi
+
+fi;
 
 # Check whether --with-hesiod-lib or --without-hesiod-lib was given.
 if test "${with_hesiod_lib+set}" = set; then
   withval="$with_hesiod_lib"
   if test "$withval" = "yes" -o "$withval" = "no"; then
-  { echo "configure: error: No argument for --with-hesiod-lib" 1>&2; exit 1; }
+  { { echo "$as_me:13146: error: No argument for --with-hesiod-lib" >&5
+echo "$as_me: error: No argument for --with-hesiod-lib" >&2;}
+   { (exit 1); exit 1; }; }
 elif test "X$with_hesiod" = "X"; then
   with_hesiod=yes
 fi
-fi
+fi;
 
 # Check whether --with-hesiod-include or --without-hesiod-include was given.
 if test "${with_hesiod_include+set}" = set; then
   withval="$with_hesiod_include"
   if test "$withval" = "yes" -o "$withval" = "no"; then
-  { echo "configure: error: No argument for --with-hesiod-include" 1>&2; exit 1; }
+  { { echo "$as_me:13158: error: No argument for --with-hesiod-include" >&5
+echo "$as_me: error: No argument for --with-hesiod-include" >&2;}
+   { (exit 1); exit 1; }; }
 elif test "X$with_hesiod" = "X"; then
   with_hesiod=yes
 fi
-fi
-
+fi;
 
-echo $ac_n "checking for hesiod""... $ac_c" 1>&6
-echo "configure:3278: checking for hesiod" >&5
+echo "$as_me:13166: checking for hesiod" >&5
+echo $ECHO_N "checking for hesiod... $ECHO_C" >&6
 
 case "$with_hesiod" in
 yes)	;;
@@ -3312,41 +13202,67 @@ save_LIBS="$LIBS"
 ires= lres=
 for i in $header_dirs; do
 	CFLAGS="-I$i $save_CFLAGS"
-	cat > conftest.$ac_ext <<EOF
-#line 3317 "configure"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 13206 "configure"
 #include "confdefs.h"
 #include <hesiod.h>
-int main() {
+int
+main ()
+{
 
-; return 0; }
-EOF
-if { (eval echo configure:3324: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:13218: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:13221: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:13223: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:13226: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ires=$i;break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 done
 for i in $lib_dirs; do
 	LIBS="-L$i -lhesiod  $save_LIBS"
-	cat > conftest.$ac_ext <<EOF
-#line 3336 "configure"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 13238 "configure"
 #include "confdefs.h"
 #include <hesiod.h>
-int main() {
+int
+main ()
+{
 
-; return 0; }
-EOF
-if { (eval echo configure:3343: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:13250: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:13253: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:13255: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:13258: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   lres=$i;break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 done
 CFLAGS="$save_CFLAGS"
 LIBS="$save_LIBS"
@@ -3356,105 +13272,125 @@ if test "$ires" -a "$lres" -a "$with_hesiod" != "no"; then
 	hesiod_libdir="$lres"
 	INCLUDE_hesiod="-I$hesiod_includedir"
 	LIB_hesiod="-L$hesiod_libdir -lhesiod"
-	cat >> confdefs.h <<EOF
-#define `echo hesiod | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ` 1
+
+cat >>confdefs.h <<EOF
+#define HESIOD 1
 EOF
 
 	with_hesiod=yes
-	echo "$ac_t""headers $ires, libraries $lres" 1>&6
+	echo "$as_me:13281: result: headers $ires, libraries $lres" >&5
+echo "${ECHO_T}headers $ires, libraries $lres" >&6
 else
 	INCLUDE_hesiod=
 	LIB_hesiod=
 	with_hesiod=no
-	echo "$ac_t""$with_hesiod" 1>&6
+	echo "$as_me:13287: result: $with_hesiod" >&5
+echo "${ECHO_T}$with_hesiod" >&6
 fi
 
-
-
-
-
 # Check whether --enable-bigendian or --disable-bigendian was given.
 if test "${enable_bigendian+set}" = set; then
   enableval="$enable_bigendian"
   krb_cv_c_bigendian=yes
-fi
-
+fi;
 # Check whether --enable-littleendian or --disable-littleendian was given.
 if test "${enable_littleendian+set}" = set; then
   enableval="$enable_littleendian"
   krb_cv_c_bigendian=no
-fi
-
-echo $ac_n "checking whether byte order is known at compile time""... $ac_c" 1>&6
-echo "configure:3390: checking whether byte order is known at compile time" >&5
-if eval "test \"`echo '$''{'krb_cv_c_bigendian_compile'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 3395 "configure"
+fi;
+echo "$as_me:13301: checking whether byte order is known at compile time" >&5
+echo $ECHO_N "checking whether byte order is known at compile time... $ECHO_C" >&6
+if test "${krb_cv_c_bigendian_compile+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13307 "configure"
 #include "confdefs.h"
 
 #include <sys/types.h>
 #include <sys/param.h>
-int main() {
+int
+main ()
+{
 
 #if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
  bogus endian macros
 #endif
-; return 0; }
-EOF
-if { (eval echo configure:3407: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:13324: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:13327: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:13329: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:13332: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   krb_cv_c_bigendian_compile=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  krb_cv_c_bigendian_compile=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+krb_cv_c_bigendian_compile=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$krb_cv_c_bigendian_compile" 1>&6
-if test "$krb_cv_c_bigendian_compile" = "no"; then
-  echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6
-echo "configure:3422: checking whether byte ordering is bigendian" >&5
-if eval "test \"`echo '$''{'krb_cv_c_bigendian'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:13342: result: $krb_cv_c_bigendian_compile" >&5
+echo "${ECHO_T}$krb_cv_c_bigendian_compile" >&6
+echo "$as_me:13344: checking whether byte ordering is bigendian" >&5
+echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6
+if test "${krb_cv_c_bigendian+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-  if test "$krb_cv_c_bigendian" = ""; then
-    krb_cv_c_bigendian=unknown
-  fi
-  cat > conftest.$ac_ext <<EOF
-#line 3431 "configure"
+
+  if test "$krb_cv_c_bigendian_compile" = "yes"; then
+    cat >conftest.$ac_ext <<_ACEOF
+#line 13352 "configure"
 #include "confdefs.h"
 
 #include <sys/types.h>
 #include <sys/param.h>
-int main() {
+int
+main ()
+{
 
 #if BYTE_ORDER != BIG_ENDIAN
   not big endian
 #endif
-; return 0; }
-EOF
-if { (eval echo configure:3443: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:13369: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:13372: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:13374: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:13377: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   krb_cv_c_bigendian=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  krb_cv_c_bigendian=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+krb_cv_c_bigendian=no
 fi
-rm -f conftest*
-  if test "$krb_cv_c_bigendian" = "unknown"; then
+rm -f conftest.$ac_objext conftest.$ac_ext
+  else
     if test "$cross_compiling" = yes; then
-  { echo "configure: error: specify either --enable-bigendian or --enable-littleendian" 1>&2; exit 1; }
+  { { echo "$as_me:13388: error: specify either --enable-bigendian or --enable-littleendian" >&5
+echo "$as_me: error: specify either --enable-bigendian or --enable-littleendian" >&2;}
+   { (exit 1); exit 1; }; }
 else
-  cat > conftest.$ac_ext <<EOF
-#line 3458 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13393 "configure"
 #include "confdefs.h"
 main () {
       /* Are we little or big endian?  From Harbison&Steele.  */
@@ -3462,94 +13398,338 @@ main () {
       {
 	long l;
 	char c[sizeof (long)];
-      } u;
-      u.l = 1;
-      exit (u.c[sizeof (long) - 1] == 1);
-    }
-EOF
-if { (eval echo configure:3471: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
-then
+    } u;
+    u.l = 1;
+    exit (u.c[sizeof (long) - 1] == 1);
+  }
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:13407: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:13410: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:13411: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:13414: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   krb_cv_c_bigendian=no
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -fr conftest*
-  krb_cv_c_bigendian=yes
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+krb_cv_c_bigendian=yes
 fi
-rm -fr conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 fi
-
   fi
-  
+
 fi
+echo "$as_me:13428: result: $krb_cv_c_bigendian" >&5
+echo "${ECHO_T}$krb_cv_c_bigendian" >&6
+if test "$krb_cv_c_bigendian" = "yes"; then
 
-echo "$ac_t""$krb_cv_c_bigendian" 1>&6
-  if test "$krb_cv_c_bigendian" = "yes"; then
-    cat >> confdefs.h <<\EOF
+cat >>confdefs.h <<\EOF
 #define WORDS_BIGENDIAN 1
 EOF
-  fi
 fi
 if test "$krb_cv_c_bigendian_compile" = "yes"; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define ENDIANESS_IN_SYS_PARAM_H 1
 EOF
 fi
 
-echo $ac_n "checking for inline""... $ac_c" 1>&6
-echo "configure:3501: checking for inline" >&5
-if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:13443: checking for inline" >&5
+echo $ECHO_N "checking for inline... $ECHO_C" >&6
+if test "${ac_cv_c_inline+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_cv_c_inline=no
 for ac_kw in inline __inline__ __inline; do
-  cat > conftest.$ac_ext <<EOF
-#line 3508 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13451 "configure"
 #include "confdefs.h"
+#ifndef __cplusplus
+$ac_kw int foo () {return 0; }
+#endif
 
-int main() {
-} $ac_kw foo() {
-; return 0; }
-EOF
-if { (eval echo configure:3515: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:13459: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:13462: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:13464: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:13467: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_c_inline=$ac_kw; break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 done
 
 fi
-
-echo "$ac_t""$ac_cv_c_inline" 1>&6
-case "$ac_cv_c_inline" in
+echo "$as_me:13478: result: $ac_cv_c_inline" >&5
+echo "${ECHO_T}$ac_cv_c_inline" >&6
+case $ac_cv_c_inline in
   inline | yes) ;;
-  no) cat >> confdefs.h <<\EOF
-#define inline 
+  no)
+cat >>confdefs.h <<\EOF
+#define inline
 EOF
  ;;
-  *)  cat >> confdefs.h <<EOF
+  *)  cat >>confdefs.h <<EOF
 #define inline $ac_cv_c_inline
 EOF
  ;;
 esac
 
+aix=no
+case "$host" in
+*-*-aix3*)
+	aix=3
+	;;
+*-*-aix4*)
+	aix=4
+	;;
+esac
+
+if test "$aix" != no; then
+  AIX_TRUE=
+  AIX_FALSE='#'
+else
+  AIX_TRUE='#'
+  AIX_FALSE=
+fi
+
+if test "$aix" = 4; then
+  AIX4_TRUE=
+  AIX4_FALSE='#'
+else
+  AIX4_TRUE='#'
+  AIX4_FALSE=
+fi
+aix_dynamic_afs=yes
+
+if test "$aix_dynamic_afs" = yes; then
+  AIX_DYNAMIC_AFS_TRUE=
+  AIX_DYNAMIC_AFS_FALSE='#'
+else
+  AIX_DYNAMIC_AFS_TRUE='#'
+  AIX_DYNAMIC_AFS_FALSE=
+fi
+
+echo "$as_me:13528: checking for dlopen" >&5
+echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
+if test "${ac_cv_funclib_dlopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
 
-# If we find X, set shell vars x_includes and x_libraries to the
-# paths, otherwise set no_x=yes.
-# Uses ac_ vars as temps to allow command line to override cache and checks.
-# --without-x overrides everything else, but does not touch the cache.
-echo $ac_n "checking for X""... $ac_c" 1>&6
-echo "configure:3546: checking for X" >&5
+if eval "test \"\$ac_cv_func_dlopen\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" dl; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 13544 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+dlopen()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:13556: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:13559: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:13561: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:13564: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dlopen=$ac_lib; else ac_cv_funclib_dlopen=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_dlopen=\${ac_cv_funclib_dlopen-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_dlopen"
+
+if false; then
+
+for ac_func in dlopen
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:13586: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13592 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:13623: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:13626: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:13628: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:13631: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:13641: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# dlopen
+eval "ac_tr_func=HAVE_`echo dlopen | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dlopen=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dlopen=yes"
+	eval "LIB_dlopen="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:13665: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_dlopen=no"
+	eval "LIB_dlopen="
+	echo "$as_me:13671: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_dlopen=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:13685: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test "$aix" != no; then
+	if test "$aix_dynamic_afs" = yes; then
+		if test "$ac_cv_funclib_dlopen" = yes; then
+			AIX_EXTRA_KAFS=
+		elif test "$ac_cv_funclib_dlopen" != no; then
+			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
+		else
+			AIX_EXTRA_KAFS=-lld
+		fi
+	else
+		AIX_EXTRA_KAFS=
+	fi
+fi
+
+if test "$ac_cv_funclib_dlopen" != no; then
+  HAVE_DLOPEN_TRUE=
+  HAVE_DLOPEN_FALSE='#'
+else
+  HAVE_DLOPEN_TRUE='#'
+  HAVE_DLOPEN_FALSE=
+fi
+
+irix=no
+case "$host_os" in
+irix*) irix=yes ;;
+esac
+
+if test "$irix" != no; then
+  IRIX_TRUE=
+  IRIX_FALSE='#'
+else
+  IRIX_TRUE='#'
+  IRIX_FALSE=
+fi
+
+echo "$as_me:13725: checking for X" >&5
+echo $ECHO_N "checking for X... $ECHO_C" >&6
 
 # Check whether --with-x or --without-x was given.
 if test "${with_x+set}" = set; then
   withval="$with_x"
-  :
-fi
 
+fi;
 # $have_x is `yes', `no', `disabled', or empty when we do not yet know.
 if test "x$with_x" = xno; then
   # The user explicitly disabled X.
@@ -3559,16 +13739,16 @@ else
     # Both variables are already set.
     have_x=yes
   else
-if eval "test \"`echo '$''{'ac_cv_have_x'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+    if test "${ac_cv_have_x+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   # One or both of the vars are not set, and there is no cached value.
-ac_x_includes=NO ac_x_libraries=NO
+ac_x_includes=no ac_x_libraries=no
 rm -fr conftestdir
 if mkdir conftestdir; then
   cd conftestdir
   # Make sure to not put "make" in the Imakefile rules, since we grep it out.
-  cat > Imakefile <<'EOF'
+  cat >Imakefile <<'EOF'
 acfindx:
 	@echo 'ac_im_incroot="${INCROOT}"; ac_im_usrlibdir="${USRLIBDIR}"; ac_im_libdir="${LIBDIR}"'
 EOF
@@ -3578,174 +13758,154 @@ EOF
     # Open Windows xmkmf reportedly sets LIBDIR instead of USRLIBDIR.
     for ac_extension in a so sl; do
       if test ! -f $ac_im_usrlibdir/libX11.$ac_extension &&
-        test -f $ac_im_libdir/libX11.$ac_extension; then
+         test -f $ac_im_libdir/libX11.$ac_extension; then
         ac_im_usrlibdir=$ac_im_libdir; break
       fi
     done
     # Screen out bogus values from the imake configuration.  They are
     # bogus both because they are the default anyway, and because
     # using them would break gcc on systems where it needs fixed includes.
-    case "$ac_im_incroot" in
+    case $ac_im_incroot in
 	/usr/include) ;;
-	*) test -f "$ac_im_incroot/X11/Xos.h" && ac_x_includes="$ac_im_incroot" ;;
+	*) test -f "$ac_im_incroot/X11/Xos.h" && ac_x_includes=$ac_im_incroot;;
     esac
-    case "$ac_im_usrlibdir" in
+    case $ac_im_usrlibdir in
 	/usr/lib | /lib) ;;
-	*) test -d "$ac_im_usrlibdir" && ac_x_libraries="$ac_im_usrlibdir" ;;
+	*) test -d "$ac_im_usrlibdir" && ac_x_libraries=$ac_im_usrlibdir ;;
     esac
   fi
   cd ..
   rm -fr conftestdir
 fi
 
-if test "$ac_x_includes" = NO; then
-  # Guess where to find include files, by looking for this one X11 .h file.
-  test -z "$x_direct_test_include" && x_direct_test_include=X11/Intrinsic.h
-
+# Standard set of common directories for X headers.
+# Check X11 before X11Rn because it is often a symlink to the current release.
+ac_x_header_dirs='
+/usr/X11/include
+/usr/X11R6/include
+/usr/X11R5/include
+/usr/X11R4/include
+
+/usr/include/X11
+/usr/include/X11R6
+/usr/include/X11R5
+/usr/include/X11R4
+
+/usr/local/X11/include
+/usr/local/X11R6/include
+/usr/local/X11R5/include
+/usr/local/X11R4/include
+
+/usr/local/include/X11
+/usr/local/include/X11R6
+/usr/local/include/X11R5
+/usr/local/include/X11R4
+
+/usr/X386/include
+/usr/x386/include
+/usr/XFree86/include/X11
+
+/usr/include
+/usr/local/include
+/usr/unsupported/include
+/usr/athena/include
+/usr/local/x11r5/include
+/usr/lpp/Xamples/include
+
+/usr/openwin/include
+/usr/openwin/share/include'
+
+if test "$ac_x_includes" = no; then
+  # Guess where to find include files, by looking for Intrinsic.h.
   # First, try using that file with no special directory specified.
-cat > conftest.$ac_ext <<EOF
-#line 3608 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13822 "configure"
 #include "confdefs.h"
-#include <$x_direct_test_include>
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:3613: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
-  rm -rf conftest*
+#include <X11/Intrinsic.h>
+_ACEOF
+if { (eval echo "$as_me:13826: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:13832: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
   # We can compile using X headers with no special include directory.
 ac_x_includes=
 else
-  echo "$ac_err" >&5
-  echo "configure: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
   cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  # Look for the header file in a standard set of common directories.
-# Check X11 before X11Rn because it is often a symlink to the current release.
-  for ac_dir in               \
-    /usr/X11/include          \
-    /usr/X11R6/include        \
-    /usr/X11R5/include        \
-    /usr/X11R4/include        \
-                              \
-    /usr/include/X11          \
-    /usr/include/X11R6        \
-    /usr/include/X11R5        \
-    /usr/include/X11R4        \
-                              \
-    /usr/local/X11/include    \
-    /usr/local/X11R6/include  \
-    /usr/local/X11R5/include  \
-    /usr/local/X11R4/include  \
-                              \
-    /usr/local/include/X11    \
-    /usr/local/include/X11R6  \
-    /usr/local/include/X11R5  \
-    /usr/local/include/X11R4  \
-                              \
-    /usr/X386/include         \
-    /usr/x386/include         \
-    /usr/XFree86/include/X11  \
-                              \
-    /usr/include              \
-    /usr/local/include        \
-    /usr/unsupported/include  \
-    /usr/athena/include       \
-    /usr/local/x11r5/include  \
-    /usr/lpp/Xamples/include  \
-                              \
-    /usr/openwin/include      \
-    /usr/openwin/share/include \
-    ; \
-  do
-    if test -r "$ac_dir/$x_direct_test_include"; then
-      ac_x_includes=$ac_dir
-      break
-    fi
-  done
+  for ac_dir in $ac_x_header_dirs; do
+  if test -r "$ac_dir/X11/Intrinsic.h"; then
+    ac_x_includes=$ac_dir
+    break
+  fi
+done
 fi
-rm -f conftest*
-fi # $ac_x_includes = NO
+rm -f conftest.err conftest.$ac_ext
+fi # $ac_x_includes = no
 
-if test "$ac_x_libraries" = NO; then
+if test "$ac_x_libraries" = no; then
   # Check for the libraries.
-
-  test -z "$x_direct_test_library" && x_direct_test_library=Xt
-  test -z "$x_direct_test_function" && x_direct_test_function=XtMalloc
-
   # See if we find them without any special options.
   # Don't add to $LIBS permanently.
-  ac_save_LIBS="$LIBS"
-  LIBS="-l$x_direct_test_library $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 3682 "configure"
+  ac_save_LIBS=$LIBS
+  LIBS="-lXt $LIBS"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13865 "configure"
 #include "confdefs.h"
-
-int main() {
-${x_direct_test_function}()
-; return 0; }
-EOF
-if { (eval echo configure:3689: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  LIBS="$ac_save_LIBS"
+#include <X11/Intrinsic.h>
+int
+main ()
+{
+XtMalloc (0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:13877: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:13880: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:13882: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:13885: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  LIBS=$ac_save_LIBS
 # We can link X programs with no special library path.
 ac_x_libraries=
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  LIBS="$ac_save_LIBS"
-# First see if replacing the include by lib works.
-# Check X11 before X11Rn because it is often a symlink to the current release.
-for ac_dir in `echo "$ac_x_includes" | sed s/include/lib/` \
-    /usr/X11/lib          \
-    /usr/X11R6/lib        \
-    /usr/X11R5/lib        \
-    /usr/X11R4/lib        \
-                          \
-    /usr/lib/X11          \
-    /usr/lib/X11R6        \
-    /usr/lib/X11R5        \
-    /usr/lib/X11R4        \
-                          \
-    /usr/local/X11/lib    \
-    /usr/local/X11R6/lib  \
-    /usr/local/X11R5/lib  \
-    /usr/local/X11R4/lib  \
-                          \
-    /usr/local/lib/X11    \
-    /usr/local/lib/X11R6  \
-    /usr/local/lib/X11R5  \
-    /usr/local/lib/X11R4  \
-                          \
-    /usr/X386/lib         \
-    /usr/x386/lib         \
-    /usr/XFree86/lib/X11  \
-                          \
-    /usr/lib              \
-    /usr/local/lib        \
-    /usr/unsupported/lib  \
-    /usr/athena/lib       \
-    /usr/local/x11r5/lib  \
-    /usr/lpp/Xamples/lib  \
-    /lib/usr/lib/X11	  \
-                          \
-    /usr/openwin/lib      \
-    /usr/openwin/share/lib \
-    ; \
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+LIBS=$ac_save_LIBS
+for ac_dir in `echo "$ac_x_includes $ac_x_header_dirs" | sed s/include/lib/g`
 do
+  # Don't even attempt the hair of trying to link an X program!
   for ac_extension in a so sl; do
-    if test -r $ac_dir/lib${x_direct_test_library}.$ac_extension; then
+    if test -r $ac_dir/libXt.$ac_extension; then
       ac_x_libraries=$ac_dir
       break 2
     fi
   done
 done
 fi
-rm -f conftest*
-fi # $ac_x_libraries = NO
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi # $ac_x_libraries = no
 
-if test "$ac_x_includes" = NO || test "$ac_x_libraries" = NO; then
+if test "$ac_x_includes" = no || test "$ac_x_libraries" = no; then
   # Didn't find X anywhere.  Cache the known absence of X.
   ac_cv_have_x="have_x=no"
 else
@@ -3754,12 +13914,14 @@ else
 	        ac_x_includes=$ac_x_includes ac_x_libraries=$ac_x_libraries"
 fi
 fi
+
   fi
   eval "$ac_cv_have_x"
 fi # $with_x != no
 
 if test "$have_x" != yes; then
-  echo "$ac_t""$have_x" 1>&6
+  echo "$as_me:13923: result: $have_x" >&5
+echo "${ECHO_T}$have_x" >&6
   no_x=yes
 else
   # If each of the values was on the command line, it overrides each guess.
@@ -3768,13 +13930,14 @@ else
   # Update the cache value to reflect the command line values.
   ac_cv_have_x="have_x=yes \
 		ac_x_includes=$x_includes ac_x_libraries=$x_libraries"
-  echo "$ac_t""libraries $x_libraries, headers $x_includes" 1>&6
+  echo "$as_me:13933: result: libraries $x_libraries, headers $x_includes" >&5
+echo "${ECHO_T}libraries $x_libraries, headers $x_includes" >&6
 fi
 
-
 if test "$no_x" = yes; then
   # Not all programs may use this symbol, but it does not hurt to define it.
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define X_DISPLAY_MISSING 1
 EOF
 
@@ -3789,60 +13952,87 @@ else
     X_LIBS="$X_LIBS -L$x_libraries"
     # For Solaris; some versions of Sun CC require a space after -R and
     # others require no space.  Words are not sufficient . . . .
-    case "`(uname -sr) 2>/dev/null`" in
+    case `(uname -sr) 2>/dev/null` in
     "SunOS 5"*)
-      echo $ac_n "checking whether -R must be followed by a space""... $ac_c" 1>&6
-echo "configure:3796: checking whether -R must be followed by a space" >&5
-      ac_xsave_LIBS="$LIBS"; LIBS="$LIBS -R$x_libraries"
-      cat > conftest.$ac_ext <<EOF
-#line 3799 "configure"
+      echo "$as_me:13957: checking whether -R must be followed by a space" >&5
+echo $ECHO_N "checking whether -R must be followed by a space... $ECHO_C" >&6
+      ac_xsave_LIBS=$LIBS; LIBS="$LIBS -R$x_libraries"
+      cat >conftest.$ac_ext <<_ACEOF
+#line 13961 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 
-; return 0; }
-EOF
-if { (eval echo configure:3806: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:13973: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:13976: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:13978: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:13981: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_R_nospace=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_R_nospace=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_R_nospace=no
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
       if test $ac_R_nospace = yes; then
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:13991: result: no" >&5
+echo "${ECHO_T}no" >&6
 	X_LIBS="$X_LIBS -R$x_libraries"
       else
 	LIBS="$ac_xsave_LIBS -R $x_libraries"
-	cat > conftest.$ac_ext <<EOF
-#line 3822 "configure"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 13997 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 
-; return 0; }
-EOF
-if { (eval echo configure:3829: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14009: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14012: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14014: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14017: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_R_space=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_R_space=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_R_space=no
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	if test $ac_R_space = yes; then
-	  echo "$ac_t""yes" 1>&6
+	  echo "$as_me:14027: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	  X_LIBS="$X_LIBS -R $x_libraries"
 	else
-	  echo "$ac_t""neither works" 1>&6
+	  echo "$as_me:14031: result: neither works" >&5
+echo "${ECHO_T}neither works" >&6
 	fi
       fi
-      LIBS="$ac_xsave_LIBS"
+      LIBS=$ac_xsave_LIBS
     esac
   fi
 
@@ -3853,535 +14043,714 @@ rm -f conftest*
   if test "$ISC" = yes; then
     X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl_s -linet"
   else
-    # Martyn.Johnson@cl.cam.ac.uk says this is needed for Ultrix, if the X
-    # libraries were built with DECnet support.  And karl@cs.umb.edu says
+    # Martyn Johnson says this is needed for Ultrix, if the X
+    # libraries were built with DECnet support.  And Karl Berry says
     # the Alpha needs dnet_stub (dnet does not exist).
-    echo $ac_n "checking for dnet_ntoa in -ldnet""... $ac_c" 1>&6
-echo "configure:3861: checking for dnet_ntoa in -ldnet" >&5
-ac_lib_var=`echo dnet'_'dnet_ntoa | sed 'y%./+-%__p_%'`
-if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+    echo "$as_me:14049: checking for dnet_ntoa in -ldnet" >&5
+echo $ECHO_N "checking for dnet_ntoa in -ldnet... $ECHO_C" >&6
+if test "${ac_cv_lib_dnet_dnet_ntoa+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_save_LIBS="$LIBS"
+  ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldnet  $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 3869 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 14057 "configure"
 #include "confdefs.h"
+
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char dnet_ntoa();
-
-int main() {
-dnet_ntoa()
-; return 0; }
-EOF
-if { (eval echo configure:3880: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=no"
-fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
-
-fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
+   builtin and then its argument prototype would still apply.  */
+char dnet_ntoa ();
+int
+main ()
+{
+dnet_ntoa ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14076: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14079: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14081: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14084: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_lib_dnet_dnet_ntoa=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_dnet_dnet_ntoa=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:14095: result: $ac_cv_lib_dnet_dnet_ntoa" >&5
+echo "${ECHO_T}$ac_cv_lib_dnet_dnet_ntoa" >&6
+if test $ac_cv_lib_dnet_dnet_ntoa = yes; then
   X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet"
-else
-  echo "$ac_t""no" 1>&6
 fi
 
     if test $ac_cv_lib_dnet_dnet_ntoa = no; then
-      echo $ac_n "checking for dnet_ntoa in -ldnet_stub""... $ac_c" 1>&6
-echo "configure:3902: checking for dnet_ntoa in -ldnet_stub" >&5
-ac_lib_var=`echo dnet_stub'_'dnet_ntoa | sed 'y%./+-%__p_%'`
-if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+      echo "$as_me:14102: checking for dnet_ntoa in -ldnet_stub" >&5
+echo $ECHO_N "checking for dnet_ntoa in -ldnet_stub... $ECHO_C" >&6
+if test "${ac_cv_lib_dnet_stub_dnet_ntoa+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_save_LIBS="$LIBS"
+  ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldnet_stub  $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 3910 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 14110 "configure"
 #include "confdefs.h"
+
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char dnet_ntoa();
-
-int main() {
-dnet_ntoa()
-; return 0; }
-EOF
-if { (eval echo configure:3921: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=no"
-fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
-
-fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
+   builtin and then its argument prototype would still apply.  */
+char dnet_ntoa ();
+int
+main ()
+{
+dnet_ntoa ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14129: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14132: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14134: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14137: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_lib_dnet_stub_dnet_ntoa=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_dnet_stub_dnet_ntoa=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:14148: result: $ac_cv_lib_dnet_stub_dnet_ntoa" >&5
+echo "${ECHO_T}$ac_cv_lib_dnet_stub_dnet_ntoa" >&6
+if test $ac_cv_lib_dnet_stub_dnet_ntoa = yes; then
   X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet_stub"
-else
-  echo "$ac_t""no" 1>&6
 fi
 
     fi
 
     # msh@cis.ufl.edu says -lnsl (and -lsocket) are needed for his 386/AT,
     # to get the SysV transport functions.
-    # chad@anasazi.com says the Pyramis MIS-ES running DC/OSx (SVR4)
+    # Chad R. Larson says the Pyramis MIS-ES running DC/OSx (SVR4)
     # needs -lnsl.
     # The nsl library prevents programs from opening the X display
-    # on Irix 5.2, according to dickey@clark.net.
-    echo $ac_n "checking for gethostbyname""... $ac_c" 1>&6
-echo "configure:3950: checking for gethostbyname" >&5
-if eval "test \"`echo '$''{'ac_cv_func_gethostbyname'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 3955 "configure"
+    # on Irix 5.2, according to T.E. Dickey.
+    # The functions gethostbyname, getservbyname, and inet_addr are
+    # in -lbsd on LynxOS 3.0.1/i386, according to Lars Hecking.
+    echo "$as_me:14164: checking for gethostbyname" >&5
+echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6
+if test "${ac_cv_func_gethostbyname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14170 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char gethostbyname(); below.  */
+    which can conflict with char gethostbyname (); below.  */
 #include <assert.h>
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char gethostbyname();
-
-int main() {
+   builtin and then its argument prototype would still apply.  */
+char gethostbyname ();
+char (*f) ();
 
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
 #if defined (__stub_gethostbyname) || defined (__stub___gethostbyname)
 choke me
 #else
-gethostbyname();
+f = gethostbyname;
 #endif
 
-; return 0; }
-EOF
-if { (eval echo configure:3978: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_gethostbyname=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_gethostbyname=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'gethostbyname`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  :
-else
-  echo "$ac_t""no" 1>&6
-fi
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14201: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14204: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14206: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14209: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_func_gethostbyname=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_gethostbyname=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:14219: result: $ac_cv_func_gethostbyname" >&5
+echo "${ECHO_T}$ac_cv_func_gethostbyname" >&6
 
     if test $ac_cv_func_gethostbyname = no; then
-      echo $ac_n "checking for gethostbyname in -lnsl""... $ac_c" 1>&6
-echo "configure:3999: checking for gethostbyname in -lnsl" >&5
-ac_lib_var=`echo nsl'_'gethostbyname | sed 'y%./+-%__p_%'`
-if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+      echo "$as_me:14223: checking for gethostbyname in -lnsl" >&5
+echo $ECHO_N "checking for gethostbyname in -lnsl... $ECHO_C" >&6
+if test "${ac_cv_lib_nsl_gethostbyname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_save_LIBS="$LIBS"
+  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lnsl  $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 4007 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 14231 "configure"
 #include "confdefs.h"
+
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char gethostbyname();
-
-int main() {
-gethostbyname()
-; return 0; }
-EOF
-if { (eval echo configure:4018: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=no"
+   builtin and then its argument prototype would still apply.  */
+char gethostbyname ();
+int
+main ()
+{
+gethostbyname ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14250: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14253: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14255: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14258: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_lib_nsl_gethostbyname=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_nsl_gethostbyname=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:14269: result: $ac_cv_lib_nsl_gethostbyname" >&5
+echo "${ECHO_T}$ac_cv_lib_nsl_gethostbyname" >&6
+if test $ac_cv_lib_nsl_gethostbyname = yes; then
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl"
 fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
 
-fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl"
+      if test $ac_cv_lib_nsl_gethostbyname = no; then
+        echo "$as_me:14276: checking for gethostbyname in -lbsd" >&5
+echo $ECHO_N "checking for gethostbyname in -lbsd... $ECHO_C" >&6
+if test "${ac_cv_lib_bsd_gethostbyname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  echo "$ac_t""no" 1>&6
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lbsd  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 14284 "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char gethostbyname ();
+int
+main ()
+{
+gethostbyname ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14303: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14306: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14308: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14311: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_lib_bsd_gethostbyname=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_bsd_gethostbyname=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:14322: result: $ac_cv_lib_bsd_gethostbyname" >&5
+echo "${ECHO_T}$ac_cv_lib_bsd_gethostbyname" >&6
+if test $ac_cv_lib_bsd_gethostbyname = yes; then
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lbsd"
 fi
 
+      fi
     fi
 
     # lieder@skyler.mavd.honeywell.com says without -lsocket,
     # socket/setsockopt and other routines are undefined under SCO ODT
     # 2.0.  But -lsocket is broken on IRIX 5.2 (and is not necessary
-    # on later versions), says simon@lia.di.epfl.ch: it contains
-    # gethostby* variants that don't use the nameserver (or something).
-    # -lsocket must be given before -lnsl if both are needed.
-    # We assume that if connect needs -lnsl, so does gethostbyname.
-    echo $ac_n "checking for connect""... $ac_c" 1>&6
-echo "configure:4048: checking for connect" >&5
-if eval "test \"`echo '$''{'ac_cv_func_connect'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 4053 "configure"
+    # on later versions), says Simon Leinen: it contains gethostby*
+    # variants that don't use the nameserver (or something).  -lsocket
+    # must be given before -lnsl if both are needed.  We assume that
+    # if connect needs -lnsl, so does gethostbyname.
+    echo "$as_me:14338: checking for connect" >&5
+echo $ECHO_N "checking for connect... $ECHO_C" >&6
+if test "${ac_cv_func_connect+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14344 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char connect(); below.  */
+    which can conflict with char connect (); below.  */
 #include <assert.h>
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char connect();
-
-int main() {
+   builtin and then its argument prototype would still apply.  */
+char connect ();
+char (*f) ();
 
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
 #if defined (__stub_connect) || defined (__stub___connect)
 choke me
 #else
-connect();
+f = connect;
 #endif
 
-; return 0; }
-EOF
-if { (eval echo configure:4076: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_connect=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_connect=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'connect`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  :
-else
-  echo "$ac_t""no" 1>&6
-fi
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14375: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14378: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14380: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14383: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_func_connect=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_connect=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:14393: result: $ac_cv_func_connect" >&5
+echo "${ECHO_T}$ac_cv_func_connect" >&6
 
     if test $ac_cv_func_connect = no; then
-      echo $ac_n "checking for connect in -lsocket""... $ac_c" 1>&6
-echo "configure:4097: checking for connect in -lsocket" >&5
-ac_lib_var=`echo socket'_'connect | sed 'y%./+-%__p_%'`
-if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+      echo "$as_me:14397: checking for connect in -lsocket" >&5
+echo $ECHO_N "checking for connect in -lsocket... $ECHO_C" >&6
+if test "${ac_cv_lib_socket_connect+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_save_LIBS="$LIBS"
+  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lsocket $X_EXTRA_LIBS $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 4105 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 14405 "configure"
 #include "confdefs.h"
+
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char connect();
-
-int main() {
-connect()
-; return 0; }
-EOF
-if { (eval echo configure:4116: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=no"
-fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
-
-fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
+   builtin and then its argument prototype would still apply.  */
+char connect ();
+int
+main ()
+{
+connect ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14424: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14427: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14429: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14432: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_lib_socket_connect=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_socket_connect=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:14443: result: $ac_cv_lib_socket_connect" >&5
+echo "${ECHO_T}$ac_cv_lib_socket_connect" >&6
+if test $ac_cv_lib_socket_connect = yes; then
   X_EXTRA_LIBS="-lsocket $X_EXTRA_LIBS"
-else
-  echo "$ac_t""no" 1>&6
 fi
 
     fi
 
-    # gomez@mi.uni-erlangen.de says -lposix is necessary on A/UX.
-    echo $ac_n "checking for remove""... $ac_c" 1>&6
-echo "configure:4140: checking for remove" >&5
-if eval "test \"`echo '$''{'ac_cv_func_remove'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+    # Guillermo Gomez says -lposix is necessary on A/UX.
+    echo "$as_me:14452: checking for remove" >&5
+echo $ECHO_N "checking for remove... $ECHO_C" >&6
+if test "${ac_cv_func_remove+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 4145 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14458 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char remove(); below.  */
+    which can conflict with char remove (); below.  */
 #include <assert.h>
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char remove();
-
-int main() {
+   builtin and then its argument prototype would still apply.  */
+char remove ();
+char (*f) ();
 
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
 #if defined (__stub_remove) || defined (__stub___remove)
 choke me
 #else
-remove();
+f = remove;
 #endif
 
-; return 0; }
-EOF
-if { (eval echo configure:4168: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_remove=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_remove=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'remove`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  :
-else
-  echo "$ac_t""no" 1>&6
-fi
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14489: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14492: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14494: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14497: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_func_remove=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_remove=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:14507: result: $ac_cv_func_remove" >&5
+echo "${ECHO_T}$ac_cv_func_remove" >&6
 
     if test $ac_cv_func_remove = no; then
-      echo $ac_n "checking for remove in -lposix""... $ac_c" 1>&6
-echo "configure:4189: checking for remove in -lposix" >&5
-ac_lib_var=`echo posix'_'remove | sed 'y%./+-%__p_%'`
-if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+      echo "$as_me:14511: checking for remove in -lposix" >&5
+echo $ECHO_N "checking for remove in -lposix... $ECHO_C" >&6
+if test "${ac_cv_lib_posix_remove+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_save_LIBS="$LIBS"
+  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lposix  $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 4197 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 14519 "configure"
 #include "confdefs.h"
+
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char remove();
-
-int main() {
-remove()
-; return 0; }
-EOF
-if { (eval echo configure:4208: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=no"
-fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
-
-fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
+   builtin and then its argument prototype would still apply.  */
+char remove ();
+int
+main ()
+{
+remove ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14538: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14541: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14543: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14546: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_lib_posix_remove=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_posix_remove=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:14557: result: $ac_cv_lib_posix_remove" >&5
+echo "${ECHO_T}$ac_cv_lib_posix_remove" >&6
+if test $ac_cv_lib_posix_remove = yes; then
   X_EXTRA_LIBS="$X_EXTRA_LIBS -lposix"
-else
-  echo "$ac_t""no" 1>&6
 fi
 
     fi
 
     # BSDI BSD/OS 2.1 needs -lipc for XOpenDisplay.
-    echo $ac_n "checking for shmat""... $ac_c" 1>&6
-echo "configure:4232: checking for shmat" >&5
-if eval "test \"`echo '$''{'ac_cv_func_shmat'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+    echo "$as_me:14566: checking for shmat" >&5
+echo $ECHO_N "checking for shmat... $ECHO_C" >&6
+if test "${ac_cv_func_shmat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 4237 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14572 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char shmat(); below.  */
+    which can conflict with char shmat (); below.  */
 #include <assert.h>
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char shmat();
-
-int main() {
+   builtin and then its argument prototype would still apply.  */
+char shmat ();
+char (*f) ();
 
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
 #if defined (__stub_shmat) || defined (__stub___shmat)
 choke me
 #else
-shmat();
+f = shmat;
 #endif
 
-; return 0; }
-EOF
-if { (eval echo configure:4260: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_shmat=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_shmat=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'shmat`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  :
-else
-  echo "$ac_t""no" 1>&6
-fi
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14603: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14606: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14608: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14611: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_func_shmat=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_shmat=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:14621: result: $ac_cv_func_shmat" >&5
+echo "${ECHO_T}$ac_cv_func_shmat" >&6
 
     if test $ac_cv_func_shmat = no; then
-      echo $ac_n "checking for shmat in -lipc""... $ac_c" 1>&6
-echo "configure:4281: checking for shmat in -lipc" >&5
-ac_lib_var=`echo ipc'_'shmat | sed 'y%./+-%__p_%'`
-if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+      echo "$as_me:14625: checking for shmat in -lipc" >&5
+echo $ECHO_N "checking for shmat in -lipc... $ECHO_C" >&6
+if test "${ac_cv_lib_ipc_shmat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_save_LIBS="$LIBS"
+  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lipc  $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 4289 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 14633 "configure"
 #include "confdefs.h"
+
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char shmat();
-
-int main() {
-shmat()
-; return 0; }
-EOF
-if { (eval echo configure:4300: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=no"
-fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
-
-fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
+   builtin and then its argument prototype would still apply.  */
+char shmat ();
+int
+main ()
+{
+shmat ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14652: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14655: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14657: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14660: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_lib_ipc_shmat=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_ipc_shmat=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:14671: result: $ac_cv_lib_ipc_shmat" >&5
+echo "${ECHO_T}$ac_cv_lib_ipc_shmat" >&6
+if test $ac_cv_lib_ipc_shmat = yes; then
   X_EXTRA_LIBS="$X_EXTRA_LIBS -lipc"
-else
-  echo "$ac_t""no" 1>&6
 fi
 
     fi
   fi
 
   # Check for libraries that X11R6 Xt/Xaw programs need.
-  ac_save_LDFLAGS="$LDFLAGS"
+  ac_save_LDFLAGS=$LDFLAGS
   test -n "$x_libraries" && LDFLAGS="$LDFLAGS -L$x_libraries"
   # SM needs ICE to (dynamically) link under SunOS 4.x (so we have to
   # check for ICE first), but we must link in the order -lSM -lICE or
   # we get undefined symbols.  So assume we have SM if we have ICE.
   # These have to be linked with before -lX11, unlike the other
   # libraries we check for below, so use a different variable.
-  #  --interran@uluru.Stanford.EDU, kb@cs.umb.edu.
-  echo $ac_n "checking for IceConnectionNumber in -lICE""... $ac_c" 1>&6
-echo "configure:4333: checking for IceConnectionNumber in -lICE" >&5
-ac_lib_var=`echo ICE'_'IceConnectionNumber | sed 'y%./+-%__p_%'`
-if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  ac_save_LIBS="$LIBS"
+  # John Interrante, Karl Berry
+  echo "$as_me:14689: checking for IceConnectionNumber in -lICE" >&5
+echo $ECHO_N "checking for IceConnectionNumber in -lICE... $ECHO_C" >&6
+if test "${ac_cv_lib_ICE_IceConnectionNumber+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lICE $X_EXTRA_LIBS $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 4341 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 14697 "configure"
 #include "confdefs.h"
+
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char IceConnectionNumber();
-
-int main() {
-IceConnectionNumber()
-; return 0; }
-EOF
-if { (eval echo configure:4352: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_lib_$ac_lib_var=no"
-fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
-
-fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
+   builtin and then its argument prototype would still apply.  */
+char IceConnectionNumber ();
+int
+main ()
+{
+IceConnectionNumber ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14716: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14719: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14721: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14724: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_lib_ICE_IceConnectionNumber=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_ICE_IceConnectionNumber=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:14735: result: $ac_cv_lib_ICE_IceConnectionNumber" >&5
+echo "${ECHO_T}$ac_cv_lib_ICE_IceConnectionNumber" >&6
+if test $ac_cv_lib_ICE_IceConnectionNumber = yes; then
   X_PRE_LIBS="$X_PRE_LIBS -lSM -lICE"
-else
-  echo "$ac_t""no" 1>&6
 fi
 
-  LDFLAGS="$ac_save_LDFLAGS"
+  LDFLAGS=$ac_save_LDFLAGS
 
 fi
 
-
 # try to figure out if we need any additional ld flags, like -R
 # and yes, the autoconf X test is utterly broken
 if test "$no_x" != yes; then
-	echo $ac_n "checking for special X linker flags""... $ac_c" 1>&6
-echo "configure:4381: checking for special X linker flags" >&5
-if eval "test \"`echo '$''{'krb_cv_sys_x_libs_rpath'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+	echo "$as_me:14748: checking for special X linker flags" >&5
+echo $ECHO_N "checking for special X linker flags... $ECHO_C" >&6
+if test "${krb_cv_sys_x_libs_rpath+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 	ac_save_libs="$LIBS"
 	ac_save_cflags="$CFLAGS"
 	CFLAGS="$CFLAGS $X_CFLAGS"
@@ -4405,10 +14774,12 @@ else
 		fi
 		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
 		if test "$cross_compiling" = yes; then
-    { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
+  { { echo "$as_me:14777: error: cannot run test program while cross compiling" >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
+   { (exit 1); exit 1; }; }
 else
-  cat > conftest.$ac_ext <<EOF
-#line 4412 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14782 "configure"
 #include "confdefs.h"
 
 		#include <X11/Xlib.h>
@@ -4420,42 +14791,45 @@ else
 		{
 		return 0;
 		}
-		
-EOF
-if { (eval echo configure:4426: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
-then
+
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:14797: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14800: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:14801: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14804: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -fr conftest*
-  :
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+:
 fi
-rm -fr conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 fi
-
 	done
 	LIBS="$ac_save_libs"
 	CFLAGS="$ac_save_cflags"
-	
-fi
 
-echo "$ac_t""$krb_cv_sys_x_libs_rpath" 1>&6
+fi
+echo "$as_me:14820: result: $krb_cv_sys_x_libs_rpath" >&5
+echo "${ECHO_T}$krb_cv_sys_x_libs_rpath" >&6
 	X_LIBS="$krb_cv_sys_x_libs"
 fi
 
-
-if test "$no_x" = "yes" ; then
-	MAKE_X_PROGS_BIN_PROGS=""
-	MAKE_X_PROGS_BIN_SCRPTS=""
-	MAKE_X_PROGS_LIBEXEC_PROGS=""
+if test "$no_x" != yes; then
+  HAVE_X_TRUE=
+  HAVE_X_FALSE='#'
 else
-	MAKE_X_PROGS_BIN_PROGS='$(X_PROGS_BIN_PROGS)'
-	MAKE_X_PROGS_BIN_SCRPTS='$(X_PROGS_BIN_SCRPTS)'
-	MAKE_X_PROGS_LIBEXEC_PROGS='$(X_PROGS_LIBEXEC_PROGS)'
+  HAVE_X_TRUE='#'
+  HAVE_X_FALSE=
 fi
 
-
 save_CFLAGS="$CFLAGS"
 CFLAGS="$X_CFLAGS $CFLAGS"
 save_LIBS="$LIBS"
@@ -4463,41 +14837,50 @@ LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
 save_LDFLAGS="$LDFLAGS"
 LDFLAGS="$LDFLAGS $X_LIBS"
 
-
-
-
-
-echo $ac_n "checking for XauWriteAuth""... $ac_c" 1>&6
-echo "configure:4472: checking for XauWriteAuth" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_XauWriteAuth'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:14840: checking for XauWriteAuth" >&5
+echo $ECHO_N "checking for XauWriteAuth... $ECHO_C" >&6
+if test "${ac_cv_funclib_XauWriteAuth+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_XauWriteAuth\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" X11 Xau; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 4487 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 14856 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 XauWriteAuth()
-; return 0; }
-EOF
-if { (eval echo configure:4494: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14868: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14871: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14873: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14876: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauWriteAuth=$ac_lib; else ac_cv_funclib_XauWriteAuth=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_XauWriteAuth=\${ac_cv_funclib_XauWriteAuth-no}"
 	LIBS="$ac_save_LIBS"
@@ -4505,14 +14888,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_XauWriteAuth"
 
-: << END
-@@@funcs="$funcs XauWriteAuth"@@@
-@@@libs="$libs "" X11 Xau"@@@
-END
+if false; then
+
+for ac_func in XauWriteAuth
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:14898: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14904 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14935: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14938: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:14940: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:14943: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:14953: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
 # XauWriteAuth
 eval "ac_tr_func=HAVE_`echo XauWriteAuth | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -4522,69 +14970,82 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_XauWriteAuth=yes"
 	eval "LIB_XauWriteAuth="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:14977: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_XauWriteAuth=no"
 	eval "LIB_XauWriteAuth="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:14983: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_XauWriteAuth=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:14997: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 ac_xxx="$LIBS"
 LIBS="$LIB_XauWriteAuth $LIBS"
 
-
-
-echo $ac_n "checking for XauReadAuth""... $ac_c" 1>&6
-echo "configure:4559: checking for XauReadAuth" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_XauReadAuth'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15005: checking for XauReadAuth" >&5
+echo $ECHO_N "checking for XauReadAuth... $ECHO_C" >&6
+if test "${ac_cv_funclib_XauReadAuth+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_XauReadAuth\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" X11 Xau; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 4574 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 15021 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 XauReadAuth()
-; return 0; }
-EOF
-if { (eval echo configure:4581: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:15033: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:15036: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15038: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:15041: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauReadAuth=$ac_lib; else ac_cv_funclib_XauReadAuth=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_XauReadAuth=\${ac_cv_funclib_XauReadAuth-no}"
 	LIBS="$ac_save_LIBS"
@@ -4592,14 +15053,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_XauReadAuth"
 
-: << END
-@@@funcs="$funcs XauReadAuth"@@@
-@@@libs="$libs "" X11 Xau"@@@
-END
+if false; then
+
+for ac_func in XauReadAuth
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:15063: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15069 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:15100: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:15103: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15105: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:15108: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:15118: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
 # XauReadAuth
 eval "ac_tr_func=HAVE_`echo XauReadAuth | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -4609,68 +15135,81 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_XauReadAuth=yes"
 	eval "LIB_XauReadAuth="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:15142: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_XauReadAuth=no"
 	eval "LIB_XauReadAuth="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:15148: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_XauReadAuth=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:15162: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 LIBS="$LIB_XauReadAauth $LIBS"
 
-
-
-echo $ac_n "checking for XauFileName""... $ac_c" 1>&6
-echo "configure:4645: checking for XauFileName" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_XauFileName'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15169: checking for XauFileName" >&5
+echo $ECHO_N "checking for XauFileName... $ECHO_C" >&6
+if test "${ac_cv_funclib_XauFileName+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_XauFileName\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" X11 Xau; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 4660 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 15185 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 XauFileName()
-; return 0; }
-EOF
-if { (eval echo configure:4667: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:15197: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:15200: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15202: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:15205: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauFileName=$ac_lib; else ac_cv_funclib_XauFileName=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_XauFileName=\${ac_cv_funclib_XauFileName-no}"
 	LIBS="$ac_save_LIBS"
@@ -4678,14 +15217,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_XauFileName"
 
-: << END
-@@@funcs="$funcs XauFileName"@@@
-@@@libs="$libs "" X11 Xau"@@@
-END
+if false; then
+
+for ac_func in XauFileName
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:15227: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15233 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:15264: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:15267: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15269: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:15272: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:15282: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
 # XauFileName
 eval "ac_tr_func=HAVE_`echo XauFileName | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -4695,33 +15299,35 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_XauFileName=yes"
 	eval "LIB_XauFileName="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:15306: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_XauFileName=no"
 	eval "LIB_XauFileName="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:15312: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_XauFileName=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:15326: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 LIBS="$ac_xxx"
 
 case "$ac_cv_funclib_XauWriteAuth" in
@@ -4744,7 +15350,6 @@ no)	;;
 esac
 
 if test "$AUTOMAKE" != ""; then
-	
 
 if test "$ac_cv_func_XauWriteAuth" != "yes"; then
   NEED_WRITEAUTH_TRUE=
@@ -4754,8 +15359,7 @@ else
   NEED_WRITEAUTH_FALSE=
 fi
 else
-	
-	
+
 	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
 		NEED_WRITEAUTH_TRUE=
 		NEED_WRITEAUTH_FALSE='#'
@@ -4768,260 +15372,207 @@ CFLAGS=$save_CFLAGS
 LIBS=$save_LIBS
 LDFLAGS=$save_LDFLAGS
 
-
-
-echo $ac_n "checking for working const""... $ac_c" 1>&6
-echo "configure:4775: checking for working const" >&5
-if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15375: checking for an ANSI C-conforming const" >&5
+echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
+if test "${ac_cv_c_const+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 4780 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15381 "configure"
 #include "confdefs.h"
 
-int main() {
-
-/* Ultrix mips cc rejects this.  */
-typedef int charset[2]; const charset x;
-/* SunOS 4.1.1 cc rejects this.  */
-char const *const *ccp;
-char **p;
-/* NEC SVR4.0.2 mips cc rejects this.  */
-struct point {int x, y;};
-static struct point const zero = {0,0};
-/* AIX XL C 1.02.0.0 rejects this.
-   It does not let you subtract one const X* pointer from another in an arm
-   of an if-expression whose if-part is not a constant expression */
-const char *g = "string";
-ccp = &g + (g ? g-g : 0);
-/* HPUX 7.0 cc rejects these. */
-++ccp;
-p = (char**) ccp;
-ccp = (char const *const *) p;
-{ /* SCO 3.2v4 cc rejects this.  */
-  char *t;
-  char const *s = 0 ? (char *) 0 : (char const *) 0;
+int
+main ()
+{
+/* FIXME: Include the comments suggested by Paul. */
+#ifndef __cplusplus
+  /* Ultrix mips cc rejects this.  */
+  typedef int charset[2];
+  const charset x;
+  /* SunOS 4.1.1 cc rejects this.  */
+  char const *const *ccp;
+  char **p;
+  /* NEC SVR4.0.2 mips cc rejects this.  */
+  struct point {int x, y;};
+  static struct point const zero = {0,0};
+  /* AIX XL C 1.02.0.0 rejects this.
+     It does not let you subtract one const X* pointer from another in
+     an arm of an if-expression whose if-part is not a constant
+     expression */
+  const char *g = "string";
+  ccp = &g + (g ? g-g : 0);
+  /* HPUX 7.0 cc rejects these. */
+  ++ccp;
+  p = (char**) ccp;
+  ccp = (char const *const *) p;
+  { /* SCO 3.2v4 cc rejects this.  */
+    char *t;
+    char const *s = 0 ? (char *) 0 : (char const *) 0;
+
+    *t++ = 0;
+  }
+  { /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
+    int x[] = {25, 17};
+    const int *foo = &x[0];
+    ++foo;
+  }
+  { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
+    typedef const int *iptr;
+    iptr p = 0;
+    ++p;
+  }
+  { /* AIX XL C 1.02.0.0 rejects this saying
+       "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
+    struct s { int j; const int *ap[3]; };
+    struct s *b; b->j = 5;
+  }
+  { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
+    const int foo = 10;
+  }
+#endif
 
-  *t++ = 0;
-}
-{ /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
-  int x[] = {25, 17};
-  const int *foo = &x[0];
-  ++foo;
-}
-{ /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
-  typedef const int *iptr;
-  iptr p = 0;
-  ++p;
-}
-{ /* AIX XL C 1.02.0.0 rejects this saying
-     "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
-  struct s { int j; const int *ap[3]; };
-  struct s *b; b->j = 5;
+  ;
+  return 0;
 }
-{ /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
-  const int foo = 10;
-}
-
-; return 0; }
-EOF
-if { (eval echo configure:4829: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:15439: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:15442: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15444: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:15447: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_c_const=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_c_const=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_c_const=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_c_const" 1>&6
+echo "$as_me:15457: result: $ac_cv_c_const" >&5
+echo "${ECHO_T}$ac_cv_c_const" >&6
 if test $ac_cv_c_const = no; then
-  cat >> confdefs.h <<\EOF
-#define const 
-EOF
 
-fi
-
-echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
-echo "configure:4850: checking for ANSI C header files" >&5
-if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 4855 "configure"
-#include "confdefs.h"
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <float.h>
+cat >>confdefs.h <<\EOF
+#define const
 EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:4863: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
-  rm -rf conftest*
-  ac_cv_header_stdc=yes
-else
-  echo "$ac_err" >&5
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-if test $ac_cv_header_stdc = yes; then
-  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-cat > conftest.$ac_ext <<EOF
-#line 4880 "configure"
-#include "confdefs.h"
-#include <string.h>
-EOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  egrep "memchr" >/dev/null 2>&1; then
-  :
-else
-  rm -rf conftest*
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-fi
-
-if test $ac_cv_header_stdc = yes; then
-  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-cat > conftest.$ac_ext <<EOF
-#line 4898 "configure"
-#include "confdefs.h"
-#include <stdlib.h>
-EOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  egrep "free" >/dev/null 2>&1; then
-  :
-else
-  rm -rf conftest*
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
 
 fi
 
-if test $ac_cv_header_stdc = yes; then
-  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-if test "$cross_compiling" = yes; then
-  :
+echo "$as_me:15467: checking for off_t" >&5
+echo $ECHO_N "checking for off_t... $ECHO_C" >&6
+if test "${ac_cv_type_off_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 4919 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15473 "configure"
 #include "confdefs.h"
-#include <ctype.h>
-#define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-#define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
-int main () { int i; for (i = 0; i < 256; i++)
-if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2);
-exit (0); }
-
-EOF
-if { (eval echo configure:4930: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
-then
-  :
+$ac_includes_default
+int
+main ()
+{
+if ((off_t *) 0)
+  return 0;
+if (sizeof (off_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:15488: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:15491: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15493: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:15496: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_off_t=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -fr conftest*
-  ac_cv_header_stdc=no
-fi
-rm -fr conftest*
-fi
-
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_off_t=no
 fi
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_header_stdc" 1>&6
-if test $ac_cv_header_stdc = yes; then
-  cat >> confdefs.h <<\EOF
-#define STDC_HEADERS 1
-EOF
-
-fi
-
-echo $ac_n "checking for off_t""... $ac_c" 1>&6
-echo "configure:4954: checking for off_t" >&5
-if eval "test \"`echo '$''{'ac_cv_type_off_t'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 4959 "configure"
-#include "confdefs.h"
-#include <sys/types.h>
-#if STDC_HEADERS
-#include <stdlib.h>
-#include <stddef.h>
-#endif
-EOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  egrep "(^|[^a-zA-Z_0-9])off_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
-  rm -rf conftest*
-  ac_cv_type_off_t=yes
+echo "$as_me:15506: result: $ac_cv_type_off_t" >&5
+echo "${ECHO_T}$ac_cv_type_off_t" >&6
+if test $ac_cv_type_off_t = yes; then
+  :
 else
-  rm -rf conftest*
-  ac_cv_type_off_t=no
-fi
-rm -f conftest*
 
-fi
-echo "$ac_t""$ac_cv_type_off_t" 1>&6
-if test $ac_cv_type_off_t = no; then
-  cat >> confdefs.h <<\EOF
+cat >>confdefs.h <<EOF
 #define off_t long
 EOF
 
 fi
 
-echo $ac_n "checking for size_t""... $ac_c" 1>&6
-echo "configure:4987: checking for size_t" >&5
-if eval "test \"`echo '$''{'ac_cv_type_size_t'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15518: checking for size_t" >&5
+echo $ECHO_N "checking for size_t... $ECHO_C" >&6
+if test "${ac_cv_type_size_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 4992 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15524 "configure"
 #include "confdefs.h"
-#include <sys/types.h>
-#if STDC_HEADERS
-#include <stdlib.h>
-#include <stddef.h>
-#endif
-EOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  egrep "(^|[^a-zA-Z_0-9])size_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
-  rm -rf conftest*
+$ac_includes_default
+int
+main ()
+{
+if ((size_t *) 0)
+  return 0;
+if (sizeof (size_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:15539: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:15542: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15544: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:15547: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_size_t=yes
 else
-  rm -rf conftest*
-  ac_cv_type_size_t=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_size_t=no
 fi
-rm -f conftest*
-
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$ac_t""$ac_cv_type_size_t" 1>&6
-if test $ac_cv_type_size_t = no; then
-  cat >> confdefs.h <<\EOF
+echo "$as_me:15557: result: $ac_cv_type_size_t" >&5
+echo "${ECHO_T}$ac_cv_type_size_t" >&6
+if test $ac_cv_type_size_t = yes; then
+  :
+else
+
+cat >>confdefs.h <<EOF
 #define size_t unsigned
 EOF
 
 fi
 
-echo $ac_n "checking for ssize_t""... $ac_c" 1>&6
-echo "configure:5020: checking for ssize_t" >&5
-if eval "test \"`echo '$''{'ac_cv_type_ssize_t'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15569: checking for ssize_t" >&5
+echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6
+if test "${ac_cv_type_ssize_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 5025 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15575 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #if STDC_HEADERS
@@ -5029,100 +15580,118 @@ else
 #include <stddef.h>
 #endif
 #include <unistd.h>
-EOF
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "ssize_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
-  rm -rf conftest*
   ac_cv_type_ssize_t=yes
 else
-  rm -rf conftest*
   ac_cv_type_ssize_t=no
 fi
 rm -f conftest*
 
 fi
-echo "$ac_t""$ac_cv_type_ssize_t" 1>&6
+echo "$as_me:15593: result: $ac_cv_type_ssize_t" >&5
+echo "${ECHO_T}$ac_cv_type_ssize_t" >&6
 if test $ac_cv_type_ssize_t = no; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define ssize_t int
 EOF
 
 fi
 
-echo $ac_n "checking for pid_t""... $ac_c" 1>&6
-echo "configure:5054: checking for pid_t" >&5
-if eval "test \"`echo '$''{'ac_cv_type_pid_t'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15603: checking for pid_t" >&5
+echo $ECHO_N "checking for pid_t... $ECHO_C" >&6
+if test "${ac_cv_type_pid_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 5059 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15609 "configure"
 #include "confdefs.h"
-#include <sys/types.h>
-#if STDC_HEADERS
-#include <stdlib.h>
-#include <stddef.h>
-#endif
-EOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  egrep "(^|[^a-zA-Z_0-9])pid_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
-  rm -rf conftest*
+$ac_includes_default
+int
+main ()
+{
+if ((pid_t *) 0)
+  return 0;
+if (sizeof (pid_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:15624: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:15627: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15629: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:15632: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_pid_t=yes
 else
-  rm -rf conftest*
-  ac_cv_type_pid_t=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_pid_t=no
 fi
-rm -f conftest*
-
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$ac_t""$ac_cv_type_pid_t" 1>&6
-if test $ac_cv_type_pid_t = no; then
-  cat >> confdefs.h <<\EOF
+echo "$as_me:15642: result: $ac_cv_type_pid_t" >&5
+echo "${ECHO_T}$ac_cv_type_pid_t" >&6
+if test $ac_cv_type_pid_t = yes; then
+  :
+else
+
+cat >>confdefs.h <<EOF
 #define pid_t int
 EOF
 
 fi
 
-echo $ac_n "checking for uid_t in sys/types.h""... $ac_c" 1>&6
-echo "configure:5087: checking for uid_t in sys/types.h" >&5
-if eval "test \"`echo '$''{'ac_cv_type_uid_t'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15654: checking for uid_t in sys/types.h" >&5
+echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6
+if test "${ac_cv_type_uid_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 5092 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15660 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
-EOF
+
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "uid_t" >/dev/null 2>&1; then
-  rm -rf conftest*
   ac_cv_type_uid_t=yes
 else
-  rm -rf conftest*
   ac_cv_type_uid_t=no
 fi
 rm -f conftest*
 
 fi
-
-echo "$ac_t""$ac_cv_type_uid_t" 1>&6
+echo "$as_me:15674: result: $ac_cv_type_uid_t" >&5
+echo "${ECHO_T}$ac_cv_type_uid_t" >&6
 if test $ac_cv_type_uid_t = no; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define uid_t int
 EOF
 
-  cat >> confdefs.h <<\EOF
+cat >>confdefs.h <<\EOF
 #define gid_t int
 EOF
 
 fi
 
-echo $ac_n "checking for mode_t""... $ac_c" 1>&6
-echo "configure:5121: checking for mode_t" >&5
-if eval "test \"`echo '$''{'ac_cv_type_mode_t'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15688: checking for mode_t" >&5
+echo $ECHO_N "checking for mode_t... $ECHO_C" >&6
+if test "${ac_cv_type_mode_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 5126 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15694 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #if STDC_HEADERS
@@ -5130,33 +15699,33 @@ else
 #include <stddef.h>
 #endif
 
-EOF
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "mode_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
-  rm -rf conftest*
   ac_cv_type_mode_t=yes
 else
-  rm -rf conftest*
   ac_cv_type_mode_t=no
 fi
 rm -f conftest*
 
 fi
-echo "$ac_t""$ac_cv_type_mode_t" 1>&6
+echo "$as_me:15712: result: $ac_cv_type_mode_t" >&5
+echo "${ECHO_T}$ac_cv_type_mode_t" >&6
 if test $ac_cv_type_mode_t = no; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define mode_t unsigned short
 EOF
 
 fi
 
-echo $ac_n "checking for sig_atomic_t""... $ac_c" 1>&6
-echo "configure:5155: checking for sig_atomic_t" >&5
-if eval "test \"`echo '$''{'ac_cv_type_sig_atomic_t'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15722: checking for sig_atomic_t" >&5
+echo $ECHO_N "checking for sig_atomic_t... $ECHO_C" >&6
+if test "${ac_cv_type_sig_atomic_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 5160 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15728 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #if STDC_HEADERS
@@ -5164,36 +15733,34 @@ else
 #include <stddef.h>
 #endif
 #include <signal.h>
-EOF
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "sig_atomic_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
-  rm -rf conftest*
   ac_cv_type_sig_atomic_t=yes
 else
-  rm -rf conftest*
   ac_cv_type_sig_atomic_t=no
 fi
 rm -f conftest*
 
 fi
-echo "$ac_t""$ac_cv_type_sig_atomic_t" 1>&6
+echo "$as_me:15746: result: $ac_cv_type_sig_atomic_t" >&5
+echo "${ECHO_T}$ac_cv_type_sig_atomic_t" >&6
 if test $ac_cv_type_sig_atomic_t = no; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define sig_atomic_t int
 EOF
 
 fi
 
-
-
 cv=`echo "long long" | sed 'y%./+- %__p__%'`
-echo $ac_n "checking for long long""... $ac_c" 1>&6
-echo "configure:5192: checking for long long" >&5
-if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15757: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 5197 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15763 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #if STDC_HEADERS
@@ -5201,145 +15768,244 @@ else
 #include <stddef.h>
 #endif
 
-int main() {
+int
+main ()
+{
 long long foo;
-; return 0; }
-EOF
-if { (eval echo configure:5209: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:15780: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:15783: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15785: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:15788: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "ac_cv_type_$cv=yes"
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_type_$cv=no"
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
-if test `eval echo \\$ac_cv_type_$cv` = yes; then
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:15799: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo long long | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:15804: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6
+if test "${ac_cv_type_long_long+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15810 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((long long *) 0)
+  return 0;
+if (sizeof (long long))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:15825: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:15828: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15830: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:15833: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_long_long=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_long_long=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:15843: result: $ac_cv_type_long_long" >&5
+echo "${ECHO_T}$ac_cv_type_long_long" >&6
+if test $ac_cv_type_long_long = yes; then
 
-: << END
-@@@funcs="$funcs long_long"@@@
-END
+cat >>confdefs.h <<EOF
+#define HAVE_LONG_LONG 1
+EOF
+
+fi
+
+fi
 
-  cat >> confdefs.h <<EOF
+cat >>confdefs.h <<EOF
 #define $ac_tr_hdr 1
 EOF
 
 fi
 
-echo $ac_n "checking whether time.h and sys/time.h may both be included""... $ac_c" 1>&6
-echo "configure:5235: checking whether time.h and sys/time.h may both be included" >&5
-if eval "test \"`echo '$''{'ac_cv_header_time'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15861: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
+if test "${ac_cv_header_time+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 5240 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15867 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #include <sys/time.h>
 #include <time.h>
-int main() {
+
+int
+main ()
+{
 struct tm *tp;
-; return 0; }
-EOF
-if { (eval echo configure:5249: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:15882: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:15885: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15887: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:15890: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_header_time=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_header_time=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_header_time=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_header_time" 1>&6
+echo "$as_me:15900: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6
 if test $ac_cv_header_time = yes; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define TIME_WITH_SYS_TIME 1
 EOF
 
 fi
 
-echo $ac_n "checking whether struct tm is in sys/time.h or time.h""... $ac_c" 1>&6
-echo "configure:5270: checking whether struct tm is in sys/time.h or time.h" >&5
-if eval "test \"`echo '$''{'ac_cv_struct_tm'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15910: checking whether struct tm is in sys/time.h or time.h" >&5
+echo $ECHO_N "checking whether struct tm is in sys/time.h or time.h... $ECHO_C" >&6
+if test "${ac_cv_struct_tm+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 5275 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15916 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #include <time.h>
-int main() {
+
+int
+main ()
+{
 struct tm *tp; tp->tm_sec;
-; return 0; }
-EOF
-if { (eval echo configure:5283: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:15930: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:15933: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:15935: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:15938: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_struct_tm=time.h
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_struct_tm=sys/time.h
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_struct_tm=sys/time.h
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_struct_tm" 1>&6
+echo "$as_me:15948: result: $ac_cv_struct_tm" >&5
+echo "${ECHO_T}$ac_cv_struct_tm" >&6
 if test $ac_cv_struct_tm = sys/time.h; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define TM_IN_SYS_TIME 1
 EOF
 
 fi
 
-
-echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
-echo "configure:5305: checking for ANSI C header files" >&5
-if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:15958: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
+if test "${ac_cv_header_stdc+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 5310 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15964 "configure"
 #include "confdefs.h"
 #include <stdlib.h>
 #include <stdarg.h>
 #include <string.h>
 #include <float.h>
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:5318: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
-  rm -rf conftest*
+
+_ACEOF
+if { (eval echo "$as_me:15972: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:15978: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
   ac_cv_header_stdc=yes
 else
-  echo "$ac_err" >&5
-  echo "configure: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
   cat conftest.$ac_ext >&5
-  rm -rf conftest*
   ac_cv_header_stdc=no
 fi
-rm -f conftest*
+rm -f conftest.err conftest.$ac_ext
 
 if test $ac_cv_header_stdc = yes; then
   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-cat > conftest.$ac_ext <<EOF
-#line 5335 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16000 "configure"
 #include "confdefs.h"
 #include <string.h>
-EOF
+
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "memchr" >/dev/null 2>&1; then
   :
 else
-  rm -rf conftest*
   ac_cv_header_stdc=no
 fi
 rm -f conftest*
@@ -5348,16 +16014,16 @@ fi
 
 if test $ac_cv_header_stdc = yes; then
   # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-cat > conftest.$ac_ext <<EOF
-#line 5353 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16018 "configure"
 #include "confdefs.h"
 #include <stdlib.h>
-EOF
+
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "free" >/dev/null 2>&1; then
   :
 else
-  rm -rf conftest*
   ac_cv_header_stdc=no
 fi
 rm -f conftest*
@@ -5366,92 +16032,67 @@ fi
 
 if test $ac_cv_header_stdc = yes; then
   # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-if test "$cross_compiling" = yes; then
+  if test "$cross_compiling" = yes; then
   :
 else
-  cat > conftest.$ac_ext <<EOF
-#line 5374 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16039 "configure"
 #include "confdefs.h"
 #include <ctype.h>
-#define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-#define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
-int main () { int i; for (i = 0; i < 256; i++)
-if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2);
-exit (0); }
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) (('a' <= (c) && (c) <= 'i') \
+                     || ('j' <= (c) && (c) <= 'r') \
+                     || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
 
-EOF
-if { (eval echo configure:5385: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
-then
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+  int i;
+  for (i = 0; i < 256; i++)
+    if (XOR (islower (i), ISLOWER (i))
+        || toupper (i) != TOUPPER (i))
+      exit(2);
+  exit (0);
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:16065: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:16068: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:16069: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:16072: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   :
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -fr conftest*
-  ac_cv_header_stdc=no
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_header_stdc=no
 fi
-rm -fr conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 fi
-
 fi
 fi
-
-echo "$ac_t""$ac_cv_header_stdc" 1>&6
+echo "$as_me:16085: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6
 if test $ac_cv_header_stdc = yes; then
-  cat >> confdefs.h <<\EOF
-#define STDC_HEADERS 1
-EOF
-
-fi
-
 
-if test "$berkeley_db"; then
-  for ac_hdr in 				\
-	db.h					\
-	db_185.h				\
-  
-do
-ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
-echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:5417: checking for $ac_hdr" >&5
-if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 5422 "configure"
-#include "confdefs.h"
-#include <$ac_hdr>
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:5427: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
-  rm -rf conftest*
-  eval "ac_cv_header_$ac_safe=yes"
-else
-  echo "$ac_err" >&5
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_header_$ac_safe=no"
-fi
-rm -f conftest*
-fi
-if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_hdr 1
+cat >>confdefs.h <<\EOF
+#define STDC_HEADERS 1
 EOF
- 
-else
-  echo "$ac_t""no" 1>&6
-fi
-done
 
 fi
 
-for ac_hdr in \
+for ac_header in \
 	arpa/ftp.h				\
 	arpa/inet.h				\
 	arpa/nameser.h				\
@@ -5467,6 +16108,7 @@ for ac_hdr in \
 	errno.h					\
 	fcntl.h					\
 	fnmatch.h				\
+	gdbm/ndbm.h				\
 	grp.h					\
 	inttypes.h				\
 	io.h					\
@@ -5535,88 +16177,104 @@ for ac_hdr in \
 	tmpdir.h				\
 	udb.h					\
 	unistd.h				\
+	userconf.h				\
+	usersec.h				\
 	util.h					\
 	utmp.h					\
 	utmpx.h					\
 
 do
-ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
-echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:5546: checking for $ac_hdr" >&5
-if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 5551 "configure"
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+echo "$as_me:16188: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16194 "configure"
 #include "confdefs.h"
-#include <$ac_hdr>
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:5556: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
-  rm -rf conftest*
-  eval "ac_cv_header_$ac_safe=yes"
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:16198: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:16204: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
 else
-  echo "$ac_err" >&5
-  echo "configure: failed program was:" >&5
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
   cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_header_$ac_safe=no"
+  eval "$ac_ac_Header=no"
 fi
-rm -f conftest*
+rm -f conftest.err conftest.$ac_ext
 fi
-if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_hdr 1
+echo "$as_me:16223: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
 EOF
- 
-else
-  echo "$ac_t""no" 1>&6
+
 fi
 done
 
-
-
-for ac_hdr in standards.h
+for ac_header in standards.h
 do
-ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
-echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:5588: checking for $ac_hdr" >&5
-if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 5593 "configure"
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+echo "$as_me:16236: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16242 "configure"
 #include "confdefs.h"
-#include <$ac_hdr>
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:5598: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
-  rm -rf conftest*
-  eval "ac_cv_header_$ac_safe=yes"
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:16246: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:16252: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
 else
-  echo "$ac_err" >&5
-  echo "configure: failed program was:" >&5
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
   cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_header_$ac_safe=no"
+  eval "$ac_ac_Header=no"
 fi
-rm -f conftest*
+rm -f conftest.err conftest.$ac_ext
 fi
-if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_hdr 1
+echo "$as_me:16271: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
 EOF
- 
-else
-  echo "$ac_t""no" 1>&6
+
 fi
 done
 
@@ -5624,13 +16282,13 @@ for i in netinet/ip.h netinet/tcp.h; do
 
 cv=`echo "$i" | sed 'y%./+-%__p_%'`
 
-echo $ac_n "checking for $i""... $ac_c" 1>&6
-echo "configure:5629: checking for $i" >&5
-if eval "test \"`echo '$''{'ac_cv_header_$cv'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:16285: checking for $i" >&5
+echo $ECHO_N "checking for $i... $ECHO_C" >&6
+if eval "test \"\${ac_cv_header_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 5634 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16291 "configure"
 #include "confdefs.h"
 \
 #ifdef HAVE_STANDARDS_H
@@ -5638,55 +16296,109 @@ else
 #endif
 #include <$i>
 
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:5644: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
-  rm -rf conftest*
+_ACEOF
+if { (eval echo "$as_me:16300: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:16306: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
   eval "ac_cv_header_$cv=yes"
 else
-  echo "$ac_err" >&5
-  echo "configure: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
   cat conftest.$ac_ext >&5
-  rm -rf conftest*
   eval "ac_cv_header_$cv=no"
 fi
-rm -f conftest*
+rm -f conftest.err conftest.$ac_ext
 fi
-
-echo "$ac_t""`eval echo \\$ac_cv_header_$cv`" 1>&6
-if test `eval echo \\$ac_cv_header_$cv` = yes; then
-  ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
-  cat >> confdefs.h <<EOF
+echo "$as_me:16325: result: `eval echo '${'ac_cv_header_$cv'}'`" >&5
+echo "${ECHO_T}`eval echo '${'ac_cv_header_$cv'}'`" >&6
+ac_res=`eval echo \\$ac_cv_header_$cv`
+if test "$ac_res" = yes; then
+	ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+	cat >>confdefs.h <<EOF
 #define $ac_tr_hdr 1
 EOF
 
 fi
 done
-: << END
-@@@headers="$headers netinet/ip.h netinet/tcp.h"@@@
-END
+if false;then
 
+for ac_header in netinet/ip.h netinet/tcp.h
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+echo "$as_me:16341: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16347 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:16351: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:16357: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:16376: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
 
+fi
+done
 
+fi
 
 # Check whether --enable-netinfo or --disable-netinfo was given.
 if test "${enable_netinfo+set}" = set; then
   enableval="$enable_netinfo"
-  :
-fi
 
+fi;
 
 if test "$ac_cv_header_netinfo_ni_h" = yes -a "$enable_netinfo" = yes; then
-       cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_NETINFO 1
 EOF
 
 fi
 
-
-
 if test "$ac_cv_header_err_h" = yes; then
   have_err_h_TRUE=
   have_err_h_FALSE='#'
@@ -5695,7 +16407,6 @@ else
   have_err_h_FALSE=
 fi
 
-
 if test "$ac_cv_header_fnmatch_h" = yes; then
   have_fnmatch_h_TRUE=
   have_fnmatch_h_FALSE='#'
@@ -5704,39 +16415,36 @@ else
   have_fnmatch_h_FALSE=
 fi
 
-
 # Check whether --with-ipv6 or --without-ipv6 was given.
 if test "${with_ipv6+set}" = set; then
   withval="$with_ipv6"
-  
+
 if test "$withval" = "no"; then
 	ac_cv_lib_ipv6=no
 fi
-fi
-
-if eval "test \"`echo '$''{'ac_cv_lib_ipv6'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+fi;
+if test "${ac_cv_lib_ipv6+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   v6type=unknown
 v6lib=none
 
-echo $ac_n "checking ipv6 stack type""... $ac_c" 1>&6
-echo "configure:5725: checking ipv6 stack type" >&5
+echo "$as_me:16432: checking ipv6 stack type" >&5
+echo $ECHO_N "checking ipv6 stack type... $ECHO_C" >&6
 for i in v6d toshiba kame inria zeta linux; do
 	case $i in
 	v6d)
-		cat > conftest.$ac_ext <<EOF
-#line 5730 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 16438 "configure"
 #include "confdefs.h"
-dnl
+
 #include </usr/local/v6/include/sys/types.h>
 #ifdef __V6D__
 yes
 #endif
-EOF
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "yes" >/dev/null 2>&1; then
-  rm -rf conftest*
   v6type=$i; v6lib=v6;
 			v6libdir=/usr/local/v6/lib;
 			CFLAGS="-I/usr/local/v6/include $CFLAGS"
@@ -5745,18 +16453,17 @@ rm -f conftest*
 
 		;;
 	toshiba)
-		cat > conftest.$ac_ext <<EOF
-#line 5750 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 16457 "configure"
 #include "confdefs.h"
-dnl
+
 #include <sys/param.h>
 #ifdef _TOSHIBA_INET6
 yes
 #endif
-EOF
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "yes" >/dev/null 2>&1; then
-  rm -rf conftest*
   v6type=$i; v6lib=inet6;
 			v6libdir=/usr/local/v6/lib;
 			CFLAGS="-DINET6 $CFLAGS"
@@ -5765,18 +16472,17 @@ rm -f conftest*
 
 		;;
 	kame)
-		cat > conftest.$ac_ext <<EOF
-#line 5770 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 16476 "configure"
 #include "confdefs.h"
-dnl
+
 #include <netinet/in.h>
 #ifdef __KAME__
 yes
 #endif
-EOF
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "yes" >/dev/null 2>&1; then
-  rm -rf conftest*
   v6type=$i; v6lib=inet6;
 			v6libdir=/usr/local/v6/lib;
 			CFLAGS="-DINET6 $CFLAGS"
@@ -5785,36 +16491,34 @@ rm -f conftest*
 
 		;;
 	inria)
-		cat > conftest.$ac_ext <<EOF
-#line 5790 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 16495 "configure"
 #include "confdefs.h"
-dnl
+
 #include <netinet/in.h>
 #ifdef IPV6_INRIA_VERSION
 yes
 #endif
-EOF
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "yes" >/dev/null 2>&1; then
-  rm -rf conftest*
   v6type=$i; CFLAGS="-DINET6 $CFLAGS"
 fi
 rm -f conftest*
 
 		;;
 	zeta)
-		cat > conftest.$ac_ext <<EOF
-#line 5808 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 16512 "configure"
 #include "confdefs.h"
-dnl
+
 #include <sys/param.h>
 #ifdef _ZETA_MINAMI_INET6
 yes
 #endif
-EOF
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "yes" >/dev/null 2>&1; then
-  rm -rf conftest*
   v6type=$i; v6lib=inet6;
 			v6libdir=/usr/local/v6/lib;
 			CFLAGS="-DINET6 $CFLAGS"
@@ -5835,7 +16539,8 @@ rm -f conftest*
 		break
 	fi
 done
-echo "$ac_t""$v6type" 1>&6
+echo "$as_me:16542: result: $v6type" >&5
+echo "${ECHO_T}$v6type" >&6
 
 if test "$v6lib" != "none"; then
 	for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do
@@ -5845,8 +16550,8 @@ if test "$v6lib" != "none"; then
 		fi
 	done
 fi
-cat > conftest.$ac_ext <<EOF
-#line 5850 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 16554 "configure"
 #include "confdefs.h"
 
 #ifdef HAVE_SYS_TYPES_H
@@ -5862,7 +16567,9 @@ cat > conftest.$ac_ext <<EOF
 #include <netinet/in6.h>
 #endif
 
-int main() {
+int
+main ()
+{
 
  struct sockaddr_in6 sin6;
  int s;
@@ -5874,67 +16581,86 @@ int main() {
  sin6.sin6_addr = in6addr_any;
  bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
 
-; return 0; }
-EOF
-if { (eval echo configure:5880: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:16589: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:16592: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:16594: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:16597: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_lib_ipv6=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_lib_ipv6=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_ipv6=no
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 fi
 
-echo $ac_n "checking for IPv6""... $ac_c" 1>&6
-echo "configure:5893: checking for IPv6" >&5
-echo "$ac_t""$ac_cv_lib_ipv6" 1>&6
+echo "$as_me:16608: checking for IPv6" >&5
+echo $ECHO_N "checking for IPv6... $ECHO_C" >&6
+echo "$as_me:16610: result: $ac_cv_lib_ipv6" >&5
+echo "${ECHO_T}$ac_cv_lib_ipv6" >&6
 if test "$ac_cv_lib_ipv6" = yes; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_IPV6 1
 EOF
 
 fi
 
-
-
-
-
-
-
-echo $ac_n "checking for socket""... $ac_c" 1>&6
-echo "configure:5909: checking for socket" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_socket'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:16620: checking for socket" >&5
+echo $ECHO_N "checking for socket... $ECHO_C" >&6
+if test "${ac_cv_funclib_socket+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_socket\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" socket; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 5924 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 16636 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 socket()
-; return 0; }
-EOF
-if { (eval echo configure:5931: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:16648: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:16651: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:16653: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:16656: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_socket=$ac_lib; else ac_cv_funclib_socket=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_socket=\${ac_cv_funclib_socket-no}"
 	LIBS="$ac_save_LIBS"
@@ -5942,14 +16668,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_socket"
 
-: << END
-@@@funcs="$funcs socket"@@@
-@@@libs="$libs "" socket"@@@
-END
+if false; then
+
+for ac_func in socket
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:16678: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16684 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:16715: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:16718: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:16720: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:16723: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:16733: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
 
+fi
+done
+
+fi
 # socket
 eval "ac_tr_func=HAVE_`echo socket | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -5959,72 +16750,83 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_socket=yes"
 	eval "LIB_socket="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:16757: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_socket=no"
 	eval "LIB_socket="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:16763: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_socket=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:16777: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 if test -n "$LIB_socket"; then
 	LIBS="$LIB_socket $LIBS"
 fi
 
-
-
-
-
-echo $ac_n "checking for gethostbyname""... $ac_c" 1>&6
-echo "configure:5999: checking for gethostbyname" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_gethostbyname'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:16786: checking for gethostbyname" >&5
+echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6
+if test "${ac_cv_funclib_gethostbyname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_gethostbyname\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" nsl; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 6014 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 16802 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 gethostbyname()
-; return 0; }
-EOF
-if { (eval echo configure:6021: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:16814: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:16817: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:16819: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:16822: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname=$ac_lib; else ac_cv_funclib_gethostbyname=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_gethostbyname=\${ac_cv_funclib_gethostbyname-no}"
 	LIBS="$ac_save_LIBS"
@@ -6032,14 +16834,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_gethostbyname"
 
-: << END
-@@@funcs="$funcs gethostbyname"@@@
-@@@libs="$libs "" nsl"@@@
-END
+if false; then
+
+for ac_func in gethostbyname
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:16844: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16850 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:16881: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:16884: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:16886: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:16889: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:16899: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
 # gethostbyname
 eval "ac_tr_func=HAVE_`echo gethostbyname | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -6049,72 +16916,83 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_gethostbyname=yes"
 	eval "LIB_gethostbyname="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:16923: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_gethostbyname=no"
 	eval "LIB_gethostbyname="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:16929: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_gethostbyname=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:16943: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 if test -n "$LIB_gethostbyname"; then
 	LIBS="$LIB_gethostbyname $LIBS"
 fi
 
-
-
-
-
-echo $ac_n "checking for syslog""... $ac_c" 1>&6
-echo "configure:6089: checking for syslog" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_syslog'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:16952: checking for syslog" >&5
+echo $ECHO_N "checking for syslog... $ECHO_C" >&6
+if test "${ac_cv_funclib_syslog+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_syslog\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" syslog; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 6104 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 16968 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 syslog()
-; return 0; }
-EOF
-if { (eval echo configure:6111: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:16980: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:16983: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:16985: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:16988: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_syslog=$ac_lib; else ac_cv_funclib_syslog=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_syslog=\${ac_cv_funclib_syslog-no}"
 	LIBS="$ac_save_LIBS"
@@ -6122,14 +17000,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_syslog"
 
-: << END
-@@@funcs="$funcs syslog"@@@
-@@@libs="$libs "" syslog"@@@
-END
+if false; then
+
+for ac_func in syslog
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:17010: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17016 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:17047: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17050: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:17052: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17055: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:17065: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
 # syslog
 eval "ac_tr_func=HAVE_`echo syslog | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -6139,72 +17082,83 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_syslog=yes"
 	eval "LIB_syslog="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:17089: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_syslog=no"
 	eval "LIB_syslog="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:17095: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_syslog=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:17109: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 if test -n "$LIB_syslog"; then
 	LIBS="$LIB_syslog $LIBS"
 fi
 
-
-
-
-
-echo $ac_n "checking for logwtmp""... $ac_c" 1>&6
-echo "configure:6179: checking for logwtmp" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_logwtmp'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:17118: checking for logwtmp" >&5
+echo $ECHO_N "checking for logwtmp... $ECHO_C" >&6
+if test "${ac_cv_funclib_logwtmp+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_logwtmp\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" util; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 6194 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 17134 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 logwtmp()
-; return 0; }
-EOF
-if { (eval echo configure:6201: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:17146: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17149: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:17151: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17154: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_logwtmp=$ac_lib; else ac_cv_funclib_logwtmp=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_logwtmp=\${ac_cv_funclib_logwtmp-no}"
 	LIBS="$ac_save_LIBS"
@@ -6212,14 +17166,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_logwtmp"
 
-: << END
-@@@funcs="$funcs logwtmp"@@@
-@@@libs="$libs "" util"@@@
-END
+if false; then
+
+for ac_func in logwtmp
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:17176: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17182 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:17213: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17216: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:17218: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17221: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:17231: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
 
+fi
 # logwtmp
 eval "ac_tr_func=HAVE_`echo logwtmp | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -6229,67 +17248,79 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_logwtmp=yes"
 	eval "LIB_logwtmp="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:17255: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_logwtmp=no"
 	eval "LIB_logwtmp="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:17261: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_logwtmp=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:17275: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
-
-
-
-echo $ac_n "checking for tgetent""... $ac_c" 1>&6
-echo "configure:6264: checking for tgetent" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_tgetent'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:17280: checking for tgetent" >&5
+echo $ECHO_N "checking for tgetent... $ECHO_C" >&6
+if test "${ac_cv_funclib_tgetent+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_tgetent\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" termcap ncurses curses; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 6279 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 17296 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 tgetent()
-; return 0; }
-EOF
-if { (eval echo configure:6286: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:17308: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17311: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:17313: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17316: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_tgetent=$ac_lib; else ac_cv_funclib_tgetent=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_tgetent=\${ac_cv_funclib_tgetent-no}"
 	LIBS="$ac_save_LIBS"
@@ -6297,14 +17328,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_tgetent"
 
-: << END
-@@@funcs="$funcs tgetent"@@@
-@@@libs="$libs "" termcap ncurses curses"@@@
-END
+if false; then
+
+for ac_func in tgetent
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:17338: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17344 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:17375: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17378: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:17380: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17383: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:17393: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
 
+fi
 # tgetent
 eval "ac_tr_func=HAVE_`echo tgetent | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -6314,68 +17410,79 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_tgetent=yes"
 	eval "LIB_tgetent="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:17417: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_tgetent=no"
 	eval "LIB_tgetent="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:17423: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_tgetent=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:17437: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
-
-
-
-
-echo $ac_n "checking for gethostbyname2""... $ac_c" 1>&6
-echo "configure:6350: checking for gethostbyname2" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_gethostbyname2'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:17442: checking for gethostbyname2" >&5
+echo $ECHO_N "checking for gethostbyname2... $ECHO_C" >&6
+if test "${ac_cv_funclib_gethostbyname2+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_gethostbyname2\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" inet6 ip6; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 6365 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 17458 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 gethostbyname2()
-; return 0; }
-EOF
-if { (eval echo configure:6372: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:17470: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17473: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:17475: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17478: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname2=$ac_lib; else ac_cv_funclib_gethostbyname2=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_gethostbyname2=\${ac_cv_funclib_gethostbyname2-no}"
 	LIBS="$ac_save_LIBS"
@@ -6383,14 +17490,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_gethostbyname2"
 
-: << END
-@@@funcs="$funcs gethostbyname2"@@@
-@@@libs="$libs "" inet6 ip6"@@@
-END
+if false; then
+
+for ac_func in gethostbyname2
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:17500: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17506 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:17537: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17540: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:17542: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17545: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:17555: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
 
+fi
+done
+
+fi
 # gethostbyname2
 eval "ac_tr_func=HAVE_`echo gethostbyname2 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -6400,59 +17572,56 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_gethostbyname2=yes"
 	eval "LIB_gethostbyname2="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:17579: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_gethostbyname2=no"
 	eval "LIB_gethostbyname2="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:17585: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_gethostbyname2=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:17599: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 if test -n "$LIB_gethostbyname2"; then
 	LIBS="$LIB_gethostbyname2 $LIBS"
 fi
 
-
-
-
-
-
-echo $ac_n "checking for res_search""... $ac_c" 1>&6
-echo "configure:6441: checking for res_search" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_res_search'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:17608: checking for res_search" >&5
+echo $ECHO_N "checking for res_search... $ECHO_C" >&6
+if test "${ac_cv_funclib_res_search+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_res_search\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" resolv; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 6456 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 17624 "configure"
 #include "confdefs.h"
 
 #include <stdio.h>
@@ -6469,18 +17638,31 @@ if eval "test \"\$ac_cv_func_res_search\" != yes" ; then
 #include <resolv.h>
 #endif
 
-int main() {
+int
+main ()
+{
 res_search(0,0,0,0,0)
-; return 0; }
-EOF
-if { (eval echo configure:6477: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:17650: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17653: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:17655: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17658: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_res_search=$ac_lib; else ac_cv_funclib_res_search=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_res_search=\${ac_cv_funclib_res_search-no}"
 	LIBS="$ac_save_LIBS"
@@ -6488,14 +17670,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_res_search"
 
-: << END
-@@@funcs="$funcs res_search"@@@
-@@@libs="$libs "" resolv"@@@
-END
+if false; then
+
+for ac_func in res_search
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:17680: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17686 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
 
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:17717: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17720: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:17722: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17725: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:17735: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
 # res_search
 eval "ac_tr_func=HAVE_`echo res_search | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -6505,59 +17752,56 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_res_search=yes"
 	eval "LIB_res_search="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:17759: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_res_search=no"
 	eval "LIB_res_search="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:17765: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_res_search=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:17779: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 if test -n "$LIB_res_search"; then
 	LIBS="$LIB_res_search $LIBS"
 fi
 
-
-
-
-
-
-echo $ac_n "checking for dn_expand""... $ac_c" 1>&6
-echo "configure:6546: checking for dn_expand" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_dn_expand'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:17788: checking for dn_expand" >&5
+echo $ECHO_N "checking for dn_expand... $ECHO_C" >&6
+if test "${ac_cv_funclib_dn_expand+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_dn_expand\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" resolv; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 6561 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 17804 "configure"
 #include "confdefs.h"
 
 #include <stdio.h>
@@ -6574,18 +17818,31 @@ if eval "test \"\$ac_cv_func_dn_expand\" != yes" ; then
 #include <resolv.h>
 #endif
 
-int main() {
+int
+main ()
+{
 dn_expand(0,0,0,0,0)
-; return 0; }
-EOF
-if { (eval echo configure:6582: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:17830: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17833: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:17835: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17838: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_dn_expand=$ac_lib; else ac_cv_funclib_dn_expand=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_dn_expand=\${ac_cv_funclib_dn_expand-no}"
 	LIBS="$ac_save_LIBS"
@@ -6593,14 +17850,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_dn_expand"
 
-: << END
-@@@funcs="$funcs dn_expand"@@@
-@@@libs="$libs "" resolv"@@@
-END
+if false; then
 
+for ac_func in dn_expand
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:17860: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17866 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:17897: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17900: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:17902: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17905: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:17915: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
 # dn_expand
 eval "ac_tr_func=HAVE_`echo dn_expand | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -6610,51 +17932,50 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_dn_expand=yes"
 	eval "LIB_dn_expand="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:17939: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_dn_expand=no"
 	eval "LIB_dn_expand="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:17945: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_dn_expand=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:17959: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 if test -n "$LIB_dn_expand"; then
 	LIBS="$LIB_dn_expand $LIBS"
 fi
 
-
-
-
-echo $ac_n "checking for working snprintf""... $ac_c" 1>&6
-echo "configure:6649: checking for working snprintf" >&5
-if eval "test \"`echo '$''{'ac_cv_func_snprintf_working'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:17968: checking for working snprintf" >&5
+echo $ECHO_N "checking for working snprintf... $ECHO_C" >&6
+if test "${ac_cv_func_snprintf_working+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_cv_func_snprintf_working=yes
 if test "$cross_compiling" = yes; then
   :
 else
-  cat > conftest.$ac_ext <<EOF
-#line 6658 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17978 "configure"
 #include "confdefs.h"
 
 #include <stdio.h>
@@ -6665,25 +17986,33 @@ int main()
 	snprintf(foo, 2, "12");
 	return strcmp(foo, "1");
 }
-EOF
-if { (eval echo configure:6670: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
-then
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:17991: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:17994: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:17995: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:17998: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   :
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -fr conftest*
-  ac_cv_func_snprintf_working=no
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_snprintf_working=no
 fi
-rm -fr conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 fi
-
 fi
-
-echo "$ac_t""$ac_cv_func_snprintf_working" 1>&6
+echo "$as_me:18010: result: $ac_cv_func_snprintf_working" >&5
+echo "${ECHO_T}$ac_cv_func_snprintf_working" >&6
 
 if test "$ac_cv_func_snprintf_working" = yes; then
-	cat >> confdefs.h <<EOF
+
+cat >>confdefs.h <<EOF
 #define HAVE_SNPRINTF 1
 EOF
 
@@ -6691,38 +18020,51 @@ fi
 if test "$ac_cv_func_snprintf_working" = yes; then
 
 if test "$ac_cv_func_snprintf+set" != set -o "$ac_cv_func_snprintf" = yes; then
-echo $ac_n "checking if snprintf needs a prototype""... $ac_c" 1>&6
-echo "configure:6696: checking if snprintf needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_snprintf_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:18023: checking if snprintf needs a prototype" >&5
+echo $ECHO_N "checking if snprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_snprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 6701 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18029 "configure"
 #include "confdefs.h"
 #include <stdio.h>
-int main() {
+int
+main ()
+{
 struct foo { int foo; } xx;
 extern int snprintf (struct foo*);
 snprintf(&xx);
 
-; return 0; }
-EOF
-if { (eval echo configure:6711: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:18044: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:18047: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:18049: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:18052: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "ac_cv_func_snprintf_noproto=yes"
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_snprintf_noproto=no"
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_snprintf_noproto=no"
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_func_snprintf_noproto" 1>&6
+echo "$as_me:18062: result: $ac_cv_func_snprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_snprintf_noproto" >&6
 
 if test "$ac_cv_func_snprintf_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define NEED_SNPRINTF_PROTO 1
 EOF
 
@@ -6732,18 +18074,17 @@ fi
 
 fi
 
-
-echo $ac_n "checking for working vsnprintf""... $ac_c" 1>&6
-echo "configure:6738: checking for working vsnprintf" >&5
-if eval "test \"`echo '$''{'ac_cv_func_vsnprintf_working'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:18077: checking for working vsnprintf" >&5
+echo $ECHO_N "checking for working vsnprintf... $ECHO_C" >&6
+if test "${ac_cv_func_vsnprintf_working+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_cv_func_vsnprintf_working=yes
 if test "$cross_compiling" = yes; then
   :
 else
-  cat > conftest.$ac_ext <<EOF
-#line 6747 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18087 "configure"
 #include "confdefs.h"
 
 #include <stdio.h>
@@ -6760,30 +18101,37 @@ int foo(int num, ...)
 	return strcmp(bar, "1");
 }
 
-
 int main()
 {
 	return foo(0, "12");
 }
-EOF
-if { (eval echo configure:6770: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
-then
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:18110: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:18113: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:18114: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:18117: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   :
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -fr conftest*
-  ac_cv_func_vsnprintf_working=no
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_vsnprintf_working=no
 fi
-rm -fr conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 fi
-
 fi
-
-echo "$ac_t""$ac_cv_func_vsnprintf_working" 1>&6
+echo "$as_me:18129: result: $ac_cv_func_vsnprintf_working" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf_working" >&6
 
 if test "$ac_cv_func_vsnprintf_working" = yes; then
-	cat >> confdefs.h <<EOF
+
+cat >>confdefs.h <<EOF
 #define HAVE_VSNPRINTF 1
 EOF
 
@@ -6791,1054 +18139,400 @@ fi
 if test "$ac_cv_func_vsnprintf_working" = yes; then
 
 if test "$ac_cv_func_vsnprintf+set" != set -o "$ac_cv_func_vsnprintf" = yes; then
-echo $ac_n "checking if vsnprintf needs a prototype""... $ac_c" 1>&6
-echo "configure:6796: checking if vsnprintf needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_vsnprintf_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:18142: checking if vsnprintf needs a prototype" >&5
+echo $ECHO_N "checking if vsnprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_vsnprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 6801 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18148 "configure"
 #include "confdefs.h"
 #include <stdio.h>
-int main() {
+int
+main ()
+{
 struct foo { int foo; } xx;
 extern int vsnprintf (struct foo*);
 vsnprintf(&xx);
 
-; return 0; }
-EOF
-if { (eval echo configure:6811: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:18163: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:18166: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:18168: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:18171: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "ac_cv_func_vsnprintf_noproto=yes"
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_vsnprintf_noproto=no"
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_func_vsnprintf_noproto=no"
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_func_vsnprintf_noproto" 1>&6
+echo "$as_me:18181: result: $ac_cv_func_vsnprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf_noproto" >&6
 
 if test "$ac_cv_func_vsnprintf_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_VSNPRINTF_PROTO 1
-EOF
-
-fi
-
-fi
-
-fi
-
-
-
-echo $ac_n "checking for working glob""... $ac_c" 1>&6
-echo "configure:6839: checking for working glob" >&5
-if eval "test \"`echo '$''{'ac_cv_func_glob_working'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  ac_cv_func_glob_working=yes
-cat > conftest.$ac_ext <<EOF
-#line 6845 "configure"
-#include "confdefs.h"
-
-#include <stdio.h>
-#include <glob.h>
-int main() {
-
-glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE, NULL, NULL);
-
-; return 0; }
-EOF
-if { (eval echo configure:6856: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  :
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_func_glob_working=no
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_glob_working" 1>&6
-
-if test "$ac_cv_func_glob_working" = yes; then
-	cat >> confdefs.h <<\EOF
-#define HAVE_GLOB 1
-EOF
-
-fi
-if test "$ac_cv_func_glob_working" = yes; then
-
-if test "$ac_cv_func_glob+set" != set -o "$ac_cv_func_glob" = yes; then
-echo $ac_n "checking if glob needs a prototype""... $ac_c" 1>&6
-echo "configure:6880: checking if glob needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_glob_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 6885 "configure"
-#include "confdefs.h"
-#include <stdio.h>
-#include <glob.h>
-int main() {
-struct foo { int foo; } xx;
-extern int glob (struct foo*);
-glob(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:6896: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_glob_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_glob_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_glob_noproto" 1>&6
-
-if test "$ac_cv_func_glob_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_GLOB_PROTO 1
-EOF
 
-fi
-
-fi
-
-fi
-
-
-if test "$ac_cv_func_glob_working" != yes; then
-	LIBOBJS="$LIBOBJS glob.o"
-fi
-
-
-if test "$ac_cv_func_glob_working" = yes; then
-  have_glob_h_TRUE=
-  have_glob_h_FALSE='#'
-else
-  have_glob_h_TRUE='#'
-  have_glob_h_FALSE=
-fi
-
-
-
-
-
-echo $ac_n "checking for dbopen""... $ac_c" 1>&6
-echo "configure:6940: checking for dbopen" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_dbopen'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-if eval "test \"\$ac_cv_func_dbopen\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" $berkeley_db; do
-		if test -n "$ac_lib"; then 
-			ac_lib="-l$ac_lib"
-		else
-			ac_lib=""
-		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 6955 "configure"
-#include "confdefs.h"
-
-int main() {
-dbopen()
-; return 0; }
+cat >>confdefs.h <<\EOF
+#define NEED_VSNPRINTF_PROTO 1
 EOF
-if { (eval echo configure:6962: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbopen=$ac_lib; else ac_cv_funclib_dbopen=yes; fi";break
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-fi
-rm -f conftest*
-	done
-	eval "ac_cv_funclib_dbopen=\${ac_cv_funclib_dbopen-no}"
-	LIBS="$ac_save_LIBS"
-fi
 
 fi
 
-
-eval "ac_res=\$ac_cv_funclib_dbopen"
-
-: << END
-@@@funcs="$funcs dbopen"@@@
-@@@libs="$libs "" $berkeley_db"@@@
-END
-
-# dbopen
-eval "ac_tr_func=HAVE_`echo dbopen | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_dbopen=$ac_res"
-
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_dbopen=yes"
-	eval "LIB_dbopen="
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-	echo "$ac_t""yes" 1>&6
-	;;
-	no)
-	eval "ac_cv_func_dbopen=no"
-	eval "LIB_dbopen="
-	echo "$ac_t""no" 1>&6
-	;;
-	*)
-	eval "ac_cv_func_dbopen=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-	cat >> confdefs.h <<EOF
-#define $ac_tr_lib 1
-EOF
-
-	echo "$ac_t""yes, in $ac_res" 1>&6
-	;;
-esac
-
-
-
-
-
-echo $ac_n "checking for dbm_firstkey""... $ac_c" 1>&6
-echo "configure:7025: checking for dbm_firstkey" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_dbm_firstkey'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-if eval "test \"\$ac_cv_func_dbm_firstkey\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" $berkeley_db gdbm ndbm; do
-		if test -n "$ac_lib"; then 
-			ac_lib="-l$ac_lib"
-		else
-			ac_lib=""
-		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 7040 "configure"
-#include "confdefs.h"
-
-int main() {
-dbm_firstkey()
-; return 0; }
-EOF
-if { (eval echo configure:7047: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbm_firstkey=$ac_lib; else ac_cv_funclib_dbm_firstkey=yes; fi";break
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-fi
-rm -f conftest*
-	done
-	eval "ac_cv_funclib_dbm_firstkey=\${ac_cv_funclib_dbm_firstkey-no}"
-	LIBS="$ac_save_LIBS"
 fi
 
 fi
 
+for ac_func in 				\
+	_getpty					\
+	_scrsize				\
+	fcntl					\
+	gettimeofday				\
+	getuid					\
+	grantpt					\
+	mktime					\
+	ptsname					\
+	rand					\
+	random					\
+	revoke					\
+	select					\
+	setitimer				\
+	setpcred				\
+	setpgid					\
+	setproctitle				\
+	setregid				\
+	setresgid				\
+	setresuid				\
+	setreuid				\
+	setsid					\
+	setutent				\
+	sigaction				\
+	strstr					\
+	timegm					\
+	ttyname					\
+	ttyslot					\
+	umask					\
+	unlockpt				\
+	vhangup					\
+	yp_get_default_domain			\
 
-eval "ac_res=\$ac_cv_funclib_dbm_firstkey"
-
-: << END
-@@@funcs="$funcs dbm_firstkey"@@@
-@@@libs="$libs "" $berkeley_db gdbm ndbm"@@@
-END
-
-# dbm_firstkey
-eval "ac_tr_func=HAVE_`echo dbm_firstkey | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_dbm_firstkey=$ac_res"
-
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_dbm_firstkey=yes"
-	eval "LIB_dbm_firstkey="
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-	echo "$ac_t""yes" 1>&6
-	;;
-	no)
-	eval "ac_cv_func_dbm_firstkey=no"
-	eval "LIB_dbm_firstkey="
-	echo "$ac_t""no" 1>&6
-	;;
-	*)
-	eval "ac_cv_func_dbm_firstkey=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-	cat >> confdefs.h <<EOF
-#define $ac_tr_lib 1
-EOF
-
-	echo "$ac_t""yes, in $ac_res" 1>&6
-	;;
-esac
-
-
-
-DBLIB="$LIB_dbopen"
-if test "$LIB_dbopen" != "$LIB_dbm_firstkey"; then
-	DBLIB="$DBLIB $LIB_dbm_firstkey"
-fi
-
-for ac_func in _getpty _scrsize asnprintf asprintf cgetent fcntl
 do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:7115: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 7120 "configure"
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:18231: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18237 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
+    which can conflict with char $ac_func (); below.  */
 #include <assert.h>
 /* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
+#ifdef __cplusplus
+extern "C"
 #endif
-
-; return 0; }
-EOF
-if { (eval echo configure:7143: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
-else
-  echo "$ac_t""no" 1>&6
-fi
-done
-
-for ac_func in getmsg getrlimit getspnam gettimeofday getuid
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:7170: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 7175 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-$ac_func();
+f = $ac_func;
 #endif
 
-; return 0; }
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:18268: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:18271: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:18273: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:18276: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:18286: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
 EOF
-if { (eval echo configure:7198: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
 
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
-else
-  echo "$ac_t""no" 1>&6
 fi
 done
 
-for ac_func in grantpt mktime ptsname rand random setproctitle
+for ac_header in capability.h sys/capability.h
 do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:7225: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 7230 "configure"
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+echo "$as_me:18299: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18305 "configure"
 #include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:7253: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:18309: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:18315: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
 else
-  echo "$ac_t""no" 1>&6
+  ac_cpp_err=yes
 fi
-done
-
-for ac_func in revoke select setitimer setpcred setpgid
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:7280: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
 else
-  cat > conftest.$ac_ext <<EOF
-#line 7285 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:7308: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
   cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
+  eval "$ac_ac_Header=no"
 fi
-rm -f conftest*
+rm -f conftest.err conftest.$ac_ext
 fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
-else
-  echo "$ac_t""no" 1>&6
-fi
-done
-
-for ac_func in setregid setresgid setresuid setreuid setutent
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:7335: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 7340 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
+echo "$as_me:18334: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
 EOF
-if { (eval echo configure:7363: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
 
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
-else
-  echo "$ac_t""no" 1>&6
 fi
 done
 
-for ac_func in setsid sigaction strstr
+for ac_func in sgi_getcapabilitybyname cap_set_proc
 do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:7390: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 7395 "configure"
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:18347: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18353 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
+    which can conflict with char $ac_func (); below.  */
 #include <assert.h>
 /* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
+#ifdef __cplusplus
+extern "C"
 #endif
-
-; return 0; }
-EOF
-if { (eval echo configure:7418: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
-else
-  echo "$ac_t""no" 1>&6
-fi
-done
-
-for ac_func in sysconf sysctl timegm ttyname ttyslot umask uname
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:7445: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 7450 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-$ac_func();
+f = $ac_func;
 #endif
 
-; return 0; }
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:18384: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:18387: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:18389: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:18392: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:18402: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
 EOF
-if { (eval echo configure:7473: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
 
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
-else
-  echo "$ac_t""no" 1>&6
 fi
 done
 
-for ac_func in unlockpt vasnprintf vasprintf vhangup
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:7500: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 7505 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:7528: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
+echo "$as_me:18412: checking for getpwnam_r" >&5
+echo $ECHO_N "checking for getpwnam_r... $ECHO_C" >&6
+if test "${ac_cv_funclib_getpwnam_r+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  echo "$ac_t""no" 1>&6
-fi
-done
 
-for ac_func in yp_get_default_domain
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:7555: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 7560 "configure"
+if eval "test \"\$ac_cv_func_getpwnam_r\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" c_r; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 18428 "configure"
 #include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
 
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:7583: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
+int
+main ()
+{
+getpwnam_r()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:18440: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:18443: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:18445: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:18448: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_getpwnam_r=$ac_lib; else ac_cv_funclib_getpwnam_r=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_getpwnam_r=\${ac_cv_funclib_getpwnam_r-no}"
+	LIBS="$ac_save_LIBS"
 fi
 
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
-else
-  echo "$ac_t""no" 1>&6
 fi
-done
-
 
-if test "$ac_cv_func_cgetent" = no; then
-	LIBOBJS="$LIBOBJS getcap.o"
-fi
+eval "ac_res=\$ac_cv_funclib_getpwnam_r"
 
+if false; then
 
-for ac_func in getlogin setlogin
+for ac_func in getpwnam_r
 do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:7616: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 7621 "configure"
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:18470: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18476 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
+    which can conflict with char $ac_func (); below.  */
 #include <assert.h>
 /* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
+#ifdef __cplusplus
+extern "C"
 #endif
-
-; return 0; }
-EOF
-if { (eval echo configure:7644: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
-else
-  echo "$ac_t""no" 1>&6
-fi
-done
-
-if test "$ac_cv_func_getlogin" = yes; then
-echo $ac_n "checking if getlogin is posix""... $ac_c" 1>&6
-echo "configure:7670: checking if getlogin is posix" >&5
-if eval "test \"`echo '$''{'ac_cv_func_getlogin_posix'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
-	ac_cv_func_getlogin_posix=no
-else
-	ac_cv_func_getlogin_posix=yes
-fi
-
-fi
-
-echo "$ac_t""$ac_cv_func_getlogin_posix" 1>&6
-if test "$ac_cv_func_getlogin_posix" = yes; then
-	cat >> confdefs.h <<\EOF
-#define POSIX_GETLOGIN 1
-EOF
-
-fi
-fi
-
-
-
-
-for ac_hdr in capability.h sys/capability.h
-do
-ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
-echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:7699: checking for $ac_hdr" >&5
-if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 7704 "configure"
-#include "confdefs.h"
-#include <$ac_hdr>
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:7709: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
-  rm -rf conftest*
-  eval "ac_cv_header_$ac_safe=yes"
-else
-  echo "$ac_err" >&5
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_header_$ac_safe=no"
-fi
-rm -f conftest*
-fi
-if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_hdr 1
-EOF
- 
-else
-  echo "$ac_t""no" 1>&6
-fi
-done
-
-
-for ac_func in sgi_getcapabilitybyname cap_set_proc
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:7739: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 7744 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-$ac_func();
+f = $ac_func;
 #endif
 
-; return 0; }
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:18507: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:18510: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:18512: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:18515: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:18525: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
 EOF
-if { (eval echo configure:7767: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
 
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
-else
-  echo "$ac_t""no" 1>&6
 fi
 done
 
-
-
-
-
-
-
-echo $ac_n "checking for getpwnam_r""... $ac_c" 1>&6
-echo "configure:7798: checking for getpwnam_r" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_getpwnam_r'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-if eval "test \"\$ac_cv_func_getpwnam_r\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" c_r; do
-		if test -n "$ac_lib"; then 
-			ac_lib="-l$ac_lib"
-		else
-			ac_lib=""
-		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 7813 "configure"
-#include "confdefs.h"
-
-int main() {
-getpwnam_r()
-; return 0; }
-EOF
-if { (eval echo configure:7820: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_getpwnam_r=$ac_lib; else ac_cv_funclib_getpwnam_r=yes; fi";break
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-fi
-rm -f conftest*
-	done
-	eval "ac_cv_funclib_getpwnam_r=\${ac_cv_funclib_getpwnam_r-no}"
-	LIBS="$ac_save_LIBS"
 fi
-
-fi
-
-
-eval "ac_res=\$ac_cv_funclib_getpwnam_r"
-
-: << END
-@@@funcs="$funcs getpwnam_r"@@@
-@@@libs="$libs "" c_r"@@@
-END
-
 # getpwnam_r
 eval "ac_tr_func=HAVE_`echo getpwnam_r | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -7848,46 +18542,48 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_getpwnam_r=yes"
 	eval "LIB_getpwnam_r="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:18549: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_getpwnam_r=no"
 	eval "LIB_getpwnam_r="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:18555: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_getpwnam_r=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:18569: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 if test "$ac_cv_func_getpwnam_r" = yes; then
-	echo $ac_n "checking if getpwnam_r is posix""... $ac_c" 1>&6
-echo "configure:7881: checking if getpwnam_r is posix" >&5
-if eval "test \"`echo '$''{'ac_cv_func_getpwnam_r_posix'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+	echo "$as_me:18575: checking if getpwnam_r is posix" >&5
+echo $ECHO_N "checking if getpwnam_r is posix... $ECHO_C" >&6
+if test "${ac_cv_func_getpwnam_r_posix+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_libs="$LIBS"
 	LIBS="$LIBS $LIB_getpwnam_r"
 	if test "$cross_compiling" = yes; then
   :
 else
-  cat > conftest.$ac_ext <<EOF
-#line 7891 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18586 "configure"
 #include "confdefs.h"
 
 #include <pwd.h>
@@ -7897,52 +18593,56 @@ int main()
 	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
 }
 
-EOF
-if { (eval echo configure:7902: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
-then
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:18598: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:18601: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:18602: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:18605: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_func_getpwnam_r_posix=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -fr conftest*
-  ac_cv_func_getpwnam_r_posix=no
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_getpwnam_r_posix=no
 fi
-rm -fr conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 fi
-
 LIBS="$ac_libs"
 fi
-
-echo "$ac_t""$ac_cv_func_getpwnam_r_posix" 1>&6
+echo "$as_me:18618: result: $ac_cv_func_getpwnam_r_posix" >&5
+echo "${ECHO_T}$ac_cv_func_getpwnam_r_posix" >&6
 if test "$ac_cv_func_getpwnam_r_posix" = yes; then
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define POSIX_GETPWNAM_R 1
 EOF
 
 fi
 fi
 
-
-
-
-
-echo $ac_n "checking for getsockopt""... $ac_c" 1>&6
-echo "configure:7931: checking for getsockopt" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_getsockopt'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:18629: checking for getsockopt" >&5
+echo $ECHO_N "checking for getsockopt... $ECHO_C" >&6
+if test "${ac_cv_funclib_getsockopt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_getsockopt\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" ; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 7946 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 18645 "configure"
 #include "confdefs.h"
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
@@ -7950,18 +18650,31 @@ if eval "test \"\$ac_cv_func_getsockopt\" != yes" ; then
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
 #endif
-int main() {
+int
+main ()
+{
 getsockopt(0,0,0,0,0)
-; return 0; }
-EOF
-if { (eval echo configure:7958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:18662: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:18665: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:18667: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:18670: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_getsockopt=$ac_lib; else ac_cv_funclib_getsockopt=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_getsockopt=\${ac_cv_funclib_getsockopt-no}"
 	LIBS="$ac_save_LIBS"
@@ -7969,14 +18682,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_getsockopt"
 
-: << END
-@@@funcs="$funcs getsockopt"@@@
-@@@libs="$libs "" "@@@
-END
+if false; then
+
+for ac_func in getsockopt
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:18692: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18698 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:18729: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:18732: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:18734: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:18737: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:18747: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
 # getsockopt
 eval "ac_tr_func=HAVE_`echo getsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -7986,53 +18764,52 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_getsockopt=yes"
 	eval "LIB_getsockopt="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:18771: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_getsockopt=no"
 	eval "LIB_getsockopt="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:18777: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_getsockopt=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:18791: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
-
-
-
-echo $ac_n "checking for setsockopt""... $ac_c" 1>&6
-echo "configure:8021: checking for setsockopt" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_setsockopt'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:18796: checking for setsockopt" >&5
+echo $ECHO_N "checking for setsockopt... $ECHO_C" >&6
+if test "${ac_cv_funclib_setsockopt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_setsockopt\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" ; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 8036 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 18812 "configure"
 #include "confdefs.h"
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
@@ -8040,18 +18817,31 @@ if eval "test \"\$ac_cv_func_setsockopt\" != yes" ; then
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
 #endif
-int main() {
+int
+main ()
+{
 setsockopt(0,0,0,0,0)
-; return 0; }
-EOF
-if { (eval echo configure:8048: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:18829: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:18832: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:18834: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:18837: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_setsockopt=$ac_lib; else ac_cv_funclib_setsockopt=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_setsockopt=\${ac_cv_funclib_setsockopt-no}"
 	LIBS="$ac_save_LIBS"
@@ -8059,1630 +18849,258 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_setsockopt"
 
-: << END
-@@@funcs="$funcs setsockopt"@@@
-@@@libs="$libs "" "@@@
-END
-
-# setsockopt
-eval "ac_tr_func=HAVE_`echo setsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_setsockopt=$ac_res"
-
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_setsockopt=yes"
-	eval "LIB_setsockopt="
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-	echo "$ac_t""yes" 1>&6
-	;;
-	no)
-	eval "ac_cv_func_setsockopt=no"
-	eval "LIB_setsockopt="
-	echo "$ac_t""no" 1>&6
-	;;
-	*)
-	eval "ac_cv_func_setsockopt=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-	cat >> confdefs.h <<EOF
-#define $ac_tr_lib 1
-EOF
-
-	echo "$ac_t""yes, in $ac_res" 1>&6
-	;;
-esac
-
-
+if false; then
 
-for ac_func in getudbnam setlim
+for ac_func in setsockopt
 do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:8111: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8116 "configure"
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:18859: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18865 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
+    which can conflict with char $ac_func (); below.  */
 #include <assert.h>
 /* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-$ac_func();
+f = $ac_func;
 #endif
 
-; return 0; }
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:18896: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:18899: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:18901: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:18904: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:18914: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
 EOF
-if { (eval echo configure:8139: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
 
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
-  cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
- 
-else
-  echo "$ac_t""no" 1>&6
 fi
 done
 
-
-echo $ac_n "checking return type of signal handlers""... $ac_c" 1>&6
-echo "configure:8165: checking return type of signal handlers" >&5
-if eval "test \"`echo '$''{'ac_cv_type_signal'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8170 "configure"
-#include "confdefs.h"
-#include <sys/types.h>
-#include <signal.h>
-#ifdef signal
-#undef signal
-#endif
-#ifdef __cplusplus
-extern "C" void (*signal (int, void (*)(int)))(int);
-#else
-void (*signal ()) ();
-#endif
-
-int main() {
-int i;
-; return 0; }
-EOF
-if { (eval echo configure:8187: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  ac_cv_type_signal=void
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_signal=int
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_type_signal" 1>&6
-cat >> confdefs.h <<EOF
-#define RETSIGTYPE $ac_cv_type_signal
-EOF
-
-
-if test "$ac_cv_type_signal" = "void" ; then
-	cat >> confdefs.h <<\EOF
-#define VOID_RETSIGTYPE 1
-EOF
-
-fi
-
-
-
-
-
-
-echo $ac_n "checking for hstrerror""... $ac_c" 1>&6
-echo "configure:8218: checking for hstrerror" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_hstrerror'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-if eval "test \"\$ac_cv_func_hstrerror\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" resolv; do
-		if test -n "$ac_lib"; then 
-			ac_lib="-l$ac_lib"
-		else
-			ac_lib=""
-		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 8233 "configure"
-#include "confdefs.h"
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-int main() {
-hstrerror(17)
-; return 0; }
-EOF
-if { (eval echo configure:8242: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_hstrerror=$ac_lib; else ac_cv_funclib_hstrerror=yes; fi";break
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-fi
-rm -f conftest*
-	done
-	eval "ac_cv_funclib_hstrerror=\${ac_cv_funclib_hstrerror-no}"
-	LIBS="$ac_save_LIBS"
-fi
-
 fi
-
-
-eval "ac_res=\$ac_cv_funclib_hstrerror"
-
-: << END
-@@@funcs="$funcs hstrerror"@@@
-@@@libs="$libs "" resolv"@@@
-END
-
-# hstrerror
-eval "ac_tr_func=HAVE_`echo hstrerror | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+# setsockopt
+eval "ac_tr_func=HAVE_`echo setsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_hstrerror=$ac_res"
+eval "LIB_setsockopt=$ac_res"
 
 case "$ac_res" in
 	yes)
-	eval "ac_cv_func_hstrerror=yes"
-	eval "LIB_hstrerror="
-	cat >> confdefs.h <<EOF
+	eval "ac_cv_func_setsockopt=yes"
+	eval "LIB_setsockopt="
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:18938: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
-	eval "ac_cv_func_hstrerror=no"
-	eval "LIB_hstrerror="
-	echo "$ac_t""no" 1>&6
+	eval "ac_cv_func_setsockopt=no"
+	eval "LIB_setsockopt="
+	echo "$as_me:18944: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
-	eval "ac_cv_func_hstrerror=yes"
+	eval "ac_cv_func_setsockopt=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:18958: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
-if test -n "$LIB_hstrerror"; then
-	LIBS="$LIB_hstrerror $LIBS"
-fi
-
-if eval "test \"$ac_cv_func_hstrerror\" != yes"; then
-LIBOBJS="$LIBOBJS hstrerror.o"
-fi
-
-if test "$ac_cv_func_hstrerror" = yes; then
-
-if test "$ac_cv_func_hstrerror+set" != set -o "$ac_cv_func_hstrerror" = yes; then
-echo $ac_n "checking if hstrerror needs a prototype""... $ac_c" 1>&6
-echo "configure:8313: checking if hstrerror needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_hstrerror_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8318 "configure"
-#include "confdefs.h"
-
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-int main() {
-struct foo { int foo; } xx;
-extern int hstrerror (struct foo*);
-hstrerror(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:8331: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_hstrerror_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_hstrerror_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_hstrerror_noproto" 1>&6
-
-if test "$ac_cv_func_hstrerror_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_HSTRERROR_PROTO 1
-EOF
-
-fi
-
-fi
-
-fi
-
-if test "$ac_cv_func_asprintf" = yes; then
-
-if test "$ac_cv_func_asprintf+set" != set -o "$ac_cv_func_asprintf" = yes; then
-echo $ac_n "checking if asprintf needs a prototype""... $ac_c" 1>&6
-echo "configure:8360: checking if asprintf needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_asprintf_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8365 "configure"
-#include "confdefs.h"
-
-#include <stdio.h>
-#include <string.h>
-int main() {
-struct foo { int foo; } xx;
-extern int asprintf (struct foo*);
-asprintf(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:8377: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_asprintf_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_asprintf_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_asprintf_noproto" 1>&6
-
-if test "$ac_cv_func_asprintf_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_ASPRINTF_PROTO 1
-EOF
-
-fi
-
-fi
-fi
-if test "$ac_cv_func_vasprintf" = yes; then
-
-if test "$ac_cv_func_vasprintf+set" != set -o "$ac_cv_func_vasprintf" = yes; then
-echo $ac_n "checking if vasprintf needs a prototype""... $ac_c" 1>&6
-echo "configure:8404: checking if vasprintf needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_vasprintf_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8409 "configure"
-#include "confdefs.h"
-
-#include <stdio.h>
-#include <string.h>
-int main() {
-struct foo { int foo; } xx;
-extern int vasprintf (struct foo*);
-vasprintf(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:8421: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_vasprintf_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_vasprintf_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_vasprintf_noproto" 1>&6
-
-if test "$ac_cv_func_vasprintf_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_VASPRINTF_PROTO 1
-EOF
-
-fi
-
-fi
-fi
-if test "$ac_cv_func_asnprintf" = yes; then
-
-if test "$ac_cv_func_asnprintf+set" != set -o "$ac_cv_func_asnprintf" = yes; then
-echo $ac_n "checking if asnprintf needs a prototype""... $ac_c" 1>&6
-echo "configure:8448: checking if asnprintf needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_asnprintf_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8453 "configure"
-#include "confdefs.h"
-
-#include <stdio.h>
-#include <string.h>
-int main() {
-struct foo { int foo; } xx;
-extern int asnprintf (struct foo*);
-asnprintf(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:8465: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_asnprintf_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_asnprintf_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_asnprintf_noproto" 1>&6
-
-if test "$ac_cv_func_asnprintf_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_ASNPRINTF_PROTO 1
-EOF
-
-fi
-
-fi
-fi
-if test "$ac_cv_func_vasnprintf" = yes; then
-
-if test "$ac_cv_func_vasnprintf+set" != set -o "$ac_cv_func_vasnprintf" = yes; then
-echo $ac_n "checking if vasnprintf needs a prototype""... $ac_c" 1>&6
-echo "configure:8492: checking if vasnprintf needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_vasnprintf_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8497 "configure"
-#include "confdefs.h"
-
-#include <stdio.h>
-#include <string.h>
-int main() {
-struct foo { int foo; } xx;
-extern int vasnprintf (struct foo*);
-vasnprintf(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:8509: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_vasnprintf_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_vasnprintf_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_vasnprintf_noproto" 1>&6
-
-if test "$ac_cv_func_vasnprintf_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_VASNPRINTF_PROTO 1
-EOF
-
-fi
-
-fi
-fi
-
-for ac_func in chown copyhostent daemon err errx fchown flock fnmatch
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:8536: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8541 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:8564: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs chown copyhostent daemon err errx fchown flock fnmatch"@@@
-END
-done
-
-for ac_func in freeaddrinfo freehostent gai_strerror getaddrinfo
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:8597: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8602 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:8625: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs freeaddrinfo freehostent gai_strerror getaddrinfo"@@@
-END
-done
-
-for ac_func in getcwd getdtablesize gethostname getipnodebyaddr getipnodebyname
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:8658: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8663 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:8686: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs getcwd getdtablesize gethostname getipnodebyaddr getipnodebyname"@@@
-END
-done
-
-for ac_func in geteuid getgid getegid
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:8719: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8724 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:8747: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs geteuid getgid getegid"@@@
-END
-done
-
-for ac_func in getnameinfo getopt getusershell
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:8780: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8785 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:8808: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs getnameinfo getopt getusershell"@@@
-END
-done
-
-for ac_func in inet_aton inet_ntop inet_pton initgroups innetgr iruserok lstat
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:8841: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8846 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:8869: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs inet_aton inet_ntop inet_pton initgroups innetgr iruserok lstat"@@@
-END
-done
-
-for ac_func in memmove
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:8902: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8907 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:8930: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs memmove"@@@
-END
-done
-
-for ac_func in mkstemp putenv rcmd readv recvmsg sendmsg setegid setenv seteuid
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:8963: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 8968 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:8991: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs mkstemp putenv rcmd readv recvmsg sendmsg setegid setenv seteuid"@@@
-END
-done
-
-for ac_func in strcasecmp strncasecmp strdup strerror strftime
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:9024: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9029 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:9052: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs strcasecmp strncasecmp strdup strerror strftime"@@@
-END
-done
-
-for ac_func in strlcat strlcpy strlwr
+for ac_func in getudbnam setlim
 do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:9085: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9090 "configure"
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:18966: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18972 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
+    which can conflict with char $ac_func (); below.  */
 #include <assert.h>
 /* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
+#ifdef __cplusplus
+extern "C"
 #endif
-
-; return 0; }
-EOF
-if { (eval echo configure:9113: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs strlcat strlcpy strlwr"@@@
-END
-done
-
-for ac_func in strndup strnlen strptime strsep strtok_r strupr
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:9146: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9151 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-$ac_func();
+f = $ac_func;
 #endif
 
-; return 0; }
-EOF
-if { (eval echo configure:9174: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:19003: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:19006: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19008: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:19011: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:19021: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
 EOF
 
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
 fi
-
-: << END
-@@@funcs="$funcs strndup strnlen strptime strsep strtok_r strupr"@@@
-END
 done
 
-for ac_func in swab unsetenv verr verrx vsyslog
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:9207: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19031: checking return type of signal handlers" >&5
+echo $ECHO_N "checking return type of signal handlers... $ECHO_C" >&6
+if test "${ac_cv_type_signal+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 9212 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19037 "configure"
 #include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
+#include <sys/types.h>
+#include <signal.h>
+#ifdef signal
+# undef signal
 #endif
-
-; return 0; }
-EOF
-if { (eval echo configure:9235: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs swab unsetenv verr verrx vsyslog"@@@
-END
-done
-
-for ac_func in vwarn vwarnx warn warnx writev
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:9268: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9273 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
+#ifdef __cplusplus
+extern "C" void (*signal (int, void (*)(int)))(int);
 #else
-$ac_func();
+void (*signal ()) ();
 #endif
 
-; return 0; }
-EOF
-if { (eval echo configure:9296: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  
-ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
-  echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.o"
-fi
-
-: << END
-@@@funcs="$funcs vwarn vwarnx warn warnx writev"@@@
-END
-done
-
-
-
-if test "$ac_cv_func_setenv+set" != set -o "$ac_cv_func_setenv" = yes; then
-echo $ac_n "checking if setenv needs a prototype""... $ac_c" 1>&6
-echo "configure:9330: checking if setenv needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_setenv_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9335 "configure"
-#include "confdefs.h"
-#include <stdlib.h>
-int main() {
-struct foo { int foo; } xx;
-extern int setenv (struct foo*);
-setenv(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:9345: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_setenv_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_setenv_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_setenv_noproto" 1>&6
-
-if test "$ac_cv_func_setenv_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_SETENV_PROTO 1
-EOF
-
-fi
-
-fi
-
-
-if test "$ac_cv_func_unsetenv+set" != set -o "$ac_cv_func_unsetenv" = yes; then
-echo $ac_n "checking if unsetenv needs a prototype""... $ac_c" 1>&6
-echo "configure:9371: checking if unsetenv needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_unsetenv_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9376 "configure"
-#include "confdefs.h"
-#include <stdlib.h>
-int main() {
-struct foo { int foo; } xx;
-extern int unsetenv (struct foo*);
-unsetenv(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:9386: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_unsetenv_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_unsetenv_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_unsetenv_noproto" 1>&6
-
-if test "$ac_cv_func_unsetenv_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_UNSETENV_PROTO 1
-EOF
-
-fi
-
-fi
-
-
-if test "$ac_cv_func_gethostname+set" != set -o "$ac_cv_func_gethostname" = yes; then
-echo $ac_n "checking if gethostname needs a prototype""... $ac_c" 1>&6
-echo "configure:9412: checking if gethostname needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_gethostname_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9417 "configure"
-#include "confdefs.h"
-#include <unistd.h>
-int main() {
-struct foo { int foo; } xx;
-extern int gethostname (struct foo*);
-gethostname(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:9427: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_gethostname_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_gethostname_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_gethostname_noproto" 1>&6
-
-if test "$ac_cv_func_gethostname_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_GETHOSTNAME_PROTO 1
-EOF
-
-fi
-
-fi
-
-
-if test "$ac_cv_func_mkstemp+set" != set -o "$ac_cv_func_mkstemp" = yes; then
-echo $ac_n "checking if mkstemp needs a prototype""... $ac_c" 1>&6
-echo "configure:9453: checking if mkstemp needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_mkstemp_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9458 "configure"
-#include "confdefs.h"
-#include <unistd.h>
-int main() {
-struct foo { int foo; } xx;
-extern int mkstemp (struct foo*);
-mkstemp(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:9468: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_mkstemp_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_mkstemp_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_mkstemp_noproto" 1>&6
-
-if test "$ac_cv_func_mkstemp_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_MKSTEMP_PROTO 1
-EOF
-
-fi
-
-fi
-
-
-if test "$ac_cv_func_getusershell+set" != set -o "$ac_cv_func_getusershell" = yes; then
-echo $ac_n "checking if getusershell needs a prototype""... $ac_c" 1>&6
-echo "configure:9494: checking if getusershell needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_getusershell_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9499 "configure"
-#include "confdefs.h"
-#include <unistd.h>
-int main() {
-struct foo { int foo; } xx;
-extern int getusershell (struct foo*);
-getusershell(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:9509: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_getusershell_noproto=yes"
+int
+main ()
+{
+int i;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19059: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19062: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19064: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19067: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_signal=void
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_getusershell_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_getusershell_noproto" 1>&6
-
-if test "$ac_cv_func_getusershell_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_GETUSERSHELL_PROTO 1
-EOF
-
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_signal=int
 fi
-
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
+echo "$as_me:19077: result: $ac_cv_type_signal" >&5
+echo "${ECHO_T}$ac_cv_type_signal" >&6
 
-
-
-if test "$ac_cv_func_inet_aton+set" != set -o "$ac_cv_func_inet_aton" = yes; then
-echo $ac_n "checking if inet_aton needs a prototype""... $ac_c" 1>&6
-echo "configure:9536: checking if inet_aton needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_inet_aton_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9541 "configure"
-#include "confdefs.h"
-
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-int main() {
-struct foo { int foo; } xx;
-extern int inet_aton (struct foo*);
-inet_aton(&xx);
-
-; return 0; }
+cat >>confdefs.h <<EOF
+#define RETSIGTYPE $ac_cv_type_signal
 EOF
-if { (eval echo configure:9563: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_inet_aton_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_inet_aton_noproto=no"
-fi
-rm -f conftest*
-fi
 
-echo "$ac_t""$ac_cv_func_inet_aton_noproto" 1>&6
+if test "$ac_cv_type_signal" = "void" ; then
 
-if test "$ac_cv_func_inet_aton_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_INET_ATON_PROTO 1
+cat >>confdefs.h <<\EOF
+#define VOID_RETSIGTYPE 1
 EOF
 
 fi
 
-fi
-
-
-
-
-
-echo $ac_n "checking for crypt""... $ac_c" 1>&6
-echo "configure:9591: checking for crypt" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_crypt'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-if eval "test \"\$ac_cv_func_crypt\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" crypt; do
-		if test -n "$ac_lib"; then 
-			ac_lib="-l$ac_lib"
-		else
-			ac_lib=""
-		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 9606 "configure"
-#include "confdefs.h"
-
-int main() {
-crypt()
-; return 0; }
-EOF
-if { (eval echo configure:9613: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_crypt=$ac_lib; else ac_cv_funclib_crypt=yes; fi";break
+echo "$as_me:19092: checking if realloc if broken" >&5
+echo $ECHO_N "checking if realloc if broken... $ECHO_C" >&6
+if test "${ac_cv_func_realloc_broken+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-fi
-rm -f conftest*
-	done
-	eval "ac_cv_funclib_crypt=\${ac_cv_funclib_crypt-no}"
-	LIBS="$ac_save_LIBS"
-fi
-
-fi
-
-
-eval "ac_res=\$ac_cv_funclib_crypt"
-
-: << END
-@@@funcs="$funcs crypt"@@@
-@@@libs="$libs "" crypt"@@@
-END
 
-# crypt
-eval "ac_tr_func=HAVE_`echo crypt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_crypt=$ac_res"
-
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_crypt=yes"
-	eval "LIB_crypt="
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-	echo "$ac_t""yes" 1>&6
-	;;
-	no)
-	eval "ac_cv_func_crypt=no"
-	eval "LIB_crypt="
-	echo "$ac_t""no" 1>&6
-	;;
-	*)
-	eval "ac_cv_func_crypt=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-	cat >> confdefs.h <<EOF
-#define $ac_tr_lib 1
-EOF
-
-	echo "$ac_t""yes, in $ac_res" 1>&6
-	;;
-esac
-
-
-
-LIB_roken='$(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen)'
-
-echo $ac_n "checking if realloc if broken""... $ac_c" 1>&6
-echo "configure:9676: checking if realloc if broken" >&5
-if eval "test \"`echo '$''{'ac_cv_func_realloc_broken'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
 ac_cv_func_realloc_broken=no
 if test "$cross_compiling" = yes; then
   :
 else
-  cat > conftest.$ac_ext <<EOF
-#line 9686 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19103 "configure"
 #include "confdefs.h"
 
 #include <stddef.h>
@@ -9693,1414 +19111,617 @@ int main()
 	return realloc(NULL, 17) == NULL;
 }
 
-EOF
-if { (eval echo configure:9698: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
-then
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:19116: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:19119: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:19120: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:19123: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   :
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -fr conftest*
-  ac_cv_func_realloc_broken=yes
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_realloc_broken=yes
 fi
-rm -fr conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 fi
 
-
 fi
-
-echo "$ac_t""$ac_cv_func_realloc_broken" 1>&6
+echo "$as_me:19136: result: $ac_cv_func_realloc_broken" >&5
+echo "${ECHO_T}$ac_cv_func_realloc_broken" >&6
 if test "$ac_cv_func_realloc_broken" = yes ; then
-	cat >> confdefs.h <<\EOF
-#define BROKEN_REALLOC 1
-EOF
-
-fi
-
-
-
-
-echo $ac_n "checking if gethostbyname is compatible with system prototype""... $ac_c" 1>&6
-echo "configure:9725: checking if gethostbyname is compatible with system prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_gethostbyname_proto_compat'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9730 "configure"
-#include "confdefs.h"
-
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-
-int main() {
-struct hostent *gethostbyname(const char *);
-; return 0; }
-EOF
-if { (eval echo configure:9753: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_gethostbyname_proto_compat=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_gethostbyname_proto_compat=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_gethostbyname_proto_compat" 1>&6
-
-if test "$ac_cv_func_gethostbyname_proto_compat" = yes; then
-	cat >> confdefs.h <<\EOF
-#define GETHOSTBYNAME_PROTO_COMPATIBLE 1
-EOF
-
-fi
-
-
-
-
-echo $ac_n "checking if gethostbyaddr is compatible with system prototype""... $ac_c" 1>&6
-echo "configure:9778: checking if gethostbyaddr is compatible with system prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_gethostbyaddr_proto_compat'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9783 "configure"
-#include "confdefs.h"
-
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-
-int main() {
-struct hostent *gethostbyaddr(const void *, size_t, int);
-; return 0; }
-EOF
-if { (eval echo configure:9806: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_gethostbyaddr_proto_compat=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_gethostbyaddr_proto_compat=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_gethostbyaddr_proto_compat" 1>&6
-
-if test "$ac_cv_func_gethostbyaddr_proto_compat" = yes; then
-	cat >> confdefs.h <<\EOF
-#define GETHOSTBYADDR_PROTO_COMPATIBLE 1
-EOF
-
-fi
-
-
-
-
-echo $ac_n "checking if getservbyname is compatible with system prototype""... $ac_c" 1>&6
-echo "configure:9831: checking if getservbyname is compatible with system prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_getservbyname_proto_compat'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9836 "configure"
-#include "confdefs.h"
-
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-
-int main() {
-struct servent *getservbyname(const char *, const char *);
-; return 0; }
-EOF
-if { (eval echo configure:9859: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_getservbyname_proto_compat=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_getservbyname_proto_compat=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_getservbyname_proto_compat" 1>&6
-
-if test "$ac_cv_func_getservbyname_proto_compat" = yes; then
-	cat >> confdefs.h <<\EOF
-#define GETSERVBYNAME_PROTO_COMPATIBLE 1
-EOF
-
-fi
-
-
-
-
-echo $ac_n "checking if openlog is compatible with system prototype""... $ac_c" 1>&6
-echo "configure:9884: checking if openlog is compatible with system prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_openlog_proto_compat'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9889 "configure"
-#include "confdefs.h"
-
-#ifdef HAVE_SYSLOG_H
-#include <syslog.h>
-#endif
-
-int main() {
-void openlog(const char *, int, int);
-; return 0; }
-EOF
-if { (eval echo configure:9900: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_openlog_proto_compat=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_openlog_proto_compat=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_openlog_proto_compat" 1>&6
-
-if test "$ac_cv_func_openlog_proto_compat" = yes; then
-	cat >> confdefs.h <<\EOF
-#define OPENLOG_PROTO_COMPATIBLE 1
-EOF
-
-fi
-
-
-
-
-if test "$ac_cv_func_crypt+set" != set -o "$ac_cv_func_crypt" = yes; then
-echo $ac_n "checking if crypt needs a prototype""... $ac_c" 1>&6
-echo "configure:9926: checking if crypt needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_crypt_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9931 "configure"
-#include "confdefs.h"
-
-#ifdef HAVE_CRYPT_H
-#include <crypt.h>
-#endif
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-int main() {
-struct foo { int foo; } xx;
-extern int crypt (struct foo*);
-crypt(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:9948: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_crypt_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_crypt_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_crypt_noproto" 1>&6
-
-if test "$ac_cv_func_crypt_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_CRYPT_PROTO 1
-EOF
-
-fi
-
-fi
-
-
-
-if test "$ac_cv_func_strtok_r+set" != set -o "$ac_cv_func_strtok_r" = yes; then
-echo $ac_n "checking if strtok_r needs a prototype""... $ac_c" 1>&6
-echo "configure:9975: checking if strtok_r needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_strtok_r_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 9980 "configure"
-#include "confdefs.h"
-
-#include <string.h>
-
-int main() {
-struct foo { int foo; } xx;
-extern int strtok_r (struct foo*);
-strtok_r(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:9992: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_strtok_r_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_strtok_r_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_strtok_r_noproto" 1>&6
-
-if test "$ac_cv_func_strtok_r_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_STRTOK_R_PROTO 1
-EOF
-
-fi
-
-fi
-
-
-
-if test "$ac_cv_func_strsep+set" != set -o "$ac_cv_func_strsep" = yes; then
-echo $ac_n "checking if strsep needs a prototype""... $ac_c" 1>&6
-echo "configure:10019: checking if strsep needs a prototype" >&5
-if eval "test \"`echo '$''{'ac_cv_func_strsep_noproto'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 10024 "configure"
-#include "confdefs.h"
-
-#include <string.h>
-
-int main() {
-struct foo { int foo; } xx;
-extern int strsep (struct foo*);
-strsep(&xx);
-
-; return 0; }
-EOF
-if { (eval echo configure:10036: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_func_strsep_noproto=yes"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_func_strsep_noproto=no"
-fi
-rm -f conftest*
-fi
-
-echo "$ac_t""$ac_cv_func_strsep_noproto" 1>&6
-
-if test "$ac_cv_func_strsep_noproto" = yes; then
-	cat >> confdefs.h <<\EOF
-#define NEED_STRSEP_PROTO 1
-EOF
-
-fi
-
-fi
-
-
-
-echo $ac_n "checking for h_errno""... $ac_c" 1>&6
-echo "configure:10062: checking for h_errno" >&5
-if eval "test \"`echo '$''{'ac_cv_var_h_errno'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10068 "configure"
-#include "confdefs.h"
-extern int h_errno;
-int foo() { return h_errno; }
-int main() {
-foo()
-; return 0; }
-EOF
-if { (eval echo configure:10076: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  ac_cv_var_h_errno=yes
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_var_h_errno=no
-fi
-rm -f conftest*
-
-fi
-
-
-
-echo "$ac_t""`eval echo \\$ac_cv_var_h_errno`" 1>&6
-if test `eval echo \\$ac_cv_var_h_errno` = yes; then
-	cat >> confdefs.h <<EOF
-#define HAVE_H_ERRNO 1
-EOF
-
-	
-echo $ac_n "checking if h_errno is properly declared""... $ac_c" 1>&6
-echo "configure:10099: checking if h_errno is properly declared" >&5
-if eval "test \"`echo '$''{'ac_cv_var_h_errno_declaration'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10105 "configure"
-#include "confdefs.h"
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-extern struct { int foo; } h_errno;
-int main() {
-h_errno.foo = 1;
-; return 0; }
-EOF
-if { (eval echo configure:10118: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_var_h_errno_declaration=no"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_var_h_errno_declaration=yes"
-fi
-rm -f conftest*
-
-fi
-
-
-
-
-echo "$ac_t""$ac_cv_var_h_errno_declaration" 1>&6
-if eval "test \"\$ac_cv_var_h_errno_declaration\" = yes"; then
-	cat >> confdefs.h <<\EOF
-#define HAVE_H_ERRNO_DECLARATION 1
-EOF
-
-fi
-
-
-fi
-
-
-
-
-echo $ac_n "checking for h_errlist""... $ac_c" 1>&6
-echo "configure:10149: checking for h_errlist" >&5
-if eval "test \"`echo '$''{'ac_cv_var_h_errlist'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10155 "configure"
-#include "confdefs.h"
-extern int h_errlist;
-int foo() { return h_errlist; }
-int main() {
-foo()
-; return 0; }
-EOF
-if { (eval echo configure:10163: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  ac_cv_var_h_errlist=yes
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_var_h_errlist=no
-fi
-rm -f conftest*
-
-fi
-
-
-
-echo "$ac_t""`eval echo \\$ac_cv_var_h_errlist`" 1>&6
-if test `eval echo \\$ac_cv_var_h_errlist` = yes; then
-	cat >> confdefs.h <<EOF
-#define HAVE_H_ERRLIST 1
-EOF
-
-	
-echo $ac_n "checking if h_errlist is properly declared""... $ac_c" 1>&6
-echo "configure:10186: checking if h_errlist is properly declared" >&5
-if eval "test \"`echo '$''{'ac_cv_var_h_errlist_declaration'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10192 "configure"
-#include "confdefs.h"
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-extern struct { int foo; } h_errlist;
-int main() {
-h_errlist.foo = 1;
-; return 0; }
-EOF
-if { (eval echo configure:10202: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_var_h_errlist_declaration=no"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_var_h_errlist_declaration=yes"
-fi
-rm -f conftest*
-
-fi
-
-
-
-
-echo "$ac_t""$ac_cv_var_h_errlist_declaration" 1>&6
-if eval "test \"\$ac_cv_var_h_errlist_declaration\" = yes"; then
-	cat >> confdefs.h <<\EOF
-#define HAVE_H_ERRLIST_DECLARATION 1
-EOF
-
-fi
-
-
-fi
-
-
-
-
-echo $ac_n "checking for h_nerr""... $ac_c" 1>&6
-echo "configure:10233: checking for h_nerr" >&5
-if eval "test \"`echo '$''{'ac_cv_var_h_nerr'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10239 "configure"
-#include "confdefs.h"
-extern int h_nerr;
-int foo() { return h_nerr; }
-int main() {
-foo()
-; return 0; }
-EOF
-if { (eval echo configure:10247: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  ac_cv_var_h_nerr=yes
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_var_h_nerr=no
-fi
-rm -f conftest*
-
-fi
-
 
-
-echo "$ac_t""`eval echo \\$ac_cv_var_h_nerr`" 1>&6
-if test `eval echo \\$ac_cv_var_h_nerr` = yes; then
-	cat >> confdefs.h <<EOF
-#define HAVE_H_NERR 1
-EOF
-
-	
-echo $ac_n "checking if h_nerr is properly declared""... $ac_c" 1>&6
-echo "configure:10270: checking if h_nerr is properly declared" >&5
-if eval "test \"`echo '$''{'ac_cv_var_h_nerr_declaration'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10276 "configure"
-#include "confdefs.h"
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-extern struct { int foo; } h_nerr;
-int main() {
-h_nerr.foo = 1;
-; return 0; }
-EOF
-if { (eval echo configure:10286: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_var_h_nerr_declaration=no"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_var_h_nerr_declaration=yes"
-fi
-rm -f conftest*
-
-fi
-
-
-
-
-echo "$ac_t""$ac_cv_var_h_nerr_declaration" 1>&6
-if eval "test \"\$ac_cv_var_h_nerr_declaration\" = yes"; then
-	cat >> confdefs.h <<\EOF
-#define HAVE_H_NERR_DECLARATION 1
-EOF
-
-fi
-
-
-fi
-
-
-
-
-echo $ac_n "checking for __progname""... $ac_c" 1>&6
-echo "configure:10317: checking for __progname" >&5
-if eval "test \"`echo '$''{'ac_cv_var___progname'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10323 "configure"
-#include "confdefs.h"
-extern int __progname;
-int foo() { return __progname; }
-int main() {
-foo()
-; return 0; }
-EOF
-if { (eval echo configure:10331: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  ac_cv_var___progname=yes
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_var___progname=no
-fi
-rm -f conftest*
-
-fi
-
-
-
-echo "$ac_t""`eval echo \\$ac_cv_var___progname`" 1>&6
-if test `eval echo \\$ac_cv_var___progname` = yes; then
-	cat >> confdefs.h <<EOF
-#define HAVE___PROGNAME 1
-EOF
-
-	
-echo $ac_n "checking if __progname is properly declared""... $ac_c" 1>&6
-echo "configure:10354: checking if __progname is properly declared" >&5
-if eval "test \"`echo '$''{'ac_cv_var___progname_declaration'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10360 "configure"
-#include "confdefs.h"
-#ifdef HAVE_ERR_H
-#include <err.h>
-#endif
-extern struct { int foo; } __progname;
-int main() {
-__progname.foo = 1;
-; return 0; }
-EOF
-if { (eval echo configure:10370: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_var___progname_declaration=no"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_var___progname_declaration=yes"
-fi
-rm -f conftest*
-
-fi
-
-
-
-
-echo "$ac_t""$ac_cv_var___progname_declaration" 1>&6
-if eval "test \"\$ac_cv_var___progname_declaration\" = yes"; then
-	cat >> confdefs.h <<\EOF
-#define HAVE___PROGNAME_DECLARATION 1
-EOF
-
-fi
-
-
-fi
-
-
-
-
-echo $ac_n "checking if optarg is properly declared""... $ac_c" 1>&6
-echo "configure:10401: checking if optarg is properly declared" >&5
-if eval "test \"`echo '$''{'ac_cv_var_optarg_declaration'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10407 "configure"
-#include "confdefs.h"
-#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-extern struct { int foo; } optarg;
-int main() {
-optarg.foo = 1;
-; return 0; }
-EOF
-if { (eval echo configure:10418: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_var_optarg_declaration=no"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_var_optarg_declaration=yes"
-fi
-rm -f conftest*
-
-fi
-
-
-
-
-echo "$ac_t""$ac_cv_var_optarg_declaration" 1>&6
-if eval "test \"\$ac_cv_var_optarg_declaration\" = yes"; then
-	cat >> confdefs.h <<\EOF
-#define HAVE_OPTARG_DECLARATION 1
-EOF
-
-fi
-
-
-
-echo $ac_n "checking if optind is properly declared""... $ac_c" 1>&6
-echo "configure:10445: checking if optind is properly declared" >&5
-if eval "test \"`echo '$''{'ac_cv_var_optind_declaration'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10451 "configure"
-#include "confdefs.h"
-#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-extern struct { int foo; } optind;
-int main() {
-optind.foo = 1;
-; return 0; }
-EOF
-if { (eval echo configure:10462: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_var_optind_declaration=no"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_var_optind_declaration=yes"
-fi
-rm -f conftest*
-
-fi
-
-
-
-
-echo "$ac_t""$ac_cv_var_optind_declaration" 1>&6
-if eval "test \"\$ac_cv_var_optind_declaration\" = yes"; then
-	cat >> confdefs.h <<\EOF
-#define HAVE_OPTIND_DECLARATION 1
-EOF
-
-fi
-
-
-
-echo $ac_n "checking if opterr is properly declared""... $ac_c" 1>&6
-echo "configure:10489: checking if opterr is properly declared" >&5
-if eval "test \"`echo '$''{'ac_cv_var_opterr_declaration'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10495 "configure"
-#include "confdefs.h"
-#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-extern struct { int foo; } opterr;
-int main() {
-opterr.foo = 1;
-; return 0; }
-EOF
-if { (eval echo configure:10506: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_var_opterr_declaration=no"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_var_opterr_declaration=yes"
-fi
-rm -f conftest*
-
-fi
-
-
-
-
-echo "$ac_t""$ac_cv_var_opterr_declaration" 1>&6
-if eval "test \"\$ac_cv_var_opterr_declaration\" = yes"; then
-	cat >> confdefs.h <<\EOF
-#define HAVE_OPTERR_DECLARATION 1
-EOF
-
-fi
-
-
-
-echo $ac_n "checking if optopt is properly declared""... $ac_c" 1>&6
-echo "configure:10533: checking if optopt is properly declared" >&5
-if eval "test \"`echo '$''{'ac_cv_var_optopt_declaration'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10539 "configure"
-#include "confdefs.h"
-#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-extern struct { int foo; } optopt;
-int main() {
-optopt.foo = 1;
-; return 0; }
-EOF
-if { (eval echo configure:10550: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_var_optopt_declaration=no"
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_var_optopt_declaration=yes"
-fi
-rm -f conftest*
-
-fi
-
-
-
-
-echo "$ac_t""$ac_cv_var_optopt_declaration" 1>&6
-if eval "test \"\$ac_cv_var_optopt_declaration\" = yes"; then
-	cat >> confdefs.h <<\EOF
-#define HAVE_OPTOPT_DECLARATION 1
+cat >>confdefs.h <<\EOF
+#define BROKEN_REALLOC 1
 EOF
 
 fi
 
-
-
-
-echo $ac_n "checking if environ is properly declared""... $ac_c" 1>&6
-echo "configure:10578: checking if environ is properly declared" >&5
-if eval "test \"`echo '$''{'ac_cv_var_environ_declaration'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10584 "configure"
-#include "confdefs.h"
-#include <stdlib.h>
-extern struct { int foo; } environ;
-int main() {
-environ.foo = 1;
-; return 0; }
-EOF
-if { (eval echo configure:10592: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval "ac_cv_var_environ_declaration=no"
+echo "$as_me:19146: checking for ut_addr in struct utmp" >&5
+echo $ECHO_N "checking for ut_addr in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_addr+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_var_environ_declaration=yes"
-fi
-rm -f conftest*
-
-fi
-
-
-
-
-echo "$ac_t""$ac_cv_var_environ_declaration" 1>&6
-if eval "test \"\$ac_cv_var_environ_declaration\" = yes"; then
-	cat >> confdefs.h <<\EOF
-#define HAVE_ENVIRON_DECLARATION 1
-EOF
-
-fi
-
-
 
-
-
-
-echo $ac_n "checking for ut_addr in struct utmp""... $ac_c" 1>&6
-echo "configure:10622: checking for ut_addr in struct utmp" >&5
-if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_addr'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10628 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 19153 "configure"
 #include "confdefs.h"
 #include <utmp.h>
-int main() {
+int
+main ()
+{
 struct utmp x; x.ut_addr;
-; return 0; }
-EOF
-if { (eval echo configure:10635: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19165: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19168: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19170: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19173: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_struct_utmp_ut_addr=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_struct_utmp_ut_addr=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_utmp_ut_addr=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_type_struct_utmp_ut_addr" 1>&6
+echo "$as_me:19183: result: $ac_cv_type_struct_utmp_ut_addr" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_addr" >&6
 if test "$ac_cv_type_struct_utmp_ut_addr" = yes; then
-	
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_UTMP_UT_ADDR 1
 EOF
 
-	
 fi
 
-
-
-
-echo $ac_n "checking for ut_host in struct utmp""... $ac_c" 1>&6
-echo "configure:10661: checking for ut_host in struct utmp" >&5
-if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_host'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19193: checking for ut_host in struct utmp" >&5
+echo $ECHO_N "checking for ut_host in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_host+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10667 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 19200 "configure"
 #include "confdefs.h"
 #include <utmp.h>
-int main() {
+int
+main ()
+{
 struct utmp x; x.ut_host;
-; return 0; }
-EOF
-if { (eval echo configure:10674: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19212: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19215: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19217: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19220: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_struct_utmp_ut_host=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_struct_utmp_ut_host=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_utmp_ut_host=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_type_struct_utmp_ut_host" 1>&6
+echo "$as_me:19230: result: $ac_cv_type_struct_utmp_ut_host" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_host" >&6
 if test "$ac_cv_type_struct_utmp_ut_host" = yes; then
-	
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_UTMP_UT_HOST 1
 EOF
 
-	
 fi
 
-
-
-
-echo $ac_n "checking for ut_id in struct utmp""... $ac_c" 1>&6
-echo "configure:10700: checking for ut_id in struct utmp" >&5
-if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_id'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19240: checking for ut_id in struct utmp" >&5
+echo $ECHO_N "checking for ut_id in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_id+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10706 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 19247 "configure"
 #include "confdefs.h"
 #include <utmp.h>
-int main() {
+int
+main ()
+{
 struct utmp x; x.ut_id;
-; return 0; }
-EOF
-if { (eval echo configure:10713: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19259: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19262: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19264: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19267: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_struct_utmp_ut_id=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_struct_utmp_ut_id=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_utmp_ut_id=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_type_struct_utmp_ut_id" 1>&6
+echo "$as_me:19277: result: $ac_cv_type_struct_utmp_ut_id" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_id" >&6
 if test "$ac_cv_type_struct_utmp_ut_id" = yes; then
-	
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_UTMP_UT_ID 1
 EOF
 
-	
 fi
 
-
-
-
-echo $ac_n "checking for ut_pid in struct utmp""... $ac_c" 1>&6
-echo "configure:10739: checking for ut_pid in struct utmp" >&5
-if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_pid'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19287: checking for ut_pid in struct utmp" >&5
+echo $ECHO_N "checking for ut_pid in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_pid+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10745 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 19294 "configure"
 #include "confdefs.h"
 #include <utmp.h>
-int main() {
+int
+main ()
+{
 struct utmp x; x.ut_pid;
-; return 0; }
-EOF
-if { (eval echo configure:10752: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19306: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19309: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19311: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19314: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_struct_utmp_ut_pid=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_struct_utmp_ut_pid=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_utmp_ut_pid=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_type_struct_utmp_ut_pid" 1>&6
+echo "$as_me:19324: result: $ac_cv_type_struct_utmp_ut_pid" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_pid" >&6
 if test "$ac_cv_type_struct_utmp_ut_pid" = yes; then
-	
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_UTMP_UT_PID 1
 EOF
 
-	
 fi
 
-
-
-
-echo $ac_n "checking for ut_type in struct utmp""... $ac_c" 1>&6
-echo "configure:10778: checking for ut_type in struct utmp" >&5
-if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_type'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19334: checking for ut_type in struct utmp" >&5
+echo $ECHO_N "checking for ut_type in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_type+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10784 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 19341 "configure"
 #include "confdefs.h"
 #include <utmp.h>
-int main() {
+int
+main ()
+{
 struct utmp x; x.ut_type;
-; return 0; }
-EOF
-if { (eval echo configure:10791: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19353: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19356: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19358: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19361: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_struct_utmp_ut_type=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_struct_utmp_ut_type=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_utmp_ut_type=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_type_struct_utmp_ut_type" 1>&6
+echo "$as_me:19371: result: $ac_cv_type_struct_utmp_ut_type" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_type" >&6
 if test "$ac_cv_type_struct_utmp_ut_type" = yes; then
-	
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_UTMP_UT_TYPE 1
 EOF
 
-	
 fi
 
-
-
-
-echo $ac_n "checking for ut_user in struct utmp""... $ac_c" 1>&6
-echo "configure:10817: checking for ut_user in struct utmp" >&5
-if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_user'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19381: checking for ut_user in struct utmp" >&5
+echo $ECHO_N "checking for ut_user in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_user+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10823 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 19388 "configure"
 #include "confdefs.h"
 #include <utmp.h>
-int main() {
+int
+main ()
+{
 struct utmp x; x.ut_user;
-; return 0; }
-EOF
-if { (eval echo configure:10830: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19400: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19403: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19405: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19408: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_struct_utmp_ut_user=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_struct_utmp_ut_user=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_utmp_ut_user=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_type_struct_utmp_ut_user" 1>&6
+echo "$as_me:19418: result: $ac_cv_type_struct_utmp_ut_user" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_user" >&6
 if test "$ac_cv_type_struct_utmp_ut_user" = yes; then
-	
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_UTMP_UT_USER 1
 EOF
 
-	
 fi
 
-
-
-
-echo $ac_n "checking for ut_exit in struct utmpx""... $ac_c" 1>&6
-echo "configure:10856: checking for ut_exit in struct utmpx" >&5
-if eval "test \"`echo '$''{'ac_cv_type_struct_utmpx_ut_exit'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19428: checking for ut_exit in struct utmpx" >&5
+echo $ECHO_N "checking for ut_exit in struct utmpx... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmpx_ut_exit+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10862 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 19435 "configure"
 #include "confdefs.h"
 #include <utmpx.h>
-int main() {
+int
+main ()
+{
 struct utmpx x; x.ut_exit;
-; return 0; }
-EOF
-if { (eval echo configure:10869: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19447: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19450: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19452: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19455: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_struct_utmpx_ut_exit=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_struct_utmpx_ut_exit=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_utmpx_ut_exit=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_type_struct_utmpx_ut_exit" 1>&6
+echo "$as_me:19465: result: $ac_cv_type_struct_utmpx_ut_exit" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmpx_ut_exit" >&6
 if test "$ac_cv_type_struct_utmpx_ut_exit" = yes; then
-	
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_UTMPX_UT_EXIT 1
 EOF
 
-	
 fi
 
-
-
-
-echo $ac_n "checking for ut_syslen in struct utmpx""... $ac_c" 1>&6
-echo "configure:10895: checking for ut_syslen in struct utmpx" >&5
-if eval "test \"`echo '$''{'ac_cv_type_struct_utmpx_ut_syslen'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19475: checking for ut_syslen in struct utmpx" >&5
+echo $ECHO_N "checking for ut_syslen in struct utmpx... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmpx_ut_syslen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10901 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 19482 "configure"
 #include "confdefs.h"
 #include <utmpx.h>
-int main() {
+int
+main ()
+{
 struct utmpx x; x.ut_syslen;
-; return 0; }
-EOF
-if { (eval echo configure:10908: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19494: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19497: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19499: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19502: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_struct_utmpx_ut_syslen=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_struct_utmpx_ut_syslen=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_utmpx_ut_syslen=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_type_struct_utmpx_ut_syslen" 1>&6
+echo "$as_me:19512: result: $ac_cv_type_struct_utmpx_ut_syslen" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmpx_ut_syslen" >&6
 if test "$ac_cv_type_struct_utmpx_ut_syslen" = yes; then
-	
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_UTMPX_UT_SYSLEN 1
 EOF
 
-	
 fi
 
-
-
-
-
-
-echo $ac_n "checking for tm_gmtoff in struct tm""... $ac_c" 1>&6
-echo "configure:10936: checking for tm_gmtoff in struct tm" >&5
-if eval "test \"`echo '$''{'ac_cv_type_struct_tm_tm_gmtoff'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19522: checking for tm_gmtoff in struct tm" >&5
+echo $ECHO_N "checking for tm_gmtoff in struct tm... $ECHO_C" >&6
+if test "${ac_cv_type_struct_tm_tm_gmtoff+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10942 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 19529 "configure"
 #include "confdefs.h"
 #include <time.h>
-int main() {
+int
+main ()
+{
 struct tm x; x.tm_gmtoff;
-; return 0; }
-EOF
-if { (eval echo configure:10949: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19541: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19544: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19546: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19549: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_struct_tm_tm_gmtoff=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_struct_tm_tm_gmtoff=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_tm_tm_gmtoff=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_type_struct_tm_tm_gmtoff" 1>&6
+echo "$as_me:19559: result: $ac_cv_type_struct_tm_tm_gmtoff" >&5
+echo "${ECHO_T}$ac_cv_type_struct_tm_tm_gmtoff" >&6
 if test "$ac_cv_type_struct_tm_tm_gmtoff" = yes; then
-	
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_TM_TM_GMTOFF 1
 EOF
 
-	
 fi
 
-
-
-
-echo $ac_n "checking for tm_zone in struct tm""... $ac_c" 1>&6
-echo "configure:10975: checking for tm_zone in struct tm" >&5
-if eval "test \"`echo '$''{'ac_cv_type_struct_tm_tm_zone'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19569: checking for tm_zone in struct tm" >&5
+echo $ECHO_N "checking for tm_zone in struct tm... $ECHO_C" >&6
+if test "${ac_cv_type_struct_tm_tm_zone+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 10981 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 19576 "configure"
 #include "confdefs.h"
 #include <time.h>
-int main() {
+int
+main ()
+{
 struct tm x; x.tm_zone;
-; return 0; }
-EOF
-if { (eval echo configure:10988: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19588: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19591: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19593: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19596: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_struct_tm_tm_zone=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_struct_tm_tm_zone=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_tm_tm_zone=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_type_struct_tm_tm_zone" 1>&6
+echo "$as_me:19606: result: $ac_cv_type_struct_tm_tm_zone" >&5
+echo "${ECHO_T}$ac_cv_type_struct_tm_tm_zone" >&6
 if test "$ac_cv_type_struct_tm_tm_zone" = yes; then
-	
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_TM_TM_ZONE 1
 EOF
 
-	
 fi
 
-
-
-
-
-echo $ac_n "checking for timezone""... $ac_c" 1>&6
-echo "configure:11015: checking for timezone" >&5
-if eval "test \"`echo '$''{'ac_cv_var_timezone'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19616: checking for timezone" >&5
+echo $ECHO_N "checking for timezone... $ECHO_C" >&6
+if test "${ac_cv_var_timezone+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 11021 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 19623 "configure"
 #include "confdefs.h"
 extern int timezone;
 int foo() { return timezone; }
-int main() {
+int
+main ()
+{
 foo()
-; return 0; }
-EOF
-if { (eval echo configure:11029: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:19636: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:19639: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19641: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:19644: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_var_timezone=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_var_timezone=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_var_timezone=no
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 
 fi
 
+ac_foo=`eval echo \\$ac_cv_var_timezone`
+echo "$as_me:19657: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
 
-
-echo "$ac_t""`eval echo \\$ac_cv_var_timezone`" 1>&6
-if test `eval echo \\$ac_cv_var_timezone` = yes; then
-	cat >> confdefs.h <<EOF
+cat >>confdefs.h <<EOF
 #define HAVE_TIMEZONE 1
 EOF
 
-	
-echo $ac_n "checking if timezone is properly declared""... $ac_c" 1>&6
-echo "configure:11052: checking if timezone is properly declared" >&5
-if eval "test \"`echo '$''{'ac_cv_var_timezone_declaration'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19665: checking if timezone is properly declared" >&5
+echo $ECHO_N "checking if timezone is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_timezone_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 11058 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 19672 "configure"
 #include "confdefs.h"
 #include <time.h>
 extern struct { int foo; } timezone;
-int main() {
+int
+main ()
+{
 timezone.foo = 1;
-; return 0; }
-EOF
-if { (eval echo configure:11066: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19685: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19688: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19690: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19693: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "ac_cv_var_timezone_declaration=no"
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_var_timezone_declaration=yes"
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_var_timezone_declaration=yes"
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 
 fi
 
-
-
-
-echo "$ac_t""$ac_cv_var_timezone_declaration" 1>&6
+echo "$as_me:19705: result: $ac_cv_var_timezone_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_timezone_declaration" >&6
 if eval "test \"\$ac_cv_var_timezone_declaration\" = yes"; then
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_TIMEZONE_DECLARATION 1
 EOF
 
 fi
 
-
 fi
 
-
-
-
-
 cv=`echo "sa_family_t" | sed 'y%./+- %__p__%'`
-echo $ac_n "checking for sa_family_t""... $ac_c" 1>&6
-echo "configure:11099: checking for sa_family_t" >&5
-if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19718: checking for sa_family_t" >&5
+echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 11104 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19724 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #if STDC_HEADERS
@@ -11108,46 +19729,104 @@ else
 #include <stddef.h>
 #endif
 #include <sys/socket.h>
-int main() {
+int
+main ()
+{
 sa_family_t foo;
-; return 0; }
-EOF
-if { (eval echo configure:11116: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19741: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19744: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19746: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19749: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "ac_cv_type_$cv=yes"
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_type_$cv=no"
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
-if test `eval echo \\$ac_cv_type_$cv` = yes; then
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:19760: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo sa_family_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:19765: checking for sa_family_t" >&5
+echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6
+if test "${ac_cv_type_sa_family_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19771 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((sa_family_t *) 0)
+  return 0;
+if (sizeof (sa_family_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19786: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19789: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19791: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19794: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_sa_family_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_sa_family_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:19804: result: $ac_cv_type_sa_family_t" >&5
+echo "${ECHO_T}$ac_cv_type_sa_family_t" >&6
+if test $ac_cv_type_sa_family_t = yes; then
 
-: << END
-@@@funcs="$funcs sa_family_t"@@@
-END
-
-  cat >> confdefs.h <<EOF
-#define $ac_tr_hdr 1
+cat >>confdefs.h <<EOF
+#define HAVE_SA_FAMILY_T 1
 EOF
 
 fi
 
+fi
 
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
 
+fi
 
 cv=`echo "socklen_t" | sed 'y%./+- %__p__%'`
-echo $ac_n "checking for socklen_t""... $ac_c" 1>&6
-echo "configure:11146: checking for socklen_t" >&5
-if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19823: checking for socklen_t" >&5
+echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 11151 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19829 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #if STDC_HEADERS
@@ -11155,46 +19834,104 @@ else
 #include <stddef.h>
 #endif
 #include <sys/socket.h>
-int main() {
+int
+main ()
+{
 socklen_t foo;
-; return 0; }
-EOF
-if { (eval echo configure:11163: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19846: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19849: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19851: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19854: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "ac_cv_type_$cv=yes"
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_type_$cv=no"
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
-if test `eval echo \\$ac_cv_type_$cv` = yes; then
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:19865: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo socklen_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:19870: checking for socklen_t" >&5
+echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
+if test "${ac_cv_type_socklen_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19876 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((socklen_t *) 0)
+  return 0;
+if (sizeof (socklen_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19891: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19894: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19896: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19899: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_socklen_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_socklen_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:19909: result: $ac_cv_type_socklen_t" >&5
+echo "${ECHO_T}$ac_cv_type_socklen_t" >&6
+if test $ac_cv_type_socklen_t = yes; then
 
-: << END
-@@@funcs="$funcs socklen_t"@@@
-END
-
-  cat >> confdefs.h <<EOF
-#define $ac_tr_hdr 1
+cat >>confdefs.h <<EOF
+#define HAVE_SOCKLEN_T 1
 EOF
 
 fi
 
+fi
 
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
 
+fi
 
 cv=`echo "struct sockaddr" | sed 'y%./+- %__p__%'`
-echo $ac_n "checking for struct sockaddr""... $ac_c" 1>&6
-echo "configure:11193: checking for struct sockaddr" >&5
-if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:19928: checking for struct sockaddr" >&5
+echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 11198 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19934 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #if STDC_HEADERS
@@ -11202,46 +19939,104 @@ else
 #include <stddef.h>
 #endif
 #include <sys/socket.h>
-int main() {
+int
+main ()
+{
 struct sockaddr foo;
-; return 0; }
-EOF
-if { (eval echo configure:11210: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19951: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19954: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:19956: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:19959: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "ac_cv_type_$cv=yes"
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_type_$cv=no"
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
-if test `eval echo \\$ac_cv_type_$cv` = yes; then
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:19970: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo struct sockaddr | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:19975: checking for struct sockaddr" >&5
+echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19981 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct sockaddr *) 0)
+  return 0;
+if (sizeof (struct sockaddr))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:19996: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:19999: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20001: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:20004: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_struct_sockaddr=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_sockaddr=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:20014: result: $ac_cv_type_struct_sockaddr" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr" >&6
+if test $ac_cv_type_struct_sockaddr = yes; then
 
-: << END
-@@@funcs="$funcs struct_sockaddr"@@@
-END
-
-  cat >> confdefs.h <<EOF
-#define $ac_tr_hdr 1
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_SOCKADDR 1
 EOF
 
 fi
 
+fi
 
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
 
+fi
 
 cv=`echo "struct sockaddr_storage" | sed 'y%./+- %__p__%'`
-echo $ac_n "checking for struct sockaddr_storage""... $ac_c" 1>&6
-echo "configure:11240: checking for struct sockaddr_storage" >&5
-if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:20033: checking for struct sockaddr_storage" >&5
+echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 11245 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 20039 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #if STDC_HEADERS
@@ -11249,46 +20044,104 @@ else
 #include <stddef.h>
 #endif
 #include <sys/socket.h>
-int main() {
+int
+main ()
+{
 struct sockaddr_storage foo;
-; return 0; }
-EOF
-if { (eval echo configure:11257: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:20056: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:20059: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20061: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:20064: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "ac_cv_type_$cv=yes"
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_type_$cv=no"
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
-if test `eval echo \\$ac_cv_type_$cv` = yes; then
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:20075: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo struct sockaddr_storage | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:20080: checking for struct sockaddr_storage" >&5
+echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr_storage+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 20086 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct sockaddr_storage *) 0)
+  return 0;
+if (sizeof (struct sockaddr_storage))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:20101: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:20104: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20106: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:20109: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_struct_sockaddr_storage=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_sockaddr_storage=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:20119: result: $ac_cv_type_struct_sockaddr_storage" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr_storage" >&6
+if test $ac_cv_type_struct_sockaddr_storage = yes; then
 
-: << END
-@@@funcs="$funcs struct_sockaddr_storage"@@@
-END
-
-  cat >> confdefs.h <<EOF
-#define $ac_tr_hdr 1
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_SOCKADDR_STORAGE 1
 EOF
 
 fi
 
+fi
 
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
 
+fi
 
 cv=`echo "struct addrinfo" | sed 'y%./+- %__p__%'`
-echo $ac_n "checking for struct addrinfo""... $ac_c" 1>&6
-echo "configure:11287: checking for struct addrinfo" >&5
-if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:20138: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 11292 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 20144 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #if STDC_HEADERS
@@ -11296,54 +20149,112 @@ else
 #include <stddef.h>
 #endif
 #include <netdb.h>
-int main() {
+int
+main ()
+{
 struct addrinfo foo;
-; return 0; }
-EOF
-if { (eval echo configure:11304: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:20161: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:20164: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20166: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:20169: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "ac_cv_type_$cv=yes"
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval "ac_cv_type_$cv=no"
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
-if test `eval echo \\$ac_cv_type_$cv` = yes; then
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:20180: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo struct addrinfo | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:20185: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
+if test "${ac_cv_type_struct_addrinfo+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 20191 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct addrinfo *) 0)
+  return 0;
+if (sizeof (struct addrinfo))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:20206: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:20209: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20211: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:20214: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_type_struct_addrinfo=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_addrinfo=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:20224: result: $ac_cv_type_struct_addrinfo" >&5
+echo "${ECHO_T}$ac_cv_type_struct_addrinfo" >&6
+if test $ac_cv_type_struct_addrinfo = yes; then
 
-: << END
-@@@funcs="$funcs struct_addrinfo"@@@
-END
-
-  cat >> confdefs.h <<EOF
-#define $ac_tr_hdr 1
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_ADDRINFO 1
 EOF
 
 fi
 
+fi
 
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
 
+fi
 
-echo $ac_n "checking for struct winsize""... $ac_c" 1>&6
-echo "configure:11333: checking for struct winsize" >&5
-if eval "test \"`echo '$''{'ac_cv_struct_winsize'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:20242: checking for struct winsize" >&5
+echo $ECHO_N "checking for struct winsize... $ECHO_C" >&6
+if test "${ac_cv_struct_winsize+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 ac_cv_struct_winsize=no
 for i in sys/termios.h sys/ioctl.h; do
-cat > conftest.$ac_ext <<EOF
-#line 11341 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 20251 "configure"
 #include "confdefs.h"
 #include <$i>
-EOF
+
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "struct[ 	]*winsize" >/dev/null 2>&1; then
-  rm -rf conftest*
   ac_cv_struct_winsize=yes; break
 fi
 rm -f conftest*
@@ -11352,139 +20263,158 @@ done
 fi
 
 if test "$ac_cv_struct_winsize" = "yes"; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_WINSIZE 1
 EOF
 
 fi
-echo "$ac_t""$ac_cv_struct_winsize" 1>&6
-cat > conftest.$ac_ext <<EOF
-#line 11363 "configure"
+echo "$as_me:20272: result: $ac_cv_struct_winsize" >&5
+echo "${ECHO_T}$ac_cv_struct_winsize" >&6
+cat >conftest.$ac_ext <<_ACEOF
+#line 20275 "configure"
 #include "confdefs.h"
 #include <termios.h>
-EOF
+
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "ws_xpixel" >/dev/null 2>&1; then
-  rm -rf conftest*
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_WS_XPIXEL 1
 EOF
 
 fi
 rm -f conftest*
 
-cat > conftest.$ac_ext <<EOF
-#line 11378 "configure"
+cat >conftest.$ac_ext <<_ACEOF
+#line 20291 "configure"
 #include "confdefs.h"
 #include <termios.h>
-EOF
+
+_ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "ws_ypixel" >/dev/null 2>&1; then
-  rm -rf conftest*
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_WS_YPIXEL 1
 EOF
 
 fi
 rm -f conftest*
 
-
-
-
-
-echo $ac_n "checking for struct spwd""... $ac_c" 1>&6
-echo "configure:11397: checking for struct spwd" >&5
-if eval "test \"`echo '$''{'ac_cv_struct_spwd'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:20306: checking for struct spwd" >&5
+echo $ECHO_N "checking for struct spwd... $ECHO_C" >&6
+if test "${ac_cv_struct_spwd+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 11403 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 20313 "configure"
 #include "confdefs.h"
 #include <pwd.h>
 #ifdef HAVE_SHADOW_H
 #include <shadow.h>
 #endif
-int main() {
+int
+main ()
+{
 struct spwd foo;
-; return 0; }
-EOF
-if { (eval echo configure:11413: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:20328: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:20331: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20333: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:20336: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_struct_spwd=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_struct_spwd=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_struct_spwd=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 
 fi
 
-echo "$ac_t""$ac_cv_struct_spwd" 1>&6
+echo "$as_me:20348: result: $ac_cv_struct_spwd" >&5
+echo "${ECHO_T}$ac_cv_struct_spwd" >&6
 
 if test "$ac_cv_struct_spwd" = "yes"; then
-  cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_SPWD 1
 EOF
 
 fi
 
-
-
-
-
-echo $ac_n "checking for sa_len in struct sockaddr""... $ac_c" 1>&6
-echo "configure:11440: checking for sa_len in struct sockaddr" >&5
-if eval "test \"`echo '$''{'ac_cv_type_struct_sockaddr_sa_len'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:20359: checking for sa_len in struct sockaddr" >&5
+echo $ECHO_N "checking for sa_len in struct sockaddr... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr_sa_len+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-cat > conftest.$ac_ext <<EOF
-#line 11446 "configure"
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 20366 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #include <sys/socket.h>
-int main() {
+int
+main ()
+{
 struct sockaddr x; x.sa_len;
-; return 0; }
-EOF
-if { (eval echo configure:11454: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:20379: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:20382: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20384: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:20387: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_type_struct_sockaddr_sa_len=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_type_struct_sockaddr_sa_len=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_type_struct_sockaddr_sa_len=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_type_struct_sockaddr_sa_len" 1>&6
+echo "$as_me:20397: result: $ac_cv_type_struct_sockaddr_sa_len" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr_sa_len" >&6
 if test "$ac_cv_type_struct_sockaddr_sa_len" = yes; then
-	
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_SOCKADDR_SA_LEN 1
 EOF
 
-	
 fi
 
+for i in int8_t int16_t int32_t int64_t \
+	u_int8_t u_int16_t u_int32_t u_int64_t \
+	uint8_t uint16_t uint32_t uint64_t; do
+	echo "$as_me:20410: checking for $i" >&5
+echo $ECHO_N "checking for $i... $ECHO_C" >&6
 
-
-
-
-for i in int8_t int16_t int32_t int64_t; do
-	echo $ac_n "checking for $i""... $ac_c" 1>&6
-echo "configure:11482: checking for $i" >&5
-	
-if eval "test \"`echo '$''{'ac_cv_type_$i'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+if eval "test \"\${ac_cv_type_$i+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat > conftest.$ac_ext <<EOF
-#line 11488 "configure"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 20417 "configure"
 #include "confdefs.h"
 
 #ifdef HAVE_INTTYPES_H
@@ -11503,226 +20433,225 @@ else
 #include <netinet/in6_machtypes.h>
 #endif
 
-int main() {
+int
+main ()
+{
 $i x;
 
-; return 0; }
-EOF
-if { (eval echo configure:11512: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:20446: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:20449: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20451: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:20454: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval ac_cv_type_$i=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval ac_cv_type_$i=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval ac_cv_type_$i=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
 
 	eval ac_res=\$ac_cv_type_$i
 	if test "$ac_res" = yes; then
 		type=HAVE_`echo $i | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-		cat >> confdefs.h <<EOF
+		cat >>confdefs.h <<EOF
 #define $type 1
 EOF
 
 	fi
-	echo "$ac_t""$ac_res" 1>&6
+	echo "$as_me:20473: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6
 done
 
+for ac_header in 				\
+	openssl/md4.h				\
+	openssl/md5.h				\
+	openssl/sha.h				\
+	openssl/des.h				\
+	openssl/rc4.h				\
 
-for i in u_int8_t u_int16_t u_int32_t u_int64_t; do
-	echo $ac_n "checking for $i""... $ac_c" 1>&6
-echo "configure:11538: checking for $i" >&5
-	
-if eval "test \"`echo '$''{'ac_cv_type_$i'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 11544 "configure"
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+echo "$as_me:20486: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 20492 "configure"
 #include "confdefs.h"
-
-#ifdef HAVE_INTTYPES_H
-#include <inttypes.h>
-#endif
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_BITYPES_H
-#include <sys/bitypes.h>
-#endif
-#ifdef HAVE_BIND_BITYPES_H
-#include <bind/bitypes.h>
-#endif
-#ifdef HAVE_NETINET_IN6_MACHTYPES_H
-#include <netinet/in6_machtypes.h>
-#endif
-
-int main() {
-$i x;
-
-; return 0; }
-EOF
-if { (eval echo configure:11568: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
-  eval ac_cv_type_$i=yes
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:20496: \"$ac_cpp conftest.$ac_ext >/dev/null\"") >&5
+  (eval $ac_cpp conftest.$ac_ext >/dev/null) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:20502: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
 else
-  echo "configure: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
   cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  eval ac_cv_type_$i=no
+  eval "$ac_ac_Header=no"
 fi
-rm -f conftest*
+rm -f conftest.err conftest.$ac_ext
 fi
-
-	eval ac_res=\$ac_cv_type_$i
-	if test "$ac_res" = yes; then
-		type=HAVE_`echo $i | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
-		cat >> confdefs.h <<EOF
-#define $type 1
+echo "$as_me:20521: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
 EOF
 
-	fi
-	echo "$ac_t""$ac_res" 1>&6
+fi
 done
 
-
-
-
-
-
-echo $ac_n "checking for MD4Init""... $ac_c" 1>&6
-echo "configure:11597: checking for MD4Init" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_MD4Init'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:20531: checking for MD4_Init" >&5
+echo $ECHO_N "checking for MD4_Init... $ECHO_C" >&6
+if test "${ac_cv_funclib_MD4_Init+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-if eval "test \"\$ac_cv_func_MD4Init\" != yes" ; then
+
+if eval "test \"\$ac_cv_func_MD4_Init\" != yes" ; then
 	ac_save_LIBS="$LIBS"
-	for ac_lib in "" crypto; do
-		if test -n "$ac_lib"; then 
+	for ac_lib in crypto des; do
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 11612 "configure"
+		LIBS="$LIB_krb4 $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 20547 "configure"
 #include "confdefs.h"
 
-int main() {
-MD4Init()
-; return 0; }
-EOF
-if { (eval echo configure:11619: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD4Init=$ac_lib; else ac_cv_funclib_MD4Init=yes; fi";break
+int
+main ()
+{
+MD4_Init()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:20559: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:20562: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20564: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:20567: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD4_Init=$ac_lib; else ac_cv_funclib_MD4_Init=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
-	eval "ac_cv_funclib_MD4Init=\${ac_cv_funclib_MD4Init-no}"
+	eval "ac_cv_funclib_MD4_Init=\${ac_cv_funclib_MD4_Init-no}"
 	LIBS="$ac_save_LIBS"
 fi
 
 fi
 
+eval "ac_res=\$ac_cv_funclib_MD4_Init"
 
-eval "ac_res=\$ac_cv_funclib_MD4Init"
-
-: << END
-@@@funcs="$funcs MD4Init"@@@
-@@@libs="$libs "" crypto"@@@
-END
-
-# MD4Init
-eval "ac_tr_func=HAVE_`echo MD4Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_MD4Init=$ac_res"
+if false; then
 
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_MD4Init=yes"
-	eval "LIB_MD4Init="
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
+for ac_func in MD4_Init
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:20589: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 20595 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
-	echo "$ac_t""yes" 1>&6
-	;;
-	no)
-	eval "ac_cv_func_MD4Init=no"
-	eval "LIB_MD4Init="
-	echo "$ac_t""no" 1>&6
-	;;
-	*)
-	eval "ac_cv_func_MD4Init=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
 
-	cat >> confdefs.h <<EOF
-#define $ac_tr_lib 1
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:20626: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:20629: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20631: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:20634: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:20644: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
-	;;
-esac
-
-
-
-
-
-echo $ac_n "checking for MD4_Init""... $ac_c" 1>&6
-echo "configure:11682: checking for MD4_Init" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_MD4_Init'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-if eval "test \"\$ac_cv_func_MD4_Init\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" crypto; do
-		if test -n "$ac_lib"; then 
-			ac_lib="-l$ac_lib"
-		else
-			ac_lib=""
-		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 11697 "configure"
-#include "confdefs.h"
-
-int main() {
-MD4_Init()
-; return 0; }
-EOF
-if { (eval echo configure:11704: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD4_Init=$ac_lib; else ac_cv_funclib_MD4_Init=yes; fi";break
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-fi
-rm -f conftest*
-	done
-	eval "ac_cv_funclib_MD4_Init=\${ac_cv_funclib_MD4_Init-no}"
-	LIBS="$ac_save_LIBS"
 fi
+done
 
 fi
-
-
-eval "ac_res=\$ac_cv_funclib_MD4_Init"
-
-: << END
-@@@funcs="$funcs MD4_Init"@@@
-@@@libs="$libs "" crypto"@@@
-END
-
 # MD4_Init
 eval "ac_tr_func=HAVE_`echo MD4_Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -11732,167 +20661,159 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_MD4_Init=yes"
 	eval "LIB_MD4_Init="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:20668: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_MD4_Init=no"
 	eval "LIB_MD4_Init="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:20674: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_MD4_Init=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:20688: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
-
-
-
-echo $ac_n "checking for MD5Init""... $ac_c" 1>&6
-echo "configure:11767: checking for MD5Init" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_MD5Init'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:20693: checking for MD5_Init" >&5
+echo $ECHO_N "checking for MD5_Init... $ECHO_C" >&6
+if test "${ac_cv_funclib_MD5_Init+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-if eval "test \"\$ac_cv_func_MD5Init\" != yes" ; then
+
+if eval "test \"\$ac_cv_func_MD5_Init\" != yes" ; then
 	ac_save_LIBS="$LIBS"
-	for ac_lib in "" crypto; do
-		if test -n "$ac_lib"; then 
+	for ac_lib in crypto des; do
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 11782 "configure"
+		LIBS="$LIB_krb4 $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 20709 "configure"
 #include "confdefs.h"
 
-int main() {
-MD5Init()
-; return 0; }
-EOF
-if { (eval echo configure:11789: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD5Init=$ac_lib; else ac_cv_funclib_MD5Init=yes; fi";break
+int
+main ()
+{
+MD5_Init()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:20721: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:20724: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20726: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:20729: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD5_Init=$ac_lib; else ac_cv_funclib_MD5_Init=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
-	eval "ac_cv_funclib_MD5Init=\${ac_cv_funclib_MD5Init-no}"
+	eval "ac_cv_funclib_MD5_Init=\${ac_cv_funclib_MD5_Init-no}"
 	LIBS="$ac_save_LIBS"
 fi
 
 fi
 
+eval "ac_res=\$ac_cv_funclib_MD5_Init"
 
-eval "ac_res=\$ac_cv_funclib_MD5Init"
-
-: << END
-@@@funcs="$funcs MD5Init"@@@
-@@@libs="$libs "" crypto"@@@
-END
-
-# MD5Init
-eval "ac_tr_func=HAVE_`echo MD5Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_MD5Init=$ac_res"
+if false; then
 
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_MD5Init=yes"
-	eval "LIB_MD5Init="
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
+for ac_func in MD5_Init
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:20751: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 20757 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
-	echo "$ac_t""yes" 1>&6
-	;;
-	no)
-	eval "ac_cv_func_MD5Init=no"
-	eval "LIB_MD5Init="
-	echo "$ac_t""no" 1>&6
-	;;
-	*)
-	eval "ac_cv_func_MD5Init=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
 
-	cat >> confdefs.h <<EOF
-#define $ac_tr_lib 1
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:20788: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:20791: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20793: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:20796: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:20806: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
-	;;
-esac
-
-
-
-
-
-echo $ac_n "checking for MD5_Init""... $ac_c" 1>&6
-echo "configure:11852: checking for MD5_Init" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_MD5_Init'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  
-if eval "test \"\$ac_cv_func_MD5_Init\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" crypto; do
-		if test -n "$ac_lib"; then 
-			ac_lib="-l$ac_lib"
-		else
-			ac_lib=""
-		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 11867 "configure"
-#include "confdefs.h"
-
-int main() {
-MD5_Init()
-; return 0; }
-EOF
-if { (eval echo configure:11874: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD5_Init=$ac_lib; else ac_cv_funclib_MD5_Init=yes; fi";break
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-fi
-rm -f conftest*
-	done
-	eval "ac_cv_funclib_MD5_Init=\${ac_cv_funclib_MD5_Init-no}"
-	LIBS="$ac_save_LIBS"
 fi
+done
 
 fi
-
-
-eval "ac_res=\$ac_cv_funclib_MD5_Init"
-
-: << END
-@@@funcs="$funcs MD5_Init"@@@
-@@@libs="$libs "" crypto"@@@
-END
-
 # MD5_Init
 eval "ac_tr_func=HAVE_`echo MD5_Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -11902,325 +20823,579 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_MD5_Init=yes"
 	eval "LIB_MD5_Init="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:20830: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_MD5_Init=no"
 	eval "LIB_MD5_Init="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:20836: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_MD5_Init=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:20850: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
-
-
-
-echo $ac_n "checking for SHA1Init""... $ac_c" 1>&6
-echo "configure:11937: checking for SHA1Init" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_SHA1Init'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:20855: checking for SHA1_Init" >&5
+echo $ECHO_N "checking for SHA1_Init... $ECHO_C" >&6
+if test "${ac_cv_funclib_SHA1_Init+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-if eval "test \"\$ac_cv_func_SHA1Init\" != yes" ; then
+
+if eval "test \"\$ac_cv_func_SHA1_Init\" != yes" ; then
 	ac_save_LIBS="$LIBS"
-	for ac_lib in "" crypto; do
-		if test -n "$ac_lib"; then 
+	for ac_lib in crypto des; do
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 11952 "configure"
+		LIBS="$LIB_krb4 $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 20871 "configure"
 #include "confdefs.h"
 
-int main() {
-SHA1Init()
-; return 0; }
-EOF
-if { (eval echo configure:11959: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_SHA1Init=$ac_lib; else ac_cv_funclib_SHA1Init=yes; fi";break
+int
+main ()
+{
+SHA1_Init()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:20883: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:20886: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20888: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:20891: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_SHA1_Init=$ac_lib; else ac_cv_funclib_SHA1_Init=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
-	eval "ac_cv_funclib_SHA1Init=\${ac_cv_funclib_SHA1Init-no}"
+	eval "ac_cv_funclib_SHA1_Init=\${ac_cv_funclib_SHA1_Init-no}"
 	LIBS="$ac_save_LIBS"
 fi
 
 fi
 
+eval "ac_res=\$ac_cv_funclib_SHA1_Init"
 
-eval "ac_res=\$ac_cv_funclib_SHA1Init"
+if false; then
 
-: << END
-@@@funcs="$funcs SHA1Init"@@@
-@@@libs="$libs "" crypto"@@@
-END
+for ac_func in SHA1_Init
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:20913: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 20919 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:20950: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:20953: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:20955: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:20958: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:20968: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
 
-# SHA1Init
-eval "ac_tr_func=HAVE_`echo SHA1Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+fi
+done
+
+fi
+# SHA1_Init
+eval "ac_tr_func=HAVE_`echo SHA1_Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_SHA1Init=$ac_res"
+eval "LIB_SHA1_Init=$ac_res"
 
 case "$ac_res" in
 	yes)
-	eval "ac_cv_func_SHA1Init=yes"
-	eval "LIB_SHA1Init="
-	cat >> confdefs.h <<EOF
+	eval "ac_cv_func_SHA1_Init=yes"
+	eval "LIB_SHA1_Init="
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:20992: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
-	eval "ac_cv_func_SHA1Init=no"
-	eval "LIB_SHA1Init="
-	echo "$ac_t""no" 1>&6
+	eval "ac_cv_func_SHA1_Init=no"
+	eval "LIB_SHA1_Init="
+	echo "$as_me:20998: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
-	eval "ac_cv_func_SHA1Init=yes"
+	eval "ac_cv_func_SHA1_Init=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:21012: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
-
-
-
-echo $ac_n "checking for SHA1_Init""... $ac_c" 1>&6
-echo "configure:12022: checking for SHA1_Init" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_SHA1_Init'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:21017: checking for des_cbc_encrypt" >&5
+echo $ECHO_N "checking for des_cbc_encrypt... $ECHO_C" >&6
+if test "${ac_cv_funclib_des_cbc_encrypt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-if eval "test \"\$ac_cv_func_SHA1_Init\" != yes" ; then
+
+if eval "test \"\$ac_cv_func_des_cbc_encrypt\" != yes" ; then
 	ac_save_LIBS="$LIBS"
-	for ac_lib in "" crypto; do
-		if test -n "$ac_lib"; then 
+	for ac_lib in crypto des; do
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 12037 "configure"
+		LIBS="$LIB_krb4 $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 21033 "configure"
 #include "confdefs.h"
 
-int main() {
-SHA1_Init()
-; return 0; }
-EOF
-if { (eval echo configure:12044: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_SHA1_Init=$ac_lib; else ac_cv_funclib_SHA1_Init=yes; fi";break
+int
+main ()
+{
+des_cbc_encrypt()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:21045: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:21048: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:21050: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:21053: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_des_cbc_encrypt=$ac_lib; else ac_cv_funclib_des_cbc_encrypt=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
-	eval "ac_cv_funclib_SHA1_Init=\${ac_cv_funclib_SHA1_Init-no}"
+	eval "ac_cv_funclib_des_cbc_encrypt=\${ac_cv_funclib_des_cbc_encrypt-no}"
 	LIBS="$ac_save_LIBS"
 fi
 
 fi
 
+eval "ac_res=\$ac_cv_funclib_des_cbc_encrypt"
 
-eval "ac_res=\$ac_cv_funclib_SHA1_Init"
+if false; then
 
-: << END
-@@@funcs="$funcs SHA1_Init"@@@
-@@@libs="$libs "" crypto"@@@
-END
+for ac_func in des_cbc_encrypt
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:21075: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 21081 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
-# SHA1_Init
-eval "ac_tr_func=HAVE_`echo SHA1_Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:21112: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:21115: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:21117: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:21120: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:21130: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# des_cbc_encrypt
+eval "ac_tr_func=HAVE_`echo des_cbc_encrypt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_SHA1_Init=$ac_res"
+eval "LIB_des_cbc_encrypt=$ac_res"
 
 case "$ac_res" in
 	yes)
-	eval "ac_cv_func_SHA1_Init=yes"
-	eval "LIB_SHA1_Init="
-	cat >> confdefs.h <<EOF
+	eval "ac_cv_func_des_cbc_encrypt=yes"
+	eval "LIB_des_cbc_encrypt="
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:21154: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
-	eval "ac_cv_func_SHA1_Init=no"
-	eval "LIB_SHA1_Init="
-	echo "$ac_t""no" 1>&6
+	eval "ac_cv_func_des_cbc_encrypt=no"
+	eval "LIB_des_cbc_encrypt="
+	echo "$as_me:21160: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
-	eval "ac_cv_func_SHA1_Init=yes"
+	eval "ac_cv_func_des_cbc_encrypt=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:21174: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
-
-
-
-echo $ac_n "checking for des_cbc_encrypt""... $ac_c" 1>&6
-echo "configure:12107: checking for des_cbc_encrypt" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_des_cbc_encrypt'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:21179: checking for RC4" >&5
+echo $ECHO_N "checking for RC4... $ECHO_C" >&6
+if test "${ac_cv_funclib_RC4+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-if eval "test \"\$ac_cv_func_des_cbc_encrypt\" != yes" ; then
+
+if eval "test \"\$ac_cv_func_RC4\" != yes" ; then
 	ac_save_LIBS="$LIBS"
-	for ac_lib in "" crypto des; do
-		if test -n "$ac_lib"; then 
+	for ac_lib in crypto des; do
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 12122 "configure"
+		LIBS="$LIB_krb4 $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 21195 "configure"
 #include "confdefs.h"
 
-int main() {
-des_cbc_encrypt()
-; return 0; }
-EOF
-if { (eval echo configure:12129: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_des_cbc_encrypt=$ac_lib; else ac_cv_funclib_des_cbc_encrypt=yes; fi";break
-else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-fi
-rm -f conftest*
+int
+main ()
+{
+RC4()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:21207: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:21210: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:21212: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:21215: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_RC4=$ac_lib; else ac_cv_funclib_RC4=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
-	eval "ac_cv_funclib_des_cbc_encrypt=\${ac_cv_funclib_des_cbc_encrypt-no}"
+	eval "ac_cv_funclib_RC4=\${ac_cv_funclib_RC4-no}"
 	LIBS="$ac_save_LIBS"
 fi
 
 fi
 
+eval "ac_res=\$ac_cv_funclib_RC4"
 
-eval "ac_res=\$ac_cv_funclib_des_cbc_encrypt"
+if false; then
 
-: << END
-@@@funcs="$funcs des_cbc_encrypt"@@@
-@@@libs="$libs "" crypto des"@@@
-END
+for ac_func in RC4
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:21237: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 21243 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 
-# des_cbc_encrypt
-eval "ac_tr_func=HAVE_`echo des_cbc_encrypt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:21274: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:21277: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:21279: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:21282: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:21292: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# RC4
+eval "ac_tr_func=HAVE_`echo RC4 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_des_cbc_encrypt=$ac_res"
+eval "LIB_RC4=$ac_res"
 
 case "$ac_res" in
 	yes)
-	eval "ac_cv_func_des_cbc_encrypt=yes"
-	eval "LIB_des_cbc_encrypt="
-	cat >> confdefs.h <<EOF
+	eval "ac_cv_func_RC4=yes"
+	eval "LIB_RC4="
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:21316: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
-	eval "ac_cv_func_des_cbc_encrypt=no"
-	eval "LIB_des_cbc_encrypt="
-	echo "$ac_t""no" 1>&6
+	eval "ac_cv_func_RC4=no"
+	eval "LIB_RC4="
+	echo "$as_me:21322: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
-	eval "ac_cv_func_des_cbc_encrypt=yes"
+	eval "ac_cv_func_RC4=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:21336: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
+if test "$ac_cv_func_des_cbc_encrypt" = "yes" -a \
+"$ac_cv_func_MD4_Init"  = "yes" -a \
+"$ac_cv_func_MD5_Init"  = "yes" -a \
+"$ac_cv_func_SHA1_Init" = "yes" -a \
+"$ac_cv_func_RC4" = "yes"; then
+  DIR_des=''
+  LIB_des="-R $krb4_libdir -L$krb4_libdir $ac_cv_funclib_MD4_Init"
+  LIB_des_appl="$LIB_des"
+else
+  DIR_des='des'
+  LIB_des='$(top_builddir)/lib/des/libdes.la'
+  LIB_des_appl="-ldes"
+fi
 
-
-
-
-
-
-
-echo $ac_n "checking for el_init""... $ac_c" 1>&6
-echo "configure:12195: checking for el_init" >&5
-if eval "test \"`echo '$''{'ac_cv_funclib_el_init'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+echo "$as_me:21355: checking for el_init" >&5
+echo $ECHO_N "checking for el_init... $ECHO_C" >&6
+if test "${ac_cv_funclib_el_init+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
+
 if eval "test \"\$ac_cv_func_el_init\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" edit; do
-		if test -n "$ac_lib"; then 
+		if test -n "$ac_lib"; then
 			ac_lib="-l$ac_lib"
 		else
 			ac_lib=""
 		fi
 		LIBS=" $ac_lib $LIB_tgetent $ac_save_LIBS"
-		cat > conftest.$ac_ext <<EOF
-#line 12210 "configure"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 21371 "configure"
 #include "confdefs.h"
 
-int main() {
+int
+main ()
+{
 el_init()
-; return 0; }
-EOF
-if { (eval echo configure:12217: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:21383: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:21386: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:21388: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:21391: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_el_init=$ac_lib; else ac_cv_funclib_el_init=yes; fi";break
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
-rm -f conftest*
+rm -f conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_el_init=\${ac_cv_funclib_el_init-no}"
 	LIBS="$ac_save_LIBS"
@@ -12228,14 +21403,79 @@ fi
 
 fi
 
-
 eval "ac_res=\$ac_cv_funclib_el_init"
 
-: << END
-@@@funcs="$funcs el_init"@@@
-@@@libs="$libs "" edit"@@@
-END
+if false; then
+
+for ac_func in el_init
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:21413: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 21419 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:21450: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:21453: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:21455: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:21458: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:21468: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
 
+fi
+done
+
+fi
 # el_init
 eval "ac_tr_func=HAVE_`echo el_init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
 eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
@@ -12245,71 +21485,85 @@ case "$ac_res" in
 	yes)
 	eval "ac_cv_func_el_init=yes"
 	eval "LIB_el_init="
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	echo "$ac_t""yes" 1>&6
+	echo "$as_me:21492: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 	;;
 	no)
 	eval "ac_cv_func_el_init=no"
 	eval "LIB_el_init="
-	echo "$ac_t""no" 1>&6
+	echo "$as_me:21498: result: no" >&5
+echo "${ECHO_T}no" >&6
 	;;
 	*)
 	eval "ac_cv_func_el_init=yes"
 	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_func 1
 EOF
 
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $ac_tr_lib 1
 EOF
 
-	echo "$ac_t""yes, in $ac_res" 1>&6
+	echo "$as_me:21512: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
 	;;
 esac
 
-
 if test "$ac_cv_func_el_init" = yes ; then
-	echo $ac_n "checking for four argument el_init""... $ac_c" 1>&6
-echo "configure:12278: checking for four argument el_init" >&5
-if eval "test \"`echo '$''{'ac_cv_func_el_init_four'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
+	echo "$as_me:21518: checking for four argument el_init" >&5
+echo $ECHO_N "checking for four argument el_init... $ECHO_C" >&6
+if test "${ac_cv_func_el_init_four+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  
-		cat > conftest.$ac_ext <<EOF
-#line 12284 "configure"
+
+		cat >conftest.$ac_ext <<_ACEOF
+#line 21525 "configure"
 #include "confdefs.h"
 #include <stdio.h>
 			#include <histedit.h>
-int main() {
+int
+main ()
+{
 el_init("", NULL, NULL, NULL);
-; return 0; }
-EOF
-if { (eval echo configure:12292: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-  rm -rf conftest*
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:21538: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:21541: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:21543: \"test -s conftest.$ac_objext\"") >&5
+  (eval test -s conftest.$ac_objext) 2>&5
+  ac_status=$?
+  echo "$as_me:21546: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
   ac_cv_func_el_init_four=yes
 else
-  echo "configure: failed program was:" >&5
-  cat conftest.$ac_ext >&5
-  rm -rf conftest*
-  ac_cv_func_el_init_four=no
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_el_init_four=no
 fi
-rm -f conftest*
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-
-echo "$ac_t""$ac_cv_func_el_init_four" 1>&6
+echo "$as_me:21556: result: $ac_cv_func_el_init_four" >&5
+echo "${ECHO_T}$ac_cv_func_el_init_four" >&6
 	if test "$ac_cv_func_el_init_four" = yes; then
-		cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_FOUR_VALUED_EL_INIT 1
 EOF
 
 	fi
 fi
 
-
 ac_foo=no
 if test "$with_readline" = yes; then
 	:
@@ -12317,12 +21571,11 @@ elif test "$ac_cv_func_readline" = yes; then
 	:
 elif test "$ac_cv_func_el_init" = yes; then
 	ac_foo=yes
-	LIB_readline="\$(top_builddir)/lib/editline/libel_compat.a $LIB_el_init"
+	LIB_readline="\$(top_builddir)/lib/editline/libel_compat.la $LIB_el_init"
 else
-	LIB_readline='$(top_builddir)/lib/editline/libeditline.a'
+	LIB_readline='$(top_builddir)/lib/editline/libeditline.la'
 fi
 
-
 if test "$ac_foo" = yes; then
   el_compat_TRUE=
   el_compat_FALSE='#'
@@ -12334,28 +21587,33 @@ if test "$readline_libdir"; then
 	LIB_readline="-rpath $readline_libdir $LIB_readline"
 fi
 LIB_readline="$LIB_readline \$(LIB_tgetent)"
-cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define HAVE_READLINE 1
 EOF
 
-
-cat >> confdefs.h <<\EOF
+cat >>confdefs.h <<\EOF
 #define AUTHENTICATION 1
 EOF
-cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define ENCRYPTION 1
 EOF
-cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define DES_ENCRYPTION 1
 EOF
-cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define DIAGNOSTICS 1
 EOF
-cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define OLD_ENVIRON 1
 EOF
 if false; then
-cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define ENV_HACK 1
 EOF
 
@@ -12366,27 +21624,145 @@ fi
 #
 # And also something wierd has happend with dec-osf1, fallback to bsd-ptys
 
-echo $ac_n "checking for streamspty""... $ac_c" 1>&6
-echo "configure:12371: checking for streamspty" >&5
+echo "$as_me:21627: checking for getmsg" >&5
+echo $ECHO_N "checking for getmsg... $ECHO_C" >&6
+if test "${ac_cv_func_getmsg+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 21633 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char getmsg (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char getmsg ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_getmsg) || defined (__stub___getmsg)
+choke me
+#else
+f = getmsg;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:21664: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:21667: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { (eval echo "$as_me:21669: \"test -s conftest$ac_exeext\"") >&5
+  (eval test -s conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:21672: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_func_getmsg=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_getmsg=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:21682: result: $ac_cv_func_getmsg" >&5
+echo "${ECHO_T}$ac_cv_func_getmsg" >&6
+
+if test "$ac_cv_func_getmsg" = "yes"; then
+
+echo "$as_me:21687: checking for working getmsg" >&5
+echo $ECHO_N "checking for working getmsg... $ECHO_C" >&6
+if test "${ac_cv_func_getmsg_work+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test "$cross_compiling" = yes; then
+  ac_cv_func_getmsg_work=no
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 21696 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <errno.h>
+
+int main()
+{
+  int ret;
+  ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL);
+  if(ret < 0 && errno == ENOSYS)
+    return 1;
+  return 0;
+}
+
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:21713: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:21716: \$? = $ac_status" >&5
+  (exit $ac_status); } && { (eval echo "$as_me:21717: \"./conftest$ac_exeext\"") >&5
+  (eval ./conftest$ac_exeext) 2>&5
+  ac_status=$?
+  echo "$as_me:21720: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_cv_func_getmsg_work=yes
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_getmsg_work=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+fi
+echo "$as_me:21732: result: $ac_cv_func_getmsg_work" >&5
+echo "${ECHO_T}$ac_cv_func_getmsg_work" >&6
+test "$ac_cv_func_getmsg_work" = "yes" &&
+
+cat >>confdefs.h <<\EOF
+#define HAVE_GETMSG 1
+EOF
+
+fi
+
+if test "$ac_cv_func_getmsg_work" = yes; then
+echo "$as_me:21743: checking for streamspty" >&5
+echo $ECHO_N "checking for streamspty... $ECHO_C" >&6
 case "$host" in
-*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux10*)
+*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux1[01]*)
 	krb_cv_sys_streamspty=no
 	;;
 *)
-	krb_cv_sys_streamspty="$ac_cv_func_getmsg"
+	krb_cv_sys_streamspty=yes
 	;;
 esac
+echo "$as_me:21753: result: $krb_cv_sys_streamspty" >&5
+echo "${ECHO_T}$krb_cv_sys_streamspty" >&6
+fi
 if test "$krb_cv_sys_streamspty" = yes; then
-	cat >> confdefs.h <<\EOF
+
+cat >>confdefs.h <<\EOF
 #define STREAMSPTY 1
 EOF
 
 fi
-echo "$ac_t""$krb_cv_sys_streamspty" 1>&6
 
-
-echo $ac_n "checking which authentication modules should be built""... $ac_c" 1>&6
-echo "configure:12390: checking which authentication modules should be built" >&5
+echo "$as_me:21764: checking which authentication modules should be built" >&5
+echo $ECHO_N "checking which authentication modules should be built... $ECHO_C" >&6
 
 LIB_AUTH_SUBDIRS=
 
@@ -12402,10 +21778,8 @@ case "${host}" in
 *-*-irix[56]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;;
 esac
 
-echo "$ac_t""$LIB_AUTH_SUBDIRS" 1>&6
-
-
-
+echo "$as_me:21781: result: $LIB_AUTH_SUBDIRS" >&5
+echo "${ECHO_T}$LIB_AUTH_SUBDIRS" >&6
 
 test "x$prefix" = xNONE && prefix=$ac_default_prefix
 test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
@@ -12419,7 +21793,7 @@ for i in bin lib libexec sbin; do
 		x="$y"
 		eval y="$x"
 	done
-	cat >> confdefs.h <<EOF
+	cat >>confdefs.h <<EOF
 #define $foo "$x"
 EOF
 
@@ -12431,581 +21805,1057 @@ if false; then
 fi
 LTLIBOBJS=`echo "$LIBOBJS" | sed 's/\.o/\.lo/g'`
 
-trap '' 1 2 15
-cat > confcache <<\EOF
+ac_config_files="$ac_config_files Makefile include/Makefile include/kadm5/Makefile lib/Makefile lib/45/Makefile lib/auth/Makefile lib/auth/afskauthlib/Makefile lib/auth/pam/Makefile lib/auth/sia/Makefile lib/asn1/Makefile lib/com_err/Makefile lib/des/Makefile lib/editline/Makefile lib/gssapi/Makefile lib/hdb/Makefile lib/kadm5/Makefile lib/kafs/Makefile lib/kdfs/Makefile lib/krb5/Makefile lib/otp/Makefile lib/roken/Makefile lib/sl/Makefile lib/vers/Makefile kuser/Makefile kpasswd/Makefile kadmin/Makefile admin/Makefile kdc/Makefile appl/Makefile appl/afsutil/Makefile appl/ftp/Makefile appl/ftp/common/Makefile appl/ftp/ftp/Makefile appl/ftp/ftpd/Makefile appl/kx/Makefile appl/login/Makefile appl/otp/Makefile appl/popper/Makefile appl/push/Makefile appl/rsh/Makefile appl/rcp/Makefile appl/su/Makefile appl/xnlock/Makefile appl/telnet/Makefile appl/telnet/libtelnet/Makefile appl/telnet/telnet/Makefile appl/telnet/telnetd/Makefile appl/test/Makefile appl/kf/Makefile appl/dceutils/Makefile doc/Makefile tools/Makefile"
+
+cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
 # tests run on this system so they can be shared between configure
-# scripts and configure runs.  It is not useful on other systems.
-# If it contains results you don't want to keep, you may remove or edit it.
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems.  If it contains results you don't
+# want to keep, you may remove or edit it.
 #
-# By default, configure uses ./config.cache as the cache file,
-# creating it if it does not exist already.  You can give configure
-# the --cache-file=FILE option to use a different cache file; that is
-# what configure does when it calls configure scripts in
-# subdirectories, so they share the cache.
-# Giving --cache-file=/dev/null disables caching, for debugging configure.
-# config.status only pays attention to the cache file if you give it the
-# --recheck option to rerun configure.
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
 #
-EOF
+# `ac_cv_env_foo' variables (set or unset) will be overriden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
+
+_ACEOF
+
 # The following way of writing the cache mishandles newlines in values,
 # but we know of no workaround that is simple, portable, and efficient.
 # So, don't put newlines in cache variables' values.
 # Ultrix sh set writes to stderr and can't be redirected directly,
 # and sets the high bit in the cache file unless we assign to the vars.
-(set) 2>&1 |
-  case `(ac_space=' '; set | grep ac_space) 2>&1` in
-  *ac_space=\ *)
-    # `set' does not quote correctly, so add quotes (double-quote substitution
-    # turns \\\\ into \\, and sed turns \\ into \).
-    sed -n \
-      -e "s/'/'\\\\''/g" \
-      -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p"
-    ;;
-  *)
-    # `set' quotes correctly as required by POSIX, so do not add quotes.
-    sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p'
-    ;;
-  esac >> confcache
-if cmp -s $cache_file confcache; then
-  :
-else
+{
+  (set) 2>&1 |
+    case `(ac_space=' '; set | grep ac_space) 2>&1` in
+    *ac_space=\ *)
+      # `set' does not quote correctly, so add quotes (double-quote
+      # substitution turns \\\\ into \\, and sed turns \\ into \).
+      sed -n \
+        "s/'/'\\\\''/g;
+    	  s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+      ;;
+    *)
+      # `set' quotes correctly as required by POSIX, so do not add quotes.
+      sed -n \
+        "s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+      ;;
+    esac;
+} |
+  sed '
+     t clear
+     : clear
+     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+     t end
+     /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+     : end' >>confcache
+if cmp -s $cache_file confcache; then :; else
   if test -w $cache_file; then
-    echo "updating cache $cache_file"
-    cat confcache > $cache_file
+    test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
+    cat confcache >$cache_file
   else
     echo "not updating unwritable cache $cache_file"
   fi
 fi
 rm -f confcache
 
-trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
-
 test "x$prefix" = xNONE && prefix=$ac_default_prefix
 # Let make expand exec_prefix.
 test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
 
-# Any assignment to VPATH causes Sun make to only execute
-# the first set of double-colon rules, so remove it if not needed.
-# If there is a colon in the path, we need to keep it.
+# VPATH is dangerous, but if there is a colon in the path, we need to
+# keep it.
 if test "x$srcdir" = x.; then
   ac_vpsub='/^[ 	]*VPATH[ 	]*=[^:]*$/d'
 fi
 
-trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15
-
 DEFS=-DHAVE_CONFIG_H
 
-# Without the "./", some shells look in PATH for config.status.
 : ${CONFIG_STATUS=./config.status}
-
-echo creating $CONFIG_STATUS
-rm -f $CONFIG_STATUS
-cat > $CONFIG_STATUS <<EOF
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+{ echo "$as_me:21880: creating $CONFIG_STATUS" >&5
+echo "$as_me: creating $CONFIG_STATUS" >&6;}
+cat >$CONFIG_STATUS <<\_ACEOF
 #! /bin/sh
 # Generated automatically by configure.
 # Run this file to recreate the current configuration.
-# This directory was configured as follows,
-# on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-#
-# $0 $ac_configure_args
-#
 # Compiler output produced by configure, useful for debugging
-# configure, is in ./config.log if it exists.
+# configure, is in config.log if it exists.
 
-ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]"
-for ac_option
+debug=false
+as_me=`echo "$0" | sed 's,.*/,,'`
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+# Be Bourne compatible
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
+  set -o posix
+fi
+
+if expr a : '\(a\)' >/dev/null 2>&1; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+
+rm -f conftest conftest.exe conftest.file
+echo >conftest.file
+if ln -s conftest.file conftest 2>/dev/null; then
+  # We could just check for DJGPP; but this test a) works b) is more generic
+  # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
+  if test -f conftest.exe; then
+    # Don't use ln at all; we don't have any links
+    as_ln_s='cp -p'
+  else
+    as_ln_s='ln -s'
+  fi
+elif ln conftest.file conftest 2>/dev/null; then
+  as_ln_s=ln
+else
+  as_ln_s='cp -p'
+fi
+rm -f conftest conftest.exe conftest.file
+
+# Find out how to test for executable files. Don't use a zero-byte file,
+# as systems may use methods other than mode bits to determine executability.
+cat >conftest.file <<_ASEOF
+#! /bin/sh
+exit 0
+_ASEOF
+chmod +x conftest.file
+if test -x conftest.file >/dev/null 2>&1; then
+  as_executable_p="test -x"
+elif test -f conftest.file >/dev/null 2>&1; then
+  as_executable_p="test -f"
+else
+  { { echo "$as_me:21937: error: cannot check whether a file is executable on this system" >&5
+echo "$as_me: error: cannot check whether a file is executable on this system" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+rm -f conftest.file
+
+# Support unset when possible.
+if (FOO=FOO; unset FOO) >/dev/null 2>&1; then
+  as_unset=unset
+else
+  as_unset=false
+fi
+
+# NLS nuisances.
+$as_unset LANG || test "${LANG+set}" != set || { LANG=C; export LANG; }
+$as_unset LC_ALL || test "${LC_ALL+set}" != set || { LC_ALL=C; export LC_ALL; }
+$as_unset LC_TIME || test "${LC_TIME+set}" != set || { LC_TIME=C; export LC_TIME; }
+$as_unset LC_CTYPE || test "${LC_CTYPE+set}" != set || { LC_CTYPE=C; export LC_CTYPE; }
+$as_unset LANGUAGE || test "${LANGUAGE+set}" != set || { LANGUAGE=C; export LANGUAGE; }
+$as_unset LC_COLLATE || test "${LC_COLLATE+set}" != set || { LC_COLLATE=C; export LC_COLLATE; }
+$as_unset LC_NUMERIC || test "${LC_NUMERIC+set}" != set || { LC_NUMERIC=C; export LC_NUMERIC; }
+$as_unset LC_MESSAGES || test "${LC_MESSAGES+set}" != set || { LC_MESSAGES=C; export LC_MESSAGES; }
+
+# IFS
+# We need space, tab and new line, in precisely that order.
+as_nl='
+'
+IFS=" 	$as_nl"
+
+# CDPATH.
+$as_unset CDPATH || test "${CDPATH+set}" != set || { CDPATH=:; export CDPATH; }
+
+# File descriptor usage:
+# 0 standard input
+# 1 file creation
+# 2 errors and warnings
+# 5 compiler messages saved in config.log
+# 6 checking for... messages and results
+exec 5>>config.log
+exec 6>&1
+
+cat >&5 << EOF
+
+## ----------------------- ##
+## Running config.status.  ##
+## ----------------------- ##
+
+This file was extended by $as_me (heimdal 0.3e) 2.49d, executed with
+ > $0 $@
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
+
+EOF
+
+_ACEOF
+
+# Files that config.status was made for.
+if test -n "$ac_config_files"; then
+  echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_headers"; then
+  echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_links"; then
+  echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_commands"; then
+  echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS
+fi
+
+cat >>$CONFIG_STATUS <<\EOF
+
+ac_cs_usage="\
+\`$as_me' instantiates files from templates according to the
+current configuration.
+
+Usage: $0 [OPTIONS] [FILE]...
+
+  -h, --help       print this help, then exit
+  -V, --version    print version number, then exit
+  -d, --debug      don't remove temporary files
+      --recheck    update $as_me by reconfiguring in the same conditions
+  --file=FILE[:TEMPLATE]
+                   instantiate the configuration file FILE
+  --header=FILE[:TEMPLATE]
+                   instantiate the configuration header FILE
+
+Configuration files:
+$config_files
+
+Configuration headers:
+$config_headers
+
+Configuration commands:
+$config_commands
+
+Report bugs to <bug-autoconf@gnu.org>."
+EOF
+
+cat >>$CONFIG_STATUS <<EOF
+ac_cs_version="\\
+$CONFIG_STATUS generated by $as_me (Autoconf 2.49d).
+Configured on host $ac_hostname by
+  `echo "$0 $ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`"
+srcdir=$srcdir
+INSTALL="$INSTALL"
+EOF
+
+cat >>$CONFIG_STATUS <<\EOF
+# If no file are specified by the user, then we need to provide default
+# value.  By we need to know if files were specified by the user.
+ac_need_defaults=:
+while test $# != 0
 do
-  case "\$ac_option" in
+  case $1 in
+  --*=*)
+    ac_option=`expr "x$1" : 'x\([^=]*\)='`
+    ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'`
+    shift
+    set dummy "$ac_option" "$ac_optarg" ${1+"$@"}
+    shift
+    ;;
+  -*);;
+  *) # This is not an option, so the user has probably given explicit
+     # arguments.
+     ac_need_defaults=false;;
+  esac
+
+  case $1 in
+  # Handling of the options.
+EOF
+cat >>$CONFIG_STATUS <<EOF
   -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
-    echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion"
-    exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;;
-  -version | --version | --versio | --versi | --vers | --ver | --ve | --v)
-    echo "$CONFIG_STATUS generated by autoconf version 2.13"
-    exit 0 ;;
-  -help | --help | --hel | --he | --h)
-    echo "\$ac_cs_usage"; exit 0 ;;
-  *) echo "\$ac_cs_usage"; exit 1 ;;
+    echo "running $SHELL $0 " $ac_configure_args " --no-create --no-recursion"
+    exec $SHELL $0 $ac_configure_args --no-create --no-recursion ;;
+EOF
+cat >>$CONFIG_STATUS <<\EOF
+  --version | --vers* | -V )
+    echo "$ac_cs_version"; exit 0 ;;
+  --he | --h)
+    # Conflict between --help and --header
+    { { echo "$as_me:22080: error: ambiguous option: $1
+Try \`$0 --help' for more information." >&5
+echo "$as_me: error: ambiguous option: $1
+Try \`$0 --help' for more information." >&2;}
+   { (exit 1); exit 1; }; };;
+  --help | --hel | -h )
+    echo "$ac_cs_usage"; exit 0 ;;
+  --debug | --d* | -d )
+    debug=: ;;
+  --file | --fil | --fi | --f )
+    shift
+    CONFIG_FILES="$CONFIG_FILES $1"
+    ac_need_defaults=false;;
+  --header | --heade | --head | --hea )
+    shift
+    CONFIG_HEADERS="$CONFIG_HEADERS $1"
+    ac_need_defaults=false;;
+
+  # Handling of arguments.
+  'Makefile' ) CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+  'include/Makefile' ) CONFIG_FILES="$CONFIG_FILES include/Makefile" ;;
+  'include/kadm5/Makefile' ) CONFIG_FILES="$CONFIG_FILES include/kadm5/Makefile" ;;
+  'lib/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/Makefile" ;;
+  'lib/45/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/45/Makefile" ;;
+  'lib/auth/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/auth/Makefile" ;;
+  'lib/auth/afskauthlib/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/auth/afskauthlib/Makefile" ;;
+  'lib/auth/pam/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/auth/pam/Makefile" ;;
+  'lib/auth/sia/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/auth/sia/Makefile" ;;
+  'lib/asn1/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/asn1/Makefile" ;;
+  'lib/com_err/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/com_err/Makefile" ;;
+  'lib/des/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/des/Makefile" ;;
+  'lib/editline/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/editline/Makefile" ;;
+  'lib/gssapi/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/gssapi/Makefile" ;;
+  'lib/hdb/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/hdb/Makefile" ;;
+  'lib/kadm5/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/kadm5/Makefile" ;;
+  'lib/kafs/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/kafs/Makefile" ;;
+  'lib/kdfs/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/kdfs/Makefile" ;;
+  'lib/krb5/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/krb5/Makefile" ;;
+  'lib/otp/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/otp/Makefile" ;;
+  'lib/roken/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/roken/Makefile" ;;
+  'lib/sl/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/sl/Makefile" ;;
+  'lib/vers/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/vers/Makefile" ;;
+  'kuser/Makefile' ) CONFIG_FILES="$CONFIG_FILES kuser/Makefile" ;;
+  'kpasswd/Makefile' ) CONFIG_FILES="$CONFIG_FILES kpasswd/Makefile" ;;
+  'kadmin/Makefile' ) CONFIG_FILES="$CONFIG_FILES kadmin/Makefile" ;;
+  'admin/Makefile' ) CONFIG_FILES="$CONFIG_FILES admin/Makefile" ;;
+  'kdc/Makefile' ) CONFIG_FILES="$CONFIG_FILES kdc/Makefile" ;;
+  'appl/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/Makefile" ;;
+  'appl/afsutil/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/afsutil/Makefile" ;;
+  'appl/ftp/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/ftp/Makefile" ;;
+  'appl/ftp/common/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/ftp/common/Makefile" ;;
+  'appl/ftp/ftp/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/ftp/ftp/Makefile" ;;
+  'appl/ftp/ftpd/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/ftp/ftpd/Makefile" ;;
+  'appl/kx/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/kx/Makefile" ;;
+  'appl/login/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/login/Makefile" ;;
+  'appl/otp/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/otp/Makefile" ;;
+  'appl/popper/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/popper/Makefile" ;;
+  'appl/push/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/push/Makefile" ;;
+  'appl/rsh/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/rsh/Makefile" ;;
+  'appl/rcp/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/rcp/Makefile" ;;
+  'appl/su/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/su/Makefile" ;;
+  'appl/xnlock/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/xnlock/Makefile" ;;
+  'appl/telnet/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/telnet/Makefile" ;;
+  'appl/telnet/libtelnet/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/telnet/libtelnet/Makefile" ;;
+  'appl/telnet/telnet/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/telnet/telnet/Makefile" ;;
+  'appl/telnet/telnetd/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/telnet/telnetd/Makefile" ;;
+  'appl/test/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/test/Makefile" ;;
+  'appl/kf/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/kf/Makefile" ;;
+  'appl/dceutils/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/dceutils/Makefile" ;;
+  'doc/Makefile' ) CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
+  'tools/Makefile' ) CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;;
+  'default-1' ) CONFIG_COMMANDS="$CONFIG_COMMANDS default-1" ;;
+  'default-2' ) CONFIG_COMMANDS="$CONFIG_COMMANDS default-2" ;;
+  'include/config.h' ) CONFIG_HEADERS="$CONFIG_HEADERS include/config.h" ;;
+
+  # This is an error.
+  -*) { { echo "$as_me:22156: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&5
+echo "$as_me: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&2;}
+   { (exit 1); exit 1; }; } ;;
+  *) { { echo "$as_me:22161: error: invalid argument: $1" >&5
+echo "$as_me: error: invalid argument: $1" >&2;}
+   { (exit 1); exit 1; }; };;
   esac
+  shift
 done
 
-ac_given_srcdir=$srcdir
-ac_given_INSTALL="$INSTALL"
-
-trap 'rm -fr `echo "Makefile 			\
-	include/Makefile		\
-	include/kadm5/Makefile		\
-	lib/Makefile			\
-	lib/45/Makefile			\
-	lib/auth/Makefile		\
-	lib/auth/afskauthlib/Makefile	\
-	lib/auth/pam/Makefile		\
-	lib/auth/sia/Makefile		\
-	lib/asn1/Makefile		\
-	lib/com_err/Makefile		\
-	lib/des/Makefile		\
-	lib/editline/Makefile		\
-	lib/gssapi/Makefile		\
-	lib/hdb/Makefile		\
-	lib/kadm5/Makefile		\
-	lib/kafs/Makefile		\
-	lib/krb5/Makefile		\
-	lib/otp/Makefile		\
-	lib/roken/Makefile		\
-	lib/sl/Makefile			\
-	kuser/Makefile			\
-	kpasswd/Makefile		\
-	kadmin/Makefile			\
-	admin/Makefile			\
-	kdc/Makefile			\
-	appl/Makefile			\
-	appl/afsutil/Makefile		\
-	appl/ftp/Makefile		\
-	appl/ftp/common/Makefile	\
-	appl/ftp/ftp/Makefile		\
-	appl/ftp/ftpd/Makefile		\
-	appl/kauth/Makefile		\
-	appl/kx/Makefile		\
-	appl/login/Makefile		\
-	appl/otp/Makefile		\
-	appl/popper/Makefile		\
-	appl/push/Makefile		\
-	appl/rsh/Makefile		\
-	appl/su/Makefile		\
-	appl/xnlock/Makefile		\
-	appl/telnet/Makefile		\
-	appl/telnet/libtelnet/Makefile	\
-	appl/telnet/telnet/Makefile	\
-	appl/telnet/telnetd/Makefile	\
-	appl/test/Makefile		\
-	appl/kf/Makefile		\
-	doc/Makefile			\
- include/config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15
-EOF
-cat >> $CONFIG_STATUS <<EOF
-
-# Protect against being on the right side of a sed subst in config.status.
-sed 's/%@/@@/; s/@%/@@/; s/%g\$/@g/; /@g\$/s/[\\\\&%]/\\\\&/g;
- s/@@/%@/; s/@@/@%/; s/@g\$/%g/' > conftest.subs <<\\CEOF
-$ac_vpsub
-$extrasub
-s%@SHELL@%$SHELL%g
-s%@CFLAGS@%$CFLAGS%g
-s%@CPPFLAGS@%$CPPFLAGS%g
-s%@CXXFLAGS@%$CXXFLAGS%g
-s%@FFLAGS@%$FFLAGS%g
-s%@DEFS@%$DEFS%g
-s%@LDFLAGS@%$LDFLAGS%g
-s%@LIBS@%$LIBS%g
-s%@exec_prefix@%$exec_prefix%g
-s%@prefix@%$prefix%g
-s%@program_transform_name@%$program_transform_name%g
-s%@bindir@%$bindir%g
-s%@sbindir@%$sbindir%g
-s%@libexecdir@%$libexecdir%g
-s%@datadir@%$datadir%g
-s%@sysconfdir@%$sysconfdir%g
-s%@sharedstatedir@%$sharedstatedir%g
-s%@localstatedir@%$localstatedir%g
-s%@libdir@%$libdir%g
-s%@includedir@%$includedir%g
-s%@oldincludedir@%$oldincludedir%g
-s%@infodir@%$infodir%g
-s%@mandir@%$mandir%g
-s%@INSTALL_PROGRAM@%$INSTALL_PROGRAM%g
-s%@INSTALL_SCRIPT@%$INSTALL_SCRIPT%g
-s%@INSTALL_DATA@%$INSTALL_DATA%g
-s%@PACKAGE@%$PACKAGE%g
-s%@VERSION@%$VERSION%g
-s%@ACLOCAL@%$ACLOCAL%g
-s%@AUTOCONF@%$AUTOCONF%g
-s%@AUTOMAKE@%$AUTOMAKE%g
-s%@AUTOHEADER@%$AUTOHEADER%g
-s%@MAKEINFO@%$MAKEINFO%g
-s%@SET_MAKE@%$SET_MAKE%g
-s%@host@%$host%g
-s%@host_alias@%$host_alias%g
-s%@host_cpu@%$host_cpu%g
-s%@host_vendor@%$host_vendor%g
-s%@host_os@%$host_os%g
-s%@CANONICAL_HOST@%$CANONICAL_HOST%g
-s%@CC@%$CC%g
-s%@OBJEXT@%$OBJEXT%g
-s%@EXEEXT@%$EXEEXT%g
-s%@YACC@%$YACC%g
-s%@LEX@%$LEX%g
-s%@LEXLIB@%$LEXLIB%g
-s%@CPP@%$CPP%g
-s%@LEX_OUTPUT_ROOT@%$LEX_OUTPUT_ROOT%g
-s%@RANLIB@%$RANLIB%g
-s%@AWK@%$AWK%g
-s%@LN_S@%$LN_S%g
-s%@LD@%$LD%g
-s%@NM@%$NM%g
-s%@LIBTOOL@%$LIBTOOL%g
-s%@WFLAGS@%$WFLAGS%g
-s%@WFLAGS_NOUNUSED@%$WFLAGS_NOUNUSED%g
-s%@WFLAGS_NOIMPLICITINT@%$WFLAGS_NOIMPLICITINT%g
-s%@INCLUDE_krb4@%$INCLUDE_krb4%g
-s%@LIB_krb4@%$LIB_krb4%g
-s%@EXTRA_LIB45@%$EXTRA_LIB45%g
-s%@LIB_krb_enable_debug@%$LIB_krb_enable_debug%g
-s%@LIB_krb_disable_debug@%$LIB_krb_disable_debug%g
-s%@LIB_krb_get_our_ip_for_realm@%$LIB_krb_get_our_ip_for_realm%g
-s%@KRB4_TRUE@%$KRB4_TRUE%g
-s%@KRB4_FALSE@%$KRB4_FALSE%g
-s%@KRB5_TRUE@%$KRB5_TRUE%g
-s%@KRB5_FALSE@%$KRB5_FALSE%g
-s%@LIB_kdb@%$LIB_kdb%g
-s%@AIX_TRUE@%$AIX_TRUE%g
-s%@AIX_FALSE@%$AIX_FALSE%g
-s%@AIX4_TRUE@%$AIX4_TRUE%g
-s%@AIX4_FALSE@%$AIX4_FALSE%g
-s%@AIX_DYNAMIC_AFS_TRUE@%$AIX_DYNAMIC_AFS_TRUE%g
-s%@AIX_DYNAMIC_AFS_FALSE@%$AIX_DYNAMIC_AFS_FALSE%g
-s%@LIB_dlopen@%$LIB_dlopen%g
-s%@HAVE_DLOPEN_TRUE@%$HAVE_DLOPEN_TRUE%g
-s%@HAVE_DLOPEN_FALSE@%$HAVE_DLOPEN_FALSE%g
-s%@AFS_EXTRA_LD@%$AFS_EXTRA_LD%g
-s%@AIX_EXTRA_KAFS@%$AIX_EXTRA_KAFS%g
-s%@LIB_otp@%$LIB_otp%g
-s%@OTP_TRUE@%$OTP_TRUE%g
-s%@OTP_FALSE@%$OTP_FALSE%g
-s%@LIB_security@%$LIB_security%g
-s%@NROFF@%$NROFF%g
-s%@GROFF@%$GROFF%g
-s%@CATMAN@%$CATMAN%g
-s%@CATMAN_TRUE@%$CATMAN_TRUE%g
-s%@CATMAN_FALSE@%$CATMAN_FALSE%g
-s%@CATMANEXT@%$CATMANEXT%g
-s%@INCLUDE_readline@%$INCLUDE_readline%g
-s%@LIB_readline@%$LIB_readline%g
-s%@INCLUDE_hesiod@%$INCLUDE_hesiod%g
-s%@LIB_hesiod@%$LIB_hesiod%g
-s%@X_CFLAGS@%$X_CFLAGS%g
-s%@X_PRE_LIBS@%$X_PRE_LIBS%g
-s%@X_LIBS@%$X_LIBS%g
-s%@X_EXTRA_LIBS@%$X_EXTRA_LIBS%g
-s%@MAKE_X_PROGS_BIN_PROGS@%$MAKE_X_PROGS_BIN_PROGS%g
-s%@MAKE_X_PROGS_BIN_SCRPTS@%$MAKE_X_PROGS_BIN_SCRPTS%g
-s%@MAKE_X_PROGS_LIBEXEC_PROGS@%$MAKE_X_PROGS_LIBEXEC_PROGS%g
-s%@LIB_XauWriteAuth@%$LIB_XauWriteAuth%g
-s%@LIB_XauReadAuth@%$LIB_XauReadAuth%g
-s%@LIB_XauFileName@%$LIB_XauFileName%g
-s%@NEED_WRITEAUTH_TRUE@%$NEED_WRITEAUTH_TRUE%g
-s%@NEED_WRITEAUTH_FALSE@%$NEED_WRITEAUTH_FALSE%g
-s%@have_err_h_TRUE@%$have_err_h_TRUE%g
-s%@have_err_h_FALSE@%$have_err_h_FALSE%g
-s%@have_fnmatch_h_TRUE@%$have_fnmatch_h_TRUE%g
-s%@have_fnmatch_h_FALSE@%$have_fnmatch_h_FALSE%g
-s%@LIB_socket@%$LIB_socket%g
-s%@LIB_gethostbyname@%$LIB_gethostbyname%g
-s%@LIB_syslog@%$LIB_syslog%g
-s%@LIB_logwtmp@%$LIB_logwtmp%g
-s%@LIB_tgetent@%$LIB_tgetent%g
-s%@LIB_gethostbyname2@%$LIB_gethostbyname2%g
-s%@LIB_res_search@%$LIB_res_search%g
-s%@LIB_dn_expand@%$LIB_dn_expand%g
-s%@have_glob_h_TRUE@%$have_glob_h_TRUE%g
-s%@have_glob_h_FALSE@%$have_glob_h_FALSE%g
-s%@LIB_dbopen@%$LIB_dbopen%g
-s%@LIB_dbm_firstkey@%$LIB_dbm_firstkey%g
-s%@DBLIB@%$DBLIB%g
-s%@LIB_getpwnam_r@%$LIB_getpwnam_r%g
-s%@LIB_getsockopt@%$LIB_getsockopt%g
-s%@LIB_setsockopt@%$LIB_setsockopt%g
-s%@VOID_RETSIGTYPE@%$VOID_RETSIGTYPE%g
-s%@LIB_hstrerror@%$LIB_hstrerror%g
-s%@LIBOBJS@%$LIBOBJS%g
-s%@LIB_crypt@%$LIB_crypt%g
-s%@LIB_roken@%$LIB_roken%g
-s%@LIB_MD4Init@%$LIB_MD4Init%g
-s%@LIB_MD4_Init@%$LIB_MD4_Init%g
-s%@LIB_MD5Init@%$LIB_MD5Init%g
-s%@LIB_MD5_Init@%$LIB_MD5_Init%g
-s%@LIB_SHA1Init@%$LIB_SHA1Init%g
-s%@LIB_SHA1_Init@%$LIB_SHA1_Init%g
-s%@LIB_des_cbc_encrypt@%$LIB_des_cbc_encrypt%g
-s%@LIB_el_init@%$LIB_el_init%g
-s%@el_compat_TRUE@%$el_compat_TRUE%g
-s%@el_compat_FALSE@%$el_compat_FALSE%g
-s%@LIB_AUTH_SUBDIRS@%$LIB_AUTH_SUBDIRS%g
-s%@LTLIBOBJS@%$LTLIBOBJS%g
+EOF
+
+cat >>$CONFIG_STATUS <<\EOF
+# If the user did not use the arguments to specify the items to instantiate,
+# then the envvar interface is used.  Set only those that are not.
+# We use the long form for the default assignment because of an extremely
+# bizarre bug on SunOS 4.1.3.
+if $ac_need_defaults; then
+  test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
+  test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
+  test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands
+fi
+
+# Create a temporary directory, and hook for its removal unless debugging.
+$debug ||
+{
+  trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0
+  trap '{ (exit $?); exit $?; }' 1 2 13 15
+}
+
+# Create a (secure) tmp directory for tmp files.
+: ${TMPDIR=/tmp}
+{
+  tmp=`(umask 077 && mktemp -d -q "$TMPDIR/csXXXXXX") 2>/dev/null` &&
+  test -n "$tmp" && test -d "$tmp"
+}  ||
+{
+  tmp=$TMPDIR/cs$$-$RANDOM
+  (umask 077 && mkdir $tmp)
+} ||
+{
+   echo "$me: cannot create a temporary directory in $TMPDIR" >&2
+   { (exit 1); exit 1; }
+}
 
-CEOF
 EOF
 
-cat >> $CONFIG_STATUS <<\EOF
+cat >>$CONFIG_STATUS <<EOF
+#
+# INIT-COMMANDS section.
+#
 
-# Split the substitutions into bite-sized pieces for seds with
-# small command number limits, like on Digital OSF/1 and HP-UX.
-ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script.
-ac_file=1 # Number of current file.
-ac_beg=1 # First line for current file.
-ac_end=$ac_max_sed_cmds # Line after last line for current file.
-ac_more_lines=:
-ac_sed_cmds=""
-while $ac_more_lines; do
-  if test $ac_beg -gt 1; then
-    sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file
-  else
-    sed "${ac_end}q" conftest.subs > conftest.s$ac_file
-  fi
-  if test ! -s conftest.s$ac_file; then
-    ac_more_lines=false
-    rm -f conftest.s$ac_file
-  else
-    if test -z "$ac_sed_cmds"; then
-      ac_sed_cmds="sed -f conftest.s$ac_file"
+AMDEP="$AMDEP"
+ac_aux_dir="$ac_aux_dir"
+
+EOF
+
+cat >>$CONFIG_STATUS <<EOF
+
+#
+# CONFIG_FILES section.
+#
+
+# No need to generate the scripts if there are no CONFIG_FILES.
+# This happens for instance when ./config.status config.h
+if test -n "\$CONFIG_FILES"; then
+  # Protect against being on the right side of a sed subst in config.status.
+  sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g;
+   s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF
+s,@SHELL@,$SHELL,;t t
+s,@exec_prefix@,$exec_prefix,;t t
+s,@prefix@,$prefix,;t t
+s,@program_transform_name@,$program_transform_name,;t t
+s,@bindir@,$bindir,;t t
+s,@sbindir@,$sbindir,;t t
+s,@libexecdir@,$libexecdir,;t t
+s,@datadir@,$datadir,;t t
+s,@sysconfdir@,$sysconfdir,;t t
+s,@sharedstatedir@,$sharedstatedir,;t t
+s,@localstatedir@,$localstatedir,;t t
+s,@libdir@,$libdir,;t t
+s,@includedir@,$includedir,;t t
+s,@oldincludedir@,$oldincludedir,;t t
+s,@infodir@,$infodir,;t t
+s,@mandir@,$mandir,;t t
+s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t
+s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t
+s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t
+s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t
+s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t
+s,@ECHO_C@,$ECHO_C,;t t
+s,@ECHO_N@,$ECHO_N,;t t
+s,@ECHO_T@,$ECHO_T,;t t
+s,@DEFS@,$DEFS,;t t
+s,@LIBS@,$LIBS,;t t
+s,@CC@,$CC,;t t
+s,@CFLAGS@,$CFLAGS,;t t
+s,@LDFLAGS@,$LDFLAGS,;t t
+s,@ac_ct_CC@,$ac_ct_CC,;t t
+s,@OBJEXT@,$OBJEXT,;t t
+s,@EXEEXT@,$EXEEXT,;t t
+s,@CPP@,$CPP,;t t
+s,@CPPFLAGS@,$CPPFLAGS,;t t
+s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t
+s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t
+s,@INSTALL_DATA@,$INSTALL_DATA,;t t
+s,@PACKAGE@,$PACKAGE,;t t
+s,@VERSION@,$VERSION,;t t
+s,@ACLOCAL@,$ACLOCAL,;t t
+s,@AUTOCONF@,$AUTOCONF,;t t
+s,@AUTOMAKE@,$AUTOMAKE,;t t
+s,@AUTOHEADER@,$AUTOHEADER,;t t
+s,@MAKEINFO@,$MAKEINFO,;t t
+s,@AMTAR@,$AMTAR,;t t
+s,@install_sh@,$install_sh,;t t
+s,@AWK@,$AWK,;t t
+s,@SET_MAKE@,$SET_MAKE,;t t
+s,@AMDEP@,$AMDEP,;t t
+s,@AMDEPBACKSLASH@,$AMDEPBACKSLASH,;t t
+s,@DEPDIR@,$DEPDIR,;t t
+s,@CCDEPMODE@,$CCDEPMODE,;t t
+s,@build@,$build,;t t
+s,@build_cpu@,$build_cpu,;t t
+s,@build_vendor@,$build_vendor,;t t
+s,@build_os@,$build_os,;t t
+s,@host@,$host,;t t
+s,@host_cpu@,$host_cpu,;t t
+s,@host_vendor@,$host_vendor,;t t
+s,@host_os@,$host_os,;t t
+s,@CANONICAL_HOST@,$CANONICAL_HOST,;t t
+s,@YACC@,$YACC,;t t
+s,@LEX@,$LEX,;t t
+s,@LEXLIB@,$LEXLIB,;t t
+s,@LEX_OUTPUT_ROOT@,$LEX_OUTPUT_ROOT,;t t
+s,@RANLIB@,$RANLIB,;t t
+s,@ac_ct_RANLIB@,$ac_ct_RANLIB,;t t
+s,@LN_S@,$LN_S,;t t
+s,@STRIP@,$STRIP,;t t
+s,@ac_ct_STRIP@,$ac_ct_STRIP,;t t
+s,@LIBTOOL@,$LIBTOOL,;t t
+s,@WFLAGS@,$WFLAGS,;t t
+s,@WFLAGS_NOUNUSED@,$WFLAGS_NOUNUSED,;t t
+s,@WFLAGS_NOIMPLICITINT@,$WFLAGS_NOIMPLICITINT,;t t
+s,@LIB_dbopen@,$LIB_dbopen,;t t
+s,@LIB_dbm_firstkey@,$LIB_dbm_firstkey,;t t
+s,@LIB_db_create@,$LIB_db_create,;t t
+s,@DBLIB@,$DBLIB,;t t
+s,@VOID_RETSIGTYPE@,$VOID_RETSIGTYPE,;t t
+s,@have_err_h_TRUE@,$have_err_h_TRUE,;t t
+s,@have_err_h_FALSE@,$have_err_h_FALSE,;t t
+s,@have_fnmatch_h_TRUE@,$have_fnmatch_h_TRUE,;t t
+s,@have_fnmatch_h_FALSE@,$have_fnmatch_h_FALSE,;t t
+s,@have_ifaddrs_h_TRUE@,$have_ifaddrs_h_TRUE,;t t
+s,@have_ifaddrs_h_FALSE@,$have_ifaddrs_h_FALSE,;t t
+s,@have_vis_h_TRUE@,$have_vis_h_TRUE,;t t
+s,@have_vis_h_FALSE@,$have_vis_h_FALSE,;t t
+s,@LIB_socket@,$LIB_socket,;t t
+s,@LIB_gethostbyname@,$LIB_gethostbyname,;t t
+s,@LIB_syslog@,$LIB_syslog,;t t
+s,@LIB_gethostbyname2@,$LIB_gethostbyname2,;t t
+s,@LIB_res_search@,$LIB_res_search,;t t
+s,@LIB_dn_expand@,$LIB_dn_expand,;t t
+s,@have_glob_h_TRUE@,$have_glob_h_TRUE,;t t
+s,@have_glob_h_FALSE@,$have_glob_h_FALSE,;t t
+s,@LIB_getsockopt@,$LIB_getsockopt,;t t
+s,@LIB_setsockopt@,$LIB_setsockopt,;t t
+s,@LIB_hstrerror@,$LIB_hstrerror,;t t
+s,@LIBOBJS@,$LIBOBJS,;t t
+s,@LIB_pidfile@,$LIB_pidfile,;t t
+s,@LIB_crypt@,$LIB_crypt,;t t
+s,@DIR_roken@,$DIR_roken,;t t
+s,@LIB_roken@,$LIB_roken,;t t
+s,@INCLUDES_roken@,$INCLUDES_roken,;t t
+s,@INCLUDE_openldap@,$INCLUDE_openldap,;t t
+s,@LIB_openldap@,$LIB_openldap,;t t
+s,@INCLUDE_krb4@,$INCLUDE_krb4,;t t
+s,@LIB_krb4@,$LIB_krb4,;t t
+s,@EXTRA_LIB45@,$EXTRA_LIB45,;t t
+s,@LIB_krb_enable_debug@,$LIB_krb_enable_debug,;t t
+s,@LIB_krb_disable_debug@,$LIB_krb_disable_debug,;t t
+s,@LIB_krb_get_our_ip_for_realm@,$LIB_krb_get_our_ip_for_realm,;t t
+s,@KRB4_TRUE@,$KRB4_TRUE,;t t
+s,@KRB4_FALSE@,$KRB4_FALSE,;t t
+s,@KRB5_TRUE@,$KRB5_TRUE,;t t
+s,@KRB5_FALSE@,$KRB5_FALSE,;t t
+s,@do_roken_rename_TRUE@,$do_roken_rename_TRUE,;t t
+s,@do_roken_rename_FALSE@,$do_roken_rename_FALSE,;t t
+s,@LIB_kdb@,$LIB_kdb,;t t
+s,@DCE_TRUE@,$DCE_TRUE,;t t
+s,@DCE_FALSE@,$DCE_FALSE,;t t
+s,@dpagaix_CFLAGS@,$dpagaix_CFLAGS,;t t
+s,@dpagaix_LDADD@,$dpagaix_LDADD,;t t
+s,@LIB_otp@,$LIB_otp,;t t
+s,@OTP_TRUE@,$OTP_TRUE,;t t
+s,@OTP_FALSE@,$OTP_FALSE,;t t
+s,@LIB_security@,$LIB_security,;t t
+s,@NROFF@,$NROFF,;t t
+s,@GROFF@,$GROFF,;t t
+s,@CATMAN@,$CATMAN,;t t
+s,@CATMAN_TRUE@,$CATMAN_TRUE,;t t
+s,@CATMAN_FALSE@,$CATMAN_FALSE,;t t
+s,@CATMANEXT@,$CATMANEXT,;t t
+s,@INCLUDE_readline@,$INCLUDE_readline,;t t
+s,@LIB_readline@,$LIB_readline,;t t
+s,@INCLUDE_hesiod@,$INCLUDE_hesiod,;t t
+s,@LIB_hesiod@,$LIB_hesiod,;t t
+s,@AIX_TRUE@,$AIX_TRUE,;t t
+s,@AIX_FALSE@,$AIX_FALSE,;t t
+s,@AIX4_TRUE@,$AIX4_TRUE,;t t
+s,@AIX4_FALSE@,$AIX4_FALSE,;t t
+s,@AIX_DYNAMIC_AFS_TRUE@,$AIX_DYNAMIC_AFS_TRUE,;t t
+s,@AIX_DYNAMIC_AFS_FALSE@,$AIX_DYNAMIC_AFS_FALSE,;t t
+s,@LIB_dlopen@,$LIB_dlopen,;t t
+s,@HAVE_DLOPEN_TRUE@,$HAVE_DLOPEN_TRUE,;t t
+s,@HAVE_DLOPEN_FALSE@,$HAVE_DLOPEN_FALSE,;t t
+s,@AIX_EXTRA_KAFS@,$AIX_EXTRA_KAFS,;t t
+s,@IRIX_TRUE@,$IRIX_TRUE,;t t
+s,@IRIX_FALSE@,$IRIX_FALSE,;t t
+s,@X_CFLAGS@,$X_CFLAGS,;t t
+s,@X_PRE_LIBS@,$X_PRE_LIBS,;t t
+s,@X_LIBS@,$X_LIBS,;t t
+s,@X_EXTRA_LIBS@,$X_EXTRA_LIBS,;t t
+s,@HAVE_X_TRUE@,$HAVE_X_TRUE,;t t
+s,@HAVE_X_FALSE@,$HAVE_X_FALSE,;t t
+s,@LIB_XauWriteAuth@,$LIB_XauWriteAuth,;t t
+s,@LIB_XauReadAuth@,$LIB_XauReadAuth,;t t
+s,@LIB_XauFileName@,$LIB_XauFileName,;t t
+s,@NEED_WRITEAUTH_TRUE@,$NEED_WRITEAUTH_TRUE,;t t
+s,@NEED_WRITEAUTH_FALSE@,$NEED_WRITEAUTH_FALSE,;t t
+s,@LIB_logwtmp@,$LIB_logwtmp,;t t
+s,@LIB_tgetent@,$LIB_tgetent,;t t
+s,@LIB_getpwnam_r@,$LIB_getpwnam_r,;t t
+s,@LIB_MD4_Init@,$LIB_MD4_Init,;t t
+s,@LIB_MD5_Init@,$LIB_MD5_Init,;t t
+s,@LIB_SHA1_Init@,$LIB_SHA1_Init,;t t
+s,@LIB_des_cbc_encrypt@,$LIB_des_cbc_encrypt,;t t
+s,@LIB_RC4@,$LIB_RC4,;t t
+s,@DIR_des@,$DIR_des,;t t
+s,@LIB_des@,$LIB_des,;t t
+s,@LIB_des_appl@,$LIB_des_appl,;t t
+s,@LIB_el_init@,$LIB_el_init,;t t
+s,@el_compat_TRUE@,$el_compat_TRUE,;t t
+s,@el_compat_FALSE@,$el_compat_FALSE,;t t
+s,@LIB_AUTH_SUBDIRS@,$LIB_AUTH_SUBDIRS,;t t
+s,@LTLIBOBJS@,$LTLIBOBJS,;t t
+CEOF
+
+EOF
+
+  cat >>$CONFIG_STATUS <<\EOF
+  # Split the substitutions into bite-sized pieces for seds with
+  # small command number limits, like on Digital OSF/1 and HP-UX.
+  ac_max_sed_lines=48
+  ac_sed_frag=1 # Number of current file.
+  ac_beg=1 # First line for current file.
+  ac_end=$ac_max_sed_lines # Line after last line for current file.
+  ac_more_lines=:
+  ac_sed_cmds=
+  while $ac_more_lines; do
+    if test $ac_beg -gt 1; then
+      sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
+    else
+      sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
+    fi
+    if test ! -s $tmp/subs.frag; then
+      ac_more_lines=false
     else
-      ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file"
+      # The purpose of the label and of the branching condition is to
+      # speed up the sed processing (if there are no `@' at all, there
+      # is no need to browse any of the substitutions).
+      # These are the two extra sed commands mentioned above.
+      (echo ':t
+  /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed
+      if test -z "$ac_sed_cmds"; then
+  	ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed"
+      else
+  	ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed"
+      fi
+      ac_sed_frag=`expr $ac_sed_frag + 1`
+      ac_beg=$ac_end
+      ac_end=`expr $ac_end + $ac_max_sed_lines`
     fi
-    ac_file=`expr $ac_file + 1`
-    ac_beg=$ac_end
-    ac_end=`expr $ac_end + $ac_max_sed_cmds`
+  done
+  if test -z "$ac_sed_cmds"; then
+    ac_sed_cmds=cat
   fi
-done
-if test -z "$ac_sed_cmds"; then
-  ac_sed_cmds=cat
-fi
-EOF
-
-cat >> $CONFIG_STATUS <<EOF
-
-CONFIG_FILES=\${CONFIG_FILES-"Makefile 			\
-	include/Makefile		\
-	include/kadm5/Makefile		\
-	lib/Makefile			\
-	lib/45/Makefile			\
-	lib/auth/Makefile		\
-	lib/auth/afskauthlib/Makefile	\
-	lib/auth/pam/Makefile		\
-	lib/auth/sia/Makefile		\
-	lib/asn1/Makefile		\
-	lib/com_err/Makefile		\
-	lib/des/Makefile		\
-	lib/editline/Makefile		\
-	lib/gssapi/Makefile		\
-	lib/hdb/Makefile		\
-	lib/kadm5/Makefile		\
-	lib/kafs/Makefile		\
-	lib/krb5/Makefile		\
-	lib/otp/Makefile		\
-	lib/roken/Makefile		\
-	lib/sl/Makefile			\
-	kuser/Makefile			\
-	kpasswd/Makefile		\
-	kadmin/Makefile			\
-	admin/Makefile			\
-	kdc/Makefile			\
-	appl/Makefile			\
-	appl/afsutil/Makefile		\
-	appl/ftp/Makefile		\
-	appl/ftp/common/Makefile	\
-	appl/ftp/ftp/Makefile		\
-	appl/ftp/ftpd/Makefile		\
-	appl/kauth/Makefile		\
-	appl/kx/Makefile		\
-	appl/login/Makefile		\
-	appl/otp/Makefile		\
-	appl/popper/Makefile		\
-	appl/push/Makefile		\
-	appl/rsh/Makefile		\
-	appl/su/Makefile		\
-	appl/xnlock/Makefile		\
-	appl/telnet/Makefile		\
-	appl/telnet/libtelnet/Makefile	\
-	appl/telnet/telnet/Makefile	\
-	appl/telnet/telnetd/Makefile	\
-	appl/test/Makefile		\
-	appl/kf/Makefile		\
-	doc/Makefile			\
-"}
-EOF
-cat >> $CONFIG_STATUS <<\EOF
-for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
+fi # test -n "$CONFIG_FILES"
+
+EOF
+cat >>$CONFIG_STATUS <<\EOF
+for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue
   # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
-  case "$ac_file" in
-  *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'`
-       ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;;
-  *) ac_file_in="${ac_file}.in" ;;
+  case $ac_file in
+  - | *:- | *:-:* ) # input from stdin
+        cat >$tmp/stdin
+        ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+        ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+        ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  * )   ac_file_in=$ac_file.in ;;
   esac
 
-  # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories.
-
-  # Remove last slash and all that follows it.  Not all systems have dirname.
-  ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'`
+  # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories.
+  ac_dir=`$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+         X"$ac_file" : 'X\(//\)[^/]' \| \
+         X"$ac_file" : 'X\(//\)$' \| \
+         X"$ac_file" : 'X\(/\)' \| \
+         .     : '\(.\)' 2>/dev/null ||
+echo X"$ac_file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+  	  /^X\(\/\/\)$/{ s//\1/; q; }
+  	  /^X\(\/\).*/{ s//\1/; q; }
+  	  s/.*/./; q'`
   if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
-    # The file is in a subdirectory.
-    test ! -d "$ac_dir" && mkdir "$ac_dir"
-    ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`"
+    { case "$ac_dir" in
+  [\\/]* | ?:[\\/]* ) as_incr_dir=;;
+  *)                      as_incr_dir=.;;
+esac
+as_dummy="$ac_dir"
+for as_mkdir_dir in `IFS='/\\'; set X $as_dummy; shift; echo "$@"`; do
+  case $as_mkdir_dir in
+    # Skip DOS drivespec
+    ?:) as_incr_dir=$as_mkdir_dir ;;
+    *)
+      as_incr_dir=$as_incr_dir/$as_mkdir_dir
+      test -d "$as_incr_dir" || mkdir "$as_incr_dir"
+    ;;
+  esac
+done; }
+
+    ac_dir_suffix="/`echo $ac_dir|sed 's,^\./,,'`"
     # A "../" for each directory in $ac_dir_suffix.
-    ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'`
+    ac_dots=`echo "$ac_dir_suffix" | sed 's,/[^/]*,../,g'`
   else
     ac_dir_suffix= ac_dots=
   fi
 
-  case "$ac_given_srcdir" in
-  .)  srcdir=.
-      if test -z "$ac_dots"; then top_srcdir=.
-      else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;;
-  /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;;
+  case $srcdir in
+  .)  ac_srcdir=.
+      if test -z "$ac_dots"; then
+         ac_top_srcdir=.
+      else
+         ac_top_srcdir=`echo $ac_dots | sed 's,/$,,'`
+      fi ;;
+  [\\/]* | ?:[\\/]* )
+      ac_srcdir=$srcdir$ac_dir_suffix;
+      ac_top_srcdir=$srcdir ;;
   *) # Relative path.
-    srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix"
-    top_srcdir="$ac_dots$ac_given_srcdir" ;;
+    ac_srcdir=$ac_dots$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_dots$srcdir ;;
   esac
 
-  case "$ac_given_INSTALL" in
-  [/$]*) INSTALL="$ac_given_INSTALL" ;;
-  *) INSTALL="$ac_dots$ac_given_INSTALL" ;;
+  case $INSTALL in
+  [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
+  *) ac_INSTALL=$ac_dots$INSTALL ;;
   esac
 
-  echo creating "$ac_file"
-  rm -f "$ac_file"
-  configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure."
-  case "$ac_file" in
-  *Makefile*) ac_comsub="1i\\
-# $configure_input" ;;
-  *) ac_comsub= ;;
-  esac
+  if test x"$ac_file" != x-; then
+    { echo "$as_me:22517: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+    rm -f "$ac_file"
+  fi
+  # Let's still pretend it is `configure' which instantiates (i.e., don't
+  # use $as_me), people would be surprised to read:
+  #    /* config.h.  Generated automatically by config.status.  */
+  configure_input="Generated automatically from `echo $ac_file_in |
+                                                 sed 's,.*/,,'` by configure."
+
+  # First look for the input files in the build tree, otherwise in the
+  # src tree.
+  ac_file_inputs=`IFS=:
+    for f in $ac_file_in; do
+      case $f in
+      -) echo $tmp/stdin ;;
+      [\\/$]* | ?:[\\/]*)
+         # Absolute
+         test -f "$f" || { { echo "$as_me:22535: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+   { (exit 1); exit 1; }; }
+         echo $f;;
+      *) # Relative
+         if test -f "$f"; then
+           # Build tree
+           echo $f
+         elif test -f "$srcdir/$f"; then
+           # Source tree
+           echo $srcdir/$f
+         else
+           # /dev/null tree
+           { { echo "$as_me:22548: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+   { (exit 1); exit 1; }; }
+         fi;;
+      esac
+    done` || { (exit 1); exit 1; }
+EOF
+cat >>$CONFIG_STATUS <<EOF
+  sed "$ac_vpsub
+$extrasub
+EOF
+cat >>$CONFIG_STATUS <<\EOF
+:t
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+s,@configure_input@,$configure_input,;t t
+s,@srcdir@,$ac_srcdir,;t t
+s,@top_srcdir@,$ac_top_srcdir,;t t
+s,@INSTALL@,$ac_INSTALL,;t t
+" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out
+  rm -f $tmp/stdin
+  if test x"$ac_file" != x-; then
+    mv $tmp/out $ac_file
+  else
+    cat $tmp/out
+    rm -f $tmp/out
+  fi
 
-  ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"`
-  sed -e "$ac_comsub
-s%@configure_input@%$configure_input%g
-s%@srcdir@%$srcdir%g
-s%@top_srcdir@%$top_srcdir%g
-s%@INSTALL@%$INSTALL%g
-" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file
-fi; done
-rm -f conftest.s*
+done
+EOF
+cat >>$CONFIG_STATUS <<\EOF
+
+#
+# CONFIG_HEADER section.
+#
 
 # These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
 # NAME is the cpp macro being defined and VALUE is the value it is being given.
 #
 # ac_d sets the value in "#define NAME VALUE" lines.
-ac_dA='s%^\([ 	]*\)#\([ 	]*define[ 	][ 	]*\)'
-ac_dB='\([ 	][ 	]*\)[^ 	]*%\1#\2'
-ac_dC='\3'
-ac_dD='%g'
-# ac_u turns "#undef NAME" with trailing blanks into "#define NAME VALUE".
-ac_uA='s%^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
-ac_uB='\([ 	]\)%\1#\2define\3'
+ac_dA='s,^\([ 	]*\)#\([ 	]*define[ 	][ 	]*\)'
+ac_dB='[ 	].*$,\1#\2'
+ac_dC=' '
+ac_dD=',;t'
+# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
+ac_uA='s,^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
+ac_uB='$,\1#\2define\3'
 ac_uC=' '
-ac_uD='\4%g'
-# ac_e turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
-ac_eA='s%^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
-ac_eB='$%\1#\2define\3'
-ac_eC=' '
-ac_eD='%g'
+ac_uD=',;t'
 
-if test "${CONFIG_HEADERS+set}" != set; then
-EOF
-cat >> $CONFIG_STATUS <<EOF
-  CONFIG_HEADERS="include/config.h"
-EOF
-cat >> $CONFIG_STATUS <<\EOF
-fi
-for ac_file in .. $CONFIG_HEADERS; do if test "x$ac_file" != x..; then
+for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue
   # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
-  case "$ac_file" in
-  *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'`
-       ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;;
-  *) ac_file_in="${ac_file}.in" ;;
+  case $ac_file in
+  - | *:- | *:-:* ) # input from stdin
+        cat >$tmp/stdin
+        ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+        ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+        ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  * )   ac_file_in=$ac_file.in ;;
   esac
 
-  echo creating $ac_file
-
-  rm -f conftest.frag conftest.in conftest.out
-  ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"`
-  cat $ac_file_inputs > conftest.in
-
-EOF
-
-# Transform confdefs.h into a sed script conftest.vals that substitutes
-# the proper values into config.h.in to produce config.h.  And first:
-# Protect against being on the right side of a sed subst in config.status.
-# Protect against being in an unquoted here document in config.status.
-rm -f conftest.vals
-cat > conftest.hdr <<\EOF
-s/[\\&%]/\\&/g
-s%[\\$`]%\\&%g
-s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD}%gp
-s%ac_d%ac_u%gp
-s%ac_u%ac_e%gp
-EOF
-sed -n -f conftest.hdr confdefs.h > conftest.vals
-rm -f conftest.hdr
+  test x"$ac_file" != x- && { echo "$as_me:22609: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+
+  # First look for the input files in the build tree, otherwise in the
+  # src tree.
+  ac_file_inputs=`IFS=:
+    for f in $ac_file_in; do
+      case $f in
+      -) echo $tmp/stdin ;;
+      [\\/$]* | ?:[\\/]*)
+         # Absolute
+         test -f "$f" || { { echo "$as_me:22620: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+   { (exit 1); exit 1; }; }
+         echo $f;;
+      *) # Relative
+         if test -f "$f"; then
+           # Build tree
+           echo $f
+         elif test -f "$srcdir/$f"; then
+           # Source tree
+           echo $srcdir/$f
+         else
+           # /dev/null tree
+           { { echo "$as_me:22633: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+   { (exit 1); exit 1; }; }
+         fi;;
+      esac
+    done` || { (exit 1); exit 1; }
+  # Remove the trailing spaces.
+  sed 's/[ 	]*$//' $ac_file_inputs >$tmp/in
+
+EOF
+
+# Transform confdefs.h into two sed scripts, `conftest.defines' and
+# `conftest.undefs', that substitutes the proper values into
+# config.h.in to produce config.h.  The first handles `#define'
+# templates, and the second `#undef' templates.
+# And first: Protect against being on the right side of a sed subst in
+# config.status.  Protect against being in an unquoted here document
+# in config.status.
+rm -f conftest.defines conftest.undefs
+# Using a here document instead of a string reduces the quoting nightmare.
+# Putting comments in sed scripts is not portable.
+#
+# `end' is used to avoid that the second main sed command (meant for
+# 0-ary CPP macros) applies to n-ary macro definitions.
+# See the Autoconf documentation for `clear'.
+cat >confdef2sed.sed <<\EOF
+s/[\\&,]/\\&/g
+s,[\\$`],\\&,g
+t clear
+: clear
+s,^[ 	]*#[ 	]*define[ 	][ 	]*\(\([^ 	(][^ 	(]*\)([^)]*)\)[ 	]*\(.*\)$,${ac_dA}\2${ac_dB}\1${ac_dC}\3${ac_dD},gp
+t end
+s,^[ 	]*#[ 	]*define[ 	][ 	]*\([^ 	][^ 	]*\)[ 	]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp
+: end
+EOF
+# If some macros were called several times there might be several times
+# the same #defines, which is useless.  Nevertheless, we may not want to
+# sort them, since we want the *last* AC-DEFINE to be honored.
+uniq confdefs.h | sed -n -f confdef2sed.sed >conftest.defines
+sed 's/ac_d/ac_u/g' conftest.defines >conftest.undefs
+rm -f confdef2sed.sed
 
 # This sed command replaces #undef with comments.  This is necessary, for
 # example, in the case of _POSIX_SOURCE, which is predefined and required
 # on some systems where configure will not decide to define it.
-cat >> conftest.vals <<\EOF
-s%^[ 	]*#[ 	]*undef[ 	][ 	]*[a-zA-Z_][a-zA-Z_0-9]*%/* & */%
+cat >>conftest.undefs <<\EOF
+s,^[ 	]*#[ 	]*undef[ 	][ 	]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */,
 EOF
 
-# Break up conftest.vals because some shells have a limit on
-# the size of here documents, and old seds have small limits too.
+# Break up conftest.defines because some shells have a limit on the size
+# of here documents, and old seds have small limits too (100 cmds).
+echo '  # Handle all the #define templates only if necessary.' >>$CONFIG_STATUS
+echo '  if egrep "^[ 	]*#[ 	]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS
+echo '  # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS
+echo '  :' >>$CONFIG_STATUS
+rm -f conftest.tail
+while grep . conftest.defines >/dev/null
+do
+  # Write a limited-size here document to $tmp/defines.sed.
+  echo '  cat >$tmp/defines.sed <<CEOF' >>$CONFIG_STATUS
+  # Speed up: don't consider the non `#define' lines.
+  echo '/^[ 	]*#[ 	]*define/!b' >>$CONFIG_STATUS
+  # Work around the forget-to-reset-the-flag bug.
+  echo 't clr' >>$CONFIG_STATUS
+  echo ': clr' >>$CONFIG_STATUS
+  sed ${ac_max_here_lines}q conftest.defines >>$CONFIG_STATUS
+  echo 'CEOF
+  sed -f $tmp/defines.sed $tmp/in >$tmp/out
+  rm -f $tmp/in
+  mv $tmp/out $tmp/in
+' >>$CONFIG_STATUS
+  sed 1,${ac_max_here_lines}d conftest.defines >conftest.tail
+  rm -f conftest.defines
+  mv conftest.tail conftest.defines
+done
+rm -f conftest.defines
+echo '  fi # egrep' >>$CONFIG_STATUS
+echo >>$CONFIG_STATUS
 
+# Break up conftest.undefs because some shells have a limit on the size
+# of here documents, and old seds have small limits too (100 cmds).
+echo '  # Handle all the #undef templates' >>$CONFIG_STATUS
 rm -f conftest.tail
-while :
+while grep . conftest.undefs >/dev/null
 do
-  ac_lines=`grep -c . conftest.vals`
-  # grep -c gives empty output for an empty file on some AIX systems.
-  if test -z "$ac_lines" || test "$ac_lines" -eq 0; then break; fi
-  # Write a limited-size here document to conftest.frag.
-  echo '  cat > conftest.frag <<CEOF' >> $CONFIG_STATUS
-  sed ${ac_max_here_lines}q conftest.vals >> $CONFIG_STATUS
+  # Write a limited-size here document to $tmp/undefs.sed.
+  echo '  cat >$tmp/undefs.sed <<CEOF' >>$CONFIG_STATUS
+  # Speed up: don't consider the non `#undef'
+  echo '/^[ 	]*#[ 	]*undef/!b' >>$CONFIG_STATUS
+  # Work around the forget-to-reset-the-flag bug.
+  echo 't clr' >>$CONFIG_STATUS
+  echo ': clr' >>$CONFIG_STATUS
+  sed ${ac_max_here_lines}q conftest.undefs >>$CONFIG_STATUS
   echo 'CEOF
-  sed -f conftest.frag conftest.in > conftest.out
-  rm -f conftest.in
-  mv conftest.out conftest.in
-' >> $CONFIG_STATUS
-  sed 1,${ac_max_here_lines}d conftest.vals > conftest.tail
-  rm -f conftest.vals
-  mv conftest.tail conftest.vals
-done
-rm -f conftest.vals
-
-cat >> $CONFIG_STATUS <<\EOF
-  rm -f conftest.frag conftest.h
-  echo "/* $ac_file.  Generated automatically by configure.  */" > conftest.h
-  cat conftest.in >> conftest.h
-  rm -f conftest.in
-  if cmp -s $ac_file conftest.h 2>/dev/null; then
-    echo "$ac_file is unchanged"
-    rm -f conftest.h
+  sed -f $tmp/undefs.sed $tmp/in >$tmp/out
+  rm -f $tmp/in
+  mv $tmp/out $tmp/in
+' >>$CONFIG_STATUS
+  sed 1,${ac_max_here_lines}d conftest.undefs >conftest.tail
+  rm -f conftest.undefs
+  mv conftest.tail conftest.undefs
+done
+rm -f conftest.undefs
+
+cat >>$CONFIG_STATUS <<\EOF
+  # Let's still pretend it is `configure' which instantiates (i.e., don't
+  # use $as_me), people would be surprised to read:
+  #    /* config.h.  Generated automatically by config.status.  */
+  if test x"$ac_file" = x-; then
+    echo "/* Generated automatically by configure.  */" >$tmp/config.h
   else
-    # Remove last slash and all that follows it.  Not all systems have dirname.
-      ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'`
+    echo "/* $ac_file.  Generated automatically by configure.  */" >$tmp/config.h
+  fi
+  cat $tmp/in >>$tmp/config.h
+  rm -f $tmp/in
+  if test x"$ac_file" != x-; then
+    if cmp -s $ac_file $tmp/config.h 2>/dev/null; then
+      { echo "$as_me:22750: $ac_file is unchanged" >&5
+echo "$as_me: $ac_file is unchanged" >&6;}
+    else
+      ac_dir=`$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+         X"$ac_file" : 'X\(//\)[^/]' \| \
+         X"$ac_file" : 'X\(//\)$' \| \
+         X"$ac_file" : 'X\(/\)' \| \
+         .     : '\(.\)' 2>/dev/null ||
+echo X"$ac_file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+  	  /^X\(\/\/\)$/{ s//\1/; q; }
+  	  /^X\(\/\).*/{ s//\1/; q; }
+  	  s/.*/./; q'`
       if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
-      # The file is in a subdirectory.
-      test ! -d "$ac_dir" && mkdir "$ac_dir"
+        { case "$ac_dir" in
+  [\\/]* | ?:[\\/]* ) as_incr_dir=;;
+  *)                      as_incr_dir=.;;
+esac
+as_dummy="$ac_dir"
+for as_mkdir_dir in `IFS='/\\'; set X $as_dummy; shift; echo "$@"`; do
+  case $as_mkdir_dir in
+    # Skip DOS drivespec
+    ?:) as_incr_dir=$as_mkdir_dir ;;
+    *)
+      as_incr_dir=$as_incr_dir/$as_mkdir_dir
+      test -d "$as_incr_dir" || mkdir "$as_incr_dir"
+    ;;
+  esac
+done; }
+
+      fi
+      rm -f $ac_file
+      mv $tmp/config.h $ac_file
     fi
-    rm -f $ac_file
-    mv conftest.h $ac_file
+  else
+    cat $tmp/config.h
+    rm -f $tmp/config.h
   fi
-fi; done
-
+done
 EOF
-cat >> $CONFIG_STATUS <<EOF
-
+cat >>$CONFIG_STATUS <<\EOF
 
+#
+# CONFIG_COMMANDS section.
+#
+for ac_file in : $CONFIG_COMMANDS; do test "x$ac_file" = x: && continue
+  ac_dest=`echo "$ac_file" | sed 's,:.*,,'`
+  ac_source=`echo "$ac_file" | sed 's,[^:]*:,,'`
+
+  case $ac_dest in
+    default-1 ) test -z "$CONFIG_HEADERS" || echo timestamp > include/stamp-h ;;
+    default-2 )
+test x"$AMDEP" != x"" ||
+for mf in $CONFIG_FILES; do
+  case "$mf" in
+  Makefile) dirpart=.;;
+  */Makefile) dirpart=`echo "$mf" | sed -e 's|/[^/]*$||'`;;
+  *) continue;;
+  esac
+  grep '^DEP_FILES *= *[^ #]' < "$mf" > /dev/null || continue
+  # Extract the definition of DEP_FILES from the Makefile without
+  # running `make'.
+  DEPDIR=`sed -n -e '/^DEPDIR = / s///p' < "$mf"`
+  test -z "$DEPDIR" && continue
+  # When using ansi2knr, U may be empty or an underscore; expand it
+  U=`sed -n -e '/^U = / s///p' < "$mf"`
+  test -d "$dirpart/$DEPDIR" || mkdir "$dirpart/$DEPDIR"
+  # We invoke sed twice because it is the simplest approach to
+  # changing $(DEPDIR) to its actual value in the expansion.
+  for file in `sed -n -e '
+    /^DEP_FILES = .*\\\\$/ {
+      s/^DEP_FILES = //
+      :loop
+	s/\\\\$//
+	p
+	n
+	/\\\\$/ b loop
+      p
+    }
+    /^DEP_FILES = / s/^DEP_FILES = //p' < "$mf" | \
+       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+    # Make sure the directory exists.
+    test -f "$dirpart/$file" && continue
+    fdir=`echo "$file" | sed -e 's|/[^/]*$||'`
+    $ac_aux_dir/mkinstalldirs "$dirpart/$fdir" > /dev/null 2>&1
+    # echo "creating $dirpart/$file"
+    echo '# dummy' > "$dirpart/$file"
+  done
+done
+ ;;
+  esac
+done
 EOF
-cat >> $CONFIG_STATUS <<\EOF
-test -z "$CONFIG_HEADERS" || echo timestamp > include/stamp-h
+
+cat >>$CONFIG_STATUS <<\EOF
 
 exit 0
 EOF
 chmod +x $CONFIG_STATUS
-rm -fr confdefs* $ac_clean_files
-test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1
+ac_clean_files=$ac_clean_files_save
 
+test "$no_create" = yes || $SHELL $CONFIG_STATUS || { (exit 1); exit 1; }
 
 HEIMDALVERSION="$PACKAGE-$VERSION"
 
 cat > include/newversion.h.in <<EOF
-char *heimdal_long_version = "@(#)\$Version: $HEIMDALVERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
-char *heimdal_version = "$HEIMDALVERSION";
+const char *heimdal_long_version = "@(#)\$Version: $HEIMDALVERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+const char *heimdal_version = "$HEIMDALVERSION";
 EOF
 
 if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
diff --git a/crypto/heimdal/configure.in b/crypto/heimdal/configure.in
index 844aa83..b0b2e1c 100644
--- a/crypto/heimdal/configure.in
+++ b/crypto/heimdal/configure.in
@@ -1,9 +1,15 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_REVISION($Revision: 1.218 $)
-AC_INIT(lib/krb5/send_to_kdc.c)
+AC_REVISION($Revision: 1.270 $)
+AC_PREREQ(2.14.-1.1)dnl 2.14a
+AC_INIT(heimdal, 0.3e, heimdal-bugs@pdc.kth.se)
 AM_CONFIG_HEADER(include/config.h)
 
-AM_INIT_AUTOMAKE(heimdal,0.2p)
+dnl Checks for programs.
+AC_PROG_CC
+AC_PROG_CPP
+AC_PROG_CC_STDC
+
+AM_INIT_AUTOMAKE(heimdal,0.3e)
 
 AC_PREFIX_DEFAULT(/usr/heimdal)
 
@@ -19,6 +25,9 @@ case "$host" in
 *-*-solaris2.7)
 	sunos=57
 	;;
+*-*-solaris2.8)
+	sunos=58
+	;;
 *-*-solaris2*)
 	sunos=50
 	;;
@@ -40,10 +49,6 @@ esac
 
 #test -z "$CFLAGS" && CFLAGS="-g"
 
-dnl Checks for programs.
-AC_PROG_CC
-
-AC_CYGWIN
 AC_OBJEXT
 AC_EXEEXT
 
@@ -60,20 +65,25 @@ libdir="$libdir$abilibdirext"
 
 AC_C___ATTRIBUTE__
 
-AM_DISABLE_SHARED
-AM_PROG_LIBTOOL
+AC_ENABLE_SHARED(no)
+AC_PROG_LIBTOOL
 
 AC_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
 
-berkeley_db=db
-AC_ARG_WITH(berkeley-db,
-[  --without-berkeley-db   if you don't want berkeley db],[
-if test "$withval" = no; then
-	berkeley_db=""
+rk_DB
+
+dnl AC_ROKEN(10,[/usr/heimdal /usr/athena],[lib/roken],[$(top_builddir)/lib/roken/libroken.la],[-I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken])
+
+rk_ROKEN(lib/roken)
+LIB_roken="\$(top_builddir)/lib/vers/libvers.la $LIB_roken"
+
+AC_TEST_PACKAGE_NEW(openldap,[#include <ldap.h>],[-lldap -llber],,,OPENLDAP)
+
+if test "$openldap_libdir"; then
+	LIB_openldap="-R $openldap_libdir $LIB_openldap"
 fi
-])
 
-AC_TEST_PACKAGE_NEW(krb4,[#include <krb.h>],-lkrb,-ldes,/usr/athena)
+AC_TEST_PACKAGE_NEW(krb4,[#include <krb.h>],-lkrb,-ldes,/usr/athena, KRB4)
 
 LIB_kdb=
 if test "$with_krb4" != "no"; then
@@ -94,6 +104,12 @@ if test "$with_krb4" != "no"; then
 		AC_DEFINE(HAVE_FOUR_VALUED_KRB_PUT_INT, 1,
 			[define if krb_put_int takes four arguments.])
 	fi
+	AH_BOTTOM([#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
+#else
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S))
+#endif
+])
 	AC_CACHE_CHECK(for KRB_VERIFY_SECURE, ac_cv_func_krb_verify_secure,
 		[AC_TRY_COMPILE([#include <krb.h>],[
 		int x = KRB_VERIFY_SECURE],
@@ -120,42 +136,52 @@ if test "$with_krb4" != "no"; then
 	AC_FIND_FUNC(krb_enable_debug)
 	AC_FIND_FUNC(krb_disable_debug)
 	AC_FIND_FUNC(krb_get_our_ip_for_realm)
+	AC_CACHE_CHECK(for krb_mk_req with const arguments,
+		ac_cv_func_krb_mk_req_const,
+		[AC_TRY_COMPILE([#include <krb.h>
+		int krb_mk_req(KTEXT a, const char *s, const char *i,
+			       const char *r, int32_t checksum)
+		{ return 17; }], [],
+		ac_cv_func_krb_mk_req_const=yes,
+		ac_cv_func_krb_mk_req_const=no)
+	])
+	if test "$ac_cv_func_krb_mk_req_const" = "yes"; then
+		AC_DEFINE(KRB_MK_REQ_CONST, 1,
+			[Define if krb_mk_req takes cons char *])
+	fi
+
 	LIBS="$save_LIBS"
 	CFLAGS="$save_CFLAGS"
 	LIB_kdb="-lkdb -lkrb"
 	if test "$krb4_libdir"; then
-		LIB_krb4="-rpath $krb4_libdir $LIB_krb4"
-		LIB_kdb="-rpath $krb4_libdir -L$krb4_libdir $LIB_kdb"
+		LIB_krb4="-R $krb4_libdir $LIB_krb4"
+		LIB_kdb="-R $krb4_libdir -L$krb4_libdir $LIB_kdb"
 	fi
 fi
 AM_CONDITIONAL(KRB4, test "$with_krb4" != "no")
 AM_CONDITIONAL(KRB5, true)
+AM_CONDITIONAL(do_roken_rename, true)
+
 AC_DEFINE(KRB5, 1, [Enable Kerberos 5 support in applications.])dnl
 AC_SUBST(LIB_kdb)dnl
-AM_CONDITIONAL(AIX, test "$aix" != no)dnl
-AM_CONDITIONAL(AIX4, test "$aix" = 4)
-aix_dynamic_afs=yes
-AM_CONDITIONAL(AIX_DYNAMIC_AFS, test "$aix_dynamic_afs" = yes)dnl
-
-AC_FIND_FUNC_NO_LIBS(dlopen, dl)
-
-if test "$aix" != no; then
-	if test "$aix_dynamic_afs" = yes; then
-		if test "$ac_cv_funclib_dlopen" = yes; then
-			AIX_EXTRA_KAFS=
-		elif test "$ac_cv_funclib_dlopen" != no; then
-			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
-		else
-			AIX_EXTRA_KAFS=-lld
-		fi
-	else
-		AIX_EXTRA_KAFS=
-	fi
+
+AC_ARG_ENABLE(dce, [  --enable-dce	if you want support for DCE/DFS PAG's.])
+if test "$enable_dce" = yes; then
+    AC_DEFINE(DCE, 1, [Define if you want support for DCE/DFS PAG's.])
 fi
+AM_CONDITIONAL(DCE, test "$enable_dce" = yes)
+
+## XXX quite horrible:
+if test -f /etc/ibmcxx.cfg; then
+	dpagaix_LDADD=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/libraries/{;s/^[^=]*=\(.*\)/\1/;s/,/ /gp;}'`
+	dpagaix_CFLAGS=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/options/{;s/^[^=]*=\(.*\)/\1/;s/-q[^,]*//;s/,/ /gp;}'`
+else
+	dpagaix_CFLAGS="-D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce"
+	dpagaix_LDADD="-L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r"
+fi
+AC_SUBST(dpagaix_CFLAGS)
+AC_SUBST(dpagaix_LDADD)
 
-AM_CONDITIONAL(HAVE_DLOPEN, test "$ac_cv_funclib_dlopen" != no)dnl
-AC_SUBST(AFS_EXTRA_LD)dnl
-AC_SUBST(AIX_EXTRA_KAFS)dnl
 
 AC_ARG_ENABLE(kaserver,
 [  --enable-kaserver	  if you want the KDC to try to emulate a kaserver])
@@ -196,31 +222,23 @@ AM_CONDITIONAL(OTP, test "$otp" = yes)dnl
 
 AC_CHECK_OSFC2
 
-AC_CHECK_MAN
+rk_CHECK_MAN
 
 AC_TEST_PACKAGE_NEW(readline,
 [#include <stdio.h>
- #include <readline.h>],-lreadline)
+ #include <readline.h>],-lreadline,,, READLINE)
 
-AC_TEST_PACKAGE_NEW(hesiod,[#include <hesiod.h>],-lhesiod)
+AC_TEST_PACKAGE_NEW(hesiod,[#include <hesiod.h>],-lhesiod,,, HESIOD)
 
 KRB_C_BIGENDIAN
 AC_C_INLINE
 
+KRB_AIX
+KRB_IRIX
+
 KRB_CHECK_X
 
-if test "$no_x" = "yes" ; then
-	MAKE_X_PROGS_BIN_PROGS=""
-	MAKE_X_PROGS_BIN_SCRPTS=""
-	MAKE_X_PROGS_LIBEXEC_PROGS=""
-else
-	MAKE_X_PROGS_BIN_PROGS='$(X_PROGS_BIN_PROGS)'
-	MAKE_X_PROGS_BIN_SCRPTS='$(X_PROGS_BIN_SCRPTS)'
-	MAKE_X_PROGS_LIBEXEC_PROGS='$(X_PROGS_LIBEXEC_PROGS)'
-fi
-AC_SUBST(MAKE_X_PROGS_BIN_PROGS)dnl
-AC_SUBST(MAKE_X_PROGS_BIN_SCRPTS)dnl
-AC_SUBST(MAKE_X_PROGS_LIBEXEC_PROGS)dnl
+AM_CONDITIONAL(HAVE_X, test "$no_x" != yes)
 
 AC_CHECK_XAU
 
@@ -242,13 +260,6 @@ AC_STRUCT_TM
 dnl Checks for header files.
 AC_HEADER_STDC
 
-if test "$berkeley_db"; then
-  AC_CHECK_HEADERS([				\
-	db.h					\
-	db_185.h				\
-  ])
-fi
-
 AC_CHECK_HEADERS([\
 	arpa/ftp.h				\
 	arpa/inet.h				\
@@ -265,6 +276,7 @@ AC_CHECK_HEADERS([\
 	errno.h					\
 	fcntl.h					\
 	fnmatch.h				\
+	gdbm/ndbm.h				\
 	grp.h					\
 	inttypes.h				\
 	io.h					\
@@ -333,6 +345,8 @@ AC_CHECK_HEADERS([\
 	tmpdir.h				\
 	udb.h					\
 	unistd.h				\
+	userconf.h				\
+	usersec.h				\
 	util.h					\
 	utmp.h					\
 	utmpx.h					\
@@ -405,39 +419,39 @@ dnl Checks for library functions.
 AC_BROKEN_SNPRINTF
 AC_BROKEN_VSNPRINTF
 
-AC_BROKEN_GLOB
-
-if test "$ac_cv_func_glob_working" != yes; then
-	LIBOBJS="$LIBOBJS glob.o"
-fi
-AM_CONDITIONAL(have_glob_h, test "$ac_cv_func_glob_working" = yes)
-
-dnl these should happen after tests for *snprintf
-
-AC_FIND_FUNC_NO_LIBS(dbopen, $berkeley_db)
-AC_FIND_FUNC_NO_LIBS(dbm_firstkey, $berkeley_db gdbm ndbm)
-
-DBLIB="$LIB_dbopen"
-if test "$LIB_dbopen" != "$LIB_dbm_firstkey"; then
-	DBLIB="$DBLIB $LIB_dbm_firstkey"
-fi
-AC_SUBST(DBLIB)dnl
-
-AC_CHECK_FUNCS(_getpty _scrsize asnprintf asprintf cgetent fcntl)
-AC_CHECK_FUNCS(getmsg getrlimit getspnam gettimeofday getuid)
-AC_CHECK_FUNCS(grantpt mktime ptsname rand random setproctitle)
-AC_CHECK_FUNCS(revoke select setitimer setpcred setpgid)
-AC_CHECK_FUNCS(setregid setresgid setresuid setreuid setutent)
-AC_CHECK_FUNCS(setsid sigaction strstr)
-AC_CHECK_FUNCS(sysconf sysctl timegm ttyname ttyslot umask uname)
-AC_CHECK_FUNCS(unlockpt vasnprintf vasprintf vhangup)
-AC_CHECK_FUNCS(yp_get_default_domain)
-
-if test "$ac_cv_func_cgetent" = no; then
-	LIBOBJS="$LIBOBJS getcap.o"
-fi
-
-AC_FUNC_GETLOGIN
+AC_CHECK_FUNCS([				\
+	_getpty					\
+	_scrsize				\
+	fcntl					\
+	gettimeofday				\
+	getuid					\
+	grantpt					\
+	mktime					\
+	ptsname					\
+	rand					\
+	random					\
+	revoke					\
+	select					\
+	setitimer				\
+	setpcred				\
+	setpgid					\
+	setproctitle				\
+	setregid				\
+	setresgid				\
+	setresuid				\
+	setreuid				\
+	setsid					\
+	setutent				\
+	sigaction				\
+	strstr					\
+	timegm					\
+	ttyname					\
+	ttyslot					\
+	umask					\
+	unlockpt				\
+	vhangup					\
+	yp_get_default_domain			\
+])
 
 KRB_CAPABILITIES
 
@@ -463,243 +477,13 @@ AC_FIND_FUNC_NO_LIBS(setsockopt,,
 dnl Cray stuff
 AC_CHECK_FUNCS(getudbnam setlim)
 
-AC_TYPE_SIGNAL
-if test "$ac_cv_type_signal" = "void" ; then
-	AC_DEFINE(VOID_RETSIGTYPE, 1, [Define if signal handlers return void.])
-fi
-AC_SUBST(VOID_RETSIGTYPE)
-
-AC_FIND_IF_NOT_BROKEN(hstrerror, resolv,
-[#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif],
-17)
-if test "$ac_cv_func_hstrerror" = yes; then
-AC_NEED_PROTO([
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif],
-hstrerror)
-fi
-
-dnl sigh, wish this could be done in a loop
-if test "$ac_cv_func_asprintf" = yes; then
-AC_NEED_PROTO([
-#include <stdio.h>
-#include <string.h>],
-asprintf)dnl
-fi
-if test "$ac_cv_func_vasprintf" = yes; then
-AC_NEED_PROTO([
-#include <stdio.h>
-#include <string.h>],
-vasprintf)dnl
-fi
-if test "$ac_cv_func_asnprintf" = yes; then
-AC_NEED_PROTO([
-#include <stdio.h>
-#include <string.h>],
-asnprintf)dnl
-fi
-if test "$ac_cv_func_vasnprintf" = yes; then
-AC_NEED_PROTO([
-#include <stdio.h>
-#include <string.h>],
-vasnprintf)dnl
-fi
-
-AC_BROKEN(chown copyhostent daemon err errx fchown flock fnmatch)
-AC_BROKEN(freeaddrinfo freehostent gai_strerror getaddrinfo)
-AC_BROKEN(getcwd getdtablesize gethostname getipnodebyaddr getipnodebyname)
-AC_BROKEN(geteuid getgid getegid)
-AC_BROKEN(getnameinfo getopt getusershell)
-AC_BROKEN(inet_aton inet_ntop inet_pton initgroups innetgr iruserok lstat)
-AC_BROKEN(memmove)
-AC_BROKEN(mkstemp putenv rcmd readv recvmsg sendmsg setegid setenv seteuid)
-AC_BROKEN(strcasecmp strncasecmp strdup strerror strftime)
-AC_BROKEN(strlcat strlcpy strlwr)
-AC_BROKEN(strndup strnlen strptime strsep strtok_r strupr)
-AC_BROKEN(swab unsetenv verr verrx vsyslog)
-AC_BROKEN(vwarn vwarnx warn warnx writev)
-
-AC_NEED_PROTO([#include <stdlib.h>], setenv)
-AC_NEED_PROTO([#include <stdlib.h>], unsetenv)
-AC_NEED_PROTO([#include <unistd.h>], gethostname)
-AC_NEED_PROTO([#include <unistd.h>], mkstemp)
-AC_NEED_PROTO([#include <unistd.h>], getusershell)
-
-AC_NEED_PROTO([
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif],
-inet_aton)
-
-AC_FIND_FUNC_NO_LIBS(crypt, crypt)dnl
-
-dnl
-dnl libroken references crypt and dbopen
-dnl
-
-LIB_roken='$(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen)'
-AC_SUBST(LIB_roken)dnl
-
-AC_CACHE_CHECK(if realloc if broken, ac_cv_func_realloc_broken, [
-ac_cv_func_realloc_broken=no
-AC_TRY_RUN([
-#include <stddef.h>
-#include <stdlib.h>
+rk_RETSIGTYPE
 
-int main()
-{
-	return realloc(NULL, 17) == NULL;
-}
-],:, ac_cv_func_realloc_broken=yes, :)
-])
-if test "$ac_cv_func_realloc_broken" = yes ; then
-	AC_DEFINE(BROKEN_REALLOC, 1, [Define if realloc(NULL) doesn't work.])
-fi
+rk_BROKEN_REALLOC
 
 dnl AC_KRB_FUNC_GETCWD_BROKEN
 
 dnl
-dnl Checks for prototypes and declarations
-dnl
-
-AC_PROTO_COMPAT([
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-],
-gethostbyname, struct hostent *gethostbyname(const char *))
-
-AC_PROTO_COMPAT([
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-],
-gethostbyaddr, struct hostent *gethostbyaddr(const void *, size_t, int))
-
-AC_PROTO_COMPAT([
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-],
-getservbyname, struct servent *getservbyname(const char *, const char *))
-
-AC_PROTO_COMPAT([
-#ifdef HAVE_SYSLOG_H
-#include <syslog.h>
-#endif
-],
-openlog, void openlog(const char *, int, int))
-
-AC_NEED_PROTO([
-#ifdef HAVE_CRYPT_H
-#include <crypt.h>
-#endif
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-],
-crypt)
-
-AC_NEED_PROTO([
-#include <string.h>
-],
-strtok_r)
-
-AC_NEED_PROTO([
-#include <string.h>
-],
-strsep)
-
-AC_CHECK_VAR([#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif],
-h_errno)
-
-AC_CHECK_VAR([#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif],
-h_errlist)
-
-AC_CHECK_VAR([#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif],
-h_nerr)
-
-AC_CHECK_VAR([#ifdef HAVE_ERR_H
-#include <err.h>
-#endif],[__progname])
-
-AC_CHECK_DECLARATION([#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif], optarg)
-AC_CHECK_DECLARATION([#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif], optind)
-AC_CHECK_DECLARATION([#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif], opterr)
-AC_CHECK_DECLARATION([#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif], optopt)
-
-AC_CHECK_DECLARATION([#include <stdlib.h>], environ)
-
-dnl
 dnl Check for fields in struct utmp
 dnl
 
@@ -723,9 +507,7 @@ dnl
 dnl or do we have a variable `timezone' ?
 dnl
 
-AC_CHECK_VAR(
-[#include <time.h>],
-timezone)
+rk_CHECK_VAR(timezone, [#include <time.h>])
 
 AC_HAVE_TYPE([sa_family_t],[#include <sys/socket.h>])
 
@@ -757,60 +539,45 @@ AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include <sys/types.h>
 #include <sys/socket.h>])
 
 
-AC_GROK_TYPES(int8_t int16_t int32_t int64_t)
-AC_GROK_TYPES(u_int8_t u_int16_t u_int32_t u_int64_t)
+AC_GROK_TYPES([int8_t int16_t int32_t int64_t \
+	u_int8_t u_int16_t u_int32_t u_int64_t \
+	uint8_t uint16_t uint32_t uint64_t])
 
 dnl
 dnl crypto functions tests
 dnl
 
-AC_FIND_FUNC_NO_LIBS(MD4Init, crypto)
-AC_FIND_FUNC_NO_LIBS(MD4_Init, crypto)
-AC_FIND_FUNC_NO_LIBS(MD5Init, crypto)
-AC_FIND_FUNC_NO_LIBS(MD5_Init, crypto)
-AC_FIND_FUNC_NO_LIBS(SHA1Init, crypto)
-AC_FIND_FUNC_NO_LIBS(SHA1_Init, crypto)
-AC_FIND_FUNC_NO_LIBS(des_cbc_encrypt, crypto des)
-
-dnl
-dnl Tests for editline
-dnl
-
-dnl el_init
-
-AC_FIND_FUNC_NO_LIBS(el_init, edit, [], [], [$LIB_tgetent])
-if test "$ac_cv_func_el_init" = yes ; then
-	AC_CACHE_CHECK(for four argument el_init, ac_cv_func_el_init_four,[
-		AC_TRY_COMPILE([#include <stdio.h>
-			#include <histedit.h>],
-			[el_init("", NULL, NULL, NULL);],
-			ac_cv_func_el_init_four=yes,
-			ac_cv_func_el_init_four=no)])
-	if test "$ac_cv_func_el_init_four" = yes; then
-		AC_DEFINE(HAVE_FOUR_VALUED_EL_INIT, 1, [Define if el_init takes four arguments.])
-	fi
-fi
-
-dnl readline
+AC_CHECK_HEADERS([				\
+	openssl/md4.h				\
+	openssl/md5.h				\
+	openssl/sha.h				\
+	openssl/des.h				\
+	openssl/rc4.h				\
+])
 
-ac_foo=no
-if test "$with_readline" = yes; then
-	:
-elif test "$ac_cv_func_readline" = yes; then
-	:
-elif test "$ac_cv_func_el_init" = yes; then
-	ac_foo=yes
-	LIB_readline="\$(top_builddir)/lib/editline/libel_compat.a $LIB_el_init"
+AC_FIND_FUNC_NO_LIBS2(MD4_Init, crypto des, [], [], [], [$LIB_krb4])
+AC_FIND_FUNC_NO_LIBS2(MD5_Init, crypto des, [], [], [], [$LIB_krb4])
+AC_FIND_FUNC_NO_LIBS2(SHA1_Init, crypto des, [], [], [], [$LIB_krb4])
+AC_FIND_FUNC_NO_LIBS2(des_cbc_encrypt, crypto des, [], [], [], [$LIB_krb4])
+AC_FIND_FUNC_NO_LIBS2(RC4, crypto des, [], [], [], [$LIB_krb4])
+if test "$ac_cv_func_des_cbc_encrypt" = "yes" -a \
+"$ac_cv_func_MD4_Init"  = "yes" -a \
+"$ac_cv_func_MD5_Init"  = "yes" -a \
+"$ac_cv_func_SHA1_Init" = "yes" -a \
+"$ac_cv_func_RC4" = "yes"; then
+  DIR_des=''
+  LIB_des="-R $krb4_libdir -L$krb4_libdir $ac_cv_funclib_MD4_Init"
+  LIB_des_appl="$LIB_des"
 else
-	LIB_readline='$(top_builddir)/lib/editline/libeditline.a'
-fi
-AM_CONDITIONAL(el_compat, test "$ac_foo" = yes)
-if test "$readline_libdir"; then
-	LIB_readline="-rpath $readline_libdir $LIB_readline"
+  DIR_des='des'
+  LIB_des='$(top_builddir)/lib/des/libdes.la'
+  LIB_des_appl="-ldes"
 fi
-LIB_readline="$LIB_readline \$(LIB_tgetent)"
-AC_DEFINE(HAVE_READLINE, 1, 
-	[Define if you have a readline compatible library.])dnl
+AC_SUBST(DIR_des)
+AC_SUBST(LIB_des)
+AC_SUBST(LIB_des_appl)
+
+KRB_READLINE
 
 dnl telnet muck --------------------------------------------------
 
@@ -834,20 +601,46 @@ fi
 #
 # And also something wierd has happend with dec-osf1, fallback to bsd-ptys
 
+AC_CHECK_FUNC(getmsg)
+
+if test "$ac_cv_func_getmsg" = "yes"; then
+
+AC_CACHE_CHECK(for working getmsg, ac_cv_func_getmsg_work,
+AC_TRY_RUN(
+[
+#include <stdio.h>
+#include <errno.h>
+
+int main()
+{
+  int ret;
+  ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL);
+  if(ret < 0 && errno == ENOSYS)
+    return 1;
+  return 0;
+}
+], ac_cv_func_getmsg_work=yes, ac_cv_func_getmsg_work=no,
+ac_cv_func_getmsg_work=no))
+test "$ac_cv_func_getmsg_work" = "yes" &&
+AC_DEFINE(HAVE_GETMSG, 1, [Define if you have a working getmsg.])
+
+fi
+
+if test "$ac_cv_func_getmsg_work" = yes; then
 AC_MSG_CHECKING(for streamspty)
 case "$host" in
-*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux10*)
+*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux1[[01]]*)
 	krb_cv_sys_streamspty=no
 	;;
 *)
-	krb_cv_sys_streamspty="$ac_cv_func_getmsg"
+	krb_cv_sys_streamspty=yes
 	;;
 esac
+AC_MSG_RESULT($krb_cv_sys_streamspty)
+fi
 if test "$krb_cv_sys_streamspty" = yes; then
 	AC_DEFINE(STREAMSPTY, 1, [Define if you have streams ptys.])
 fi
-dnl AC_SUBST(STREAMSPTY)
-AC_MSG_RESULT($krb_cv_sys_streamspty)
 
 AC_AUTH_MODULES
 
@@ -867,6 +660,10 @@ for i in bin lib libexec sbin; do
 	done
 	AC_DEFINE_UNQUOTED($foo,"$x")
 done
+AH_BOTTOM([#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR])
 
 if false; then
 	# hack to shut up automake
@@ -874,7 +671,7 @@ if false; then
 fi
 LTLIBOBJS=`echo "$LIBOBJS" | sed 's/\.o/\.lo/g'`
 AC_SUBST(LTLIBOBJS)
-AC_OUTPUT(Makefile 			\
+AC_CONFIG_FILES(Makefile 		\
 	include/Makefile		\
 	include/kadm5/Makefile		\
 	lib/Makefile			\
@@ -891,10 +688,12 @@ AC_OUTPUT(Makefile 			\
 	lib/hdb/Makefile		\
 	lib/kadm5/Makefile		\
 	lib/kafs/Makefile		\
+	lib/kdfs/Makefile		\
 	lib/krb5/Makefile		\
 	lib/otp/Makefile		\
 	lib/roken/Makefile		\
 	lib/sl/Makefile			\
+	lib/vers/Makefile		\
 	kuser/Makefile			\
 	kpasswd/Makefile		\
 	kadmin/Makefile			\
@@ -906,13 +705,13 @@ AC_OUTPUT(Makefile 			\
 	appl/ftp/common/Makefile	\
 	appl/ftp/ftp/Makefile		\
 	appl/ftp/ftpd/Makefile		\
-	appl/kauth/Makefile		\
 	appl/kx/Makefile		\
 	appl/login/Makefile		\
 	appl/otp/Makefile		\
 	appl/popper/Makefile		\
 	appl/push/Makefile		\
 	appl/rsh/Makefile		\
+	appl/rcp/Makefile		\
 	appl/su/Makefile		\
 	appl/xnlock/Makefile		\
 	appl/telnet/Makefile		\
@@ -921,17 +720,21 @@ AC_OUTPUT(Makefile 			\
 	appl/telnet/telnetd/Makefile	\
 	appl/test/Makefile		\
 	appl/kf/Makefile		\
+	appl/dceutils/Makefile		\
 	doc/Makefile			\
+	tools/Makefile			\
 )
 
+AC_OUTPUT
+
 dnl
 dnl This is the release version name-number[beta]
 dnl
 HEIMDALVERSION="$PACKAGE-$VERSION"
 
 cat > include/newversion.h.in <<EOF
-char *heimdal_long_version = "@(#)\$Version: $HEIMDALVERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
-char *heimdal_version = "$HEIMDALVERSION";
+const char *heimdal_long_version = "@(#)\$Version: $HEIMDALVERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+const char *heimdal_version = "$HEIMDALVERSION";
 EOF
 
 if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
diff --git a/crypto/heimdal/doc/Makefile.in b/crypto/heimdal/doc/Makefile.in
index 710abb8..2638ef1 100644
--- a/crypto/heimdal/doc/Makefile.in
+++ b/crypto/heimdal/doc/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.6 1999/03/20 13:58:16 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:16 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies no-texinfo.tex
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,29 +170,26 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 info_TEXINFOS = heimdal.texi
 heimdal_TEXINFOS = intro.texi install.texi setup.texi kerberos4.texi
+subdir = doc
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -182,17 +197,18 @@ CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
 TEXI2DVI = texi2dvi
 INFO_DEPS = heimdal.info
 DVIS = heimdal.dvi
 TEXINFOS = heimdal.texi
+depcomp = 
 DIST_COMMON =  $(heimdal_TEXINFOS) Makefile.am Makefile.in mdate-sh
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 all: all-redirect
 .SUFFIXES:
@@ -217,7 +233,7 @@ DVIPS = dvips
 	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
 
 .texi.dvi:
-	TEXINPUTS=.:$$TEXINPUTS \
+	TEXINPUTS=$(srcdir):$$TEXINPUTS \
 	  MAKEINFO='$(MAKEINFO) -I $(srcdir)' $(TEXI2DVI) $<
 
 .texi:
@@ -236,7 +252,7 @@ DVIPS = dvips
 	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
 
 .texinfo.dvi:
-	TEXINPUTS=.:$$TEXINPUTS \
+	TEXINPUTS=$(srcdir):$$TEXINPUTS \
 	  MAKEINFO='$(MAKEINFO) -I $(srcdir)' $(TEXI2DVI) $<
 
 .txi.info:
@@ -245,7 +261,7 @@ DVIPS = dvips
 	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
 
 .txi.dvi:
-	TEXINPUTS=.:$$TEXINPUTS \
+	TEXINPUTS=$(srcdir):$$TEXINPUTS \
 	  MAKEINFO='$(MAKEINFO) -I $(srcdir)' $(TEXI2DVI) $<
 
 .txi:
@@ -261,7 +277,7 @@ install-info-am: $(INFO_DEPS)
 	@list='$(INFO_DEPS)'; \
 	for file in $$list; do \
 	  d=$(srcdir); \
-	  for ifile in `cd $$d && echo $$file $$file-[0-9] $$file-[0-9][0-9]`; do \
+	  for ifile in `CDPATH=: && cd $$d && echo $$file $$file-[0-9] $$file-[0-9][0-9]`; do \
 	    if test -f $$d/$$ifile; then \
 	      echo " $(INSTALL_DATA) $$d/$$ifile $(DESTDIR)$(infodir)/$$ifile"; \
 	      $(INSTALL_DATA) $$d/$$ifile $(DESTDIR)$(infodir)/$$ifile; \
@@ -280,35 +296,37 @@ install-info-am: $(INFO_DEPS)
 uninstall-info:
 	$(PRE_UNINSTALL)
 	@if $(SHELL) -c 'install-info --version | sed 1q | fgrep -s -v -i debian' >/dev/null 2>&1; then \
-	  ii=yes; \
-	else ii=; fi; \
-	list='$(INFO_DEPS)'; \
-	for file in $$list; do \
-	  test -z "$ii" \
-	    || install-info --info-dir=$(DESTDIR)$(infodir) --remove $$file; \
-	done
+	  list='$(INFO_DEPS)'; \
+	  for file in $$list; do \
+	    echo " install-info --info-dir=$(DESTDIR)$(infodir) --remove $(DESTDIR)$(infodir)/$$file"; \
+	    install-info --info-dir=$(DESTDIR)$(infodir) --remove $(DESTDIR)$(infodir)/$$file; \
+	  done; \
+	else :; fi
 	@$(NORMAL_UNINSTALL)
-	list='$(INFO_DEPS)'; \
+	@list='$(INFO_DEPS)'; \
 	for file in $$list; do \
-	  (cd $(DESTDIR)$(infodir) && rm -f $$file $$file-[0-9] $$file-[0-9][0-9]); \
+	  (if cd $(DESTDIR)$(infodir); then \
+	     echo " rm -f $$file $$file-[0-9] $$file-[0-9][0-9])"; \
+	     rm -f $$file $$file-[0-9] $$file-[0-9][0-9]; \
+	   else :; fi); \
 	done
 
 dist-info: $(INFO_DEPS)
 	list='$(INFO_DEPS)'; \
 	for base in $$list; do \
 	  d=$(srcdir); \
-	  for file in `cd $$d && eval echo $$base*`; do \
+	  for file in `CDPATH=: && cd $$d && eval echo $$base*`; do \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
 	    || cp -p $$d/$$file $(distdir)/$$file; \
 	  done; \
 	done
 
 mostlyclean-aminfo:
 	-rm -f heimdal.aux heimdal.cp heimdal.cps heimdal.dvi heimdal.fn \
-	  heimdal.fns heimdal.ky heimdal.kys heimdal.ps heimdal.log \
-	  heimdal.pg heimdal.toc heimdal.tp heimdal.tps heimdal.vr \
-	  heimdal.vrs heimdal.op heimdal.tr heimdal.cv heimdal.cn
+	  heimdal.fns heimdal.pgs heimdal.ky heimdal.kys heimdal.ps \
+	  heimdal.log heimdal.pg heimdal.toc heimdal.tp heimdal.tps \
+	  heimdal.vr heimdal.vrs heimdal.op heimdal.tr heimdal.cv \
+	  heimdal.cn heimdal.cm heimdal.ov
 
 clean-aminfo:
 
@@ -327,17 +345,16 @@ TAGS:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = doc
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-info
@@ -367,7 +384,7 @@ uninstall: uninstall-am
 all-am: Makefile $(INFO_DEPS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(infodir)
 
@@ -381,6 +398,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-aminfo mostlyclean-generic
 
 mostlyclean: mostlyclean-am
@@ -406,9 +424,9 @@ distclean-aminfo clean-aminfo maintainer-clean-aminfo tags distdir \
 info-am info dvi-am dvi check-local check check-am installcheck-am \
 installcheck install-exec-am install-exec install-data-local \
 install-data-am install-data install-am install uninstall-am uninstall \
-all-local all-redirect all-am all installdirs mostlyclean-generic \
-distclean-generic clean-generic maintainer-clean-generic clean \
-mostlyclean distclean maintainer-clean
+all-local all-redirect all-am all install-strip installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
 install-suid-programs:
@@ -416,7 +434,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -428,8 +449,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -498,87 +519,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/doc/ack.texi b/crypto/heimdal/doc/ack.texi
index 1594194..eedbc53 100644
--- a/crypto/heimdal/doc/ack.texi
+++ b/crypto/heimdal/doc/ack.texi
@@ -1,3 +1,5 @@
+@c $Id: ack.texi,v 1.13 2001/01/30 01:57:31 assar Exp $
+
 @node  Acknowledgments, , Windows 2000 compatability, Top
 @comment  node-name,  next,  previous,  up
 @appendix Acknowledgments
@@ -26,7 +28,7 @@ Bugfixes, documentation, encouragement, and code has been contributed by:
 @item Johan Ihrén
 @email{johani@@pdc.kth.se}
 @item Love Hörnquist-Åstrand
-@email{e96_lho@@e.kth.se}
+@email{lha@@stacken.kth.se}
 @item Magnus Ahltorp
 @email{map@@stacken.kth.se}
 @item Mark Eichin
@@ -51,6 +53,10 @@ Bugfixes, documentation, encouragement, and code has been contributed by:
 @email{bmay@@snoopy.apana.org.au}
 @item Chaskiel M Grundman
 @email{cg2v@@andrew.cmu.edu}
+@item Richard Nyberg
+@email{rnyberg@@it.su.se}
+@item Frank van der Linden
+@email{fvdl@@netbsd.org}
 @item and we hope that those not mentioned here will forgive us.
 @end table
 
diff --git a/crypto/heimdal/doc/heimdal.texi b/crypto/heimdal/doc/heimdal.texi
index 4cf1b3f..3d9d4cd 100644
--- a/crypto/heimdal/doc/heimdal.texi
+++ b/crypto/heimdal/doc/heimdal.texi
@@ -1,6 +1,6 @@
 \input texinfo @c -*- texinfo -*-
 @c %**start of header
-@c $Id: heimdal.texi,v 1.14 2000/01/02 04:09:00 assar Exp $
+@c $Id: heimdal.texi,v 1.16 2000/07/28 15:43:36 assar Exp $
 @setfilename heimdal.info
 @settitle HEIMDAL
 @iftex
@@ -15,9 +15,9 @@
 @c %**end of header
 
 @c not yet @include version.texi
-@set UPDATED $Date: 2000/01/02 04:09:00 $
-@set EDITION 0.0
-@set VERSION 0.2k
+@set UPDATED $Date: 2000/07/28 15:43:36 $
+@set EDITION 0.1
+@set VERSION 0.3a
 
 @ifinfo
 @dircategory Heimdal
@@ -227,6 +227,7 @@ to the following restrictions:
 * Things in search for a better place::  
 * Kerberos 4 issues::           
 * Windows 2000 compatability::
+* Migration::
 * Acknowledgments::             
 
 @end menu
@@ -237,6 +238,7 @@ to the following restrictions:
 @include setup.texi
 @include misc.texi
 @include kerberos4.texi
+@include migration.texi
 @include win2k.texi
 @include ack.texi
 
diff --git a/crypto/heimdal/doc/install.texi b/crypto/heimdal/doc/install.texi
index 5d195a6..aa56cea 100644
--- a/crypto/heimdal/doc/install.texi
+++ b/crypto/heimdal/doc/install.texi
@@ -1,3 +1,5 @@
+@c $Id: install.texi,v 1.16 2001/01/28 22:11:22 assar Exp $
+
 @node Building and Installing, Setting up a realm, What is Kerberos?, Top
 @comment  node-name,  next,  previous,  up
 @chapter Building and Installing
@@ -60,6 +62,10 @@ used by the ``KDC'' in AFS. Requires Kerberos 4 support.
 Enables experimental support for reading kaserver databases in hprop.
 This is useful when migrating from a kaserver to a Heimdal KDC.
 
+@item @kbd{--enable-dce}
+Enables support for getting DCE credentials and tokens.  See the README
+files in @file{appl/dceutils} for more information.
+
 @item @kbd{--disable-otp}
 By default some of the application programs will build with support for
 one-time passwords (OTP).  Use this option to disable that support.
@@ -83,4 +89,21 @@ Probably only useful (and working) on NextStep/Mac OS X.
 @item @kbd{--without-ipv6}
 Disable the IPv6 support.
 
+@item @kbd{--with-openldap}
+Compile Heimdal with support for storing the database in LDAP.  Requires
+OpenLDAP @url{http://www.openldap.org}.  See
+@url{http://www.padl.com/~lukeh/heimdal/} for more information.
+
+@item @kbd{--enable-bigendian}
+@item @kbd{--enable-littleendian}
+Normally, the build process will figure out by itself if the machine is
+big or little endian.  It might fail in some cases when
+cross-compiling.  If it does fail to figure it out, use the relevant of
+these two options.
+
+@item @kbd{--with-mips-abi=@var{abi}}
+On Irix there are three different ABIs that can be used (@samp{32},
+@samp{n32}, or @samp{64}).  This option allows you to override the
+automatic selection.
+
 @end table
diff --git a/crypto/heimdal/doc/intro.texi b/crypto/heimdal/doc/intro.texi
index 518aada..6c6ff3a 100644
--- a/crypto/heimdal/doc/intro.texi
+++ b/crypto/heimdal/doc/intro.texi
@@ -1,3 +1,5 @@
+@c $Id: intro.texi,v 1.12 2001/01/28 22:11:22 assar Exp $
+
 @node Introduction, What is Kerberos?, Top, Top
 @c @node Introduction, What is Kerberos?, Top, Top
 @comment  node-name,  next,  previous,  up
diff --git a/crypto/heimdal/doc/kerberos4.texi b/crypto/heimdal/doc/kerberos4.texi
index 2e4f92c..92614c8 100644
--- a/crypto/heimdal/doc/kerberos4.texi
+++ b/crypto/heimdal/doc/kerberos4.texi
@@ -1,13 +1,19 @@
-@node Kerberos 4 issues, Windows 2000 compatability, Things in search for a better place, Top
+@c $Id: kerberos4.texi,v 1.12 2001/01/30 17:07:03 assar Exp $
+
+@node Kerberos 4 issues, Migration, Things in search for a better place, Top
 @comment  node-name,  next,  previous,  up
 @chapter Kerberos 4 issues
 
 If compiled with version 4 support, the KDC can serve requests from a
 Kerberos 4 client. There are a few things you must do for this to work.
 
+You might also want use the built in kaserver emulation in the kdc
+when you have AFS-clients that use @code{klog}.
+
 @menu
 * Principal conversion issues::  
 * Converting a version 4 database::  
+* kaserver::
 @end menu
 
 @node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues
@@ -51,7 +57,7 @@ principal exists in the database. The KDC will use
 @code{krb5_425_conv_principal_ext} to convert principals when handling
 to version 4 requests.
 
-@node Converting a version 4 database,  , Principal conversion issues, Kerberos 4 issues
+@node Converting a version 4 database, kaserver , Principal conversion issues, Kerberos 4 issues
 @section Converting a version 4 database
 
 If you want to convert an existing version 4 database, the principal
@@ -153,13 +159,19 @@ the @samp{[libdefaults]} section.
 
 @subsection Converting a database
 
-The database conversion is done with @samp{hprop}. Assuming that you
-have the @samp{kadmin/hprop} key in the keytab @file{hprop.keytab}, you
-can run this command to propagate the database to the machine called
+The database conversion is done with @samp{hprop}. You can run this
+command to propagate the database to the machine called
 @samp{slave-server} (which should be running a @samp{hpropd}).
 
 @example
-hprop -4 -E -k hprop.keytab slave-server
+hprop --source=krb4-db -E slave-server
+@end example
+
+This command can also be to use for converting the v4 database on the
+server:
+
+@example
+hprop -n --source=krb4-db -d /var/kerberos/principal -E | hpropd -n
 @end example
 
 @section Version 4 Kadmin
@@ -177,3 +189,38 @@ version 4 uses port 751, not 749).
 
 @emph{And then there are a many more things you can do; more on this in
 a later version of this manual. Until then, UTSL.}
+
+@node kaserver, , Converting a version 4 database, Kerberos 4 issues
+@section kaserver
+
+@subsection kaserver emulation
+
+The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4
+server with pre-authentication using Rx as the on-wire protocol. The kdc
+contains a minimalistic Rx implementation.
+
+There are three parts of the kaserver; KAA (Authentication), KAT (Ticket
+Granting), and KAM (Maintenance). The KAA interface and KAT interface
+both passes over DES encrypted data-blobs (just like the
+Kerberos-protocol) and thus o not need any other protection.  The KAM
+interface uses @code{rxkad} (Kerberos authentication layer for Rx) for
+security and data protection, and is used for example for changing
+passwords.  This part is not implemented in the kdc.
+
+Another difference between the ka-protocol and the Kerberos 4 protocol
+is that the pass-phrase is salted with the cellname in the @code{string to
+key} function in the ka-protocol, while in the Kerberos 4 protocol there
+is no salting of the password at all. To make sure AFS-compatible keys
+are added to each principals when they are created or their password are
+changed, @samp{afs3-salt} should be added to
+@samp{[kadmin]default_keys}.
+
+@subsection Transarc AFS Windows client
+
+The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus
+does not need a kaserver. The Windows client assumes that the Kerberos
+server is on the same machine as the AFS-database server. If you do not
+like to do that you can add a small program that runs on the database
+servers that forward all kerberos requests to the real kerberos
+server. A program that does this is @code{krb-forward}
+(@url{ftp://ftp.stacken.kth.se/pub/projekts/krb-forward}).
diff --git a/crypto/heimdal/doc/migration.texi b/crypto/heimdal/doc/migration.texi
new file mode 100644
index 0000000..90deed7
--- /dev/null
+++ b/crypto/heimdal/doc/migration.texi
@@ -0,0 +1,43 @@
+@c $Id: migration.texi,v 1.2 2001/01/28 22:03:36 assar Exp $
+
+@node Migration, Windows 2000 compatability, Kerberos 4 issues, Top
+@chapter Migration
+
+@section General issues
+
+When migrating from a Kerberos 4 KDC.
+
+@section Order in what to do things:
+
+@itemize @bullet
+
+@item Convert the database, check all principals that hprop complains
+about.
+
+@samp{hprop -n --source=<NNN>| hpropd -n}
+
+Replace <NNN> with whatever source you have, like krb4-db or krb4-dump.
+
+@item Run a Kerberos 5 slave for a while.
+
+@c XXX Add you slave first to your kdc list in you kdc.
+
+@item Figure out if it does everything you want it to.
+
+Make sure that all things that you use works for you.
+
+@item Let a small number of controlled users use Kerberos 5 tools.
+
+Find a sample population of your users and check what programs they use,
+you can also check the kdc-log to check what ticket are checked out.
+
+@item Burn the bridge and change the master.
+@item Let all users use the Kerberos 5 tools by default.
+@item Turn off services that do not need Kerberos 4 authentication.
+
+Things that might be hard to get away is old programs with support for
+Kerberos 4. Example applications are old Eudora installations using
+KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in the Heimdal
+kdc.
+
+@end itemize
diff --git a/crypto/heimdal/doc/misc.texi b/crypto/heimdal/doc/misc.texi
index e926536..994f6f2 100644
--- a/crypto/heimdal/doc/misc.texi
+++ b/crypto/heimdal/doc/misc.texi
@@ -1,14 +1,16 @@
+@c $Id: misc.texi,v 1.5 2001/01/28 22:11:23 assar Exp $
+
 @node Things in search for a better place, Kerberos 4 issues, Setting up a realm, Top
 @chapter Things in search for a better place
 
 @section Making things work on Ciscos
 
 Modern versions of Cisco IOS has some support for authenticating via
-Kerberos 5. This can be used both to verify passwords via a ticket
-exchange Kerberos 5 (boring), and to use Kerberos authenticated telnet
-to access your router (less boring). The following has been tested on
-IOS 11.2(12), things might be different with other versions. Old
-versions are known to have bugs.
+Kerberos 5. This can be used both by having the router get a ticket when
+you login (boring), and by using Kerberos authenticated telnet to access
+your router (less boring). The following has been tested on IOS
+11.2(12), things might be different with other versions. Old versions
+are known to have bugs.
 
 To make this work, you will first have to configure your router to use
 Kerberos (this is explained in the documentation). A sample
@@ -24,31 +26,25 @@ kerberos server FOO.SE 10.0.0.1
 kerberos instance map admin 15
 @end example
 
-This tells you (among other things) that the when logging in, the router
-should try to authenticate with kerberized telnet, and if that fails try
+This tells you (among other things) that when logging in, the router
+should try to authenticate with kerberised telnet, and if that fails try
 to verify a plain text password via a Kerberos ticket exchange (as
-opposed to a local database or RADIUS or something similar), and if that
+opposed to a local database, RADIUS or something similar), and if that
 fails try the local enable password. If you're not careful when you
 specify the `login default' authentication mechanism, you might not be
-able to login. The `instance map' and `authorization exec' lines says
-that people with `admin' instances should be given `enabled' shells when
-logging in.
+able to login at all. The `instance map' and `authorization exec' lines
+says that people with `admin' instances should be given `enabled' shells
+when logging in.
+
+The numbers after the principal on the `srvtab' line are principal type,
+timestamp (in seconds since 1970), key version number (4), keytype (1 ==
+des), key length (always 8 with des), and then the key.
 
 To make the Heimdal KDC produce tickets that the Cisco can decode you
 might have to turn on the @samp{encode_as_rep_as_tgs_rep} flag in the
 KDC. You will also have to specify that the router can't handle anything
-but @samp{des-cbc-crc}. There currently isn't an easy way to do
-this. The best you can do is to dump your database (with @samp{kadmin -l
-dump}), remove all entries for keys other than @samp{des-cbc-crc}, and
-then reloading the database (@samp{kadmin -l load}). An example should
-clarify this. You should have something like (again, truncated):
-@example 
-host/router.foo.se@@FOO.SE 4:0:1:...:-:... - - - - - - - 126
-@end example
-Change this to:
-@example 
-host/router.foo.se@@FOO.SE 4:0:1:...:- - - - - - - - 126
-@end example
+but @samp{des-cbc-crc}. This can be done with the @samp{del_enctype}
+command of @samp{kadmin}.
 
 This all fine and so, but unless you have an IOS version with encryption
 (available only in the U.S) it doesn't really solve any problems. Sure
diff --git a/crypto/heimdal/doc/setup.texi b/crypto/heimdal/doc/setup.texi
index a43eb7e..ed14306 100644
--- a/crypto/heimdal/doc/setup.texi
+++ b/crypto/heimdal/doc/setup.texi
@@ -1,6 +1,21 @@
+@c $Id: setup.texi,v 1.21 2001/01/29 04:39:46 assar Exp $
+
 @node Setting up a realm, Things in search for a better place, Building and Installing, Top
+
 @chapter Setting up a realm
 
+@menu
+* Configuration file::          
+* Creating the database::       
+* keytabs::                     
+* Remote administration::       
+* Password changing::           
+* Testing clients and servers::  
+* Slave Servers::               
+* Incremental propagation::     
+* Salting::
+@end menu
+
 A
 @cindex realm
 realm is an administrative domain.  The name of a Kerberos realm is
@@ -8,6 +23,7 @@ usually the Internet domain name in uppercase.  Call your realm the same
 as your Internet domain name if you do not have strong reasons for not
 doing so.  It will make life easier for you and everyone else.
 
+@node  Configuration file, Creating the database, Setting up a realm, Setting up a realm
 @section Configuration file
 
 To setup a realm you will first have to create a configuration file:
@@ -77,6 +93,7 @@ If you use a realm name equal to your domain name, you can omit the
 SRV-record for your realm, or your kerberos server has CNAME called
 @samp{kerberos.my.realm}, you can omit the @samp{realms} section too.
 
+@node Creating the database, keytabs, Configuration file, Setting up a realm
 @section Creating the database
 
 The database library will look for the database in @file{/var/heimdal},
@@ -148,15 +165,16 @@ krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
 kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
 @end smallexample
 
+@node keytabs, Remote administration, Creating the database, Setting up a realm
 @section keytabs
 
 To extract a service ticket from the database and put it in a keytab you
 need to first create the principal in the database with @samp{ank}
-(using the @kbd{--random} flag to get a random password) and then
+(using the @kbd{--random-key} flag to get a random key) and then
 extract it with @samp{ext_keytab}.
 
 @example
-kadmin> add --random host/my.host.name
+kadmin> add --random-key host/my.host.name
 Max ticket life [unlimited]:
 Max renewable life [unlimited]:
 Attributes []:
@@ -169,11 +187,13 @@ Version  Type             Principal
      1   des3-cbc-sha1    host/my.host.name@@MY.REALM
 @end example
 
+@node Remote administration, Password changing, keytabs, Setting up a realm
 @section Remote administration
 
-The administration server, @samp{kadmind}, is started by @samp{inetd}
-and you should add a line similar to the one below to your
-@file{/etc/inetd.conf}.
+The administration server, @samp{kadmind}, can be started by
+@samp{inetd} (which isn't recommended) or run as a normal daemon. If you
+want to start it from @samp{inetd} you should add a line similar to the
+one below to your @file{/etc/inetd.conf}.
 
 @example
 kerberos-adm stream     tcp     nowait  root /usr/heimdal/libexec/kadmind kadmind
@@ -186,7 +206,7 @@ Access to the admin server is controlled by an acl-file, (default
 @file{/var/heimdal/kadmind.acl}.) The lines in the access file, has the
 following syntax:
 @smallexample
-principal       [priv1,priv2,...]
+principal       [priv1,priv2,...]       [glob-pattern]
 @end smallexample
 
 The privileges you can assign to a principal are: @samp{add},
@@ -195,6 +215,26 @@ The privileges you can assign to a principal are: @samp{add},
 @samp{all}. All of these roughly corresponds to the different commands
 in @samp{kadmin}.
 
+If a @var{glob-pattern} is given on a line, it restricts the right for
+the principal to only apply for the subjects that match the pattern.
+The patters are of the same type as those used in shell globbing, see
+@url{none,,fnmatch(3)}.
+
+In the example below @samp{lha/admin} can change every principal in the
+database. @samp{jimmy/admin} can only modify principals that belong to
+the realm @samp{E.KTH.SE}. @samp{mille/admin} is working at the
+helpdesk, so he should only be able to change the passwords for single
+component principals (ordinary users). He will not be able to change any
+@samp{/admin} principal.
+
+@example
+lha/admin@@E.KTH.SE	all
+jimmy/admin@@E.KTH.SE	all		*@@E.KTH.SE
+jimmy/admin@@E.KTH.SE	all		*/*@@E.KTH.SE
+mille/admin@@E.KTH.SE	change-password	*@@E.KTH.SE
+@end example
+
+@node Password changing, Testing clients and servers, Remote administration, Setting up a realm
 @section Password changing
 
 To allow users to change their passwords, you should run @samp{kpasswdd}.
@@ -241,7 +281,155 @@ the patch available at
 If no password quality checking function is configured, it is only
 verified that it is at least six characters of length.
 
+@node Testing clients and servers, Slave Servers, Password changing, Setting up a realm
 @section Testing clients and servers
 
 Now you should be able to run all the clients and servers.  Refer to the
 appropriate man pages for information on how to use them.
+
+@node Slave Servers, Incremental propagation, Testing clients and servers, Setting up a realm
+@section Slave servers, Incremental propagation, Testing clients and servers, Setting up a realm
+
+It is desirable to have at least one backup (slave) server in case the
+master server fails. It is possible to have any number of such slave
+servers but more than three usually doesn't buy much more redundancy.
+
+All Kerberos servers for a realm shall have the same database so that
+they present the same service to all the users.  The
+@pindex hprop
+@code{hprop} program, running on the master, will propagate the database
+to the slaves, running
+@pindex hpropd
+@code{hpropd} processes.
+
+Every slave needs a keytab with a principal,
+@samp{hprop/@var{hostname}}.  Add that with the
+@pindex ktutil
+@code{ktutil} command and start
+@pindex hpropd
+@code{propd}, as follows:
+
+@example
+slave# ktutil get -p foo/admin host/`hostname`
+slave# hpropd
+@end example
+
+The master will use the principal @samp{kadmin/hprop} to authenticate to
+the slaves.  This principal should be added when running @kbd{kadmin -l
+init} but if you do not have it in your database for whatever reason,
+please add it with @kbd{kadmin -l add}.
+
+Then run
+@pindex hprop
+@code{hprop} on the master:
+
+@example
+master# hprop slave
+@end example
+
+This was just an on-hands example to make sure that everything was
+working properly.  Doing it manually is of course the wrong way and to
+automate this you will want to start
+@pindex hpropd
+@code{hpropd} from @code{inetd} on the slave(s) and regularly run
+@pindex hprop
+@code{hprop} on the master to regularly propagate the database.
+Starting the propagation once an hour from @code{cron} is probably a
+good idea.
+
+@node Incremental propagation, Salting , Slave Servers, Setting up a realm
+@section Incremental propagation
+
+There is also a newer and still somewhat experimental mechanism for
+doing incremental propagation in Heimdal.  Instead of sending the whole
+database regularly, it sends the changes as they happen on the master to
+the slaves.  The master keeps track of all the changes by assigned a
+version number to every change to the database.  The slaves know which
+was the latest version they saw and in this way it can be determined if
+they are in sync or not.  A log of all the changes is kept on the master
+and when a slave is at an older versioner than the oldest one in the
+log, the whole database has to be sent.
+
+Protocol-wise, all the slaves connects to the master and as a greeting
+tell it the latest version that they have (@samp{IHAVE} message).  The
+master then responds by sending all the changes between that version and
+the current version at the master (a series of @samp{FORYOU} messages)
+or the whole database in a @samp{TELLYOUEVERYTHING} message.
+
+@subsection Configuring incremental propagation
+
+The program that runs on the master is @code{ipropd-master} and all
+clients run @code{ipropd-slave}.
+
+Create the file @file{/var/heimdal/slaves} on the master containing all
+the slaves that the database should be propagated to.  Each line contains
+the full name of the principal (for example
+@samp{iprop/hemligare.foo.se@@FOO.SE}).
+
+You should already have @samp{iprop/tcp} defined as 2121, in your
+@file{/etc/services}.  Otherwise, or if you need to use a different port
+for some peculiar reason, you can use the @kbd{--port} option.  This is
+useful when you have multiple realms to distribute from one server.
+
+Then you need to create these principals that you added in the
+configuration file.  Create one @samp{iprop/hostname} for the master and
+for every slave.
+
+
+@example
+master# /usr/heimdal/sbin/ktutil get iprop/`hostname`
+@end example
+
+The next step is to start the @code{ipropd-master} process on the master
+server.  The @code{ipropd-master} listens on the UNIX-socket
+@file{/var/heimdal/signal} to know when changes have been made to the
+database so they can be propagated to the slaves.  There is also a
+safety feature of testing the version number regularly (every 30
+seconds) to see if it has been modified by some means that do not raise
+this signal.  Then, start @code{ipropd-slave} on all the slaves:
+
+@example
+master# /usr/heimdal/libexec/ipropd-master &
+slave#  /usr/heimdal/libexec/ipropd-slave master &
+@end example
+
+@node Salting, , Incremental propagation, Setting up a realm
+@section Salting
+@cindex Salting
+
+Salting is used to make it harder to precalculate all possible
+keys. Using a salt increases the search space to make it almost
+impossible to precalculate all keys. In salting you just append the salt
+to the password, or somehow merge the password with the salt.
+
+In Kerberos 5 the salting is determined by the encryption-type, except
+in case of @code{des}. In @code{des} there is the kerberos 4 salting
+(none at all) or the afs-salting (using the cell (realm in
+afs-lingo)). @code{[kadmin]default_keys} in @file{krb5.conf} controls
+what salting to use,
+
+The syntax of @code{[kadmin]default_keys} is
+@samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
+type (des, des3, arcfour), @code{salt-type} is the type of salt (pw-salt
+or afs3-salt), and the salt-string is the string that will be used as
+salt (remember that if the salt is appened/prepended, the empty salt ""
+is the same thing as no salt at all).
+
+Common types of salting includes
+
+@itemize
+@item @code{v4} (or @code{des:pw-salt:})
+
+The Kerberos 4 salting is using no salt att all. Reson there is colon
+that the end is that 
+
+@item @code{v5} (or @code{pw-salt})
+
+@code{pw-salt} means all regular encryption-types that is regular 
+
+@item @code{afs3-salt}
+
+@code{afs3-salt} is the salting that is used with Transarc kaserver. Its
+the cell appended to the password.
+
+@end itemize
diff --git a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt
new file mode 100644
index 0000000..85d7456
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on July 17, 2000.
diff --git a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt
new file mode 100644
index 0000000..202d44e
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt
@@ -0,0 +1,587 @@
+CAT working group                                              M. Swift 
+Internet Draft                                                J. Brezak 
+Document: draft-brezak-win2k-krb-rc4-hmac-03.txt              Microsoft 
+Category: Informational                                       June 2000 
+ 
+ 
+           The Windows 2000 RC4-HMAC Kerberos encryption type 
+ 
+ 
+Status of this Memo 
+ 
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are 
+   working documents of the Internet Engineering Task Force (IETF), its 
+   areas, and its working groups. Note that other groups may also 
+   distribute working documents as Internet-Drafts. Internet-Drafts are 
+   draft documents valid for a maximum of six months and may be 
+   updated, replaced, or obsoleted by other documents at any time. It 
+   is inappropriate to use Internet- Drafts as reference material or to 
+   cite them other than as "work in progress." 
+     
+   The list of current Internet-Drafts can be accessed at 
+   http://www.ietf.org/ietf/1id-abstracts.txt  
+   The list of Internet-Draft Shadow Directories can be accessed at 
+   http://www.ietf.org/shadow.html. 
+    
+1. Abstract 
+    
+   The Windows 2000 implementation of Kerberos introduces a new 
+   encryption type based on the RC4 encryption algorithm and using an 
+   MD5 HMAC for checksum. This is offered as an alternative to using 
+   the existing DES based encryption types. 
+    
+   The RC4-HMAC encryption types are used to ease upgrade of existing 
+   Windows NT environments, provide strong crypto (128-bit key 
+   lengths), and provide exportable (meet United States government 
+   export restriction requirements) encryption. 
+    
+   The Windows 2000 implementation of Kerberos contains new encryption 
+   and checksum types for two reasons: for export reasons early in the 
+   development process, 56 bit DES encryption could not be exported, 
+   and because upon upgrade from Windows NT 4.0 to Windows 2000, 
+   accounts will not have the appropriate DES keying material to do the 
+   standard DES encryption. Furthermore, 3DES is not available for 
+   export, and there was a desire to use a single flavor of encryption 
+   in the product for both US and international products. 
+    
+   As a result, there are two new encryption types and one new checksum 
+   type introduced in Windows 2000. 
+    
+    
+2. Conventions used in this document 
+    
+
+  
+Swift                  Category - Informational                      1 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
+   this document are to be interpreted as described in RFC-2119 [2]. 
+    
+3. Key Generation 
+    
+   On upgrade from existing Windows NT domains, the user accounts would 
+   not have a DES based key available to enable the use of DES base 
+   encryption types specified in RFC 1510. The key used for RC4-HMAC is 
+   the same as the existing Windows NT key (NT Password Hash) for 
+   compatibility reasons. Once the account password is changed, the DES 
+   based keys are created and maintained. Once the DES keys are 
+   available DES based encryption types can be used with Kerberos.  
+    
+   The RC4-HMAC String to key function is defined as follow: 
+    
+   String2Key(password) 
+    
+        K = MD4(UNICODE(password)) 
+         
+   The RC4-HMAC keys are generated by using the Windows UNICODE version 
+   of the password. Each Windows UNICODE character is encoded in 
+   little-endian format of 2 octets each. Then performing an MD4 [6] 
+   hash operation on just the UNICODE characters of the password (not 
+   including the terminating zero octets). 
+    
+   For an account with a password of "foo", this String2Key("foo") will 
+   return: 
+    
+        0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe, 
+        0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc 
+    
+4. Basic Operations 
+    
+   The MD5 HMAC function is defined in [3]. It is used in this 
+   encryption type for checksum operations. Refer to [3] for details on 
+   its operation. In this document this function is referred to as 
+   HMAC(Key, Data) returning the checksum using the specified key on 
+   the data. 
+    
+   The basic MD5 hash operation is used in this encryption type and 
+   defined in [7]. In this document this function is referred to as 
+   MD5(Data) returning the checksum of the data. 
+    
+   RC4 is a stream cipher licensed by RSA Data Security [RSADSI]. A       
+   compatible cipher is described in [8]. In this document the function 
+   is referred to as RC4(Key, Data) returning the encrypted data using 
+   the specified key on the data. 
+    
+   These encryption types use key derivation as defined in [9] (RFC-
+   1510BIS) in Section titled "Key Derivation". With each message, the 
+   message type (T) is used as a component of the keying material. This 
+   summarizes the different key derivation values used in the various 
+  
+Swift                  Category - Informational                      2 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   operations. Note that these differ from the key derivations used in 
+   other Kerberos encryption types. 
+    
+        T = 1 for TS-ENC-TS in the AS-Request 
+        T = 8 for the AS-Reply  
+        T = 7 for the Authenticator in the TGS-Request 
+        T = 8 for the TGS-Reply  
+        T = 2 for the Server Ticket in the AP-Request 
+        T = 11 for the Authenticator in the AP-Request 
+        T = 12 for the Server returned AP-Reply 
+        T = 15 in the generation of checksum for the MIC token 
+        T = 0 in the generation of sequence number for the MIC token  
+        T = 13 in the generation of checksum for the WRAP token 
+        T = 0 in the generation of sequence number for the WRAP token  
+        T = 0 in the generation of encrypted data for the WRAPPED token 
+    
+   All strings in this document are ASCII unless otherwise specified. 
+   The lengths of ASCII encoded character strings include the trailing 
+   terminator character (0). 
+    
+   The concat(a,b,c,...) function will return the logical concatenation 
+   (left to right) of the values of the arguments. 
+    
+   The nonce(n) function returns a pseudo-random number of "n" octets. 
+    
+5. Checksum Types 
+    
+   There is one checksum type used in this encryption type. The 
+   Kerberos constant for this type is: 
+        #define KERB_CHECKSUM_HMAC_MD5 (-138) 
+    
+   The function is defined as follows: 
+    
+   K - is the Key 
+   T - the message type, encoded as a little-endian four byte integer 
+    
+   CHKSUM(K, T, data) 
+    
+        Ksign = HMAC(K, "signaturekey")  //includes zero octet at end 
+        tmp = MD5(concat(T, data)) 
+        CHKSUM = HMAC(Ksign, tmp) 
+    
+    
+6. Encryption Types 
+    
+   There are two encryption types used in these encryption types. The 
+   Kerberos constants for these types are: 
+        #define KERB_ETYPE_RC4_HMAC             23 
+        #define KERB_ETYPE_RC4_HMAC_EXP         24 
+    
+   The basic encryption function is defined as follow: 
+    
+   T = the message type, encoded as a little-endian four byte integer. 
+  
+Swift                  Category - Informational                      3 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+    
+        BYTE L40[14] = "fortybits"; 
+        BYTE SK = "signaturekey"; 
+         
+        ENCRYPT (K, fRC4_EXP, T, data, data_len, edata, edata_len) 
+        { 
+            if (fRC4_EXP){ 
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 10 + 4, K1); 
+            }else{ 
+                HMAC (K, &T, 4, K1); 
+            } 
+            memcpy (K2, K1, 16); 
+            if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
+            add_8_random_bytes(data, data_len, conf_plus_data); 
+            HMAC (K2, conf_plus_data, 8 + data_len, checksum); 
+            HMAC (K1, checksum, 16, K3); 
+            RC4(K3, conf_plus_data, 8 + data_len, edata + 16); 
+            memcpy (edata, checksum, 16); 
+            edata_len = 16 + 8 + data_len; 
+        }         
+         
+        DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) 
+        { 
+            if (fRC4_EXP){ 
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K1); 
+            }else{ 
+                HMAC (K, &T, 4, K1); 
+            } 
+            memcpy (K2, K1, 16); 
+            if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
+            HMAC (K1, edata, 16, K3); // checksum is at edata 
+            RC4(K3, edata + 16, edata_len - 16, edata + 16); 
+            data_len = edata_len - 16 - 8; 
+            memcpy (data, edata + 16 + 8, data_len); 
+             
+            // verify generated and received checksums 
+            HMAC (K2, edata + 16, edata_len - 16, checksum); 
+            if (memcmp(edata, checksum, 16) != 0)  
+                printf("CHECKSUM ERROR  !!!!!!\n"); 
+        } 
+    
+   The header field on the encrypted data in KDC messages is: 
+    
+        typedef struct _RC4_MDx_HEADER { 
+            UCHAR Checksum[16]; 
+            UCHAR Confounder[8]; 
+        } RC4_MDx_HEADER, *PRC4_MDx_HEADER; 
+         
+   The KDC message is encrypted using the ENCRYPT function not 
+   including the Checksum in the RC4_MDx_HEADER. 
+    
+  
+Swift                  Category - Informational                      4 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+7. Key Strength Negotiation 
+    
+   A Kerberos client and server can negotiate over key length if they 
+   are using mutual authentication. If the client is unable to perform 
+   full strength encryption, it may propose a key in the "subkey" field 
+   of the authenticator, using a weaker encryption type. The server 
+   must then either return the same key or suggest its own key in the 
+   subkey field of the AP reply message. The key used to encrypt data 
+   is derived from the key returned by the server. If the client is 
+   able to perform strong encryption but the server is not, it may 
+   propose a subkey in the AP reply without first being sent a subkey 
+   in the authenticator. 
+ 
+8. GSSAPI Kerberos V5 Mechanism Type  
+ 
+8.1 Mechanism Specific Changes 
+    
+   The GSSAPI per-message tokens also require new checksum and 
+   encryption types. The GSS-API per-message tokens must be changed to 
+   support these new encryption types (See [5] Section 1.2.2). The 
+   sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption 
+   is: 
+        Byte 4..5 SEAL_ALG      0x10 0x00 - RC4 
+    
+   The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: 
+        Byte 2..3 SGN ALG       0x11 0x00 - HMAC 
+    
+   The only support quality of protection is: 
+        #define GSS_KRB5_INTEG_C_QOP_DEFAULT    0x0 
+    
+   In addition, when using an RC4 based encryption type, the sequence 
+   number is sent in big-endian rather than little-endian order. 
+    
+   The Windows 2000 implementation also defines new GSSAPI flags in the 
+   initial token passed when initializing a security context. These 
+   flags are passed in the checksum field of the authenticator (See [5] 
+   Section 1.1.1). 
+    
+   GSS_C_DCE_STYLE - This flag was added for use with Microsoft’s 
+   implementation of DCE RPC, which initially expected three legs of 
+   authentication. Setting this flag causes an extra AP reply to be 
+   sent from the client back to the server after receiving the server’s 
+   AP reply. In addition, the context negotiation tokens do not have 
+   GSSAPI framing - they are raw AP message and do not include object 
+   identifiers. 
+        #define GSS_C_DCE_STYLE                 0x1000 
+    
+
+  
+Swift                  Category - Informational                      5 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the 
+   server that it should only allow the server application to identify 
+   the client by name and ID, but not to impersonate the client. 
+        #define GSS_C_IDENTIFY_FLAG             0x2000 
+         
+   GSS_C_EXTENDED_ERROR_FLAG - Setting this flag indicates that the 
+   client wants to be informed of extended error information. In 
+   particular, Windows 2000 status codes may be returned in the data 
+   field of a Kerberos error message. This allows the client to 
+   understand a server failure more precisely. In addition, the server 
+   may return errors to the client that are normally handled at the 
+   application layer in the server, in order to let the client try to 
+   recover. After receiving an error message, the client may attempt to 
+   resubmit an AP request. 
+        #define GSS_C_EXTENDED_ERROR_FLAG       0x4000 
+    
+   These flags are only used if a client is aware of these conventions 
+   when using the SSPI on the Windows platform, they are not generally 
+   used by default. 
+    
+   When NetBIOS addresses are used in the GSSAPI, they are identified 
+   by the GSS_C_AF_NETBIOS value. This value is defined as: 
+        #define GSS_C_AF_NETBIOS                0x14 
+   NetBios addresses are 16-octet addresses typically composed of 1 to 
                                                                 th
   15 characters, trailing blank (ascii char 20) filled, with a 16  
+   octet of 0x0. 
+    
+8.2 GSSAPI Checksum Type 
+    
+   The GSSAPI checksum type and algorithm is defined in Section 5. Only 
+   the first 8 octets of the checksum are used. The resulting checksum 
+   is stored in the SGN_CKSUM field (See [5] Section 1.2) for 
+   GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). 
+    
+        MIC (K, fRC4_EXP, seq_num, MIC_hdr, msg, msg_len, 
+             MIC_seq, MIC_checksum) 
+        { 
+            HMAC (K, SK, 13, K4); 
+            T = 15; 
+            memcpy (T_plus_hdr_plus_msg + 00, &T, 4); 
+            memcpy (T_plus_hdr_plus_msg + 04, MIC_hdr, 8);  
+                                                // 0101 1100 FFFFFFFF 
+            memcpy (T_plus_hdr_plus_msg + 12, msg, msg_len); 
+            MD5 (T_hdr_msg, 4 + 8 + msg_len, MD5_of_T_hdr_msg); 
+            HMAC (K4, MD5_of_T_hdr_msg, CHKSUM); 
+            memcpy (MIC_checksum, CHKSUM, 8); // use only first 8 bytes 
+          
+            T = 0; 
+            if (fRC4_EXP){  
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K5); 
+            }else{ 
+                HMAC (K, &T, 4, K5); 
+  
+Swift                  Category - Informational                      6 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+            } 
+            if (fRC4_EXP) memset(K5+7, 0xAB, 9); 
+            HMAC(K5, MIT_checksum, 8, K6); 
+            copy_seq_num_in_big_endian(seq_num, seq_plus_direction); 
+        //0x12345678 
+            copy_direction_flag (direction_flag, seq_plus_direction + 
+        4); //0x12345678FFFFFFFF 
+            RC4(K6, seq_plus_direction, 8, MIC_seq); 
+        } 
+    
+8.3 GSSAPI Encryption Types 
+    
+   There are two encryption types for GSSAPI message tokens, one that 
+   is 128 bits in strength, and one that is 56 bits in strength as 
+   defined in Section 6. 
+    
+   All padding is rounded up to 1 byte. One byte is needed to say that 
+   there is 1 byte of padding. The DES based mechanism type uses 8 byte 
+   padding. See [5] Section 1.2.2.3. 
+    
+   The encryption mechanism used for GSS wrap based messages is as 
+   follow: 
+    
+    
+        WRAP (K, fRC4_EXP, seq_num, WRAP_hdr, msg, msg_len, 
+              WRAP_seq, WRAP_checksum, edata, edata_len) 
+        { 
+            HMAC (K, SK, 13, K7); 
+            T = 13; 
+            PAD = 1; 
+            memcpy (T_hdr_conf_msg_pad + 00, &T, 4); 
+            memcpy (T_hdr_conf_msg_pad + 04, WRAP_hdr, 8); // 0101 1100 
+        FFFFFFFF 
+            memcpy (T_hdr_conf_msg_pad + 12, msg, msg_len); 
+            memcpy (T_hdr_conf_msg_pad + 12 + msg_len, &PAD, 1); 
+            MD5 (T_hdr_conf_msg_pad, 
+                 4 + 8 + 8 + msg_len + 1, 
+                 MD5_of_T_hdr_conf_msg_pad); 
+            HMAC (K7, MD5_of_T_hdr_conf_msg_pad, CHKSUM); 
+            memcpy (WRAP_checksum, CHKSUM, 8); // use only first 8 
+        bytes 
+          
+            T = 0; 
+            if (fRC4_EXP){  
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K8); 
+            }else{ 
+                HMAC (K, &T, 4, K8); 
+            } 
+            if (fRC4_EXP) memset(K8+7, 0xAB, 9); 
+            HMAC(K8, WRAP_checksum, 8, K9); 
+            copy_seq_num_in_big_endian(seq_num, seq_plus_direction); 
+        //0x12345678 
+  
+Swift                  Category - Informational                      7 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+            copy_direction_flag (direction_flag, seq_plus_direction + 
+        4); //0x12345678FFFFFFFF 
+            RC4(K9, seq_plus_direction, 8, WRAP_seq); 
+          
+            for (i = 0; i < 16; i++) K10 [i] ^= 0xF0; // XOR each byte 
+        of key with 0xF0 
+            T = 0; 
+            if (fRC4_EXP){ 
+                *(DWORD *)(L40+10) = T; 
+                HMAC(K10, L40, 14, K11); 
+                memset(K11+7, 0xAB, 9); 
+            }else{ 
+                HMAC(K10, &T, 4, K11);  
+            } 
+            HMAC(K11, seq_num, 4, K12); 
+            RC4(K12, T_hdr_conf_msg_pad + 4 + 8, 8 + msg_len + 1, 
+        edata); /* skip T & hdr */ 
+            edata_len = 8 + msg_len + 1; // conf + msg_len + pad 
+         } 
+          
+    
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+9. Security Considerations 
+ 
+   Care must be taken in implementing this encryption type because it 
+   uses a stream cipher. If a different IV isn’t used in each direction 
+   when using a session key, the encryption is weak. By using the 
+   sequence number as an IV, this is avoided. 
+    
+10. Acknowledgements 
+    
+   We would like to thank Salil Dangi for the valuable input in 
+   refining the descriptions of the functions and review input. 
+     
+11. References 
+ 
+   1  Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
+      9, RFC 2026, October 1996. 
+    
+   2  Bradner, S., "Key words for use in RFCs to Indicate Requirement 
+      Levels", BCP 14, RFC 2119, March 1997 
+    
+   3  Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for 
+      Message Authentication", RFC 2104, February 1997 
+    
+   4  Kohl, J., Neuman, C., "The Kerberos Network Authentication 
+      Service (V5)", RFC 1510, September 1993 
+ 
+ 
+  
+Swift                  Category - Informational                      8 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+ 
+   5  Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, 
+      June 1996 
+ 
+   6  R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April 
+      1992 
+ 
+   7  R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April 
+      1992 
+ 
+   8  Thayer, R. and K. Kaukonen, "A Stream Cipher Encryption             
+      Algorithm", Work in Progress. 
+ 
+   9  RC4 is a proprietary encryption algorithm available under license 
+      from RSA Data Security Inc.  For licensing information, contact: 
+       
+         RSA Data Security, Inc. 
+         100 Marine Parkway 
+         Redwood City, CA 94065-1031 
+ 
+   10 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network 
+      Authentication Service (V5)", draft-ietf-cat-kerberos-revisions-
+      04.txt, June 25, 1999 
+ 
+    
+12. Author's Addresses 
+    
+   Mike Swift 
+   Dept. of Computer Science 
+   Sieg Hall 
+   University of Washington 
+   Seattle, WA 98105 
+   Email: mikesw@cs.washington.edu  
+    
+   John Brezak 
+   Microsoft 
+   One Microsoft Way 
+   Redmond, Washington 
+   Email: jbrezak@microsoft.com 
+    
+    
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                      9 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+    
+13. Full Copyright Statement 
+ 
+   "Copyright (C) The Internet Society (2000). All Rights Reserved. 
+    
+   This document and translations of it may be copied and          
+   furnished to others, and derivative works that comment on or          
+   otherwise explain it or assist in its implementation may be          
+   prepared, copied, published and distributed, in whole or in          
+   part, without restriction of any kind, provided that the above          
+   copyright notice and this paragraph are included on all such          
+   copies and derivative works.  However, this document itself may          
+   not be modified in any way, such as by removing the copyright          
+   notice or references to the Internet Society or other Internet          
+   organizations, except as needed for the purpose of developing          
+   Internet standards in which case the procedures for copyrights          
+   defined in the Internet Standards process must be followed, or          
+   as required to translate it into languages other than English. 
+    
+   The limited permissions granted above are perpetual and will          
+   not be revoked by the Internet Society or its successors or          
+   assigns. 
+    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                     10 
+
diff --git a/crypto/heimdal/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt b/crypto/heimdal/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt
new file mode 100644
index 0000000..89e6452
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt
@@ -0,0 +1,1594 @@
+
+DHC Working Group                                          Ken Hornstein
+INTERNET-DRAFT                                                       NRL
+Category: Standards Track                                      Ted Lemon
+<draft-hornstein-dhc-kerbauth-02.txt>             Internet Engines, Inc.
+20 February 2000                                           Bernard Aboba
+Expires: September 1, 2000                                     Microsoft
+                                                        Jonathan Trostle
+                                                           Cisco Systems
+
+                   DHCP Authentication Via Kerberos V
+
+This document is an Internet-Draft and is in full conformance with all
+provisions of Section 10 of RFC2026.
+
+Internet-Drafts are working documents of the Internet Engineering Task
+Force (IETF), its areas, and its working groups.  Note that other groups
+may also distribute working documents as Internet- Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months
+and may be updated, replaced, or obsoleted by other documents at any
+time.  It is inappropriate to use Internet-Drafts as reference material
+or to cite them other than as "work in progress."
+
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt
+
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html.
+
+The distribution of this memo is unlimited.
+
+1.  Copyright Notice
+
+Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+2.  Abstract
+
+The Dynamic Host Configuration Protocol (DHCP) provides a mechanism for
+host configuration. In some circumstances, it is useful for the DHCP
+client and server to be able to mutually authenticate as well as to
+guarantee the integrity of DHCP packets in transit.  This document
+describes how Kerberos V may be used in order to allow a DHCP client and
+server to mutually authenticate as well as to protect the integrity of
+the DHCP exchange. The protocol described in this document is capable of
+handling both intra-realm and inter-realm authentication.
+
+
+
+
+
+
+Hornstein, et al.            Standards Track                    [Page 1]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+3.  Introduction
+
+The Dynamic Host Configuration Protocol (DHCP) provides a mechanism for
+host configuration. In some circumstances, it is useful for the DHCP
+client and server to be able to mutually authenticate as well as to
+guarantee the integrity of DHCP packets in transit.  This document
+describes how Kerberos V may be used in order to allow a DHCP client and
+server to mutually authenticate as well as to protect the integrity of
+the DHCP exchange.  The protocol described in this document is capable
+of handling both intra-realm and inter-realm authentication.
+
+3.1.  Terminology
+
+This document uses the following terms:
+
+DHCP client
+          A DHCP client or "client" is an Internet host using DHCP to
+          obtain configuration parameters such as a network address.
+
+DHCP server
+          A DHCP server or "server" is an Internet host that returns
+          configuration parameters to DHCP clients.
+
+Home KDC  The KDC corresponding to the DHCP client's realm.
+
+Local KDC The KDC corresponding to the DHCP server's realm.
+
+3.2.  Requirements language
+
+In this document, the key words "MAY", "MUST,  "MUST  NOT",  "optional",
+"recommended",  "SHOULD",  and  "SHOULD  NOT",  are to be interpreted as
+described in [1].
+
+4.  Protocol overview
+
+In DHCP authentication via Kerberos V, DHCP clients and servers utilize
+a Kerberos session key in order to compute a message integrity check
+value included within the DHCP authentication option. The message
+integrity check serves to authenticate as well as integrity protect the
+messages, while remaining compatible with the operation of a DHCP relay.
+Replay protection is also provided by a replay counter within the
+authentication option, as described in [3].
+
+Each server maintains a list of session keys and identifiers for
+clients, so that the server can retrieve the session key and identifier
+used by a client to which the server has provided previous configuration
+information.  Each server MUST save the replay counter from the previous
+authenticated message. To avoid replay attacks, the server MUST discard
+
+
+
+Hornstein, et al.            Standards Track                    [Page 2]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+any incoming message whose replay counter is not strictly greater than
+the replay counter from the previous message.
+
+DHCP authentication, described in [3], must work within the existing
+DHCP state machine described in [4].  For a client in INIT state, this
+means that the client must obtain a valid TGT, as well as a session key,
+within the two round-trips provided by the
+DHCPDISCOVER/OFFER/REQUEST/ACK sequence.
+
+In INIT state, the DHCP client submits an incomplete AS_REQ to the DHCP
+server within the DHCPDISCOVER message.  The DHCP server then completes
+the AS_REQ using the IP address to be assigned to the client, and
+submits this to the client's home KDC in order to obtain a TGT on the
+client's behalf. Once the home KDC responds with an AS_REP, the DHCP
+server extracts the client TGT and submits this along with its own TGT
+to the home KDC, in order to obtain a user-to-user ticket to the DHCP
+client. The AS_REP as well as the AP_REQ are included by the DHCP server
+in the DHCPOFFER. The DHCP client can then decrypt the AS_REP to obtain
+a home realm TGT and TGT session key, using the latter to decrypt the
+user-to-user ticket to obtain the user-to-user session key. It is the
+user-to-user session key that is used to authenticate and integrity
+protect the client's DHCPREQUEST, and DHCPDECLINE messages. Similarly,
+this same session key is used to compute the integrity attribute in the
+server's DHCPOFFER, DHCPACK and DHCPNAK messages, as described in [3].
+
+In the INIT-REBOOT, REBINDING, or RENEWING states, the server can submit
+the home realm TGT in the DHCPREQUEST, along with authenticating and
+integrity protecting the message using an integrity attribute within the
+authentication option. The integrity attribute is computed using the
+existing session key.  The DHCP server can then return a renewed user-
+to-user ticket within the DHCPACK message. The authenticated DHCPREQUEST
+message from a client in INIT-REBOOT state can only be validated by
+servers that used the same session key to compute the integrity
+attribute in their DHCPOFFER messages.
+
+Other servers will discard the DHCPREQUEST messages. Thus, only servers
+that used the user-to-user session key selected by the client will be
+able to determine that their offered configuration information was not
+selected, returning the offered network address to the server's pool of
+available addresses.  The servers that cannot validate the DHCPREQUEST
+message will eventually return their offered network addresses to their
+pool of available addresses as described in section 3.1 of the DHCP
+specification [4].
+
+When sending a DHCPINFORM, there are two possible procedures.  If the
+client knows the DHCP server it will be interacting with, then it can
+obtain a ticket to the DHCP server from the local realm KDC. This will
+require obtaining a TGT to its home realm, as well as possibly a cross-
+
+
+
+Hornstein, et al.            Standards Track                    [Page 3]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+realm TGT to the local realm if the local and home realms differ. Once
+the DHCP client has a local realm TGT, it can then request a DHCP server
+ticket in a TGS_REQ. The DHCP client can then include AP_REQ and
+integrity attributes within the DHCPINFORM. The integrity attribute is
+computed as described in [3], using the session key obtained from the
+TGS_REP. The DHCP server replies with a DHCPACK/DHCPNAK, authenticated
+using the same session key.
+
+If the DHCP client does not know the DHCP server it is interacting with
+then it will not be able to obtain a ticket to it and a different
+procedure is needed.  In this case, the client will include in the
+DHCPINFORM an authentication option with a ticket attribute containing
+its home realm TGT. The DHCP server will then use this TGT in order to
+request a user-to-user ticket from the home KDC in a TGS_REQ.  The DHCP
+server will return the user-to-user ticket and will authenticate and
+integrity protect the DHCPACK/DHCPNAK message. This is accomplished by
+including AP_REQ and integrity attributes within the authentication
+option included with the DHCPACK/DHCPNAK messages.
+
+In order to support the DHCP client's ability to authenticate the DHCP
+server in the case where the server name is unknown, the Kerberos
+principal name for the DHCP server must be of type KRB_NT_SRV_HST with
+the service name component equal to 'dhcp'. For example, the DHCP server
+principal name for the host srv.foo.org would be of the form
+dhcp/srv.foo.org.  The client MUST validate that the DHCP server
+principal name has the above format. This convention requires that the
+administrator ensure that non-DHCP server principals do not have names
+that match the above format.
+
+4.1.  Authentication Option Format
+
+A summary of the authentication option  format for DHCP authentication
+via Kerberos V is shown below.  The fields are transmitted from left to
+right.
+
+0                   1                   2                   3
+0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|     Code      |     Length    |   Protocol    | Algorithm     |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|                      Global Replay Counter                    |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|                      Global Replay Counter                    |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|                           Attributes...
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Code
+
+
+
+Hornstein, et al.            Standards Track                    [Page 4]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+   TBD - DHCP Authentication
+
+Length
+
+   The length field is a single octet and indicates the length of the
+   Protocol, Algorith, and Authentication Information fields.  Octets
+   outside the range of the length field should be ignored on reception.
+
+Protocol
+
+   TBD - DHCP Kerberos V authentication
+
+Algorithm
+
+   The algorithm field is a single octet and defines the specific
+   algorithm to be used for computation of the authentication option.
+   Values for the field are as follows:
+
+   0 - reserved
+   1 - HMAC-MD5
+   2 - HMAC-SHA
+   3 - 255 reserved
+
+Global Replay Counter
+
+   As described in [3], the global replay counter field is 8 octets in
+   length. It MUST be set to the value of a monotonically increasing
+   counter. Using a counter value such as the current time of day (e.g.,
+   an NTP-format timestamp [10]) can reduce the danger of replay
+   attacks.
+
+Attributes
+
+   The attributes field consists of type-length-value attributes of the
+   following format:
+
+   0                   1                   2                   3
+   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |     Type      |  Reserved     |       Payload Length          |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |                           Attribute value...
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Type
+   The type field is a single octet and is defined as follows:
+
+   0  - Integrity check
+
+
+
+Hornstein, et al.            Standards Track                    [Page 5]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+   1  - TICKET
+   2  - Authenticator
+   3  - EncTicketPart
+   10 - AS_REQ
+   11 - AS_REP
+   12 - TGS_REQ
+   13 - TGS_REP
+   14 - AP_REQ
+   15 - AP_REP
+   20 - KRB_SAFE
+   21 - KRB_PRIV
+   22 - KRB_CRED
+   25 - EncASRepPart
+   26 - EncTGSRepPart
+   27 - EncAPRepPart
+   28 - EncKrbPrvPart
+   29 - EncKrbCredPart
+   30 - KRB_ERROR
+
+   Note that the values of the Type field are the same as in the
+   Kerberos MSG-TYPE field. As a result, no new number spaces are
+   created for IANA administration.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornstein, et al.            Standards Track                    [Page 6]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+   The following attribute types are allowed within the following
+   messages:
+
+   DISCOVER  OFFER  REQUEST  DECLINE   #    Attribute
+   --------------------------------------------------------
+      0        1       1        1      0    Integrity check
+      0        0      0-1       0      1    Ticket
+      1        0       0        0     10    AS_REQ
+      0        1       0        0     11    AS_REP
+      0        1       0        0     14    AP_REQ
+      0       0-1      0        0     30    KRB_ERROR
+
+   RELEASE   ACK   NAK    INFORM   INFORM      #    Attribute
+                          w/known  w/unknown
+                          server   server
+   ---------------------------------------------------------------
+      1       1     1        1        0        0    Integrity check
+      0       0     0        0        1        1    Ticket
+      0       0     0        0        0       10    AS_REQ
+      0       0     0        0        0       11    AS_REP
+      0      0-1    0        1        0       14    AP_REQ
+      0       0    0-1       0        0       30    KRB_ERROR
+
+4.2.  Client behavior
+
+The following section, which incorporates material from [3], describes
+client behavior in detail.
+
+4.2.1.  INIT state
+
+When in INIT state, the client behaves as follows:
+
+
+[1]  As described in [3], the client MUST include the authentication
+     request option in its DHCPDISCOVER message along with option 61
+     [11] to identify itself uniquely to the server. An AS_REQ attribute
+     MUST be included within the authentication request option. This
+     (incomplete) AS_REQ will set the FORWARDABLE and RENEWABLE flags
+     and MAY include pre-authentication data (PADATA) if the client
+     knows what PADATA its home KDC will require. The ADDRESSES field in
+     the AS_REQ will be ommitted since the client does not yet know its
+     IP address. The ETYPE field will be set to an encryption type that
+     the client can accept.
+
+[2]  The client MUST validate DHCPOFFER messages that include an
+     authentication option. Messages including an authentication option
+     with a KRB_ERROR attribute and no integrity attribute are treated
+     as though they are unauthenticated. More typically, authentication
+
+
+
+Hornstein, et al.            Standards Track                    [Page 7]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+     options within the DHCPOFFER message will include AS_REP, AP_REQ,
+     and integrity attributes. To validate the authentication option,
+     the client decrypts the enc-part of the AS_REP in order to obtain
+     the TGT session key. This is used to decrypt the enc-part of the
+     AP_REQ in order to obtain the user-to-user session key. The user-
+     to-user session key is then used to compute the message integrity
+     check as described in [3], and the computed value is compared to
+     the value within the integrity attribute. The client MUST discard
+     any messages which fail to pass validation and MAY log the
+     validation failure.
+
+     As described in [3], the client selects one DHCPOFFER message as
+     its selected configuration. If none of the DHCPOFFER messages
+     received by the client include an authentication option, the client
+     MAY choose an unauthenticated message as its selected
+     configuration.  DHCPOFFER messages including an authentication
+     option with a KRB_ERROR attribute and no integrity attribute are
+     treated as though they are unauthenticated.  The client SHOULD be
+     configurable to accept or reject unauthenticated DHCPOFFER
+     messages.
+
+[3]  The client replies with a DHCPREQUEST message that MUST include an
+     authentication option. The authentication option MUST include an
+     integrity attribute, computed as described in [3], using the user
+     to user session key recovered in step 2.
+
+[4]  As noted in [3], the client MUST validate a DHCPACK message from
+     the server that includes an authentication option. DHCPACK or
+     DHCPNAK messages including an authentication option with a
+     KRB_ERROR attribute and no integrity attribute are treated as
+     though they are unauthenticated. The client MUST silently discard
+     the DHCPACK if the message fails to pass validation and MAY log the
+     validation failure. If the DHCPACK fails to pass validation, the
+     client MUST revert to the INIT state and return to step 1. The
+     client MAY choose to remember which server replied with an invalid
+     DHCPACK message and discard subsequent messages from that server.
+
+4.2.2.  INIT-REBOOT state
+
+When in INIT-REBOOT state, if the user-to-user ticket is still valid,
+the client MUST re-use the session key from the DHCP server user-to-user
+ticket in its DHCPREQUEST message. This is used to generate the
+integrity attribute contained within the authentication option, as
+described in [3]. In the DHCPREQUEST, the DHCP client also includes its
+home realm TGT in a ticket attribute in the authentication option in
+order to assist the DHCP server in renewing the user-to-user ticket.  To
+ensure that the user-to-user ticket remains valid throughout the DHCP
+lease period so that the renewal process can proceed, the Kerberos
+
+
+
+Hornstein, et al.            Standards Track                    [Page 8]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+ticket lifetime SHOULD be set to exceed the DHCP lease time.  If the
+user-to-user ticket is expired, then the client MUST return to the INIT
+state.
+
+The client MAY choose to accept unauthenticated DHCPACK/DHCPNAK messages
+if no authenticated messages were received. DHCPACK/DHCPNAK messages
+with an authentication option containing a KRB_ERROR attribute and no
+integrity attribute are treated as though they are unauthenticated. The
+client MUST treat the receipt (or lack thereof) of any DHCPACK/DHCPNAK
+messages as specified in section 3.2 of the DHCP specification [4].
+
+4.2.3.  RENEWING state
+
+When in RENEWING state, the DHCP client can be assumed to have a valid
+IP address, as well as a TGT to the home realm, a user-to-user ticket
+provided by the DHCP server, and a session key with the DHCP server, all
+obtained during the original DHCP conversation.  If the user-to-user
+ticket is still valid, the client MUST re-use the session key from the
+user-to-user ticket in its DHCPREQUEST message to generate the integrity
+attribute contained within the authentication option.
+
+Since the DHCP client can renew the TGT to the home realm, it is
+possible for it to continue to hold a valid home realm TGT.  However,
+since the DHCP client did not obtain the user-to-user ticket on its own,
+it will need to rely on the DHCP server to renew this ticket. In the
+DHCPREQUEST, the DHCP client includes its home realm TGT in a ticket
+attribute in the authentication option in order to assist the DHCP
+server in renewing the user-to-user ticket.
+
+If the DHCP server user-to-user ticket is expired, then the client MUST
+return to INIT state.  To ensure that the user-to-user ticket remains
+valid throughout the DHCP lease period so that the renewal process can
+proceed, the Kerberos ticket lifetime SHOULD be set to exceed the DHCP
+lease time.  If client receives no DHCPACK messages or none of the
+DHCPACK messages pass validation, the client behaves as if it had not
+received a DHCPACK message in section 4.4.5 of the DHCP specification
+[4].
+
+4.2.4.  REBINDING state
+
+When in REBINDING state, the DHCP client can be assumed to have a valid
+IP address, as well as a TGT to the home realm, a user-to-user ticket
+and a session key with the DHCP server, all obtained during the original
+DHCP conversation.  If the user-to-user ticket is still valid, the
+client MUST re-use the session key from the user-to-user ticket in its
+DHCPREQUEST message to generate the integrity attribute contained within
+the authentication option, as described in [3].
+
+
+
+
+Hornstein, et al.            Standards Track                    [Page 9]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+Since the DHCP client can renew the TGT to the home realm, it is
+possible for it to continue to hold a valid home realm TGT.  However,
+since the DHCP client did not obtain the user-to-user ticket on its own,
+it will need to rely on the DHCP server to renew this ticket. In the
+DHCPREQUEST, the DHCP client includes its home realm TGT in a ticket
+attribute in the authentication option in order to assist the DHCP
+server in renewing the user-to-user ticket.
+
+If the user-to-user ticket is expired, then the client MUST return to
+INIT state.  To ensure that the user-to-user ticket remains valid
+throughout the DHCP lease period so that the renewal process can
+proceed, the Kerberos ticket lifetime SHOULD be set to exceed the DHCP
+lease time.  If client receives no DHCPACK messages or none of the
+DHCPACK messages pass validation, the client behaves as if it had not
+received a DHCPACK message in section 4.4.5 of the DHCP specification
+[4].
+
+4.2.5.  DHCPRELEASE message
+
+Clients sending a DHCPRELEASE MUST include an authentication option. The
+authentication option MUST include an integrity attribute, computed as
+described in [3], using the user to user session key.
+
+4.2.6.  DHCPDECLINE message
+
+Clients sending a DHCPDECLINE MUST include an authentication option. The
+authentication option MUST include an integrity attribute, computed as
+described in [3], using the user to user session key.
+
+4.2.7.  DHCPINFORM message
+
+Since the client already has some configuration information, it can be
+assumed that it has the ability to obtain a home or local realm TGT
+prior to sending the DHCPINFORM.
+
+If the DHCP client knows which DHCP server it will be interacting with,
+then it SHOULD include an authentication option containing AP_REQ and
+integrity attributes within the DHCPINFORM.  The DHCP client first
+requests a TGT to the local realm via an AS_REQ and then using the TGT
+returned in the AS_REP to request a ticket to the DHCP server from the
+local KDC in a TGS_REQ. The session key obtained from the TGS_REP will
+be used to generate the integrity attribute as described in [3].
+
+If the DHCP client does not know what DHCP server it will be talking to,
+then it cannot obtain a ticket to the DHCP server. In this case, the
+DHCP client MAY send an unauthenticated DHCPINFORM or it MAY include an
+authentication option including a ticket attribute only.  The ticket
+attribute includes a TGT for the home realm. The client MUST validate
+
+
+
+Hornstein, et al.            Standards Track                   [Page 10]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+that the DHCP server name in the received Kerberos AP_REQ message is of
+the form dhcp/.... as described in section 4.
+
+The client MAY choose to accept unauthenticated DHCPACK/DHCPNAK messages
+if no authenticated messages were received. DHCPACK/DHCPNAK messages
+with an authentication option containing a KRB_ERROR attribute and no
+integrity attribute are treated as though they are unauthenticated. The
+client MUST treat the receipt (or lack thereof) of any DHCPACK/DHCPNAK
+messages as specified in section 3.2 of the DHCP specification [4].
+
+4.3.  Server behavior
+
+This section, which relies on material from [3], describes the behavior
+of a server in response to client messages.
+
+4.3.1.  After receiving a DHCPDISCOVER message
+
+For installations where IP addresses are required within tickets, the
+DHCP server MAY complete the AS_REQ by filling in the ADDRESSES field
+based on the IP address that it will include in the DHCPOFFER.  The DHCP
+server sends the AS_REQ to the home KDC with the FORWARDABLE flag set.
+The home KDC then replies to the DHCP server with an AS_REP.  The DHCP
+server extracts the client TGT from the AS_REP and forms a TGS_REQ,
+which it sends to  the home KDC.
+
+If the DHCP server and client are in different realms, then the DHCP
+server will need to obtain a TGT to the home realm from the KDC of its
+own (local) realm prior to sending the TGS_REQ. The TGS_REQ includes the
+DHCP server's TGT within the home realm, has the ENC-TKT-IN-SKEY flag
+set and includes the client home realm TGT in the ADDITIONAL-TICKETS
+field, thus requesting a user-to ticket to the DHCP client.  The home
+KDC then returns a user-to-user ticket in a TGS_REP. The user-to-user
+ticket is encrypted in the client's home realm TGT session key.
+
+In order to recover the user-to-user session key, the DHCP server
+decrypts the enc-part of the TGS_REP. To accomplish this, the DHCP
+server uses the session key that it shares with the home realm, obtained
+in the AS_REQ/AS_REP conversation that it used to obtain its own TGT to
+the home realm.
+
+The DHCP server then sends a DHCPOFFER to the client, including AS_REP,
+AP_REQ and integrity attributes within the authentication option.  The
+AS_REP attribute encapsulates the AS_REP sent to the DHCP server by the
+home KDC. The AP_REQ attribute includes an AP_REQ constructed by the
+DHCP server based on the TGS_REP sent to it by the home KDC. The server
+also includes an integrity attribute generated as specified in [3] from
+the user-to-user session key.  The server MUST record the user-to-user
+session key selected for the client and use that session key for
+
+
+
+Hornstein, et al.            Standards Track                   [Page 11]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+validating subsequent messages with the client.
+
+4.3.2.  After receiving a DHCPREQUEST message
+
+The DHCP server uses the user-to-user session key in order to validate
+the integrity attribute contained within the authentication option,
+using the method specified in [3]. If the message fails to pass
+validation, it MUST discard the message and MAY choose to log the
+validation failure.
+
+If the message passes the validation procedure, the server responds as
+described in [4], including an integrity attribute computed as specified
+in [3] within the DHCPACK or DHCPNAK message.
+
+If the authentication option included within the DHCPREQUEST message
+contains a ticket attribute then the DHCP server will use the home realm
+TGT included in the ticket attribute in order to renew the user-to-user
+ticket, which it returns in an AP_REQ attribute within the DHCPACK.
+DHCPACK or DHCPNAK messages then include an integrity attribute
+generated as specified in [3], using the new user-to-user session key
+included within the AP_REQ.
+
+4.3.3.  After receiving a DHCPINFORM message
+
+The server MAY choose to accept unauthenticated DHCPINFORM messages, or
+only accept authenticated DHCPINFORM messages based on a site policy.
+
+When a client includes an authentication option in a DHCPINFORM message,
+the server MUST respond with an authenticated DHCPACK or DHCPNAK
+message. If the DHCPINFORM message includes an authentication option
+including AP_REQ and integrity attributes, the DHCP server decrypts the
+AP_REQ attribute and then recovers the session key. The DHCP server than
+validates the integrity attribute included in the authentication option
+using the session key. If the integrity attribute is invalid then the
+DHCP server MUST silently discard the DHCPINFORM message.
+
+If the authentication option only includes a ticket attribute and no
+integrity or AP_REQ attributes, then the DHCP server should assume that
+the client needs the server to obtain a user-to-user ticket from the
+home realm KDC.  In this case, the DHCP server includes the client home
+realm TGT and its own home realm TGT in a TGS_REQ to the home realm KDC.
+It then receives a user-to-user ticket from the home realm KDC in a
+TGS_REP. The DHCP server will then include AP_REQ and integrity
+attributes within the DHCPACK/DHCPNAK.
+
+If the client does not include an authentication option in the
+DHCPINFORM, the server can either respond with an unauthenticated
+DHCPACK message, or a DHCPNAK if the server does not accept
+
+
+
+Hornstein, et al.            Standards Track                   [Page 12]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+unauthenticated clients.
+
+4.3.4.  After receiving a DHCPRELEASE message
+
+The DHCP server uses the session key in order to validate the integrity
+attribute contained within the authentication option, using the method
+specified in [3]. If the message fails to pass validation, it MUST
+discard the message and MAY choose to log the validation failure.
+
+If the message passes the validation procedure, the server responds as
+described in [4], marking the client's network address as not allocated.
+
+4.3.5.  After receiving a DHCPDECLINE message
+
+The DHCP server uses the session key in order to validate the integrity
+attribute contained within the authentication option, using the method
+specified in [3]. If the message fails to pass validation, it MUST
+discard the message and MAY choose to log the validation failure.
+
+If the message passes the validation procedure, the server proceeds as
+described in [4].
+
+4.4.  Error handling
+
+When an error condition occurs during a Kerberos exchange, Kerberos
+error messages can be returned by either side.  These Kerberos error
+messages MAY be logged by the receiving and sending parties.
+
+In some cases, it may be possible for these error messages to be
+included within the authentication option via the KRB_ERROR attribute.
+However, in most cases, errors will result in messages being silently
+discarded and so no response will be returned.
+
+For example, if the home KDC returns a KRB_ERROR in response to the
+AS_REQ submitted by the DHCP server on the client's behalf, then the
+DHCP server will conclude that the DHCPDISCOVER was not authentic, and
+will silently discard it.
+
+However, if the AS_REQ included PADATA and the home KDC responds with an
+AS_REP, then the DHCP server can conclude that the client is authentic.
+If the subsequent TGS_REQ is unsuccessful, with a KRB_ERROR returned by
+the home KDC in the TGS_REP, then the fault may lie with the DHCP server
+rather than with the client. In this case, the DHCP server MAY choose to
+return a KRB_ERROR within the authentication option included in the
+DHCPOFFER. The client will then treat this as an unauthenticated
+DHCPOFFER.
+
+
+
+
+
+Hornstein, et al.            Standards Track                   [Page 13]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+Similarly, if the integrity attribute contained in the DHCPOFFER proves
+invalid, the client will silently discard the DHCPOFFER and instead
+accept an offer from another server if one is available. If the
+integrity attribute included in the DHCPACK/DHCPNAK proves invalid, then
+the client behaves as if it did not receive a DHCPACK/DHCPNAK.
+
+When in INIT-REBOOT, REBINDING or RENEWING state, the client will
+include a ticket attribute and integrity attribute within the
+authentication option of the DHCPREQUEST, in order to assist the DHCP
+server in renewing the user-to-user ticket.  If the integrity attribute
+is invalid, then the DHCP server MUST silently discard the DHCPREQUEST.
+
+However, if the integrity attribute is successfully validated by the
+DHCP server, but the home realm TGT included in the ticket attribute is
+invalid (e.g. expired), then the DHCP server will receive a KRB_ERROR in
+response to its TGS_REQ to the home KDC.  In this case, the DHCP server
+MAY respond with a DHCPNAK including a KRB_ERROR attribute and no
+integrity attribute within the authentication option. This will force
+the client back to the INIT state, where it can receive a valid home
+realm TGT.
+
+Where the client included PADATA in the AS_REQ attribute of the
+authentication option within the DHCPDISCOVER and the AS_REQ was
+successfully validated by the KDC, the DHCP server will conclude that
+the DHCP client is authentic. In this case if the client successfully
+validates the integrity attribute in the DHCPOFFER, but the server does
+not validate the integrity attribute in the client's DHCPREQUEST, the
+server MAY choose to respond with an authenticated DHCPNAK containing a
+KRB_ERROR attribute.
+
+4.5.  PKINIT issues
+
+When public key authentication is supported with Kerberos as described
+in [8], the client certificate and a signature accompany the initial
+request in the preauthentication fields.  As a result, it is conceivable
+that the incomplete AS_REQ included in the DHCPDISCOVER packet may
+exceed the size of a single DHCP option, or even the MTU size.  As noted
+in [4], a single option may be as large as 255 octets. If the value to
+be passed is larger than this the client concatenates together the
+values of multiple instances of the same option.
+
+4.6.  Examples
+
+4.6.1.  INIT state
+
+In the intra-realm case where the DHCP Kerberos mutual authentication is
+successful, the conversation will appear as follows:
+
+
+
+
+Hornstein, et al.            Standards Track                   [Page 14]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+                   AS_REQ ->
+                                      <- AS_REP
+                   TGS_REQ
+                    U-2-U ->
+                                      <- TGS_REP
+                <- DHCPOFFER,
+                    (AS_REP,
+                    AP_REQ,
+                    Integrity)
+DHCPREQUEST
+ (Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+
+In the case where the KDC returns a KRB_ERROR in response to the AS_REQ,
+the server will silently discard the DHCPDISCOVER and the conversation
+will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+                   AS_REQ ->
+                                     <- KRB_ERROR
+
+In the inter-realm case where the DHCP Kerberos mutual authentication is
+successful, the conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+DHCPDISCOVER
+(Incomplete
+ AS_REQ)  ->
+                   AS_REQ ->
+                                <- AS_REP
+                   TGS_REQ ->
+                   (cross realm,
+                   for home
+                   KDC)
+
+
+
+Hornstein, et al.            Standards Track                   [Page 15]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+                                           <- TGS_REP
+
+                   TGS_REQ
+                    U-2-U ->
+                                <- TGS_REP
+                <- DHCPOFFER,
+                    (AS_REP,
+                    AP_REQ,
+                    Integrity)
+DHCPREQUEST
+ (Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+
+In the case where the client includes PADATA in the AS_REQ attribute
+within the authentication option of the DHCPDISCOVER and the KDC returns
+an error-free AS_REP indicating successful validation of the PADATA, the
+DHCP server will conclude that the DHCP client is authentic.  If the KDC
+then returns a KRB_ERROR in response to the TGS_REQ, indicating a fault
+that lies with the DHCP server, the server MAY choose not to silently
+discard the DHCPDISCOVER.  Instead it MAY respond with a DHCPOFFER
+including a KRB_ERROR attribute within the authentication option. The
+client will then treat this as an unauthenticated DHCPOFFER.  The
+conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ
+ w/PADATA)  ->
+                   AS_REQ ->
+                                     <- AS_REP
+                   TGS_REQ
+                    U-2-U ->
+                                     <- KRB_ERROR
+                <- DHCPOFFER,
+                    (KRB_ERROR)
+DHCPREQUEST ->
+                <- DHCPACK
+
+In the intra-realm case where the client included PADATA in the AS_REQ
+attribute of the authentication option and the AS_REQ was successfully
+validated by the KDC, the DHCP server will conclude that the DHCP client
+is authentic. In this case if the client successfully validates the
+integrity attribute in the DHCPOFFER, but the server does not validate
+the integrity attribute in the client's DHCPREQUEST, the server MAY
+
+
+
+Hornstein, et al.            Standards Track                   [Page 16]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+choose to respond with an authenticated DHCPNAK containing a KRB_ERROR
+attribute.  The conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ
+ w/PADATA)  ->
+                   AS_REQ ->
+                                     <- AS_REP
+                   TGS_REQ
+                    U-2-U ->
+                                     <- TGS_REP
+                <- DHCPOFFER,
+                    (AS_REP,
+                    AP_REQ,
+                    Integrity)
+DHCPREQUEST
+ (Integrity) ->
+                <- DHCNAK
+                    (KRB_ERROR,
+                     Integrity)
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+
+In the intra-realm case where the DHCP client cannot validate the
+integrity attribute in the DHCPOFFER, the client silently discards the
+DHCPOFFER. The conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+                   AS_REQ ->
+                                     <- AS_REP
+                   TGS_REQ
+                    U-2-U ->
+                                     <- TGS_REP
+                <- DHCPOFFER,
+                   (AS_REP,
+                   AP_REQ,
+                   Integrity)
+DHCPREQUEST
+
+
+
+Hornstein, et al.            Standards Track                   [Page 17]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+ [To another server]
+ (Integrity) ->
+
+In the intra-realm case where the DHCP client cannot validate the
+integrity attribute in the DHCPACK, the client reverts to INIT state.
+The conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+(Incomplete
+ AS_REQ)  ->
+                   AS_REQ ->
+                                     <- AS_REP
+                   TGS_REQ
+                    U-2-U ->
+                                     <- TGS_REP
+                <- DHCPOFFER,
+                    (AS_REP,
+                    AP_REQ,
+                    Integrity)
+DHCPREQUEST
+ (Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+
+4.6.2.  INIT-REBOOT, RENEWING or REBINDING
+
+In the intra-realm or inter-realm case where the original user-to-user
+ticket is still valid, and the DHCP server still has a valid TGT to the
+home realm, the conversation will appear as follows:
+
+   DHCP               DHCP             Home
+   Client             Server            KDC
+--------------     -------------     ---------
+
+DHCPREQUEST
+ (TGT,
+ Integrity)  ->
+                   TGS_REQ
+                    U-2-U ->
+                                     <- TGS_REP
+                <- DHCPACK
+                    (AP_REQ,
+
+
+
+Hornstein, et al.            Standards Track                   [Page 18]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+                    Integrity)
+
+In the intra-realm or inter-realm case where the DHCP server validates
+the integrity attribute in the DHCPREQUEST, but receives a KRB_ERROR in
+response to the TGS_REQ to the KDC, the DHCP sever MAY choose not to
+silently discard the DHCPREQUEST and MAY return an authenticated DHCPNAK
+to the client instead, using the user-to-user session key previously
+established with the client. The conversation appears as follows:
+
+   DHCP               DHCP             Home
+   Client             Server            KDC
+--------------     -------------     ---------
+
+DHCPREQUEST
+ (TGT,
+ Integrity)  ->
+                   TGS_REQ
+                    U-2-U ->
+                                     <- KRB_ERROR
+                <- DHCPNAK
+                    (KRB_ERROR,
+                    Integrity)
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+
+In the intra-realm or inter-realm case where the DHCP server cannot
+validate the integrity attribute in the DHCPREQUEST, the DHCP server
+MUST silently discard the DHCPREQUEST and the conversation will appear
+as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+
+DHCPREQUEST
+ (TGT,
+ Integrity)  ->
+                   Silent discard
+[Sequence repeats
+ until timeout]
+
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+
+In the intra-realm or inter-realm case where the original user-to-user
+ticket is still valid, the server validates the integrity attribute in
+
+
+
+Hornstein, et al.            Standards Track                   [Page 19]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+the DHCPREQUEST, but the client fails to validate the integrity
+attribute in the DHCPACK, the client will silently discard the DHCPACK.
+The conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+
+DHCPREQUEST
+ (TGT,
+ Integrity)  ->
+
+                <- DHCPACK
+                    (AP_REQ,
+                    Integrity)
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+
+4.6.3.  DHCPINFORM (with known DHCP server)
+
+In the case where the DHCP client knows the DHCP server it will be
+interacting with, the DHCP client will obtain a ticket to the DHCP
+server and will include AP_REQ and integrity attributes within the
+DHCPINFORM.
+
+Where the DHCP Kerberos mutual authentication is successful, the
+conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+AS_REQ ->
+                                     <- AS_REP
+TGS_REQ ->
+                                     <- TGS_REP
+DHCPINFORM
+ (AP_REQ,
+ Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+
+In the inter-realm case where the DHCP Kerberos mutual authentication is
+successful, the conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+
+
+
+Hornstein, et al.            Standards Track                   [Page 20]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+AS_REQ ->
+                                          <- AS_REP
+TGS_REQ ->
+                                          <- TGS_REP
+TGS_REQ ->
+                               <- TGS_REP
+DHCPINFORM
+ (AP_REQ,
+ Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+
+In the inter-realm case where the DHCP server fails to validate the
+integrity attribute in the DHCPINFORM, the server MUST silently discard
+the DHCPINFORM. The conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+AS_REQ ->
+                                          <- AS_REP
+TGS_REQ ->
+                                          <- TGS_REP
+TGS_REQ ->
+                               <- TGS_REP
+DHCPINFORM
+ (AP_REQ,
+ Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+DHCPINFORM
+ (AP_REQ,
+ Integrity) ->
+
+In the inter-realm case where the DHCP client fails to validate the
+integrity attribute in the DHCPACK, the client MUST silently discard the
+DHCPACK.  The conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+AS_REQ ->
+                                          <- AS_REP
+TGS_REQ ->
+                                          <- TGS_REP
+TGS_REQ ->
+                               <- TGS_REP
+DHCPINFORM
+
+
+
+Hornstein, et al.            Standards Track                   [Page 21]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+ (AP_REQ,
+ Integrity) ->
+
+4.6.4.  DHCPINFORM (with unknown DHCP server)
+
+In the case where the DHCP client does not know the DHCP server it will
+be interacting with, the DHCP client will only include a ticket
+attribute within the DHCPINFORM.  Thus the DHCP server will not be able
+to validate the authentication option.
+
+Where the DHCP client is able to validate the DHCPACK and no error
+occur, the onversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+AS_REQ ->
+                                     <- AS_REP
+DHCPINFORM
+ (Ticket) ->
+                   TGS_REQ
+                    U-2-U ->
+                                     <- TGS_REP
+                <- DHCPACK
+                    (AP_REQ,
+                    Integrity)
+
+In the inter-realm case where the DHCP server needs to obtain a TGT to
+the home realm, and where the client successfully validates the DHCPACK,
+the conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+AS_REQ ->
+                                          <- AS_REP
+DHCPINFORM
+ (Ticket) ->
+                   AS_REQ ->
+                                <- AS_REP
+                   TGS_REQ ->
+                   (cross realm,
+                   for home
+                   KDC)
+                                           <- TGS_REP
+
+                   TGS_REQ
+                    U-2-U ->
+
+
+
+Hornstein, et al.            Standards Track                   [Page 22]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+                                <- TGS_REP
+                <- DHCPACK
+                    (AP_REQ,
+                    Integrity)
+
+In the inter-realm case where the local KDC returns a KRB_ERROR in
+response to the TGS_REQ from the DHCP server, the DHCP server MAY return
+a KRB_ERROR within the DHCP authentication option included in a DHCPNAK.
+The conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+AS_REQ ->
+                                          <- AS_REP
+DHCPINFORM
+ (Ticket) ->
+                   AS_REQ ->
+                                <- AS_REP
+                   TGS_REQ ->
+                   (cross realm,
+                   for home
+                   KDC)
+                                           <- KRB_ERROR
+                <- DHCPNAK
+                    (KRB_ERROR)
+
+
+In the inter-realm case where the DHCP client fails to validate the
+integrity attribute in the DHCPACK, the client MUST silently discard the
+DHCPACK.  The conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+AS_REQ ->
+                                          <- AS_REP
+DHCPINFORM
+ (Ticket) ->
+                   AS_REQ ->
+                                <- AS_REP
+                   TGS_REQ ->
+                   (cross realm,
+                   for home
+                   KDC)
+                                           <- TGS_REP
+
+                   TGS_REQ
+
+
+
+Hornstein, et al.            Standards Track                   [Page 23]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+                    U-2-U ->
+                                <- TGS_REP
+                <- DHCPACK
+                    (AP_REQ,
+                    Integrity)
+DHCPINFORM
+ (Ticket) ->
+
+5.  References
+
+
+[1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
+     Levels", BCP 14, RFC 2119, March 1997.
+
+[2]  Kohl, J., Neuman, C., "The Kerberos Network Authentication Service
+     (V5)", RFC 1510, September 1993.
+
+[3]  Droms, R., Arbaugh, W., "Authentication for DHCP Messages",
+     Internet draft (work in progress), draft-ietf-dhc-
+     authentication-11.txt, June 1999.
+
+[4]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March
+     1997.
+
+[5]  Alexander, S., Droms, R., "DHCP Options and BOOTP Vendor
+     Extensions", RFC 2132, March 1997.
+
+[6]  Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
+
+[7]  Jain, V., Congdon, P., Roese, J., "Network Port Authentication",
+     IEEE 802.1 PAR submission, June 1999.
+
+[8]  Tung, B., Neuman, C., Hur, M., Medvinsky, A., Medvinsky, S., Wray,
+     J., Trostle, J., "Public Key Cryptography for Initial
+     Authentication in Kerberos", Internet draft (work in progress),
+     draft-ietf-cat-kerberos-pk-init-09.txt, June 1999.
+
+[9]  Tung, B., Ryutov, T., Neuman, C., Tsudik, G., Sommerfeld, B.,
+     Medvinsky, A., Hur, M.,  "Public Key Cryptography for Cross-Realm
+     Authentication in Kerberos", Internet draft (work in progress),
+     draft-ietf-cat-kerberos-pk-cross-04.txt, June 1999.
+
+[10] Mills, D., "Network Time Protocol (Version 3)", RFC-1305, March
+     1992.
+
+[11] Henry, M., "DHCP Option 61 UUID Type Definition", Internet draft
+     (work in progress), draft-henry-DHCP-opt61-UUID-type-00.txt,
+     November 1998.
+
+
+
+Hornstein, et al.            Standards Track                   [Page 24]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+6.  Security Considerations
+
+DHCP authentication, described in [3], addresses the following threats:
+
+     Modification of messages
+     Rogue servers
+     Unauthorized clients
+
+This section describes how DHCP authentication via Kerberos V addresses
+each of these threats.
+
+6.1.  Client security
+
+As noted in [3], it may be desirable to ensure that IP addresses are
+only allocated to authorized clients. This can serve to protect against
+denial of service attacks. To address this issue it is necessary for
+DHCP client messages to be authenticated. In order to guard against
+message modification, it is also necessary for DHCP client messages to
+be integrity protected.
+
+Note that this protocol does not make use of KRB_SAFE, so as to allow
+modification of mutable fields by the DHCP relay. Replay protection is
+therefore provided within the DHCP authentication option itself.
+
+In DHCP authentication via Kerberos V the DHCP client will authenticate,
+integrity and replay-protect the DHCPREQUEST, DHCPDECLINE and
+DHCPRELEASE messages using a user-to-user session key obtained by the
+DHCP server from the home KDC. If the DHCP client knows the DHCP server
+it will be interacting with, then the DHCP client MAY also authenticate,
+integrity and replay-protect the DHCPINFORM message using a session key
+obtained from the local realm KDC for the DHCP server it expects to
+converse with.
+
+Since the client has not yet obtained a session key, DHCPDISCOVER
+packets cannot be authenticated using the session key. However, the
+client MAY include pre-authentication data in the PADATA field included
+in the DHCPDISCOVER packet. Since the PADATA will then be used by the
+DHCP server to request a ticket on the client's behalf, the DHCP server
+will learn from the AS_REP whether the PADATA was acceptable or not.
+Therefore in this case, the DHCPDISCOVER will be authenticated but not
+integrity protected.
+
+Where the DHCP client does not know the DHCP server it will be
+interacting with ahead of time, the DHCPINFORM message will not be
+authenticated, integrity or replay protected.
+
+Note that snooping of PADATA and TGTs on the wire may provide an
+attacker with a means of mounting a dictionary attack, since these items
+
+
+
+Hornstein, et al.            Standards Track                   [Page 25]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+are typically encrypted with a key derived from the user's password.
+Thus use of strong passwords and/or pre-authentication methods utilizing
+strong cryptography (see [8]) are recommended.
+
+6.2.  Network access control
+
+DHCP authentication has been proposed as a method of limiting access to
+network media that are not physically secured such as wireless LANs and
+ports in college residence halls.  However, it is not particularly well
+suited to this purpose since even if address allocation is denied an
+inauthentic client may use a statically assigned IP address instead, or
+may attempt to access the network using non-IP protocols.  As a result,
+other methods, described in [6]-[7], have been proposed for controlling
+access to wireless media and switched LANs.
+
+6.3.  Server security
+
+As noted in [3], it may be desirable to protect against rogue DHCP
+servers put on the network either intentionally or by accident.  To
+address this issue it is necessary for DHCP server messages to be
+authenticated. In order to guard against message modification, it is
+also necessary for DHCP server messages to be integrity protected.
+Replay protection is also provided within the DHCP authentication
+option.
+
+All messages sent by the DHCP server are authenticated and integrity and
+replaly protected using a session key.  This includes the DHCPOFFER,
+DHCPACK, and DHCPNAK messages.  The session key is used to compute the
+DHCP authentication option, which is verified by the client.
+
+In order to provide protection against rogue servers it is necessary to
+prevent rogue servers from obtaining the credentials necessary to act as
+a DHCP server. As noted in Section 4, the Kerberos principal name for
+the DHCP server  must be of type KRB_NT_SRV_HST with  the service name
+component equal to 'dhcp'. The client MUST validate that the DHCP server
+principal name has the above  format. This convention requires that the
+administrator ensure that non-DHCP  server principals do not have names
+that match the above format.
+
+7.  IANA Considerations
+
+This draft does not create any new number spaces for IANA
+administration.
+
+8.  Acknowledgements
+
+The authors would like to acknowledge Ralph Droms and William Arbaugh,
+authors of the DHCP authentication draft [3]. This draft incorporates
+
+
+
+Hornstein, et al.            Standards Track                   [Page 26]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+material from their work; however, any mistakes in this document are
+solely the responsibility of the authors.
+
+9.  Authors' Addresses
+
+Ken Hornstein
+US Naval Research Laboratory
+Bldg A-49, Room 2
+4555 Overlook Avenue
+Washington DC  20375 USA
+
+Phone: +1 (202) 404-4765
+EMail: kenh@cmf.nrl.navy.mil
+
+Ted Lemon
+Internet Engines, Inc.
+950 Charter Street
+Redwood City, CA 94063
+
+Phone: +1 (650) 779 6031
+Email: mellon@iengines.net
+
+Bernard Aboba
+Microsoft Corporation
+One Microsoft Way
+Redmond, WA 98052
+
+Phone: +1 (425) 936-6605
+EMail: bernarda@microsoft.com
+
+Jonathan Trostle
+170 W. Tasman Dr.
+San Jose, CA 95134, U.S.A.
+
+Email: jtrostle@cisco.com
+Phone: +1 (408) 527-6201
+
+
+10.  Intellectual Property Statement
+
+The IETF takes no position regarding the validity or scope of any
+intellectual property or other rights that might be claimed to  pertain
+to the implementation or use of the technology described in this
+document or the extent to which any license under such rights might or
+might not be available; neither does it represent that it has made any
+effort to identify any such rights.  Information on the IETF's
+procedures with respect to rights in standards-track and standards-
+related documentation can be found in BCP-11.  Copies of claims of
+
+
+
+Hornstein, et al.            Standards Track                   [Page 27]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+rights made available for publication and any assurances of licenses to
+be made available, or the result of an attempt made to obtain a general
+license or permission for the use of such proprietary rights by
+implementors or users of this specification can be obtained from the
+IETF Secretariat.
+
+The IETF invites any interested party to bring to its attention any
+copyrights, patents or patent applications, or other proprietary rights
+which may cover technology that may be required to practice this
+standard.  Please address the information to the IETF Executive
+Director.
+
+11.  Full Copyright Statement
+
+Copyright (C) The Internet Society (2000).  All Rights Reserved.
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it or
+assist in its implmentation may be prepared, copied, published and
+distributed, in whole or in part, without restriction of any kind,
+provided that the above copyright notice and this paragraph are included
+on all such copies and derivative works.  However, this document itself
+may not be modified in any way, such as by removing the copyright notice
+or references to the Internet Society or other Internet organizations,
+except as needed for the purpose of developing Internet standards in
+which case the procedures for copyrights defined in the Internet
+Standards process must be followed, or as required to translate it into
+languages other than English.  The limited permissions granted above are
+perpetual and will not be revoked by the Internet Society or its
+successors or assigns.  This document and the information contained
+herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
+INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
+
+12.  Expiration Date
+
+This memo is filed as <draft-hornstein-dhc-kerbauth-02.txt>,  and
+expires October 1, 2000.
+
+
+
+
+
+
+
+
+
+
+
+
+Hornstein, et al.            Standards Track                   [Page 28]
+
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-iakerb-04.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-iakerb-04.txt
new file mode 100644
index 0000000..208d057
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-iakerb-04.txt
@@ -0,0 +1,301 @@
+INTERNET-DRAFT                                        Mike Swift
+draft-ietf-cat-iakerb-04.txt                          Microsoft
+Updates: RFC 1510                                     Jonathan Trostle
+July 2000					      Cisco Systems
+                                  
+
+         Initial Authentication and Pass Through Authentication 
+                Using Kerberos V5 and the GSS-API (IAKERB)
+
+
+0. Status Of This Memo
+
+   This document is an Internet-Draft and is in full conformance
+   with all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six
+   months and may be updated, replaced, or obsoleted by other
+   documents at any time.  It is inappropriate to use Internet-
+   Drafts as reference material or to cite them other than as
+   "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This draft expires on January 31st, 2001.
+
+
+1. Abstract
+
+   This document defines an extension to the Kerberos protocol
+   specification (RFC 1510 [1]) and GSSAPI Kerberos mechanism (RFC 
+   1964 [2]) that enables a client to obtain Kerberos tickets for 
+   services where:
+
+   (1) The client knows its principal name and password, but not
+   its realm name (applicable in the situation where a user is already 
+   on the network but needs to authenticate to an ISP, and the user  
+   does not know his ISP realm name).
+   (2) The client is able to obtain the IP address of the service in 
+   a realm which it wants to send a request to, but is otherwise unable 
+   to locate or communicate with a KDC in the service realm or one of 
+   the intermediate realms. (One example would be a dial up user who 
+   does not have direct IP connectivity).
+   (3) The client does not know the realm name of the service.
+
+
+2. Motivation
+
+   When authenticating using Kerberos V5, clients obtain tickets from
+   a KDC and present them to services. This method of operation works
+
+   well in many situations, but is not always applicable since it
+   requires the client to know its own realm, the realm of the target 
+   service, the names of the KDC's, and to be able to connect to the 
+   KDC's. 
+  
+   This document defines an extension to the Kerberos protocol
+   specification (RFC 1510) [1] that enables a client to obtain
+   Kerberos tickets for services where:
+
+   (1) The client knows its principal name and password, but not
+   its realm name (applicable in the situation where a user is already 
+   on the network but needs to authenticate to an ISP, and the user 
+   does not know his ISP realm name).
+   (2) The client is able to obtain the IP address of the service in 
+   a realm which it wants to send a request to, but is otherwise unable 
+   to locate or communicate with a KDC in the service realm or one of 
+   the intermediate realms. (One example would be a dial up user who 
+   does not have direct IP connectivity).
+   (3) The client does not know the realm name of the service.
+
+   In this proposal, the client sends KDC request messages directly 
+   to application servers if one of the above failure cases develops. 
+   The application server acts as a proxy, forwarding messages back
+   and forth between the client and various KDC's (see Figure 1).
+
+
+           Client <---------> App Server <----------> KDC
+                               proxies
+
+
+                     Figure 1: IAKERB proxying
+
+
+   In the case where the client has sent a TGS_REQ message to the 
+   application server without a realm name in the request, the 
+   application server will forward an error message to the client 
+   with its realm name in the e-data field of the error message. 
+   The client will attempt to proceed using conventional Kerberos. 
+
+3. When Clients Should Use IAKERB
+
+   We list several, but possibly not all, cases where the client
+   should use IAKERB. In general, the existing Kerberos paradigm
+   where clients contact the KDC to obtain service tickets should
+   be preserved where possible.
+
+   (a) AS_REQ cases:
+
+   (i) The client is unable to locate the user's KDC or the KDC's
+   in the user's realm are not responding, or
+   (ii) The user has not entered a name which can be converted 
+   into a realm name (and the realm name cannot be derived from
+   a certificate). 
+
+   (b) TGS_REQ cases:
+
+   (i) the client determines that the KDC(s) in either an 
+   intermediate realm or the service realm are not responding or
+
+   the client is unable to locate a KDC, 
+
+   (ii) the client is not able to generate the application server 
+   realm name. 
+
+
+4. GSSAPI Encapsulation
+
+   The mechanism ID for IAKERB GSS-API Kerberos, in accordance with the 
+   mechanism proposed by SPNEGO for negotiating protocol variations, is:
+   {iso(1) member-body(2) United States(840) mit(113554) infosys(1) 
+   gssapi(2) krb5(2) initialauth(4)}
+
+   The AS request, AS reply, TGS request, and TGS reply messages are all 
+   encapsulated using the format defined by RFC1964 [2].  This consists 
+   of the GSS-API token framing defined in appendix B of RFC1508 [3]: 
+
+   InitialContextToken ::= 
+   [APPLICATION 0] IMPLICIT SEQUENCE { 
+           thisMech        MechType 
+                   -- MechType is OBJECT IDENTIFIER 
+                   -- representing "Kerberos V5" 
+           innerContextToken ANY DEFINED BY thisMech
+                   -- contents mechanism-specific;
+                   -- ASN.1 usage within innerContextToken
+                   -- is not required
+           }
+
+   The innerContextToken consists of a 2-byte TOK_ID field (defined 
+   below), followed by the Kerberos V5 KRB-AS-REQ, KRB-AS-REP, 
+   KRB-TGS-REQ, or KRB-TGS-REP messages, as appropriate. The TOK_ID field
+   shall be one of the following values, to denote that the message is 
+   either a request to the KDC or a response from the KDC.
+
+   Message         TOK_ID
+   KRB-KDC-REQ      00 03
+   KRB-KDC-REP      01 03
+   
+
+5. The Protocol
+
+   a. The user supplies a password (AS_REQ): Here the Kerberos client
+      will send an AS_REQ message to the application server if it cannot
+      locate a KDC for the user's realm, or such KDC's do not respond,
+      or the user does not enter a name from which the client can derive
+      the user's realm name. The client sets the realm field of the 
+      request equal to its own realm if the realm name is known, 
+      otherwise the realm length is set to 0. Upon receipt of the AS_REQ 
+      message, the application server checks if the client has included 
+      a realm. 
+
+      If the realm was not included in the original request, the 
+      application server must determine the realm and add it to the 
+      AS_REQ message before forwarding it. If the application server 
+      cannot determine the client realm, it returns the 
+      KRB_AP_ERR_REALM_REQUIRED error-code in an error message to 
+      the client:
+
+            KRB_AP_ERR_REALM_REQUIRED         77  
+
+      The error message can be sent in response to either an AS_REQ
+      message, or in response to a TGS_REQ message, in which case the 
+      realm and principal name of the application server are placed
+      into the realm and sname fields respectively, of the KRB-ERROR 
+      message. In the AS_REQ case, once the realm is filled in, the 
+      application server forwards the request to a KDC in the user's 
+      realm. It will retry the request if necessary, and forward the 
+      KDC response back to the client.
+
+      At the time the user enters a username and password, the client
+      should create a new credential with an INTERNAL NAME [3] that can
+      be used as an input into the GSS_Acquire_cred function call.
+
+      This functionality is useful when there is no trust relationship
+      between the user's logon realm and the target realm (Figure 2).
+
+
+                                     User Realm KDC        
+                                      /                
+                                     /                
+                                    /                
+                                   / 2,3   
+                      1,4         /      
+           Client<-------------->App Server
+
+
+      1 Client sends AS_REQ to App Server
+      2 App server forwards AS_REQ to User Realm KDC
+      3 App server receives AS_REP from User Realm KDC
+      4 App server sends AS_REP back to Client
+
+
+                      Figure 2: IAKERB AS_REQ
+
+
+
+   b. The user does not supply a password (TGS_REQ): The user includes a 
+      TGT targetted at the user's realm, or an intermediate realm, in a 
+      TGS_REQ message. The TGS_REQ message is sent to the application 
+      server. 
+
+      If the client has included the realm name in the TGS request, then
+      the application server will forward the request to a KDC in the
+      request TGT srealm. It will forward the response back to the client.
+
+      If the client has not included the realm name in the TGS request,
+      then the application server will return its realm name and principal 
+      name to the client using the KRB_AP_ERR_REALM_REQUIRED error 
+      described above. Sending a TGS_REQ message to the application server 
+      without a realm name in the request, followed by a TGS request using 
+      the returned realm name and then sending an AP request with a mutual 
+      authentication flag should be subject to a local policy decision 
+      (see security considerations below). Using the returned server 
+      principal name in a TGS request followed by sending an AP request 
+      message using the received ticket MUST NOT set any mutual 
+      authentication flags.
+
+
+6. Addresses in Tickets
+
+   In IAKERB, the machine sending requests to the KDC is the server and 
+   not the client. As a result, the client should not include its 
+   addresses in any KDC requests for two reasons. First, the KDC may
+   reject the forwarded request as being from the wrong client. Second,
+   in the case of initial authentication for a dial-up client, the client
+   machine may not yet possess a network address. Hence, as allowed by 
+   RFC1510 [1], the addresses field of the AS and TGS requests should be
+   blank and the caddr field of the ticket should similarly be left blank. 
+
+
+7. Combining IAKERB with Other Kerberos Extensions
+   
+   This protocol is usable with other proposed Kerberos extensions such as 
+   PKINIT (Public Key Cryptography for Initial Authentication in Kerberos 
+   [4]). In such cases, the messages which would normally be sent to the 
+   KDC by the GSS runtime are instead sent by the client application to the 
+   server, which then forwards them to a KDC.
+
+
+8. Security Considerations
+
+   A principal is identified by its principal name and realm. A client
+   that sends a TGS request to an application server without the request
+   realm name will only be able to mutually authenticate the server
+   up to its principal name. Thus when requesting mutual authentication, 
+   it is preferable if clients can either determine the server realm name 
+   beforehand, or apply some policy checks to the realm name obtained from 
+   the returned error message.
+   
+
+9. Bibliography
+ 
+   [1] J. Kohl, C. Neuman. The Kerberos Network Authentication
+   Service (V5). Request for Comments 1510.
+
+   [2]  J. Linn.  The Kerberos Version 5 GSS-API Mechanism. Request 
+   for Comments 1964 
+
+   [3]  J. Linn. Generic Security Service Application Program Interface.  
+   Request for Comments 1508 
+
+   [4] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray, 
+   J. Trostle, Public Key Cryptography for Initial Authentication in 
+   Kerberos, http://www.ietf.org/internet-drafts/draft-ietf-cat-kerberos-
+   pkinit-10.txt.
+
+
+10. This draft expires on January 31st, 2001. 
+
+
+11. Authors' Addresses
+
+   Michael Swift
+   Microsoft
+   One Microsoft Way
+   Redmond, Washington, 98052, U.S.A.
+   Email: mikesw@microsoft.com
+
+   Jonathan Trostle
+   170 W. Tasman Dr. 
+   San Jose, CA 95134, U.S.A.
+   Email: jtrostle@cisco.com
+   Phone: (408) 527-6201
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt
new file mode 100644
index 0000000..b3ec336
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt
@@ -0,0 +1,174 @@
+INTERNET-DRAFT                                        Jonathan Trostle
+draft-ietf-cat-kerberos-extra-tgt-02.txt              Cisco Systems
+Updates: RFC 1510                                     Michael M. Swift
+expires January 30, 2000                              University of WA
+
+
+    Extension to Kerberos V5 For Additional Initial Encryption
+
+0. Status Of This Memo
+
+   This document is an Internet-Draft and is in full conformance
+   with all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six
+   months and may be updated, replaced, or obsoleted by other
+   documents at any time.  It is inappropriate to use Internet-
+   Drafts as reference material or to cite them other than as
+   "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+1. Abstract
+
+   This document defines an extension to the Kerberos protocol
+   specification (RFC 1510) [1] to enable a preauthentication field in
+   the AS_REQ message to carry a ticket granting ticket. The session
+   key from this ticket granting ticket will be used to
+   cryptographically strengthen the initial exchange in either the
+   conventional Kerberos V5 case or in the case the user stores their
+   encrypted private key on the KDC [2].
+
+
+2. Motivation
+
+   In Kerberos V5, the initial exchange with the KDC consists of the
+   AS_REQ and AS_REP messages. For users, the encrypted part of the
+   AS_REP message is encrypted in a key derived from a password.
+   Although a password policy may be in place to prevent dictionary
+   attacks, brute force attacks may still be a concern due to
+   insufficient key length.
+
+   This draft specifies an extension to the Kerberos V5 protocol to
+   allow a ticket granting ticket to be included in an AS_REQ message
+   preauthentication field. The session key from this ticket granting
+   ticket will be used to cryptographically strengthen the initial
+
+   exchange in either the conventional Kerberos V5 case or in the case
+   the user stores their encrypted private key on the KDC [2]. The
+   session key from the ticket granting ticket is combined with the
+   user password key (key K2 in the encrypted private key on KDC
+   option) using HMAC to obtain a new triple des key that is used in
+   place of the user key in the initial exchange. The ticket granting
+   ticket could be obtained by the workstation using its host key.
+
+3. The Extension
+
+   The following new preauthentication type is proposed:
+
+      PA-EXTRA-TGT                         22
+
+   The preauthentication-data field contains a ticket granting ticket
+   encoded as an ASN.1 octet string. The server realm of the ticket
+   granting ticket must be equal to the realm in the KDC-REQ-BODY of
+   the AS_REQ message. In the absence of a trust relationship, the
+   local Kerberos client should send the AS_REQ message without this
+   extension.
+
+   In the conventional (non-pkinit) case, we require the RFC 1510
+   PA-ENC-TIMESTAMP preauthentication field in the AS_REQ message.
+   If neither it or the PA-PK-KEY-REQ preauthentication field is
+   included in the AS_REQ message, the KDC will reply with a
+   KDC_ERR_PREAUTH_FAILED error message.
+
+   We propose the following new etypes:
+
+     des3-cbc-md5-xor                              16
+     des3-cbc-sha1-xor                             17
+
+   The encryption key is obtained by:
+
+   (1) Obtaining an output M from the HMAC-SHA1 function [3] using
+       the user password key (the key K2 in the encrypted private
+       key on KDC option of pkinit) as the text and the triple des
+       session key as the K input in HMAC:
+
+       M = H(K XOR opad, H(K XOR ipad, text)) where H = SHA1.
+
+       The session key from the accompanying ticket granting ticket
+       must be a triple des key when one of the triple des xor
+       encryption types is used.
+   (2) Concatenate the output M (20 bytes) with the first 8 non-parity
+       bits of the triple-des ticket granting ticket session key to
+       get 168 bits that will be used for the new triple-des encryption
+       key.
+   (3) Set the parity bits of the resulting key.
+
+   The resulting triple des key is used to encrypt the timestamp
+   for the PA-ENC-TIMESTAMP preauthentication value (or in the
+   encrypted private key on KDC option of pkinit, it is used in
+   place of the key K2 to both sign in the PA-PK-KEY-REQ and for
+   encryption in the PA-PK-KEY-REP preauthentication types).
+
+   If the KDC decrypts the encrypted timestamp and it is not within
+   the appropriate clock skew period, the KDC will reply with the
+   KDC_ERR_PREAUTH_FAILED error. The same error will also be sent if
+   the above ticket granting ticket fails to decrypt properly, or if
+   it is not a valid ticket.
+
+   The KDC will create the shared triple des key from the ticket
+   granting ticket session key and the user password key (the key K2
+   in the encrypted private key on KDC case) using HMAC as specified
+   above and use it to validate the AS_REQ message and then to
+   encrypt the encrypted part of the AS_REP message (use it in place
+   of the key K2 for encryption in the PA-PK-KEY-REP preauthentication
+   field).
+
+   Local workstation policy will determine the exact behaviour of
+   the Kerberos client with respect to the extension protocol. For
+   example, the client should consult policy to decide when to use
+   use the extension. This policy could be dependent on the user
+   identity, or whether the workstation is in the same realm as the
+   user. One possibility is for the workstation logon to fail if
+   the extension is not used. Another possibility is for the KDC
+   to set a flag in tickets issued when this extension is used.
+
+   A similar idea was proposed in OSF DCE RFC 26.0 [4]; there a
+   preauthentication field containing a ticket granting ticket,
+   a randomly generated subkey encrypted in the session key from
+   the ticket, and a timestamp structure encrypted in the user
+   password and then the randomly generated subkey was proposed.
+   Some advantages of the current proposal are that the KDC has two
+   fewer decryptions to perform per request and the client does not
+   have to generate a random key.
+
+4. Bibliography
+
+   [1] J. Kohl, C. Neuman. The Kerberos Network Authentication
+   Service (V5). Request for Comments 1510.
+
+   [2] B. Tung, C. Neuman, J. Wray, A. Medvinsky, M. Hur, J. Trostle.
+   Public Key Cryptography for Initial Authentication in Kerberos.
+   ftp://ds.internic.net/internet-drafts/
+   draft-ietf-cat-kerberos-pkinit-08.txt
+
+   [3] H. Krawczyk, M. Bellare, R. Canetti. HMAC: Keyed-Hashing for
+   Message Authentication. Request for Comments 2104.
+
+   [4] J. Pato. Using Pre-authentication to Avoid Password Guessing
+   Attacks. OSF DCE SIG Request for Comments 26.0.
+
+5. Acknowledgement: We thank Ken Hornstein for some helpful comments.
+
+6. Expires January 30, 2000.
+
+7. Authors' Addresses
+
+   Jonathan Trostle
+   170 W. Tasman Dr.
+   San Jose, CA 95134, U.S.A.
+
+   Email: jtrostle@cisco.com
+   Phone: (408) 527-6201
+
+   Michael Swift
+   Email: mikesw@cs.washington.edu
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt
new file mode 100644
index 0000000..d09a2de
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on March 20, 2000.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt
new file mode 100644
index 0000000..1ab2b03
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt
@@ -0,0 +1,523 @@
+
+INTERNET-DRAFT                                               Matthew Hur
+draft-ietf-cat-kerberos-pk-cross-06.txt            CyberSafe Corporation
+Updates: RFC 1510                                             Brian Tung
+expires October 10, 2000                                  Tatyana Ryutov
+                                                         Clifford Neuman
+                                                             Gene Tsudik
+                                                                     ISI
+                                                           Ari Medvinsky
+                                                                Keen.com
+                                                         Bill Sommerfeld
+                                                         Hewlett-Packard
+
+
+    Public Key Cryptography for Cross-Realm Authentication in Kerberos
+
+
+0.  Status Of this Memo
+
+    This document is an Internet-Draft and is in full conformance with
+    all provisions of Section 10 of RFC 2026.  Internet-Drafts are
+    working documents of the Internet Engineering Task Force (IETF),
+    its areas, and its working groups.  Note that other groups may
+    also distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as ``work in
+    progress.''
+
+     The list of current Internet-Drafts can be accessed at
+     http://www.ietf.org/ietf/1id-abstracts.txt
+
+     The list of Internet-Draft Shadow Directories can be accessed at
+     http://www.ietf.org/shadow.html.
+
+
+
+    To learn the current status of any Internet-Draft, please check
+    the ``1id-abstracts.txt'' listing contained in the Internet-Drafts
+    Shadow Directories on ftp.ietf.org (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-cross-06.txt, and expires May 15, 1999.
+    Please send comments to the authors.
+
+
+1.  Abstract
+
+    This document defines extensions to the Kerberos protocol 
+    specification [1] to provide a method for using public key 
+    cryptography to enable cross-realm authentication.  The methods 
+    defined here specify the way in which message exchanges are to be 
+    used to transport cross-realm secret keys protected by encryption 
+    under public keys certified as belonging to KDCs.
+
+
+2.  Introduction
+
+    The Kerberos authentication protocol [2]  can leverage the 
+    advantages provided by public key cryptography.  PKINIT [3] 
+    describes the use of public key cryptography in the initial 
+    authentication exchange in Kerberos.  PKTAPP [4] describes how an 
+    application service can essentially issue a kerberos ticket to 
+    itself after utilizing public key cryptography for authentication. 
+    Another informational document species the use of public key 
+    crypography for anonymous authentication in Kerberos [5].  This 
+    specification describes the use of public key crpytography in cross- 
+    realm authentication.
+
+    Without the use of public key cryptography, administrators must 
+    maintain separate keys for every realm which wishes to exchange 
+    authentication information with another realm (which implies n(n-1) 
+    keys), or they must utilize a hierachichal arrangement of realms, 
+    which may complicate the trust model by requiring evaluation of 
+    transited realms.
+
+    Even with the multi-hop cross-realm authentication, there must be 
+    some way to locate the path by which separate realms are to be 
+    transited.  The current method, which makes use of the DNS-like 
+    realm names typical to Kerberos, requires trust of the intermediate 
+    KDCs.
+
+    PKCROSS utilizes a public key infrastructure (PKI) [6] to simplify 
+    the administrative burden of maintaining cross-realm keys.  Such 
+    usage leverages a PKI for a non-centrally-administratable environment 
+    (namely, inter-realm).  Thus, a shared key for cross-realm 
+    authentication can be established for a set period of time, and a 
+    remote realm is able to issue policy information that is returned to 
+    itself when a client requests cross-realm authentication. Such policy 
+    information may be in the form of restrictions [7].  Furthermore, 
+    these methods are transparent to the client; therefore, only the KDCs 
+    need to be modified to use them.  In this way, we take advantage of 
+    the the distributed trust management capabilities of public key 
+    crypography while maintaining the advantages of localized trust 
+    management provided by Kerberos.
+
+
+    Although this specification utilizes the protocol specfied in the 
+    PKINIT specification, it is not necessary to implement client 
+    changes in order to make use of the changes in this document.
+
+
+3.  Objectives
+
+    The objectives of this specification are as follows:
+    
+      1.  Simplify the administration required to establish Kerberos
+          cross-realm keys.
+          
+      2.  Avoid modification of clients and application servers.
+
+      3.  Allow remote KDC to control its policy on cross-realm
+          keys shared between KDCs, and on cross-realm tickets
+          presented by clients.
+
+      4.  Remove any need for KDCs to maintain state about keys
+          shared with other KDCs.
+
+      5.  Leverage the work done for PKINIT to provide the public key
+          protocol for establishing symmetric cross realm keys.
+
+
+4.  Definitions
+
+    The following notation is used throughout this specification:
+    KDC_l ........... local KDC
+    KDC_r ........... remote KDC
+    XTKT_(l,r) ...... PKCROSS ticket that the remote KDC issues to the
+                      local KDC
+    TGT_(c,r) ....... cross-realm TGT that the local KDC issues to the
+                      client for presentation to the remote KDC
+
+    This specification defines the following new types to be added to the 
+    Kerberos specification:
+      PKCROSS kdc-options field in the AS_REQ is bit 9
+      TE-TYPE-PKCROSS-KDC       2
+      TE-TYPE-PKCROSS-CLIENT    3
+
+    This specification defines the following ASN.1 type for conveying
+    policy information:
+    CrossRealmTktData ::= SEQUENCE OF TypedData
+
+    This specification defines the following types for policy information 
+    conveyed in CrossRealmTktData:
+      PLC_LIFETIME              1
+      PLC_SET_TKT_FLAGS         2
+      PLC_NOSET_TKT_FLAGS       3
+
+    TicketExtensions are defined per the Kerberos specification [8]:
+    TicketExtensions ::= SEQUENCE OF TypedData
+      Where
+        TypedData ::=   SEQUENCE {
+            data-type[0]   INTEGER,
+            data-value[1]  OCTET STRING OPTIONAL
+        }
+
+
+5.  Protocol Specification
+
+    We assume that the client has already obtained a TGT.  To perform
+    cross-realm authentication, the client does exactly what it does
+    with ordinary (i.e. non-public-key-enabled) Kerberos; the only
+    changes are in the KDC; although the ticket which the client
+    forwards to the remote realm may be changed.  This is acceptable
+    since the client treats the ticket as opaque.
+
+
+5.1.  Overview of Protocol
+
+    The basic operation of the PKCROSS protocol is as follows:
+
+        1.  The client submits a request to the local KDC for
+            credentials for the remote realm.  This is just a typical
+            cross realm request that may occur with or without PKCROSS. 
+
+        2.  The local KDC submits a PKINIT request to the remote KDC to
+            obtain a "special" PKCROSS ticket.  This is a standard
+            PKINIT request, except that PKCROSS flag (bit 9) is set in
+            the kdc-options field in the AS_REQ.
+
+        3.  The remote KDC responds as per PKINIT, except that
+            the ticket contains a TicketExtension, which contains
+            policy information such as lifetime of cross realm tickets
+            issued by KDC_l to a client.  The local KDC must reflect
+            this policy information in the credentials it forwards to
+            the client.  Call this ticket XTKT_(l,r) to indicate that
+            this ticket is used to authenticate the local KDC to the
+            remote KDC.
+
+        4.  The local KDC passes a ticket, TGT_(c,r) (the cross realm
+            TGT between the client and remote KDC), to the client.
+            This ticket contains in its TicketExtension field the
+            ticket, XTKT_(l,r), which contains the cross-realm key.
+            The TGT_(c,r) ticket is encrypted using the key sealed in
+            XTKT_(l,r).  (The TicketExtension field is not encrypted.)
+            The local KDC may optionally include another TicketExtension
+            type that indicates the hostname and/or IP address for the
+            remote KDC.
+
+        5.  The client submits the request directly to the remote
+            KDC, as before.
+            
+        6.  The remote KDC extracts XTKT_(l,r) from the TicketExtension
+            in order to decrypt the encrypted part of TGT_(c,r).
+
+    --------------------------------------------------------------------
+    
+    Client                Local KDC (KDC_l)           Remote KDC (KDC_r)
+    ------                -----------------           ------------------
+    Normal Kerberos
+    request for
+    cross-realm
+    ticket for KDC_r
+    ---------------------->
+    
+                          PKINIT request for
+                          XTKT(l,r) - PKCROSS flag
+                          set in the AS-REQ
+                          * ------------------------->
+                          
+                                                      PKINIT reply with
+                                                      XTKT_(l,r) and
+                                                      policy info in
+                                                      ticket extension
+                                           <-------------------------- *
+
+                          Normal Kerberos reply
+                          with TGT_(c,r) and
+                          XTKT(l,r) in ticket
+                          extension
+         <--------------------------------- 
+
+    Normal Kerberos
+    cross-realm TGS-REQ
+    for remote
+    application
+    service with
+    TGT_(c,r) and
+    XTKT(l,r) in ticket
+    extension
+    ------------------------------------------------->
+
+                                                      Normal Kerberos
+                                                      cross-realm
+                                                      TGS-REP
+        <---------------------------------------------------------------
+
+    * Note that the KDC to KDC messages occur only periodically, since
+      the local KDC caches the XTKT_(l,r).
+    --------------------------------------------------------------------
+    
+
+    Sections 5.2 through 5.4 describe in detail steps 2 through 4
+    above.  Section 5.6 describes the conditions under which steps
+    2 and 3 may be skipped.
+
+    Note that the mechanism presented above requires infrequent KDC to 
+    KDC communication (as dictated by policy - this is discussed
+    later).  Without such an exchange, there are the following issues:
+    1) KDC_l would have to issue a ticket with the expectation that
+       KDC_r will accept it.
+    2) In the message that the client sends to KDC_r, KDC_l would have
+       to authenticate KDC_r with credentials that KDC_r trusts.
+    3) There is no way for KDC_r to convey policy information to KDC_l.
+    4) If, based on local policy, KDC_r does not accept a ticket from
+       KDC_l, then the client gets stuck in the middle.  To address such
+       an issue would require modifications to standard client
+       processing behavior.
+    Therefore, the infreqeunt use of KDC to KDC communication assures
+    that inter-realm KDC keys may be established in accordance with local
+    policies and that clients may continue to operate without
+    modification.
+
+
+5.2.  Local KDC's Request to Remote KDC
+
+    When the local KDC receives a request for cross-realm authentication, 
+    it first checks its ticket cache to see if it has a valid PKCROSS 
+    ticket, XTKT_(l,r).  If it has a valid XTKT_(l,r), then it does not 
+    need to send a request to the remote KDC (see section 5.5).
+
+    If the local KDC does not have a valid XTKT_(l,r), it sends a     
+    request to the remote KDC in order to establish a cross realm key and 
+    obtain the XTKT_(l,r).  This request is in fact a PKINIT request as 
+    described in the PKINIT specification; i.e., it consists of an AS-REQ 
+    with a PA-PK-AS-REQ included as a preauthentication field.  Note, 
+    that the AS-REQ MUST have the PKCROSS flag (bit 9) set in the 
+    kdc_options field of the AS-REQ.  Otherwise, this exchange exactly 
+    follows the description given in the PKINIT specification.  In 
+    addition, the naming
+
+
+5.3.  Remote KDC's Response to Local KDC
+
+    When the remote KDC receives the PKINIT/PKCROSS request from the
+    local KDC, it sends back a PKINIT response as described in
+    the PKINIT specification with the following exception: the encrypted
+    part of the Kerberos ticket is not encrypted with the krbtgt key;
+    instead, it is encrypted with the ticket granting server's PKCROSS
+    key.  This key, rather than the krbtgt key, is used because it
+    encrypts a ticket used for verifying a cross realm request rather
+    than for issuing an application service ticket.  Note that, as a
+    matter of policy, the session key for the XTKT_(l,r) MAY be of
+    greater strength than that of a session key for a normal PKINIT
+    reply, since the XTKT_(l,r) SHOULD be much longer lived than a
+    normal application service ticket.
+
+    In addition, the remote KDC SHOULD include policy information in the 
+    XTKT_(l,r).  This policy information would then be reflected in the 
+    cross-realm TGT, TGT_(c,r).  Otherwise, the policy for TGT_(c,r) 
+    would be dictated by KDC_l rather than by KDC_r.  The local KDC MAY 
+    enforce a more restrictive local policy when creating a cross-realm 
+    ticket, TGT_(c,r).  For example, KDC_r  may dictate a lifetime 
+    policy of eight hours, but KDC_l may create TKT_(c,r) with a 
+    lifetime of four hours, as dictated by local policy.  Also, the 
+    remote KDC MAY include other information about itself along with the 
+    PKCROSS ticket.  These items are further discussed in section 6 
+    below.
+
+
+5.4.  Local KDC's Response to Client
+
+    Upon receipt of the PKINIT/CROSS response from the remote KDC,
+    the local KDC formulates a response to the client.  This reply
+    is constructed exactly as in the Kerberos specification, except
+    for the following:
+
+    A) The local KDC places XTKT_(l,r) in the TicketExtension field of
+       the client's cross-realm, ticket, TGT_(c,r), for the remote realm.
+       Where
+          data-type   equals 3 for TE-TYPE-PKCROSS-CLIENT
+          data-value  is ASN.1 encoding of XTKT_(l,r)
+     
+    B) The local KDC adds the name of its CA to the transited field of
+       TGT_(c,r).
+
+
+5.5   Remote KDC's Processing of Client Request
+
+    When the remote KDC, KDC_r, receives a cross-realm ticket, 
+    TGT_(c,r), and it detects that the ticket contains a ticket 
+    extension of type TE-TYPE-PKCROSS-CLIENT, KDC_r must first decrypt 
+    the ticket, XTKT_(l,r), that is encoded in the ticket extension.  
+    KDC_r uses its PKCROSS key in order to decrypt XTKT_(l,r).  KDC_r 
+    then uses the key obtained from XTKT_(l,r) in order to decrypt the 
+    cross-realm ticket, TGT_(c,r).
+
+    KDC_r MUST verify that the cross-realm ticket, TGT_(c,r) is in 
+    compliance with any policy information contained in XTKT_(l,r) (see 
+    section 6).  If the TGT_(c,r) is not in compliance with policy, then 
+    the KDC_r responds to the client with a KRB-ERROR message of type 
+    KDC_ERR_POLICY.
+
+    
+5.6.  Short-Circuiting the KDC-to-KDC Exchange
+
+    As we described earlier, the KDC to KDC exchange is required only 
+    for establishing a symmetric, inter-realm key.  Once this key is 
+    established (via the PKINIT exchange), no KDC to KDC communication 
+    is required until that key needs to be renewed.  This section 
+    describes the circumstances under which the KDC to KDC exchange 
+    described in Sections 5.2 and 5.3 may be skipped.
+
+    The local KDC has a known lifetime for TGT_(c,r).  This lifetime may 
+    be determined by policy information included in XTKT_(l,r), and/or 
+    it may be determined by local KDC policy.  If the local KDC already 
+    has a ticket XTKT(l,r), and the start time plus the lifetime for 
+    TGT_(c,r) does not exceed the expiration time for XTGT_(l,r), then 
+    the local KDC may skip the exchange with the remote KDC, and issue a 
+    cross-realm ticket to the client as described in Section 5.4.
+
+    Since the remote KDC may change its PKCROSS key (referred to in 
+    Section 5.2) while there are PKCROSS tickets still active, it SHOULD 
+    cache the old PKCROSS keys until the last issued PKCROSS ticket 
+    expires.  Otherwise, the remote KDC will respond to a client with a 
+    KRB-ERROR message of type KDC_ERR_TGT_REVOKED.
+
+
+6.  Extensions for the PKCROSS Ticket
+
+    As stated in section 5.3, the remote KDC SHOULD include policy 
+    information in XTKT_(l,r).  This policy information is contained in 
+    a TicketExtension, as defined by the Kerberos specification, and the 
+    authorization data of the ticket will contain an authorization 
+    record of type AD-IN-Ticket-Extensions.  The TicketExtension defined 
+    for use by PKCROSS is TE-TYPE-PKCROSS-KDC.
+      Where
+        data-type   equals 2 for TE-TYPE-PKCROSS-KDC
+        data-value  is ASN.1 encoding of CrossRealmTktData
+
+      CrossRealmTktData ::= SEQUENCE OF TypedData
+
+
+      ------------------------------------------------------------------
+      CrossRealmTktData types and the corresponding data are interpreted 
+      as follows:
+
+                                                            ASN.1 data
+      type                value   interpretation            encoding
+      ----------------    -----   --------------            ----------
+      PLC_LIFETIME          1     lifetime (in seconds)     INTEGER
+                                  for TGT_(c,r) 
+                                  - cross-realm tickets
+                                    issued for clients by
+                                    TGT_l
+
+      PLC_SET_TKT_FLAGS     2     TicketFlags that must     BITSTRING
+                                  be set
+                                  - format defined by
+                                    Kerberos specification
+
+      PLC_NOSET_TKT_FLAGS   3     TicketFlags that must     BITSTRING
+                                  not be set
+                                  - format defined by
+                                    Kerberos specification
+
+      Further types may be added to this table.
+      ------------------------------------------------------------------
+
+
+7.  Usage of Certificates
+
+    In the cases of PKINIT and PKCROSS, the trust in a certification 
+    authority is equivalent to Kerberos cross realm trust.  For this 
+    reason, an implementation MAY choose to use the same KDC certificate 
+    when the KDC is acting in any of the following three roles:
+      1) KDC is authenticating clients via PKINIT
+      2) KDC is authenticating another KDC for PKCROSS 
+      3) KDC is the client in a PKCROSS exchange with another KDC
+
+    Note that per PKINIT, the KDC X.509 certificate (the server in a 
+    PKINIT exchange) MUST contain the principal name of the KDC in the 
+    subjectAltName field.
+
+
+8.  Transport Issues
+
+    Because the messages between the KDCs involve PKINIT exchanges, and 
+    PKINIT recommends TCP as a transport mechanism (due to the length of 
+    the messages and the likelihood that they will fragment), the same 
+    recommendation for TCP applies to PKCROSS as well.
+
+    
+9. Security Considerations
+
+   Since PKCROSS utilizes PKINIT, it is subject to the same security
+   considerations as PKINIT.  Administrators should assure adherence 
+   to security policy - for example, this affects the PKCROSS policies
+   for cross realm key lifetime and for policy propogation from the 
+   PKCROSS ticket, issued from a remote KDC to a local KDC, to
+   cross realm tickets that are issued by a local KDC to a client.
+
+
+10. Bibliography
+
+  [1] J. Kohl, C. Neuman.  The Kerberos Network Authentication Service 
+  (V5).  Request for Comments 1510.
+
+  [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service
+  for Computer Networks, IEEE Communications, 32(9):33-38.  September
+  1994.
+
+  [3] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S.Medvinsky, J. Wray
+  J. Trostle.  Public Key Cryptography for Initial Authentication
+  in Kerberos.
+  draft-ietf-cat-kerberos-pk-init-11.txt
+
+  [4] A. Medvinsky, M. Hur, S. Medvinsky, B. Clifford Neuman.  Public 
+  Key Utilizing Tickets for Application Servers (PKTAPP). draft-ietf-
+  cat-pktapp-02.txt
+
+  [5] A. Medvinsky, J. Cargille, M. Hur.  Anonymous Credentials in
+  Kerberos. draft-ietf-cat-kerberos-anoncred-01.txt
+
+  [6] ITU-T (formerly CCITT) Information technology - Open Systems
+  Interconnection - The Directory: Authentication Framework
+  Recommendation X.509 ISO/IEC 9594-8
+    
+  [7] B.C. Neuman, Proxy-Based Authorization and Accounting for 
+  Distributed Systems.  In Proceedings of the 13th International 
+  Conference on Distributed Computing Systems, May 1993.
+
+  [8] C.Neuman, J. Kohl, T. Ts'o.  The Kerberos Network Authentication 
+  Service (V5). draft-ietf-cat-kerberos-revisions-05.txt
+
+
+11. Authors' Addresses
+
+    Matthew Hur
+    CyberSafe Corporation
+    1605 NW Sammamish Road
+    Issaquah WA 98027-5378
+    Phone: +1 425 391 6000
+    E-mail: matt.hur@cybersafe.com
+
+    Brian Tung
+    Tatyana Ryutov
+    Clifford Neuman
+    Gene Tsudik
+    USC/Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey, CA 90292-6695
+    Phone: +1 310 822 1511
+    E-Mail: {brian, tryutov, bcn, gts}@isi.edu
+
+    Ari Medvinsky
+    Keen.com
+    2480 Sand Hill Road, Suite 200
+    Menlo Park, CA 94025
+    Phone +1 650 289 3134
+    E-mail: ari@keen.com
+
+    Bill Sommerfeld
+    Hewlett Packard
+    300 Apollo Drive
+    Chelmsford MA 01824
+    Phone: +1 508 436 4352
+    E-Mail: sommerfeld@apollo.hp.com
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt
new file mode 100644
index 0000000..9b0e76ad
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt
@@ -0,0 +1,1059 @@
+INTERNET-DRAFT                                                Brian Tung
+draft-ietf-cat-kerberos-pk-init-11.txt                   Clifford Neuman
+Updates: RFC 1510                                                USC/ISI
+expires September 15, 2000                                   Matthew Hur
+                                                   CyberSafe Corporation
+                                                           Ari Medvinsky
+                                                          Keen.com, Inc.
+                                                         Sasha Medvinsky
+                                                                Motorola
+                                                               John Wray
+                                                   Iris Associates, Inc.
+                                                        Jonathan Trostle
+                                                                   Cisco
+
+    Public Key Cryptography for Initial Authentication in Kerberos
+
+0.  Status Of This Memo
+
+    This document is an Internet-Draft and is in full conformance with
+    all provisions of Section 10 of RFC 2026.  Internet-Drafts are
+    working documents of the Internet Engineering Task Force (IETF),
+    its areas, and its working groups.  Note that other groups may also
+    distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as "work in
+    progress."
+
+    The list of current Internet-Drafts can be accessed at
+    http://www.ietf.org/ietf/1id-abstracts.txt
+
+    The list of Internet-Draft Shadow Directories can be accessed at
+    http://www.ietf.org/shadow.html.
+
+    To learn the current status of any Internet-Draft, please check
+    the "1id-abstracts.txt" listing contained in the Internet-Drafts
+    Shadow Directories on ftp.ietf.org (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-init-11.txt, and expires September 15,
+    2000.  Please send comments to the authors.
+
+1.  Abstract
+
+    This document defines extensions (PKINIT) to the Kerberos protocol
+    specification (RFC 1510 [1]) to provide a method for using public
+    key cryptography during initial authentication.  The methods
+    defined specify the ways in which preauthentication data fields and
+    error data fields in Kerberos messages are to be used to transport
+    public key data.
+
+2.  Introduction
+
+    The popularity of public key cryptography has produced a desire for
+    its support in Kerberos [2].  The advantages provided by public key
+    cryptography include simplified key management (from the Kerberos
+    perspective) and the ability to leverage existing and developing
+    public key certification infrastructures.
+
+    Public key cryptography can be integrated into Kerberos in a number
+    of ways.  One is to associate a key pair with each realm, which can
+    then be used to facilitate cross-realm authentication; this is the
+    topic of another draft proposal.  Another way is to allow users with
+    public key certificates to use them in initial authentication.  This
+    is the concern of the current document.
+
+    PKINIT utilizes ephemeral-ephemeral Diffie-Hellman keys in
+    combination with digital signature keys as the primary, required
+    mechanism.  It also allows for the use of RSA keys and/or (static)
+    Diffie-Hellman certificates.  Note in particular that PKINIT supports
+    the use of separate signature and encryption keys.
+
+    PKINIT enables access to Kerberos-secured services based on initial
+    authentication utilizing public key cryptography.  PKINIT utilizes
+    standard public key signature and encryption data formats within the
+    standard Kerberos messages.  The basic mechanism is as follows:  The
+    user sends an AS-REQ message to the KDC as before, except that if that
+    user is to use public key cryptography in the initial authentication
+    step, his certificate and a signature accompany the initial request
+    in the preauthentication fields.  Upon receipt of this request, the
+    KDC verifies the certificate and issues a ticket granting ticket
+    (TGT) as before, except that the encPart from the AS-REP message
+    carrying the TGT is now encrypted utilizing either a Diffie-Hellman
+    derived key or the user's public key.  This message is authenticated
+    utilizing the public key signature of the KDC.
+
+    Note that PKINIT does not require the use of certificates.  A KDC
+    may store the public key of a principal as part of that principal's
+    record.  In this scenario, the KDC is the trusted party that vouches
+    for the principal (as in a standard, non-cross realm, Kerberos
+    environment).  Thus, for any principal, the KDC may maintain a
+    secret key, a public key, or both.
+
+    The PKINIT specification may also be used as a building block for
+    other specifications.  PKCROSS [3] utilizes PKINIT for establishing
+    the inter-realm key and associated inter-realm policy to be applied
+    in issuing cross realm service tickets.  As specified in [4],
+    anonymous Kerberos tickets can be issued by applying a NULL
+    signature in combination with Diffie-Hellman in the PKINIT exchange.
+    Additionally, the PKINIT specification may be used for direct peer
+    to peer authentication without contacting a central KDC. This
+    application of PKINIT is described in PKTAPP [5] and is based on
+    concepts introduced in [6, 7]. For direct client-to-server
+    authentication, the client uses PKINIT to authenticate to the end
+    server (instead of a central KDC), which then issues a ticket for
+    itself.  This approach has an advantage over TLS [8] in that the
+    server does not need to save state (cache session keys).
+    Furthermore, an additional benefit is that Kerberos tickets can
+    facilitate delegation (see [9]).
+
+3.  Proposed Extensions
+
+    This section describes extensions to RFC 1510 for supporting the
+    use of public key cryptography in the initial request for a ticket
+    granting ticket (TGT).
+
+    In summary, the following change to RFC 1510 is proposed:
+
+        * Users may authenticate using either a public key pair or a
+          conventional (symmetric) key.  If public key cryptography is
+          used, public key data is transported in preauthentication
+          data fields to help establish identity.  The user presents
+          a public key certificate and obtains an ordinary TGT that may
+          be used for subsequent authentication, with such
+          authentication using only conventional cryptography.
+
+    Section 3.1 provides definitions to help specify message formats.
+    Section 3.2 describes the extensions for the initial authentication
+    method.
+
+3.1.  Definitions
+
+    The extensions involve new preauthentication fields; we introduce
+    the following preauthentication types:
+
+        PA-PK-AS-REQ                            14
+        PA-PK-AS-REP                            15
+
+    The extensions also involve new error types; we introduce the
+    following types:
+
+        KDC_ERR_CLIENT_NOT_TRUSTED              62
+        KDC_ERR_KDC_NOT_TRUSTED                 63
+        KDC_ERR_INVALID_SIG                     64
+        KDC_ERR_KEY_TOO_WEAK                    65
+        KDC_ERR_CERTIFICATE_MISMATCH            66
+        KDC_ERR_CANT_VERIFY_CERTIFICATE         70
+        KDC_ERR_INVALID_CERTIFICATE             71
+        KDC_ERR_REVOKED_CERTIFICATE             72
+        KDC_ERR_REVOCATION_STATUS_UNKNOWN       73
+        KDC_ERR_REVOCATION_STATUS_UNAVAILABLE   74
+        KDC_ERR_CLIENT_NAME_MISMATCH            75
+        KDC_ERR_KDC_NAME_MISMATCH               76
+
+    We utilize the following typed data for errors:
+
+        TD-PKINIT-CMS-CERTIFICATES             101
+        TD-KRB-PRINCIPAL                       102
+        TD-KRB-REALM                           103
+        TD-TRUSTED-CERTIFIERS                  104
+        TD-CERTIFICATE-INDEX                   105
+
+    We utilize the following encryption types (which map directly to
+    OIDs):
+
+        dsaWithSHA1-CmsOID                       9
+        md5WithRSAEncryption-CmsOID             10
+        sha1WithRSAEncryption-CmsOID            11
+        rc2CBC-EnvOID                           12
+        rsaEncryption-EnvOID (PKCS#1 v1.5)      13
+        rsaES-OAEP-ENV-OID   (PKCS#1 v2.0)      14
+        des-ede3-cbc-Env-OID                    15
+
+    These mappings are provided so that a client may send the
+    appropriate enctypes in the AS-REQ message in order to indicate
+    support for the corresponding OIDs (for performing PKINIT).
+
+    In many cases, PKINIT requires the encoding of the X.500 name of a
+    certificate authority as a Realm.  When such a name appears as
+    a realm it will be represented using the "other" form of the realm
+    name as specified in the naming constraints section of RFC1510.
+    For a realm derived from an X.500 name, NAMETYPE will have the value
+    X500-RFC2253.  The full realm name will appear as follows:
+
+        <nametype> + ":" + <string>
+
+    where nametype is "X500-RFC2253" and string is the result of doing
+    an RFC2253 encoding of the distinguished name, i.e.
+
+        "X500-RFC2253:" + RFC2253Encode(DistinguishedName)
+
+    where DistinguishedName is an X.500 name, and RFC2253Encode is a
+    function returing a readable UTF encoding of an X.500 name, as
+    defined by RFC 2253 [14] (part of LDAPv3 [18]).
+
+    To ensure that this encoding is unique, we add the following rule
+    to those specified by RFC 2253:
+
+        The order in which the attributes appear in the RFC 2253
+        encoding must be the reverse of the order in the ASN.1
+        encoding of the X.500 name that appears in the public key
+        certificate. The order of the relative distinguished names
+        (RDNs), as well as the order of the AttributeTypeAndValues
+        within each RDN, will be reversed. (This is despite the fact
+        that an RDN is defined as a SET of AttributeTypeAndValues, where
+        an order is normally not important.)
+
+    Similarly, in cases where the KDC does not provide a specific
+    policy based mapping from the X.500 name or X.509 Version 3
+    SubjectAltName extension in the user's certificate to a Kerberos
+    principal name, PKINIT requires the direct encoding of the X.500
+    name as a PrincipalName.  In this case, the name-type of the
+    principal name shall be set to KRB_NT-X500-PRINCIPAL.  This new
+    name type is defined in RFC 1510 as:
+
+        KRB_NT_X500_PRINCIPAL    6
+
+    The name-string shall be set as follows:
+
+        RFC2253Encode(DistinguishedName)
+
+    as described above.  When this name type is used, the principal's
+    realm shall be set to the certificate authority's distinguished
+    name using the X500-RFC2253 realm name format described earlier in
+    this section
+
+    RFC 1510 specifies the ASN.1 structure for PrincipalName as follows:
+
+        PrincipalName ::=   SEQUENCE {
+                        name-type[0]     INTEGER,
+                        name-string[1]   SEQUENCE OF GeneralString
+        }
+
+    For the purposes of encoding an X.500 name as a Kerberos name for
+    use in Kerberos structures, the name-string shall be encoded as a
+    single GeneralString.  The name-type should be KRB_NT_X500_PRINCIPAL,
+    as noted above.  All Kerberos names must conform to validity
+    requirements as given in RFC 1510.  Note that name mapping may be
+    required or optional, based on policy.
+
+    We also define the following similar ASN.1 structure:
+
+        CertPrincipalName ::= SEQUENCE {
+                        name-type[0]     INTEGER,
+                        name-string[1]   SEQUENCE OF UTF8String
+        }
+
+    When a Kerberos PrincipalName is to be placed within an X.509 data
+    structure, the CertPrincipalName structure is to be used, with the
+    name-string encoded as a single UTF8String.  The name-type should be
+    as identified in the original PrincipalName structure.  The mapping
+    between the GeneralString and UTF8String formats can be found in
+    [19].
+
+    The following rules relate to the the matching of PrincipalNames (or
+    corresponding CertPrincipalNames) with regard to the PKI name
+    constraints for CAs as laid out in RFC 2459 [15].  In order to be
+    regarded as a match (for permitted and excluded name trees), the
+    following must be satisfied.
+
+        1.  If the constraint is given as a user plus realm name, or
+            as a user plus instance plus realm name (as specified in
+            RFC 1510), the realm name must be valid (see 2.a-d below)
+            and the match must be exact, byte for byte.
+
+        2.  If the constraint is given only as a realm name, matching
+            depends on the type of the realm:
+
+            a.  If the realm contains a colon (':') before any equal
+                sign ('='), it is treated as a realm of type Other,
+                and must match exactly, byte for byte.
+
+            b.  Otherwise, if the realm contains an equal sign, it
+                is treated as an X.500 name.  In order to match, every
+                component in the constraint MUST be in the principal
+                name, and have the same value.  For example, 'C=US'
+                matches 'C=US/O=ISI' but not 'C=UK'.
+
+            c.  Otherwise, if the realm name conforms to rules regarding
+                the format of DNS names, it is considered a realm name of
+                type Domain.  The constraint may be given as a realm
+                name 'FOO.BAR', which matches any PrincipalName within
+                the realm 'FOO.BAR' but not those in subrealms such as
+                'CAR.FOO.BAR'.  A constraint of the form '.FOO.BAR'
+                matches PrincipalNames in subrealms of the form
+                'CAR.FOO.BAR' but not the realm 'FOO.BAR' itself.
+
+            d.  Otherwise, the realm name is invalid and does not match
+                under any conditions.
+
+3.1.1.  Encryption and Key Formats
+
+    In the exposition below, we use the terms public key and private
+    key generically.  It should be understood that the term "public
+    key" may be used to refer to either a public encryption key or a
+    signature verification key, and that the term "private key" may be
+    used to refer to either a private decryption key or a signature
+    generation key.  The fact that these are logically distinct does
+    not preclude the assignment of bitwise identical keys for RSA
+    keys.
+
+    In the case of Diffie-Hellman, the key shall be produced from the
+    agreed bit string as follows:
+
+        * Truncate the bit string to the appropriate length.
+        * Rectify parity in each byte (if necessary) to obtain the key.
+
+    For instance, in the case of a DES key, we take the first eight
+    bytes of the bit stream, and then adjust the least significant bit
+    of each byte to ensure that each byte has odd parity.
+
+3.1.2. Algorithm Identifiers
+
+    PKINIT does not define, but does permit, the algorithm identifiers
+    listed below.
+
+3.1.2.1. Signature Algorithm Identifiers
+
+    The following signature algorithm identifiers specified in [11] and
+    in [15] shall be used with PKINIT:
+
+    id-dsa-with-sha1       (DSA with SHA1)
+    md5WithRSAEncryption   (RSA with MD5)
+    sha-1WithRSAEncryption (RSA with SHA1)
+
+3.1.2.2 Diffie-Hellman Key Agreement Algorithm Identifier
+
+    The following algorithm identifier shall be used within the
+    SubjectPublicKeyInfo data structure: dhpublicnumber
+
+    This identifier and the associated algorithm parameters are
+    specified in RFC 2459 [15].
+
+3.1.2.3. Algorithm Identifiers for RSA Encryption
+
+    These algorithm identifiers are used inside the EnvelopedData data
+    structure, for encrypting the temporary key with a public key:
+
+        rsaEncryption (RSA encryption, PKCS#1 v1.5)
+        id-RSAES-OAEP (RSA encryption, PKCS#1 v2.0)
+
+    Both of the above RSA encryption schemes are specified in [16].
+    Currently, only PKCS#1 v1.5 is specified by CMS [11], although the
+    CMS specification says that it will likely include PKCS#1 v2.0 in
+    the future.  (PKCS#1 v2.0 addresses adaptive chosen ciphertext
+    vulnerability discovered in PKCS#1 v1.5.)
+
+3.1.2.4. Algorithm Identifiers for Encryption with Secret Keys
+
+    These algorithm identifiers are used inside the EnvelopedData data
+    structure in the PKINIT Reply, for encrypting the reply key with the
+    temporary key:
+        des-ede3-cbc (3-key 3-DES, CBC mode)
+        rc2-cbc      (RC2, CBC mode)
+
+    The full definition of the above algorithm identifiers and their
+    corresponding parameters (an IV for block chaining) is provided in
+    the CMS specification [11].
+
+3.2.  Public Key Authentication
+
+    Implementation of the changes in this section is REQUIRED for
+    compliance with PKINIT.
+
+3.2.1.  Client Request
+
+    Public keys may be signed by some certification authority (CA), or
+    they may be maintained by the KDC in which case the KDC is the
+    trusted authority.  Note that the latter mode does not require the
+    use of certificates.
+
+    The initial authentication request is sent as per RFC 1510, except
+    that a preauthentication field containing data signed by the user's
+    private key accompanies the request:
+
+    PA-PK-AS-REQ ::= SEQUENCE {
+                                -- PA TYPE 14
+        signedAuthPack          [0] SignedData
+                                    -- Defined in CMS [11];
+                                    -- AuthPack (below) defines the
+                                    -- data that is signed.
+        trustedCertifiers       [1] SEQUENCE OF TrustedCas OPTIONAL,
+                                    -- This is a list of CAs that the
+                                    -- client trusts and that certify
+                                    -- KDCs.
+        kdcCert                 [2] IssuerAndSerialNumber OPTIONAL
+                                    -- As defined in CMS [11];
+                                    -- specifies a particular KDC
+                                    -- certificate if the client
+                                    -- already has it.
+        encryptionCert          [3] IssuerAndSerialNumber OPTIONAL
+                                    -- For example, this may be the
+                                    -- client's Diffie-Hellman
+                                    -- certificate, or it may be the
+                                    -- client's RSA encryption
+                                    -- certificate.
+    }
+
+    TrustedCas ::= CHOICE {
+        principalName         [0] KerberosName,
+                                  -- as defined below
+        caName                [1] Name
+                                  -- fully qualified X.500 name
+                                  -- as defined by X.509
+        issuerAndSerial       [2] IssuerAndSerialNumber
+                                  -- Since a CA may have a number of
+                                  -- certificates, only one of which
+                                  -- a client trusts
+    }
+
+    Usage of SignedData:
+
+        The SignedData data type is specified in the Cryptographic
+        Message Syntax, a product of the S/MIME working group of the
+        IETF.  The following describes how to fill in the fields of
+        this data:
+
+        1.  The encapContentInfo field must contain the PKAuthenticator
+            and, optionally, the client's Diffie Hellman public value.
+
+            a.  The eContentType field shall contain the OID value for
+                pkdata: iso (1) org (3) dod (6) internet (1) security (5)
+                kerberosv5 (2) pkinit (3) pkdata (1)
+
+            b.  The eContent field is data of the type AuthPack (below).
+
+        2.  The signerInfos field contains the signature of AuthPack.
+
+        3.  The Certificates field, when non-empty, contains the client's
+            certificate chain.  If present, the KDC uses the public key
+            from the client's certificate to verify the signature in the
+            request.  Note that the client may pass different certificate
+            chains that are used for signing or for encrypting.  Thus,
+            the KDC may utilize a different client certificate for
+            signature verification than the one it uses to encrypt the
+            reply to the client.  For example, the client may place a
+            Diffie-Hellman certificate in this field in order to convey
+            its static Diffie Hellman certificate to the KDC to enable
+            static-ephemeral Diffie-Hellman mode for the reply; in this
+            case, the client does NOT place its public value in the
+            AuthPack (defined below).  As another example, the client may
+            place an RSA encryption certificate in this field.  However,
+            there must always be (at least) a signature certificate.
+
+    AuthPack ::= SEQUENCE {
+        pkAuthenticator         [0] PKAuthenticator,
+        clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL
+                                    -- if client is using Diffie-Hellman
+                                    -- (ephemeral-ephemeral only)
+    }
+
+    PKAuthenticator ::= SEQUENCE {
+        kdcName                 [0] PrincipalName,
+        kdcRealm                [1] Realm,
+        cusec                   [2] INTEGER,
+                                    -- for replay prevention as in RFC1510
+        ctime                   [3] KerberosTime,
+                                    -- for replay prevention as in RFC1510
+        nonce                   [4] INTEGER
+    }
+
+    SubjectPublicKeyInfo ::= SEQUENCE {
+        algorithm                   AlgorithmIdentifier,
+                                    -- dhKeyAgreement
+        subjectPublicKey            BIT STRING
+                                    -- for DH, equals
+                                    -- public exponent (INTEGER encoded
+                                    -- as payload of BIT STRING)
+    }   -- as specified by the X.509 recommendation [10]
+
+    AlgorithmIdentifier ::= SEQUENCE {
+        algorithm                   ALGORITHM.&id,
+        parameters                  ALGORITHM.&type
+    }   -- as specified by the X.509 recommendation [10]
+
+    If the client passes an issuer and serial number in the request,
+    the KDC is requested to use the referred-to certificate.  If none
+    exists, then the KDC returns an error of type
+    KDC_ERR_CERTIFICATE_MISMATCH.  It also returns this error if, on the
+    other hand, the client does not pass any trustedCertifiers,
+    believing that it has the KDC's certificate, but the KDC has more
+    than one certificate.  The KDC should include information in the
+    KRB-ERROR message that indicates the KDC certificate(s) that a
+    client may utilize.  This data is specified in the e-data, which
+    is defined in RFC 1510 revisions as a SEQUENCE of TypedData:
+
+    TypedData ::=  SEQUENCE {
+                    data-type      [0] INTEGER,
+                    data-value     [1] OCTET STRING,
+    } -- per Kerberos RFC 1510 revisions
+
+    where:
+    data-type = TD-PKINIT-CMS-CERTIFICATES = 101
+    data-value = CertificateSet // as specified by CMS [11]
+
+    The PKAuthenticator carries information to foil replay attacks, and
+    to bind the request and response.  The PKAuthenticator is signed
+    with the client's signature key.
+
+3.2.2.  KDC Response
+
+    Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication
+    type, the KDC attempts to verify the user's certificate chain
+    (userCert), if one is provided in the request.  This is done by
+    verifying the certification path against the KDC's policy of
+    legitimate certifiers.  This may be based on a certification
+    hierarchy, or it may be simply a list of recognized certifiers in a
+    system like PGP.
+
+    If the client's certificate chain contains no certificate signed by
+    a CA trusted by the KDC, then the KDC sends back an error message
+    of type KDC_ERR_CANT_VERIFY_CERTIFICATE.  The accompanying e-data
+    is a SEQUENCE of one TypedData (with type TD-TRUSTED-CERTIFIERS=104)
+    whose data-value is an OCTET STRING which is the DER encoding of
+
+        TrustedCertifiers ::= SEQUENCE OF PrincipalName
+                              -- X.500 name encoded as a principal name
+                              -- see Section 3.1
+
+    If while verifying a certificate chain the KDC determines that the
+    signature on one of the certificates in the CertificateSet from
+    the signedAuthPack fails verification, then the KDC returns an
+    error of type KDC_ERR_INVALID_CERTIFICATE.  The accompanying
+    e-data is a SEQUENCE of one TypedData (with type
+    TD-CERTIFICATE-INDEX=105) whose data-value is an OCTET STRING
+    which is the DER encoding of the index into the CertificateSet
+    ordered as sent by the client.
+
+        CertificateIndex  ::= INTEGER
+                              -- 0 = 1st certificate,
+                              --     (in order of encoding)
+                              -- 1 = 2nd certificate, etc
+
+    The KDC may also check whether any of the certificates in the
+    client's chain has been revoked.  If one of the certificates has
+    been revoked, then the KDC returns an error of type
+    KDC_ERR_REVOKED_CERTIFICATE; if such a query reveals that
+    the certificate's revocation status is unknown or not
+    available, then if required by policy, the KDC returns the
+    appropriate error of type KDC_ERR_REVOCATION_STATUS_UNKNOWN or
+    KDC_ERR_REVOCATION_STATUS_UNAVAILABLE.  In any of these three
+    cases, the affected certificate is identified by the accompanying
+    e-data, which contains a CertificateIndex as described for
+    KDC_ERR_INVALID_CERTIFICATE.
+
+    If the certificate chain can be verified, but the name of the
+    client in the certificate does not match the client's name in the
+    request, then the KDC returns an error of type
+    KDC_ERR_CLIENT_NAME_MISMATCH.  There is no accompanying e-data
+    field in this case.
+
+    Finally, if the certificate chain is verified, but the KDC's name
+    or realm as given in the PKAuthenticator does not match the KDC's
+    actual principal name, then the KDC returns an error of type
+    KDC_ERR_KDC_NAME_MISMATCH.  The accompanying e-data field is again
+    a SEQUENCE of one TypedData (with type TD-KRB-PRINCIPAL=102 or
+    TD-KRB-REALM=103 as appropriate) whose data-value is an OCTET
+    STRING whose data-value is the DER encoding of a PrincipalName or
+    Realm as defined in RFC 1510 revisions.
+
+    Even if all succeeds, the KDC may--for policy reasons--decide not
+    to trust the client.  In this case, the KDC returns an error message
+    of type KDC_ERR_CLIENT_NOT_TRUSTED.  One specific case of this is
+    the presence or absence of an Enhanced Key Usage (EKU) OID within
+    the certificate extensions.  The rules regarding acceptability of
+    an EKU sequence (or the absence of any sequence) are a matter of
+    local policy.  For the benefit of implementers, we define a PKINIT
+    EKU OID as the following: iso (1) org (3) dod (6) internet (1)
+    security (5) kerberosv5 (2) pkinit (3) pkekuoid (2).
+
+    If a trust relationship exists, the KDC then verifies the client's
+    signature on AuthPack.  If that fails, the KDC returns an error
+    message of type KDC_ERR_INVALID_SIG.  Otherwise, the KDC uses the
+    timestamp (ctime and cusec) in the PKAuthenticator to assure that
+    the request is not a replay.  The KDC also verifies that its name
+    is specified in the PKAuthenticator.
+
+    If the clientPublicValue field is filled in, indicating that the
+    client wishes to use Diffie-Hellman key agreement, then the KDC
+    checks to see that the parameters satisfy its policy.  If they do
+    not (e.g., the prime size is insufficient for the expected
+    encryption type), then the KDC sends back an error message of type
+    KDC_ERR_KEY_TOO_WEAK.  Otherwise, it generates its own public and
+    private values for the response.
+
+    The KDC also checks that the timestamp in the PKAuthenticator is
+    within the allowable window and that the principal name and realm
+    are correct.  If the local (server) time and the client time in the
+    authenticator differ by more than the allowable clock skew, then the
+    KDC returns an error message of type KRB_AP_ERR_SKEW as defined in 1510.
+
+    Assuming no errors, the KDC replies as per RFC 1510, except as
+    follows.  The user's name in the ticket is determined by the
+    following decision algorithm:
+
+        1.  If the KDC has a mapping from the name in the certificate
+            to a Kerberos name, then use that name.
+            Else
+        2.  If the certificate contains the SubjectAltName extention
+            and the local KDC policy defines a mapping from the
+            SubjectAltName to a Kerberos name, then use that name.
+            Else
+        3.  Use the name as represented in the certificate, mapping
+            mapping as necessary (e.g., as per RFC 2253 for X.500
+            names).  In this case the realm in the ticket shall be the
+            name of the certifier that issued the user's certificate.
+
+    Note that a principal name may be carried in the subject alt name
+    field of a certificate. This name may be mapped to a principal
+    record in a security database based on local policy, for example
+    the subject alt name may be kerberos/principal@realm format.  In
+    this case the realm name is not that of the CA but that of the
+    local realm doing the mapping (or some realm name chosen by that
+    realm).
+
+    If a non-KDC X.509 certificate contains the principal name within
+    the subjectAltName version 3 extension , that name may utilize
+    KerberosName as defined below, or, in the case of an S/MIME
+    certificate [17], may utilize the email address.  If the KDC
+    is presented with an S/MIME certificate, then the email address
+    within subjectAltName will be interpreted as a principal and realm
+    separated by the "@" sign, or as a name that needs to be
+    canonicalized.  If the resulting name does not correspond to a
+    registered principal name, then the principal name is formed as
+    defined in section 3.1.
+
+    The trustedCertifiers field contains a list of certification
+    authorities trusted by the client, in the case that the client does
+    not possess the KDC's public key certificate.  If the KDC has no
+    certificate signed by any of the trustedCertifiers, then it returns
+    an error of type KDC_ERR_KDC_NOT_TRUSTED.
+
+    KDCs should try to (in order of preference):
+    1. Use the KDC certificate identified by the serialNumber included
+       in the client's request.
+    2. Use a certificate issued to the KDC by the client's CA (if in the
+       middle of a CA key roll-over, use the KDC cert issued under same
+       CA key as user cert used to verify request).
+    3. Use a certificate issued to the KDC by one of the client's
+       trustedCertifier(s);
+    If the KDC is unable to comply with any of these options, then the
+    KDC returns an error message of type KDC_ERR_KDC_NOT_TRUSTED to the
+    client.
+
+    The KDC encrypts the reply not with the user's long-term key, but
+    with the Diffie Hellman derived key or a random key generated
+    for this particular response which is carried in the padata field of
+    the TGS-REP message.
+
+    PA-PK-AS-REP ::= CHOICE {
+                            -- PA TYPE 15
+        dhSignedData       [0] SignedData,
+                            -- Defined in CMS and used only with
+                            -- Diffie-Hellman key exchange (if the
+                            -- client public value was present in the
+                            -- request).
+                            -- This choice MUST be supported
+                            -- by compliant implementations.
+        encKeyPack         [1] EnvelopedData,
+                            -- Defined in CMS
+                            -- The temporary key is encrypted
+                            -- using the client public key
+                            -- key
+                            -- SignedReplyKeyPack, encrypted
+                            -- with the temporary key, is also
+                            -- included.
+    }
+
+    Usage of SignedData:
+
+        When the Diffie-Hellman option is used, dhSignedData in
+        PA-PK-AS-REP provides authenticated Diffie-Hellman parameters
+        of the KDC.  The reply key used to encrypt part of the KDC reply
+        message is derived from the Diffie-Hellman exchange:
+
+        1.  Both the KDC and the client calculate a secret value
+            (g^ab mod p), where a is the client's private exponent and
+            b is the KDC's private exponent.
+
+        2.  Both the KDC and the client take the first N bits of this
+            secret value and convert it into a reply key.  N depends on
+            the reply key type.
+
+        3.  If the reply key is DES, N=64 bits, where some of the bits
+            are replaced with parity bits, according to FIPS PUB 74.
+
+        4.  If the reply key is (3-key) 3-DES, N=192 bits, where some
+            of the bits are replaced with parity bits, according to
+            FIPS PUB 74.
+
+        5.  The encapContentInfo field must contain the KdcDHKeyInfo as
+            defined below.
+
+            a.  The eContentType field shall contain the OID value for
+                pkdata: iso (1) org (3) dod (6) internet (1) security (5)
+                kerberosv5 (2) pkinit (3) pkdata (1)
+
+            b.  The eContent field is data of the type KdcDHKeyInfo
+                (below).
+
+        6.  The certificates field must contain the certificates
+            necessary for the client to establish trust in the KDC's
+            certificate based on the list of trusted certifiers sent by
+            the client in the PA-PK-AS-REQ.  This field may be empty if
+            the client did not send to the KDC a list of trusted
+            certifiers (the trustedCertifiers field was empty, meaning
+            that the client already possesses the KDC's certificate).
+
+        7.  The signerInfos field is a SET that must contain at least
+            one member, since it contains the actual signature.
+
+    KdcDHKeyInfo ::= SEQUENCE {
+                              -- used only when utilizing Diffie-Hellman
+      nonce                 [0] INTEGER,
+                                -- binds responce to the request
+      subjectPublicKey      [2] BIT STRING
+                                -- Equals public exponent (g^a mod p)
+                                -- INTEGER encoded as payload of
+                                -- BIT STRING
+    }
+
+    Usage of EnvelopedData:
+
+        The EnvelopedData data type is specified in the Cryptographic
+        Message Syntax, a product of the S/MIME working group of the
+        IETF.  It contains a temporary key encrypted with the PKINIT
+        client's public key.  It also contains a signed and encrypted
+        reply key.
+
+        1.  The originatorInfo field is not required, since that
+            information may be presented in the signedData structure
+            that is encrypted within the encryptedContentInfo field.
+
+        2.  The optional unprotectedAttrs field is not required for
+            PKINIT.
+
+        3.  The recipientInfos field is a SET which must contain exactly
+            one member of the KeyTransRecipientInfo type for encryption
+            with an RSA public key.
+
+            a.  The encryptedKey field (in KeyTransRecipientInfo)
+                contains the temporary key which is encrypted with the
+                PKINIT client's public key.
+
+        4.  The encryptedContentInfo field contains the signed and
+            encrypted reply key.
+
+            a.  The contentType field shall contain the OID value for
+                id-signedData: iso (1) member-body (2) us (840)
+                rsadsi (113549) pkcs (1) pkcs7 (7) signedData (2)
+
+            b.  The encryptedContent field is encrypted data of the CMS
+                type signedData as specified below.
+
+                i.  The encapContentInfo field must contains the
+                    ReplyKeyPack.
+
+                    * The eContentType field shall contain the OID value
+                      for pkdata: iso (1) org (3) dod (6) internet (1)
+                      security (5) kerberosv5 (2) pkinit (3) pkdata (1)
+
+                    * The eContent field is data of the type ReplyKeyPack
+                      (below).
+
+                ii.  The certificates field must contain the certificates
+                     necessary for the client to establish trust in the
+                     KDC's certificate based on the list of trusted
+                     certifiers sent by the client in the PA-PK-AS-REQ.
+                     This field may be empty if the client did not send
+                     to the KDC a list of trusted certifiers (the
+                     trustedCertifiers field was empty, meaning that the
+                     client already possesses the KDC's certificate).
+
+                iii.  The signerInfos field is a SET that must contain at
+                      least one member, since it contains the actual
+                      signature.
+
+    ReplyKeyPack ::= SEQUENCE {
+                              -- not used for Diffie-Hellman
+        replyKey             [0] EncryptionKey,
+                                 -- used to encrypt main reply
+                                 -- ENCTYPE is at least as strong as
+                                 -- ENCTYPE of session key
+        nonce                [1] INTEGER,
+                                 -- binds response to the request
+                                 -- must be same as the nonce
+                                 -- passed in the PKAuthenticator
+    }
+
+    Since each certifier in the certification path of a user's
+    certificate is equivalent to a separate Kerberos realm, the name
+    of each certifier in the certificate chain must be added to the
+    transited field of the ticket.  The format of these realm names is
+    defined in Section 3.1 of this document.  If applicable, the
+    transit-policy-checked flag should be set in the issued ticket.
+
+    The KDC's certificate(s) must bind the public key(s) of the KDC to
+    a name derivable from the name of the realm for that KDC.  X.509
+    certificates shall contain the principal name of the KDC
+    (defined in section 8.2 of RFC 1510) as the SubjectAltName version
+    3 extension. Below is the definition of this version 3 extension,
+    as specified by the X.509 standard:
+
+        subjectAltName EXTENSION ::= {
+            SYNTAX GeneralNames
+            IDENTIFIED BY id-ce-subjectAltName
+        }
+
+        GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName
+
+        GeneralName ::= CHOICE {
+            otherName       [0] OtherName,
+            ...
+        }
+
+        OtherName ::= SEQUENCE {
+            type-id         OBJECT IDENTIFIER,
+            value           [0] EXPLICIT ANY DEFINED BY type-id
+        }
+
+    For the purpose of specifying a Kerberos principal name, the value
+    in OtherName shall be a KerberosName as defined in RFC 1510, but with
+    the PrincipalName replaced by CertPrincipalName as mentioned in
+    Section 3.1:
+
+        KerberosName ::= SEQUENCE {
+            realm           [0] Realm,
+            principalName   [1] CertPrincipalName  -- defined above
+        }
+
+    This specific syntax is identified within subjectAltName by setting
+    the type-id in OtherName to krb5PrincipalName, where (from the
+    Kerberos specification) we have
+
+        krb5 OBJECT IDENTIFIER ::= { iso (1)
+                                     org (3)
+                                     dod (6)
+                                     internet (1)
+                                     security (5)
+                                     kerberosv5 (2) }
+
+        krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
+
+    (This specification may also be used to specify a Kerberos name
+    within the user's certificate.)  The KDC's certificate may be signed
+    directly by a CA, or there may be intermediaries if the server resides
+    within a large organization, or it may be unsigned if the client
+    indicates possession (and trust) of the KDC's certificate.
+
+    The client then extracts the random key used to encrypt the main
+    reply.  This random key (in encPaReply) is encrypted with either the
+    client's public key or with a key derived from the DH values
+    exchanged between the client and the KDC.  The client uses this
+    random key to decrypt the main reply, and subsequently proceeds as
+    described in RFC 1510.
+
+3.2.3. Required Algorithms
+
+    Not all of the algorithms in the PKINIT protocol specification have
+    to be implemented in order to comply with the proposed standard.
+    Below is a list of the required algorithms:
+
+    * Diffie-Hellman public/private key pairs
+        * utilizing Diffie-Hellman ephemeral-ephemeral mode
+    * SHA1 digest and DSA for signatures
+    * 3-key triple DES keys derived from the Diffie-Hellman Exchange
+    * 3-key triple DES Temporary and Reply keys
+
+4.  Logistics and Policy
+
+    This section describes a way to define the policy on the use of
+    PKINIT for each principal and request.
+
+    The KDC is not required to contain a database record for users
+    who use public key authentication.  However, if these users are
+    registered with the KDC, it is recommended that the database record
+    for these users be modified to an additional flag in the attributes
+    field to indicate that the user should authenticate using PKINIT.
+    If this flag is set and a request message does not contain the
+    PKINIT preauthentication field, then the KDC sends back as error of
+    type KDC_ERR_PREAUTH_REQUIRED indicating that a preauthentication
+    field of type PA-PK-AS-REQ must be included in the request.
+
+5.  Security Considerations
+
+    PKINIT raises a few security considerations, which we will address
+    in this section.
+
+    First of all, PKINIT introduces a new trust model, where KDCs do not
+    (necessarily) certify the identity of those for whom they issue
+    tickets.  PKINIT does allow KDCs to act as their own CAs, in the
+    limited capacity of self-signing their certificates, but one of the
+    additional benefits is to align Kerberos authentication with a global
+    public key infrastructure.  Anyone using PKINIT in this way must be
+    aware of how the certification infrastructure they are linking to
+    works.
+
+    Secondly, PKINIT also introduces the possibility of interactions
+    between different cryptosystems, which may be of widely varying
+    strengths.  Many systems, for instance, allow the use of 512-bit
+    public keys.  Using such keys to wrap data encrypted under strong
+    conventional cryptosystems, such as triple-DES, is inappropriate;
+    it adds a weak link to a strong one at extra cost.  Implementors
+    and administrators should take care to avoid such wasteful and
+    deceptive interactions.
+
+    Lastly, PKINIT calls for randomly generated keys for conventional
+    cryptosystems.  Many such systems contain systematically "weak"
+    keys.  PKINIT implementations MUST avoid use of these keys, either
+    by discarding those keys when they are generated, or by fixing them
+    in some way (e.g., by XORing them with a given mask).  These
+    precautions vary from system to system; it is not our intention to
+    give an explicit recipe for them here.
+
+6.  Transport Issues
+
+    Certificate chains can potentially grow quite large and span several
+    UDP packets; this in turn increases the probability that a Kerberos
+    message involving PKINIT extensions will be broken in transit.  In
+    light of the possibility that the Kerberos specification will
+    require KDCs to accept requests using TCP as a transport mechanism,
+    we make the same recommendation with respect to the PKINIT
+    extensions as well.
+
+7.  Bibliography
+
+    [1] J. Kohl, C. Neuman.  The Kerberos Network Authentication Service
+    (V5).  Request for Comments 1510.
+
+    [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service
+    for Computer Networks, IEEE Communications, 32(9):33-38.  September
+    1994.
+
+    [3] B. Tung, T. Ryutov, C. Neuman, G. Tsudik, B. Sommerfeld,
+    A. Medvinsky, M. Hur.  Public Key Cryptography for Cross-Realm
+    Authentication in Kerberos.  draft-ietf-cat-kerberos-pk-cross-04.txt
+
+    [4] A. Medvinsky, J. Cargille, M. Hur.  Anonymous Credentials in
+    Kerberos.  draft-ietf-cat-kerberos-anoncred-00.txt
+
+    [5] Ari Medvinsky, M. Hur, Alexander Medvinsky, B. Clifford Neuman.
+    Public Key Utilizing Tickets for Application Servers (PKTAPP).
+    draft-ietf-cat-pktapp-02.txt
+
+    [6] M. Sirbu, J. Chuang.  Distributed Authentication in Kerberos
+    Using Public Key Cryptography.  Symposium On Network and Distributed
+    System Security, 1997.
+
+    [7] B. Cox, J.D. Tygar, M. Sirbu.  NetBill Security and Transaction
+    Protocol.  In Proceedings of the USENIX Workshop on Electronic
+    Commerce, July 1995.
+
+    [8] T. Dierks, C. Allen.  The TLS Protocol, Version 1.0
+    Request for Comments 2246, January 1999.
+
+    [9] B.C. Neuman, Proxy-Based Authorization and Accounting for
+    Distributed Systems.  In Proceedings of the 13th International
+    Conference on Distributed Computing Systems, May 1993.
+
+    [10] ITU-T (formerly CCITT) Information technology - Open Systems
+    Interconnection - The Directory: Authentication Framework
+    Recommendation X.509 ISO/IEC 9594-8
+
+    [11] R. Housley. Cryptographic Message Syntax.
+    draft-ietf-smime-cms-13.txt, April 1999, approved for publication
+    as RFC.
+
+    [12] PKCS #7: Cryptographic Message Syntax Standard,
+    An RSA Laboratories Technical Note Version 1.5
+    Revised November 1, 1993
+
+    [13] R. Rivest, MIT Laboratory for Computer Science and RSA Data
+    Security, Inc. A Description of the RC2(r) Encryption Algorithm
+    March 1998.
+    Request for Comments 2268.
+
+    [14] M. Wahl, S. Kille, T. Howes. Lightweight Directory Access
+    Protocol (v3): UTF-8 String Representation of Distinguished Names.
+    Request for Comments 2253.
+
+    [15] R. Housley, W. Ford, W. Polk, D. Solo. Internet X.509 Public
+    Key Infrastructure, Certificate and CRL Profile, January 1999.
+    Request for Comments 2459.
+
+    [16] B. Kaliski, J. Staddon. PKCS #1: RSA Cryptography
+    Specifications, October 1998.  Request for Comments 2437.
+
+    [17] S. Dusse, P. Hoffman, B. Ramsdell, J. Weinstein.  S/MIME
+    Version 2 Certificate Handling, March 1998.  Request for
+    Comments 2312.
+
+    [18] M. Wahl, T. Howes, S. Kille.  Lightweight Directory Access
+    Protocol (v3), December 1997.  Request for Comments 2251.
+
+    [19] ITU-T (formerly CCITT) Information Processing Systems - Open
+    Systems Interconnection - Specification of Abstract Syntax Notation
+    One (ASN.1) Rec. X.680 ISO/IEC 8824-1
+
+8.  Acknowledgements
+
+    Some of the ideas on which this proposal is based arose during
+    discussions over several years between members of the SAAG, the IETF
+    CAT working group, and the PSRG, regarding integration of Kerberos
+    and SPX.  Some ideas have also been drawn from the DASS system.
+    These changes are by no means endorsed by these groups.  This is an
+    attempt to revive some of the goals of those groups, and this
+    proposal approaches those goals primarily from the Kerberos
+    perspective.  Lastly, comments from groups working on similar ideas
+    in DCE have been invaluable.
+
+9.  Expiration Date
+
+    This draft expires September 15, 2000.
+
+10. Authors
+
+    Brian Tung
+    Clifford Neuman
+    USC Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey CA 90292-6695
+    Phone: +1 310 822 1511
+    E-mail: {brian, bcn}@isi.edu
+
+    Matthew Hur
+    CyberSafe Corporation
+    1605 NW Sammamish Road
+    Issaquah WA 98027-5378
+    Phone: +1 425 391 6000
+    E-mail: matt.hur@cybersafe.com
+
+    Ari Medvinsky
+    Keen.com, Inc.
+    150 Independence Drive
+    Menlo Park CA 94025
+    Phone: +1 650 289 3134
+    E-mail: ari@keen.com
+
+    Sasha Medvinsky
+    Motorola
+    6450 Sequence Drive
+    San Diego, CA 92121
+    Phone +1 619 404 2825
+    E-mail: smedvinsky@gi.com
+
+    John Wray
+    Iris Associates, Inc.
+    5 Technology Park Dr.
+    Westford, MA 01886
+    E-mail: John_Wray@iris.com
+
+    Jonathan Trostle
+    170 W. Tasman Dr.
+    San Jose, CA 95134
+    E-mail: jtrostle@cisco.com
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt
new file mode 100644
index 0000000..b1e5968
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt
@@ -0,0 +1,1080 @@
+INTERNET-DRAFT                                                Brian Tung
+draft-ietf-cat-kerberos-pk-init-12.txt                   Clifford Neuman
+Updates: RFC 1510                                                USC/ISI
+expires January 15, 2001                                     Matthew Hur
+                                                   CyberSafe Corporation
+                                                           Ari Medvinsky
+                                                          Keen.com, Inc.
+                                                         Sasha Medvinsky
+                                                                Motorola
+                                                               John Wray
+                                                   Iris Associates, Inc.
+                                                        Jonathan Trostle
+                                                                   Cisco
+
+    Public Key Cryptography for Initial Authentication in Kerberos
+
+0.  Status Of This Memo
+
+    This document is an Internet-Draft and is in full conformance with
+    all provisions of Section 10 of RFC 2026.  Internet-Drafts are
+    working documents of the Internet Engineering Task Force (IETF),
+    its areas, and its working groups.  Note that other groups may also
+    distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as "work in
+    progress."
+
+    The list of current Internet-Drafts can be accessed at
+    http://www.ietf.org/ietf/1id-abstracts.txt
+
+    The list of Internet-Draft Shadow Directories can be accessed at
+    http://www.ietf.org/shadow.html.
+
+    To learn the current status of any Internet-Draft, please check
+    the "1id-abstracts.txt" listing contained in the Internet-Drafts
+    Shadow Directories on ftp.ietf.org (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-init-11.txt, and expires January 15,
+    2001.  Please send comments to the authors.
+
+1.  Abstract
+
+    This document defines extensions (PKINIT) to the Kerberos protocol
+    specification (RFC 1510 [1]) to provide a method for using public
+    key cryptography during initial authentication.  The methods
+    defined specify the ways in which preauthentication data fields and
+    error data fields in Kerberos messages are to be used to transport
+    public key data.
+
+2.  Introduction
+
+    The popularity of public key cryptography has produced a desire for
+    its support in Kerberos [2].  The advantages provided by public key
+    cryptography include simplified key management (from the Kerberos
+    perspective) and the ability to leverage existing and developing
+    public key certification infrastructures.
+
+    Public key cryptography can be integrated into Kerberos in a number
+    of ways.  One is to associate a key pair with each realm, which can
+    then be used to facilitate cross-realm authentication; this is the
+    topic of another draft proposal.  Another way is to allow users with
+    public key certificates to use them in initial authentication.  This
+    is the concern of the current document.
+
+    PKINIT utilizes ephemeral-ephemeral Diffie-Hellman keys in
+    combination with digital signature keys as the primary, required
+    mechanism.  It also allows for the use of RSA keys and/or (static)
+    Diffie-Hellman certificates.  Note in particular that PKINIT supports
+    the use of separate signature and encryption keys.
+
+    PKINIT enables access to Kerberos-secured services based on initial
+    authentication utilizing public key cryptography.  PKINIT utilizes
+    standard public key signature and encryption data formats within the
+    standard Kerberos messages.  The basic mechanism is as follows:  The
+    user sends an AS-REQ message to the KDC as before, except that if that
+    user is to use public key cryptography in the initial authentication
+    step, his certificate and a signature accompany the initial request
+    in the preauthentication fields.  Upon receipt of this request, the
+    KDC verifies the certificate and issues a ticket granting ticket
+    (TGT) as before, except that the encPart from the AS-REP message
+    carrying the TGT is now encrypted utilizing either a Diffie-Hellman
+    derived key or the user's public key.  This message is authenticated
+    utilizing the public key signature of the KDC.
+
+    Note that PKINIT does not require the use of certificates.  A KDC
+    may store the public key of a principal as part of that principal's
+    record.  In this scenario, the KDC is the trusted party that vouches
+    for the principal (as in a standard, non-cross realm, Kerberos
+    environment).  Thus, for any principal, the KDC may maintain a
+    secret key, a public key, or both.
+
+    The PKINIT specification may also be used as a building block for
+    other specifications.  PKCROSS [3] utilizes PKINIT for establishing
+    the inter-realm key and associated inter-realm policy to be applied
+    in issuing cross realm service tickets.  As specified in [4],
+    anonymous Kerberos tickets can be issued by applying a NULL
+    signature in combination with Diffie-Hellman in the PKINIT exchange.
+    Additionally, the PKINIT specification may be used for direct peer
+    to peer authentication without contacting a central KDC. This
+    application of PKINIT is described in PKTAPP [5] and is based on
+    concepts introduced in [6, 7]. For direct client-to-server
+    authentication, the client uses PKINIT to authenticate to the end
+    server (instead of a central KDC), which then issues a ticket for
+    itself.  This approach has an advantage over TLS [8] in that the
+    server does not need to save state (cache session keys).
+    Furthermore, an additional benefit is that Kerberos tickets can
+    facilitate delegation (see [9]).
+
+3.  Proposed Extensions
+
+    This section describes extensions to RFC 1510 for supporting the
+    use of public key cryptography in the initial request for a ticket
+    granting ticket (TGT).
+
+    In summary, the following change to RFC 1510 is proposed:
+
+        * Users may authenticate using either a public key pair or a
+          conventional (symmetric) key.  If public key cryptography is
+          used, public key data is transported in preauthentication
+          data fields to help establish identity.  The user presents
+          a public key certificate and obtains an ordinary TGT that may
+          be used for subsequent authentication, with such
+          authentication using only conventional cryptography.
+
+    Section 3.1 provides definitions to help specify message formats.
+    Section 3.2 describes the extensions for the initial authentication
+    method.
+
+3.1.  Definitions
+
+    The extensions involve new preauthentication fields; we introduce
+    the following preauthentication types:
+
+        PA-PK-AS-REQ                            14
+        PA-PK-AS-REP                            15
+
+    The extensions also involve new error types; we introduce the
+    following types:
+
+        KDC_ERR_CLIENT_NOT_TRUSTED              62
+        KDC_ERR_KDC_NOT_TRUSTED                 63
+        KDC_ERR_INVALID_SIG                     64
+        KDC_ERR_KEY_TOO_WEAK                    65
+        KDC_ERR_CERTIFICATE_MISMATCH            66
+        KDC_ERR_CANT_VERIFY_CERTIFICATE         70
+        KDC_ERR_INVALID_CERTIFICATE             71
+        KDC_ERR_REVOKED_CERTIFICATE             72
+        KDC_ERR_REVOCATION_STATUS_UNKNOWN       73
+        KDC_ERR_REVOCATION_STATUS_UNAVAILABLE   74
+        KDC_ERR_CLIENT_NAME_MISMATCH            75
+        KDC_ERR_KDC_NAME_MISMATCH               76
+
+    We utilize the following typed data for errors:
+
+        TD-PKINIT-CMS-CERTIFICATES             101
+        TD-KRB-PRINCIPAL                       102
+        TD-KRB-REALM                           103
+        TD-TRUSTED-CERTIFIERS                  104
+        TD-CERTIFICATE-INDEX                   105
+
+    We utilize the following encryption types (which map directly to
+    OIDs):
+
+        dsaWithSHA1-CmsOID                       9
+        md5WithRSAEncryption-CmsOID             10
+        sha1WithRSAEncryption-CmsOID            11
+        rc2CBC-EnvOID                           12
+        rsaEncryption-EnvOID (PKCS#1 v1.5)      13
+        rsaES-OAEP-ENV-OID   (PKCS#1 v2.0)      14
+        des-ede3-cbc-Env-OID                    15
+
+    These mappings are provided so that a client may send the
+    appropriate enctypes in the AS-REQ message in order to indicate
+    support for the corresponding OIDs (for performing PKINIT).
+
+    In many cases, PKINIT requires the encoding of the X.500 name of a
+    certificate authority as a Realm.  When such a name appears as
+    a realm it will be represented using the "other" form of the realm
+    name as specified in the naming constraints section of RFC1510.
+    For a realm derived from an X.500 name, NAMETYPE will have the value
+    X500-RFC2253.  The full realm name will appear as follows:
+
+        <nametype> + ":" + <string>
+
+    where nametype is "X500-RFC2253" and string is the result of doing
+    an RFC2253 encoding of the distinguished name, i.e.
+
+        "X500-RFC2253:" + RFC2253Encode(DistinguishedName)
+
+    where DistinguishedName is an X.500 name, and RFC2253Encode is a
+    function returing a readable UTF encoding of an X.500 name, as
+    defined by RFC 2253 [14] (part of LDAPv3 [18]).
+
+    To ensure that this encoding is unique, we add the following rule
+    to those specified by RFC 2253:
+
+        The order in which the attributes appear in the RFC 2253
+        encoding must be the reverse of the order in the ASN.1
+        encoding of the X.500 name that appears in the public key
+        certificate. The order of the relative distinguished names
+        (RDNs), as well as the order of the AttributeTypeAndValues
+        within each RDN, will be reversed. (This is despite the fact
+        that an RDN is defined as a SET of AttributeTypeAndValues, where
+        an order is normally not important.)
+
+    Similarly, in cases where the KDC does not provide a specific
+    policy based mapping from the X.500 name or X.509 Version 3
+    SubjectAltName extension in the user's certificate to a Kerberos
+    principal name, PKINIT requires the direct encoding of the X.500
+    name as a PrincipalName.  In this case, the name-type of the
+    principal name shall be set to KRB_NT-X500-PRINCIPAL.  This new
+    name type is defined in RFC 1510 as:
+
+        KRB_NT_X500_PRINCIPAL    6
+
+    The name-string shall be set as follows:
+
+        RFC2253Encode(DistinguishedName)
+
+    as described above.  When this name type is used, the principal's
+    realm shall be set to the certificate authority's distinguished
+    name using the X500-RFC2253 realm name format described earlier in
+    this section
+
+    RFC 1510 specifies the ASN.1 structure for PrincipalName as follows:
+
+        PrincipalName ::=   SEQUENCE {
+                        name-type[0]     INTEGER,
+                        name-string[1]   SEQUENCE OF GeneralString
+        }
+
+    For the purposes of encoding an X.500 name as a Kerberos name for
+    use in Kerberos structures, the name-string shall be encoded as a
+    single GeneralString.  The name-type should be KRB_NT_X500_PRINCIPAL,
+    as noted above.  All Kerberos names must conform to validity
+    requirements as given in RFC 1510.  Note that name mapping may be
+    required or optional, based on policy.
+
+    We also define the following similar ASN.1 structure:
+
+        CertPrincipalName ::= SEQUENCE {
+                        name-type[0]     INTEGER,
+                        name-string[1]   SEQUENCE OF UTF8String
+        }
+
+    When a Kerberos PrincipalName is to be placed within an X.509 data
+    structure, the CertPrincipalName structure is to be used, with the
+    name-string encoded as a single UTF8String.  The name-type should be
+    as identified in the original PrincipalName structure.  The mapping
+    between the GeneralString and UTF8String formats can be found in
+    [19].
+
+    The following rules relate to the the matching of PrincipalNames (or
+    corresponding CertPrincipalNames) with regard to the PKI name
+    constraints for CAs as laid out in RFC 2459 [15].  In order to be
+    regarded as a match (for permitted and excluded name trees), the
+    following must be satisfied.
+
+        1.  If the constraint is given as a user plus realm name, or
+            as a user plus instance plus realm name (as specified in
+            RFC 1510), the realm name must be valid (see 2.a-d below)
+            and the match must be exact, byte for byte.
+
+        2.  If the constraint is given only as a realm name, matching
+            depends on the type of the realm:
+
+            a.  If the realm contains a colon (':') before any equal
+                sign ('='), it is treated as a realm of type Other,
+                and must match exactly, byte for byte.
+
+            b.  Otherwise, if the realm contains an equal sign, it
+                is treated as an X.500 name.  In order to match, every
+                component in the constraint MUST be in the principal
+                name, and have the same value.  For example, 'C=US'
+                matches 'C=US/O=ISI' but not 'C=UK'.
+
+            c.  Otherwise, if the realm name conforms to rules regarding
+                the format of DNS names, it is considered a realm name of
+                type Domain.  The constraint may be given as a realm
+                name 'FOO.BAR', which matches any PrincipalName within
+                the realm 'FOO.BAR' but not those in subrealms such as
+                'CAR.FOO.BAR'.  A constraint of the form '.FOO.BAR'
+                matches PrincipalNames in subrealms of the form
+                'CAR.FOO.BAR' but not the realm 'FOO.BAR' itself.
+
+            d.  Otherwise, the realm name is invalid and does not match
+                under any conditions.
+
+3.1.1.  Encryption and Key Formats
+
+    In the exposition below, we use the terms public key and private
+    key generically.  It should be understood that the term "public
+    key" may be used to refer to either a public encryption key or a
+    signature verification key, and that the term "private key" may be
+    used to refer to either a private decryption key or a signature
+    generation key.  The fact that these are logically distinct does
+    not preclude the assignment of bitwise identical keys for RSA
+    keys.
+
+    In the case of Diffie-Hellman, the key shall be produced from the
+    agreed bit string as follows:
+
+        * Truncate the bit string to the appropriate length.
+        * Rectify parity in each byte (if necessary) to obtain the key.
+
+    For instance, in the case of a DES key, we take the first eight
+    bytes of the bit stream, and then adjust the least significant bit
+    of each byte to ensure that each byte has odd parity.
+
+3.1.2. Algorithm Identifiers
+
+    PKINIT does not define, but does permit, the algorithm identifiers
+    listed below.
+
+3.1.2.1. Signature Algorithm Identifiers
+
+    The following signature algorithm identifiers specified in [11] and
+    in [15] shall be used with PKINIT:
+
+    id-dsa-with-sha1       (DSA with SHA1)
+    md5WithRSAEncryption   (RSA with MD5)
+    sha-1WithRSAEncryption (RSA with SHA1)
+
+3.1.2.2 Diffie-Hellman Key Agreement Algorithm Identifier
+
+    The following algorithm identifier shall be used within the
+    SubjectPublicKeyInfo data structure: dhpublicnumber
+
+    This identifier and the associated algorithm parameters are
+    specified in RFC 2459 [15].
+
+3.1.2.3. Algorithm Identifiers for RSA Encryption
+
+    These algorithm identifiers are used inside the EnvelopedData data
+    structure, for encrypting the temporary key with a public key:
+
+        rsaEncryption (RSA encryption, PKCS#1 v1.5)
+        id-RSAES-OAEP (RSA encryption, PKCS#1 v2.0)
+
+    Both of the above RSA encryption schemes are specified in [16].
+    Currently, only PKCS#1 v1.5 is specified by CMS [11], although the
+    CMS specification says that it will likely include PKCS#1 v2.0 in
+    the future.  (PKCS#1 v2.0 addresses adaptive chosen ciphertext
+    vulnerability discovered in PKCS#1 v1.5.)
+
+3.1.2.4. Algorithm Identifiers for Encryption with Secret Keys
+
+    These algorithm identifiers are used inside the EnvelopedData data
+    structure in the PKINIT Reply, for encrypting the reply key with the
+    temporary key:
+        des-ede3-cbc (3-key 3-DES, CBC mode)
+        rc2-cbc      (RC2, CBC mode)
+
+    The full definition of the above algorithm identifiers and their
+    corresponding parameters (an IV for block chaining) is provided in
+    the CMS specification [11].
+
+3.2.  Public Key Authentication
+
+    Implementation of the changes in this section is REQUIRED for
+    compliance with PKINIT.
+
+3.2.1.  Client Request
+
+    Public keys may be signed by some certification authority (CA), or
+    they may be maintained by the KDC in which case the KDC is the
+    trusted authority.  Note that the latter mode does not require the
+    use of certificates.
+
+    The initial authentication request is sent as per RFC 1510, except
+    that a preauthentication field containing data signed by the user's
+    private key accompanies the request:
+
+    PA-PK-AS-REQ ::= SEQUENCE {
+                                -- PA TYPE 14
+        signedAuthPack          [0] SignedData
+                                    -- Defined in CMS [11];
+                                    -- AuthPack (below) defines the
+                                    -- data that is signed.
+        trustedCertifiers       [1] SEQUENCE OF TrustedCas OPTIONAL,
+                                    -- This is a list of CAs that the
+                                    -- client trusts and that certify
+                                    -- KDCs.
+        kdcCert                 [2] IssuerAndSerialNumber OPTIONAL
+                                    -- As defined in CMS [11];
+                                    -- specifies a particular KDC
+                                    -- certificate if the client
+                                    -- already has it.
+        encryptionCert          [3] IssuerAndSerialNumber OPTIONAL
+                                    -- For example, this may be the
+                                    -- client's Diffie-Hellman
+                                    -- certificate, or it may be the
+                                    -- client's RSA encryption
+                                    -- certificate.
+    }
+
+    TrustedCas ::= CHOICE {
+        principalName         [0] KerberosName,
+                                  -- as defined below
+        caName                [1] Name
+                                  -- fully qualified X.500 name
+                                  -- as defined by X.509
+        issuerAndSerial       [2] IssuerAndSerialNumber
+                                  -- Since a CA may have a number of
+                                  -- certificates, only one of which
+                                  -- a client trusts
+    }
+
+    Usage of SignedData:
+
+        The SignedData data type is specified in the Cryptographic
+        Message Syntax, a product of the S/MIME working group of the
+        IETF.  The following describes how to fill in the fields of
+        this data:
+
+        1.  The encapContentInfo field must contain the PKAuthenticator
+            and, optionally, the client's Diffie Hellman public value.
+
+            a.  The eContentType field shall contain the OID value for
+                pkauthdata: iso (1) org (3) dod (6) internet (1)
+                security (5) kerberosv5 (2) pkinit (3) pkauthdata (1)
+
+            b.  The eContent field is data of the type AuthPack (below).
+
+        2.  The signerInfos field contains the signature of AuthPack.
+
+        3.  The Certificates field, when non-empty, contains the client's
+            certificate chain.  If present, the KDC uses the public key
+            from the client's certificate to verify the signature in the
+            request.  Note that the client may pass different certificate
+            chains that are used for signing or for encrypting.  Thus,
+            the KDC may utilize a different client certificate for
+            signature verification than the one it uses to encrypt the
+            reply to the client.  For example, the client may place a
+            Diffie-Hellman certificate in this field in order to convey
+            its static Diffie Hellman certificate to the KDC to enable
+            static-ephemeral Diffie-Hellman mode for the reply; in this
+            case, the client does NOT place its public value in the
+            AuthPack (defined below).  As another example, the client may
+            place an RSA encryption certificate in this field.  However,
+            there must always be (at least) a signature certificate.
+
+    AuthPack ::= SEQUENCE {
+        pkAuthenticator         [0] PKAuthenticator,
+        clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL
+                                    -- if client is using Diffie-Hellman
+                                    -- (ephemeral-ephemeral only)
+    }
+
+    PKAuthenticator ::= SEQUENCE {
+        cusec                   [0] INTEGER,
+                                    -- for replay prevention as in RFC1510
+        ctime                   [1] KerberosTime,
+                                    -- for replay prevention as in RFC1510
+        nonce                   [2] INTEGER,
+        pachecksum              [3] Checksum
+                                    -- Checksum over KDC-REQ-BODY
+                                    -- Defined by Kerberos spec
+    }
+
+    SubjectPublicKeyInfo ::= SEQUENCE {
+        algorithm                   AlgorithmIdentifier,
+                                    -- dhKeyAgreement
+        subjectPublicKey            BIT STRING
+                                    -- for DH, equals
+                                    -- public exponent (INTEGER encoded
+                                    -- as payload of BIT STRING)
+    }   -- as specified by the X.509 recommendation [10]
+
+    AlgorithmIdentifier ::= SEQUENCE {
+        algorithm                   OBJECT IDENTIFIER,
+                                    -- for dhKeyAgreement, this is
+                                    -- { iso (1) member-body (2) US (840)
+                                    -- rsadsi (113459) pkcs (1) 3 1 }
+                                    -- from PKCS #3 [20]
+        parameters                  ANY DEFINED by algorithm OPTIONAL
+                                    -- for dhKeyAgreement, this is
+                                    -- DHParameter
+    }   -- as specified by the X.509 recommendation [10]
+
+    DHParameter ::= SEQUENCE {
+        prime                       INTEGER,
+                                    -- p
+        base                        INTEGER,
+                                    -- g
+        privateValueLength          INTEGER OPTIONAL
+                                    -- l
+    }   -- as defined in PKCS #3 [20]
+
+    If the client passes an issuer and serial number in the request,
+    the KDC is requested to use the referred-to certificate.  If none
+    exists, then the KDC returns an error of type
+    KDC_ERR_CERTIFICATE_MISMATCH.  It also returns this error if, on the
+    other hand, the client does not pass any trustedCertifiers,
+    believing that it has the KDC's certificate, but the KDC has more
+    than one certificate.  The KDC should include information in the
+    KRB-ERROR message that indicates the KDC certificate(s) that a
+    client may utilize.  This data is specified in the e-data, which
+    is defined in RFC 1510 revisions as a SEQUENCE of TypedData:
+
+    TypedData ::=  SEQUENCE {
+                    data-type      [0] INTEGER,
+                    data-value     [1] OCTET STRING,
+    } -- per Kerberos RFC 1510 revisions
+
+    where:
+    data-type = TD-PKINIT-CMS-CERTIFICATES = 101
+    data-value = CertificateSet // as specified by CMS [11]
+
+    The PKAuthenticator carries information to foil replay attacks, to
+    bind the pre-authentication data to the KDC-REQ-BODY, and to bind the
+    request and response.  The PKAuthenticator is signed with the client's
+    signature key.
+
+3.2.2.  KDC Response
+
+    Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication
+    type, the KDC attempts to verify the user's certificate chain
+    (userCert), if one is provided in the request.  This is done by
+    verifying the certification path against the KDC's policy of
+    legitimate certifiers.  This may be based on a certification
+    hierarchy, or it may be simply a list of recognized certifiers in a
+    system like PGP.
+
+    If the client's certificate chain contains no certificate signed by
+    a CA trusted by the KDC, then the KDC sends back an error message
+    of type KDC_ERR_CANT_VERIFY_CERTIFICATE.  The accompanying e-data
+    is a SEQUENCE of one TypedData (with type TD-TRUSTED-CERTIFIERS=104)
+    whose data-value is an OCTET STRING which is the DER encoding of
+
+        TrustedCertifiers ::= SEQUENCE OF PrincipalName
+                              -- X.500 name encoded as a principal name
+                              -- see Section 3.1
+
+    If while verifying a certificate chain the KDC determines that the
+    signature on one of the certificates in the CertificateSet from
+    the signedAuthPack fails verification, then the KDC returns an
+    error of type KDC_ERR_INVALID_CERTIFICATE.  The accompanying
+    e-data is a SEQUENCE of one TypedData (with type
+    TD-CERTIFICATE-INDEX=105) whose data-value is an OCTET STRING
+    which is the DER encoding of the index into the CertificateSet
+    ordered as sent by the client.
+
+        CertificateIndex  ::= INTEGER
+                              -- 0 = 1st certificate,
+                              --     (in order of encoding)
+                              -- 1 = 2nd certificate, etc
+
+    The KDC may also check whether any of the certificates in the
+    client's chain has been revoked.  If one of the certificates has
+    been revoked, then the KDC returns an error of type
+    KDC_ERR_REVOKED_CERTIFICATE; if such a query reveals that
+    the certificate's revocation status is unknown or not
+    available, then if required by policy, the KDC returns the
+    appropriate error of type KDC_ERR_REVOCATION_STATUS_UNKNOWN or
+    KDC_ERR_REVOCATION_STATUS_UNAVAILABLE.  In any of these three
+    cases, the affected certificate is identified by the accompanying
+    e-data, which contains a CertificateIndex as described for
+    KDC_ERR_INVALID_CERTIFICATE.
+
+    If the certificate chain can be verified, but the name of the
+    client in the certificate does not match the client's name in the
+    request, then the KDC returns an error of type
+    KDC_ERR_CLIENT_NAME_MISMATCH.  There is no accompanying e-data
+    field in this case.
+
+    Finally, if the certificate chain is verified, but the KDC's name
+    or realm as given in the PKAuthenticator does not match the KDC's
+    actual principal name, then the KDC returns an error of type
+    KDC_ERR_KDC_NAME_MISMATCH.  The accompanying e-data field is again
+    a SEQUENCE of one TypedData (with type TD-KRB-PRINCIPAL=102 or
+    TD-KRB-REALM=103 as appropriate) whose data-value is an OCTET
+    STRING whose data-value is the DER encoding of a PrincipalName or
+    Realm as defined in RFC 1510 revisions.
+
+    Even if all succeeds, the KDC may--for policy reasons--decide not
+    to trust the client.  In this case, the KDC returns an error message
+    of type KDC_ERR_CLIENT_NOT_TRUSTED.  One specific case of this is
+    the presence or absence of an Enhanced Key Usage (EKU) OID within
+    the certificate extensions.  The rules regarding acceptability of
+    an EKU sequence (or the absence of any sequence) are a matter of
+    local policy.  For the benefit of implementers, we define a PKINIT
+    EKU OID as the following: iso (1) org (3) dod (6) internet (1)
+    security (5) kerberosv5 (2) pkinit (3) pkekuoid (2).
+
+    If a trust relationship exists, the KDC then verifies the client's
+    signature on AuthPack.  If that fails, the KDC returns an error
+    message of type KDC_ERR_INVALID_SIG.  Otherwise, the KDC uses the
+    timestamp (ctime and cusec) in the PKAuthenticator to assure that
+    the request is not a replay.  The KDC also verifies that its name
+    is specified in the PKAuthenticator.
+
+    If the clientPublicValue field is filled in, indicating that the
+    client wishes to use Diffie-Hellman key agreement, then the KDC
+    checks to see that the parameters satisfy its policy.  If they do
+    not (e.g., the prime size is insufficient for the expected
+    encryption type), then the KDC sends back an error message of type
+    KDC_ERR_KEY_TOO_WEAK.  Otherwise, it generates its own public and
+    private values for the response.
+
+    The KDC also checks that the timestamp in the PKAuthenticator is
+    within the allowable window and that the principal name and realm
+    are correct.  If the local (server) time and the client time in the
+    authenticator differ by more than the allowable clock skew, then the
+    KDC returns an error message of type KRB_AP_ERR_SKEW as defined in 1510.
+
+    Assuming no errors, the KDC replies as per RFC 1510, except as
+    follows.  The user's name in the ticket is determined by the
+    following decision algorithm:
+
+        1.  If the KDC has a mapping from the name in the certificate
+            to a Kerberos name, then use that name.
+            Else
+        2.  If the certificate contains the SubjectAltName extention
+            and the local KDC policy defines a mapping from the
+            SubjectAltName to a Kerberos name, then use that name.
+            Else
+        3.  Use the name as represented in the certificate, mapping
+            mapping as necessary (e.g., as per RFC 2253 for X.500
+            names).  In this case the realm in the ticket shall be the
+            name of the certifier that issued the user's certificate.
+
+    Note that a principal name may be carried in the subject alt name
+    field of a certificate. This name may be mapped to a principal
+    record in a security database based on local policy, for example
+    the subject alt name may be kerberos/principal@realm format.  In
+    this case the realm name is not that of the CA but that of the
+    local realm doing the mapping (or some realm name chosen by that
+    realm).
+
+    If a non-KDC X.509 certificate contains the principal name within
+    the subjectAltName version 3 extension , that name may utilize
+    KerberosName as defined below, or, in the case of an S/MIME
+    certificate [17], may utilize the email address.  If the KDC
+    is presented with an S/MIME certificate, then the email address
+    within subjectAltName will be interpreted as a principal and realm
+    separated by the "@" sign, or as a name that needs to be
+    canonicalized.  If the resulting name does not correspond to a
+    registered principal name, then the principal name is formed as
+    defined in section 3.1.
+
+    The trustedCertifiers field contains a list of certification
+    authorities trusted by the client, in the case that the client does
+    not possess the KDC's public key certificate.  If the KDC has no
+    certificate signed by any of the trustedCertifiers, then it returns
+    an error of type KDC_ERR_KDC_NOT_TRUSTED.
+
+    KDCs should try to (in order of preference):
+    1. Use the KDC certificate identified by the serialNumber included
+       in the client's request.
+    2. Use a certificate issued to the KDC by the client's CA (if in the
+       middle of a CA key roll-over, use the KDC cert issued under same
+       CA key as user cert used to verify request).
+    3. Use a certificate issued to the KDC by one of the client's
+       trustedCertifier(s);
+    If the KDC is unable to comply with any of these options, then the
+    KDC returns an error message of type KDC_ERR_KDC_NOT_TRUSTED to the
+    client.
+
+    The KDC encrypts the reply not with the user's long-term key, but
+    with the Diffie Hellman derived key or a random key generated
+    for this particular response which is carried in the padata field of
+    the TGS-REP message.
+
+    PA-PK-AS-REP ::= CHOICE {
+                            -- PA TYPE 15
+        dhSignedData       [0] SignedData,
+                            -- Defined in CMS and used only with
+                            -- Diffie-Hellman key exchange (if the
+                            -- client public value was present in the
+                            -- request).
+                            -- This choice MUST be supported
+                            -- by compliant implementations.
+        encKeyPack         [1] EnvelopedData,
+                            -- Defined in CMS
+                            -- The temporary key is encrypted
+                            -- using the client public key
+                            -- key
+                            -- SignedReplyKeyPack, encrypted
+                            -- with the temporary key, is also
+                            -- included.
+    }
+
+    Usage of SignedData:
+
+        When the Diffie-Hellman option is used, dhSignedData in
+        PA-PK-AS-REP provides authenticated Diffie-Hellman parameters
+        of the KDC.  The reply key used to encrypt part of the KDC reply
+        message is derived from the Diffie-Hellman exchange:
+
+        1.  Both the KDC and the client calculate a secret value
+            (g^ab mod p), where a is the client's private exponent and
+            b is the KDC's private exponent.
+
+        2.  Both the KDC and the client take the first N bits of this
+            secret value and convert it into a reply key.  N depends on
+            the reply key type.
+
+        3.  If the reply key is DES, N=64 bits, where some of the bits
+            are replaced with parity bits, according to FIPS PUB 74.
+
+        4.  If the reply key is (3-key) 3-DES, N=192 bits, where some
+            of the bits are replaced with parity bits, according to
+            FIPS PUB 74.
+
+        5.  The encapContentInfo field must contain the KdcDHKeyInfo as
+            defined below.
+
+            a.  The eContentType field shall contain the OID value for
+                pkdhkeydata: iso (1) org (3) dod (6) internet (1)
+                security (5) kerberosv5 (2) pkinit (3) pkdhkeydata (2)
+
+            b.  The eContent field is data of the type KdcDHKeyInfo
+                (below).
+
+        6.  The certificates field must contain the certificates
+            necessary for the client to establish trust in the KDC's
+            certificate based on the list of trusted certifiers sent by
+            the client in the PA-PK-AS-REQ.  This field may be empty if
+            the client did not send to the KDC a list of trusted
+            certifiers (the trustedCertifiers field was empty, meaning
+            that the client already possesses the KDC's certificate).
+
+        7.  The signerInfos field is a SET that must contain at least
+            one member, since it contains the actual signature.
+
+    KdcDHKeyInfo ::= SEQUENCE {
+                              -- used only when utilizing Diffie-Hellman
+      nonce                 [0] INTEGER,
+                                -- binds responce to the request
+      subjectPublicKey      [2] BIT STRING
+                                -- Equals public exponent (g^a mod p)
+                                -- INTEGER encoded as payload of
+                                -- BIT STRING
+    }
+
+    Usage of EnvelopedData:
+
+        The EnvelopedData data type is specified in the Cryptographic
+        Message Syntax, a product of the S/MIME working group of the
+        IETF.  It contains a temporary key encrypted with the PKINIT
+        client's public key.  It also contains a signed and encrypted
+        reply key.
+
+        1.  The originatorInfo field is not required, since that
+            information may be presented in the signedData structure
+            that is encrypted within the encryptedContentInfo field.
+
+        2.  The optional unprotectedAttrs field is not required for
+            PKINIT.
+
+        3.  The recipientInfos field is a SET which must contain exactly
+            one member of the KeyTransRecipientInfo type for encryption
+            with an RSA public key.
+
+            a.  The encryptedKey field (in KeyTransRecipientInfo)
+                contains the temporary key which is encrypted with the
+                PKINIT client's public key.
+
+        4.  The encryptedContentInfo field contains the signed and
+            encrypted reply key.
+
+            a.  The contentType field shall contain the OID value for
+                id-signedData: iso (1) member-body (2) us (840)
+                rsadsi (113549) pkcs (1) pkcs7 (7) signedData (2)
+
+            b.  The encryptedContent field is encrypted data of the CMS
+                type signedData as specified below.
+
+                i.  The encapContentInfo field must contains the
+                    ReplyKeyPack.
+
+                    * The eContentType field shall contain the OID value
+                      for pkrkeydata: iso (1) org (3) dod (6) internet (1)
+                      security (5) kerberosv5 (2) pkinit (3) pkrkeydata (3)
+
+                    * The eContent field is data of the type ReplyKeyPack
+                      (below).
+
+                ii.  The certificates field must contain the certificates
+                     necessary for the client to establish trust in the
+                     KDC's certificate based on the list of trusted
+                     certifiers sent by the client in the PA-PK-AS-REQ.
+                     This field may be empty if the client did not send
+                     to the KDC a list of trusted certifiers (the
+                     trustedCertifiers field was empty, meaning that the
+                     client already possesses the KDC's certificate).
+
+                iii.  The signerInfos field is a SET that must contain at
+                      least one member, since it contains the actual
+                      signature.
+
+    ReplyKeyPack ::= SEQUENCE {
+                              -- not used for Diffie-Hellman
+        replyKey             [0] EncryptionKey,
+                                 -- used to encrypt main reply
+                                 -- ENCTYPE is at least as strong as
+                                 -- ENCTYPE of session key
+        nonce                [1] INTEGER,
+                                 -- binds response to the request
+                                 -- must be same as the nonce
+                                 -- passed in the PKAuthenticator
+    }
+
+    Since each certifier in the certification path of a user's
+    certificate is equivalent to a separate Kerberos realm, the name
+    of each certifier in the certificate chain must be added to the
+    transited field of the ticket.  The format of these realm names is
+    defined in Section 3.1 of this document.  If applicable, the
+    transit-policy-checked flag should be set in the issued ticket.
+
+    The KDC's certificate(s) must bind the public key(s) of the KDC to
+    a name derivable from the name of the realm for that KDC.  X.509
+    certificates shall contain the principal name of the KDC
+    (defined in section 8.2 of RFC 1510) as the SubjectAltName version
+    3 extension. Below is the definition of this version 3 extension,
+    as specified by the X.509 standard:
+
+        subjectAltName EXTENSION ::= {
+            SYNTAX GeneralNames
+            IDENTIFIED BY id-ce-subjectAltName
+        }
+
+        GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName
+
+        GeneralName ::= CHOICE {
+            otherName       [0] OtherName,
+            ...
+        }
+
+        OtherName ::= SEQUENCE {
+            type-id         OBJECT IDENTIFIER,
+            value           [0] EXPLICIT ANY DEFINED BY type-id
+        }
+
+    For the purpose of specifying a Kerberos principal name, the value
+    in OtherName shall be a KerberosName as defined in RFC 1510, but with
+    the PrincipalName replaced by CertPrincipalName as mentioned in
+    Section 3.1:
+
+        KerberosName ::= SEQUENCE {
+            realm           [0] Realm,
+            principalName   [1] CertPrincipalName  -- defined above
+        }
+
+    This specific syntax is identified within subjectAltName by setting
+    the type-id in OtherName to krb5PrincipalName, where (from the
+    Kerberos specification) we have
+
+        krb5 OBJECT IDENTIFIER ::= { iso (1)
+                                     org (3)
+                                     dod (6)
+                                     internet (1)
+                                     security (5)
+                                     kerberosv5 (2) }
+
+        krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
+
+    (This specification may also be used to specify a Kerberos name
+    within the user's certificate.)  The KDC's certificate may be signed
+    directly by a CA, or there may be intermediaries if the server resides
+    within a large organization, or it may be unsigned if the client
+    indicates possession (and trust) of the KDC's certificate.
+
+    The client then extracts the random key used to encrypt the main
+    reply.  This random key (in encPaReply) is encrypted with either the
+    client's public key or with a key derived from the DH values
+    exchanged between the client and the KDC.  The client uses this
+    random key to decrypt the main reply, and subsequently proceeds as
+    described in RFC 1510.
+
+3.2.3. Required Algorithms
+
+    Not all of the algorithms in the PKINIT protocol specification have
+    to be implemented in order to comply with the proposed standard.
+    Below is a list of the required algorithms:
+
+    * Diffie-Hellman public/private key pairs
+        * utilizing Diffie-Hellman ephemeral-ephemeral mode
+    * SHA1 digest and DSA for signatures
+    * SHA1 digest also for the Checksum in the PKAuthenticator
+    * 3-key triple DES keys derived from the Diffie-Hellman Exchange
+    * 3-key triple DES Temporary and Reply keys
+
+4.  Logistics and Policy
+
+    This section describes a way to define the policy on the use of
+    PKINIT for each principal and request.
+
+    The KDC is not required to contain a database record for users
+    who use public key authentication.  However, if these users are
+    registered with the KDC, it is recommended that the database record
+    for these users be modified to an additional flag in the attributes
+    field to indicate that the user should authenticate using PKINIT.
+    If this flag is set and a request message does not contain the
+    PKINIT preauthentication field, then the KDC sends back as error of
+    type KDC_ERR_PREAUTH_REQUIRED indicating that a preauthentication
+    field of type PA-PK-AS-REQ must be included in the request.
+
+5.  Security Considerations
+
+    PKINIT raises a few security considerations, which we will address
+    in this section.
+
+    First of all, PKINIT introduces a new trust model, where KDCs do not
+    (necessarily) certify the identity of those for whom they issue
+    tickets.  PKINIT does allow KDCs to act as their own CAs, in the
+    limited capacity of self-signing their certificates, but one of the
+    additional benefits is to align Kerberos authentication with a global
+    public key infrastructure.  Anyone using PKINIT in this way must be
+    aware of how the certification infrastructure they are linking to
+    works.
+
+    Secondly, PKINIT also introduces the possibility of interactions
+    between different cryptosystems, which may be of widely varying
+    strengths.  Many systems, for instance, allow the use of 512-bit
+    public keys.  Using such keys to wrap data encrypted under strong
+    conventional cryptosystems, such as triple-DES, is inappropriate;
+    it adds a weak link to a strong one at extra cost.  Implementors
+    and administrators should take care to avoid such wasteful and
+    deceptive interactions.
+
+    Lastly, PKINIT calls for randomly generated keys for conventional
+    cryptosystems.  Many such systems contain systematically "weak"
+    keys.  PKINIT implementations MUST avoid use of these keys, either
+    by discarding those keys when they are generated, or by fixing them
+    in some way (e.g., by XORing them with a given mask).  These
+    precautions vary from system to system; it is not our intention to
+    give an explicit recipe for them here.
+
+6.  Transport Issues
+
+    Certificate chains can potentially grow quite large and span several
+    UDP packets; this in turn increases the probability that a Kerberos
+    message involving PKINIT extensions will be broken in transit.  In
+    light of the possibility that the Kerberos specification will
+    require KDCs to accept requests using TCP as a transport mechanism,
+    we make the same recommendation with respect to the PKINIT
+    extensions as well.
+
+7.  Bibliography
+
+    [1] J. Kohl, C. Neuman.  The Kerberos Network Authentication Service
+    (V5).  Request for Comments 1510.
+
+    [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service
+    for Computer Networks, IEEE Communications, 32(9):33-38.  September
+    1994.
+
+    [3] B. Tung, T. Ryutov, C. Neuman, G. Tsudik, B. Sommerfeld,
+    A. Medvinsky, M. Hur.  Public Key Cryptography for Cross-Realm
+    Authentication in Kerberos.  draft-ietf-cat-kerberos-pk-cross-04.txt
+
+    [4] A. Medvinsky, J. Cargille, M. Hur.  Anonymous Credentials in
+    Kerberos.  draft-ietf-cat-kerberos-anoncred-00.txt
+
+    [5] Ari Medvinsky, M. Hur, Alexander Medvinsky, B. Clifford Neuman.
+    Public Key Utilizing Tickets for Application Servers (PKTAPP).
+    draft-ietf-cat-pktapp-02.txt
+
+    [6] M. Sirbu, J. Chuang.  Distributed Authentication in Kerberos
+    Using Public Key Cryptography.  Symposium On Network and Distributed
+    System Security, 1997.
+
+    [7] B. Cox, J.D. Tygar, M. Sirbu.  NetBill Security and Transaction
+    Protocol.  In Proceedings of the USENIX Workshop on Electronic
+    Commerce, July 1995.
+
+    [8] T. Dierks, C. Allen.  The TLS Protocol, Version 1.0
+    Request for Comments 2246, January 1999.
+
+    [9] B.C. Neuman, Proxy-Based Authorization and Accounting for
+    Distributed Systems.  In Proceedings of the 13th International
+    Conference on Distributed Computing Systems, May 1993.
+
+    [10] ITU-T (formerly CCITT) Information technology - Open Systems
+    Interconnection - The Directory: Authentication Framework
+    Recommendation X.509 ISO/IEC 9594-8
+
+    [11] R. Housley. Cryptographic Message Syntax.
+    draft-ietf-smime-cms-13.txt, April 1999, approved for publication
+    as RFC.
+
+    [12] PKCS #7: Cryptographic Message Syntax Standard,
+    An RSA Laboratories Technical Note Version 1.5
+    Revised November 1, 1993
+
+    [13] R. Rivest, MIT Laboratory for Computer Science and RSA Data
+    Security, Inc. A Description of the RC2(r) Encryption Algorithm
+    March 1998.
+    Request for Comments 2268.
+
+    [14] M. Wahl, S. Kille, T. Howes. Lightweight Directory Access
+    Protocol (v3): UTF-8 String Representation of Distinguished Names.
+    Request for Comments 2253.
+
+    [15] R. Housley, W. Ford, W. Polk, D. Solo. Internet X.509 Public
+    Key Infrastructure, Certificate and CRL Profile, January 1999.
+    Request for Comments 2459.
+
+    [16] B. Kaliski, J. Staddon. PKCS #1: RSA Cryptography
+    Specifications, October 1998.  Request for Comments 2437.
+
+    [17] S. Dusse, P. Hoffman, B. Ramsdell, J. Weinstein.  S/MIME
+    Version 2 Certificate Handling, March 1998.  Request for
+    Comments 2312.
+
+    [18] M. Wahl, T. Howes, S. Kille.  Lightweight Directory Access
+    Protocol (v3), December 1997.  Request for Comments 2251.
+
+    [19] ITU-T (formerly CCITT) Information Processing Systems - Open
+    Systems Interconnection - Specification of Abstract Syntax Notation
+    One (ASN.1) Rec. X.680 ISO/IEC 8824-1
+
+    [20] PKCS #3: Diffie-Hellman Key-Agreement Standard, An RSA
+    Laboratories Technical Note, Version 1.4, Revised November 1, 1993.
+
+8.  Acknowledgements
+
+    Some of the ideas on which this proposal is based arose during
+    discussions over several years between members of the SAAG, the IETF
+    CAT working group, and the PSRG, regarding integration of Kerberos
+    and SPX.  Some ideas have also been drawn from the DASS system.
+    These changes are by no means endorsed by these groups.  This is an
+    attempt to revive some of the goals of those groups, and this
+    proposal approaches those goals primarily from the Kerberos
+    perspective.  Lastly, comments from groups working on similar ideas
+    in DCE have been invaluable.
+
+9.  Expiration Date
+
+    This draft expires January 15, 2001.
+
+10. Authors
+
+    Brian Tung
+    Clifford Neuman
+    USC Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey CA 90292-6695
+    Phone: +1 310 822 1511
+    E-mail: {brian, bcn}@isi.edu
+
+    Matthew Hur
+    CyberSafe Corporation
+    1605 NW Sammamish Road
+    Issaquah WA 98027-5378
+    Phone: +1 425 391 6000
+    E-mail: matt.hur@cybersafe.com
+
+    Ari Medvinsky
+    Keen.com, Inc.
+    150 Independence Drive
+    Menlo Park CA 94025
+    Phone: +1 650 289 3134
+    E-mail: ari@keen.com
+
+    Sasha Medvinsky
+    Motorola
+    6450 Sequence Drive
+    San Diego, CA 92121
+    +1 858 404 2367
+    E-mail: smedvinsky@gi.com
+
+    John Wray
+    Iris Associates, Inc.
+    5 Technology Park Dr.
+    Westford, MA 01886
+    E-mail: John_Wray@iris.com
+
+    Jonathan Trostle
+    170 W. Tasman Dr.
+    San Jose, CA 95134
+    E-mail: jtrostle@cisco.com
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt
new file mode 100644
index 0000000..6581dd5
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt
@@ -0,0 +1,378 @@
+INTERNET-DRAFT                                    Ari Medvinsky
+draft-ietf-cat-kerberos-pk-tapp-03.txt            Keen.com, Inc.
+Expires January 14, 2001                          Matthew Hur
+Informational					  CyberSafe Corporation
+						  Sasha Medvinsky
+						  Motorola
+                                                  Clifford Neuman
+                                                  USC/ISI
+
+Public Key Utilizing Tickets for Application Servers (PKTAPP)
+
+
+0. Status Of this Memo
+
+This document is an Internet-Draft and is in full conformance with
+all provisions of Section 10 of RFC 2026.  Internet-Drafts are
+working documents of the Internet Engineering Task Force (IETF),
+its areas, and its working groups.  Note that other groups may also
+distribute working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six
+months and may be updated, replaced, or obsoleted by other
+documents at any time.  It is inappropriate to use Internet-Drafts
+as reference material or to cite them other than as "work in
+progress."
+
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt
+
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html.
+
+To learn the current status of any Internet-Draft, please check
+the "1id-abstracts.txt" listing contained in the Internet-Drafts
+Shadow Directories on ftp.ietf.org (US East Coast),
+nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+munnari.oz.au (Pacific Rim).
+
+The distribution of this memo is unlimited.  It is filed as
+draft-ietf-cat-kerberos-pk-init-10.txt, and expires April 30,
+2000.  Please send comments to the authors.
+
+1. Abstract
+
+Public key based Kerberos for Distributed Authentication[1], (PKDA) 
+proposed by Sirbu & Chuang, describes PK based authentication that 
+eliminates the use of a centralized key distribution center while 
+retaining the advantages of Kerberos tickets.  This draft describes how, 
+without any modification, the PKINIT specification[2] may be used to 
+implement the ideas introduced in PKDA.  The benefit is that only a 
+single PK Kerberos extension is needed to address the goals of PKINIT & 
+PKDA.
+
+
+
+2. Introduction
+
+With the proliferation of public key cryptography, a number of public 
+key extensions to Kerberos have been proposed to provide 
+interoperability with the PK infrastructure and to improve the Kerberos 
+authentication system [4].  Among these are PKINIT[2] (under development
+in the CAT working group) and more recently PKDA [1] proposed by Sirbu & 
+Chuang of CMU.  One of the principal goals of PKINIT is to provide for 
+interoperability between a PK infrastructure and Kerberos.  Using 
+PKINIT, a user can authenticate to the KDC via a public key certificate.  
+A ticket granting ticket (TGT), returned by the KDC, enables a PK user 
+to obtain tickets and authenticate to kerberized services.  The PKDA 
+proposal goes a step further.  It supports direct client to server 
+authentication, eliminating the need for an online key distribution 
+center.  In this draft, we describe how, without any modification, the 
+PKINIT protocol may be applied to achieve the goals of PKDA. For direct 
+client to server authentication, the client will use PKINIT to 
+authenticate to the end server (instead of a central KDC), which then, 
+will issue a ticket for itself.  The benefit of this proposal, is that a 
+single PK extension to Kerberos can addresses the goals of PKINIT and 
+PKDA.
+
+
+3. PKDA background
+
+The PKDA proposal provides direct client to server authentication, thus 
+eliminating the need for an online key distribution center.  A client 
+and server take part in an initial PK based authentication exchange, 
+with an added caveat that the server acts as a Kerberos ticket granting 
+service and issues a traditional Kerberos ticket for itself.  In 
+subsequent communication, the client makes use of the Kerberos ticket, 
+thus eliminating the need for public key operations on the server.  This 
+approach has an advantage over SSL in that the server does not need to 
+save state (cache session keys).  Furthermore, an additional benefit, is 
+that Kerberos tickets can facilitate delegation (see Neuman[3]). 
+
+Below is a brief overview of the PKDA protocol.  For a more detailed 
+description see [1]. 
+
+SCERT_REQ: Client to Server
+The client requests a certificate from the server.  If the serverÆs 
+certificate is cached locally, SCERT_REQ and SCERT_REP are omitted.
+
+SCERT_REP:  Server to Client
+The server returns its certificate to the client.
+
+PKTGS_REQ: Client to Server
+The client sends a request for a service ticket to the server.  To 
+authenticate the request, the client signs, among other fields, a time 
+stamp and a newly generated symmetric key .  The time stamp is used to 
+foil replay attacks;  the symmetric key is used by the server to secure 
+the PKTGS_REP message. 
+The client provides a certificate in the request (the certificate 
+enables the server to verify the validity of the clientÆs signature) and 
+seals it along with the signed information using the serverÆs public 
+key.  
+
+ 
+PKTGS_REP:  Server to Client
+The server returns a service ticket (which it issued for itself) along 
+with the session key for the ticket.  The session key is protected by 
+the client-generated key from the PKTGS_REQ message.  
+
+AP_REQ:  Client to Server
+After the above exchange, the client can proceed in a normal fashion, 
+using the conventional Kerberos ticket in an AP_REQ message.
+
+
+4. PKINIT background
+
+One of the principal goals of PKINIT is to provide for interoperability 
+between a public key infrastructure and Kerberos.  Using a public key 
+certificate, a client can authenticate to the KDC and receive a TGT 
+which enables the client to obtain service tickets to kerberized 
+services..  In PKINIT, the AS-REQ and AS-REP messages remain the same; 
+new preauthentication data types are used to conduct the PK exchange.  
+Client and server certificates are exchanged via the preauthentication 
+data.  Thus, the exchange of certificates , PK authentication, and 
+delivery of a TGT can occur in two messages.
+
+Below is a brief overview of the PKINIT protocol.  For a more detailed 
+description see [2]. 
+
+PreAuthentication data of AS-REQ:  Client to Server
+The client sends a list of trusted certifiers, a signed PK 
+authenticator, and its certificate.  The PK authenticator, based on the 
+Kerberos authenticator, contains the name of the KDC, a timestamp, and a 
+nonce.
+
+PreAuthentication data of AS-REP:  Server to Client
+The server responds with its certificate and the key used for decrypting 
+the encrypted part of the AS-REQ.  This key is encrypted with the 
+clientÆs public key.
+
+AP_REQ:  Client to Server
+After the above exchange, the client can proceed in a normal fashion, 
+using the conventional Kerberos ticket in an AP_REQ message.
+
+
+5. Application of PKINIT to achieve equivalence to PKDA
+
+While PKINIT is normally used to retrieve a ticket granting ticket 
+(TGT), it may also be used to request an end service ticket.  When used 
+in this fashion, PKINIT is functionally equivalent to PKDA.  We 
+introduce the concept of a local ticket granting server (LTGS) to 
+illustrate how PKINIT may be used for issuing end service tickets based 
+on public key authentication.  It is important to note that the LTGS may 
+be built into an application server, or it may be a stand-alone server 
+used for issuing tickets within a well-defined realm, such as a single 
+machine.  We will discuss both of these options.
+
+
+5.1. The LTGS
+
+The LTGS processes the Kerberos AS-REQ and AS-REP messages with PKINIT 
+preauthentication data.  When a client submits an AS-REQ to the LTGS, it
+specifies an application server, in order to receive an end service 
+ticket instead of a TGT.
+
+
+5.1.1. The LTGS as a standalone server
+
+The LTGS may run as a separate process that serves applications which 
+reside on the same machine. This serves to consolidate administrative 
+functions and provide an easier migration path for a heterogeneous 
+environment consisting of both public key and Kerberos.  The LTGS would 
+use one well-known port (port #88 - same as the KDC) for all message 
+traffic and would share a symmetric with each service.  After the client 
+receives a service ticket, it then contacts the application server 
+directly.  This approach is similar to the one suggested by Sirbu , et 
+al [1].
+
+5.1.1.1. Ticket Policy for PKTAPP Clients
+
+It is desirable for the LTGS to have access to a PKTAPP client ticket
+policy. This policy will contain information for each client, such as 
+the maximum lifetime of a ticket, whether or not a ticket can be 
+forwardable, etc. PKTAPP clients, however, use the PKINIT protocol for
+authentication and are not required to be registered as Kerberos 
+principals.
+
+As one possible solution, each public key Certification Authority could
+be registered in a secure database, along with the ticket policy 
+information for all PKTAPP clients that are certified by this
+Certification Authority.
+
+5.1.1.2. LTGS as a Kerberos Principal
+
+Since the LTGS serves only PKTAPP clients and returns only end service
+tickets for other services, it does not require a Kerberos service key 
+or a Kerberos principal identity. It is therefore not necessary for the
+LTGS to even be registered as a Kerberos principal.
+
+The LTGS still requires public key credentials for the PKINIT exchange,
+and it may be desired to have some global restrictions on the Kerberos
+tickets that it can issue. It is recommended (but not required) that
+this information be associated with a Kerberos principal entry for the
+LTGS.
+
+
+5.1.1.3. Kerberos Principal Database
+
+Since the LTGS issues tickets for Kerberos services, it will require
+access to a Kerberos principal database containing entries for at least
+the end services. Each entry must contain a service key and may also
+contain restrictions on the service tickets that are issued to clients.
+It is recommended that (for ease of administration) this principal
+database be centrally administered and distributed (replicated) to all
+hosts where an LTGS may be running.
+
+In the case that there are other clients that do not support PKINIT
+protocol, but still need access to the same Kerberos services, this
+principal database will also require entries for Kerberos clients and
+for the TGS entries.
+
+5.1.2. The LTGS as part of an application server
+
+The LTGS may be combined with an application server.  This accomplishes 
+direct client to application server authentication; however, it requires 
+that applications be modified to process AS-REQ and AS-REP messages.  
+The LTGS would communicate over the port assigned to the application 
+server or over the well known Kerberos port for that particular 
+application.
+
+5.1.2.2. Ticket Policy for PKTAPP Clients
+
+Application servers normally do not have access to a distributed 
+principal database. Therefore, they will have to find another means of
+keeping track of the ticket policy information for PKTAPP clients. It is
+recommended that this ticket policy be kept in a directory service (such
+as LDAP).  
+
+It is critical, however, that both read and write access to this ticket
+policy is restricted with strong authentication and encryption to only
+the correct application server.  An unauthorized party should not have
+the authority to modify the ticket policy. Disclosing the ticket policy
+to a 3rd party may aid an adversary in determining the best way to
+compromise the network.
+
+It is just as critical for the application server to authenticate the
+directory service. Otherwise an adversary could use a man-in-the-middle
+attack to substitute a false ticket policy with a false directory
+service.
+
+5.1.2.3. LTGS Credentials
+
+Each LTGS (combined with an application service) will require public key
+credentials in order to use the PKINIT protocol. These credentials can 
+be stored in a single file that is both encrypted with a password-
+derived symmetric key and also secured by an operating system. This
+symmetric key may be stashed somewhere on the machine for convenience,
+although such practice potentially weakens the overall system security
+and is strongly discouraged.
+
+For added security, it is recommended that the LTGS private keys are
+stored inside a temper-resistant hardware module that requires a pin
+code for access.
+
+
+5.1.2.4. Compatibility With Standard Kerberos
+
+Even though an application server is combined with the LTGS, for
+backward compatibility it should still accept service tickets that have
+been issued by the KDC. This will allow Kerberos clients that do not
+support PKTAPP to authenticate to the same application server (with the
+help of a KDC).
+
+5.1.3. Cross-Realm Authentication
+
+According to the PKINIT draft, the client's realm is the X.500 name of
+the Certification Authority that issued the client certificate. A 
+Kerberos application service will be in a standard Kerberos realm, which
+implies that the LTGS will need to issue cross-realm end service 
+tickets. This is the only case, where cross-realm end service tickets
+are issued. In a standard Kerberos model, a client first acquires a
+cross-realm TGT, and then gets an end service ticket from the KDC that
+is in the same realm as the application service.
+
+6. Protocol differences between PKINIT and PKDA
+
+Both PKINIT and PKDA will accomplish the same goal of issuing end 
+service tickets, based on initial public key authentication.  A PKINIT-
+based implementation and a PKDA implementation would be functionally 
+equivalent.  The primary differences are that 1)PKDA requires the client 
+to create the symmetric key while PKINIT requires the server to create 
+the key and 2)PKINIT accomplishes in two messages what PKDA accomplishes 
+in four messages.
+
+7. Summary
+
+The PKINIT protocol can be used, without modification to facilitate 
+client to server authentication without the use of a central KDC.  The 
+approach described in this draft  (and originally proposed in PKDA[1]) 
+is essentially a public key authentication protocol that retains the 
+advantages of Kerberos tickets.
+
+Given that PKINIT has progressed through the CAT working group of the 
+IETF, with plans for non-commercial distribution (via MITÆs v5 Kerberos)  
+as well as commercial support, it is worthwhile to provide PKDA 
+functionality, under the PKINIT umbrella.
+
+8. Security Considerations
+
+PKTAPP is based on the PKINIT protocol and all security considerations
+already listed in [2] apply here.
+
+When the LTGS is implemented as part of each application server, the
+secure storage of its public key credentials and of its ticket policy
+are both a concern.  The respective security considerations are already
+covered in sections 5.1.2.3 and 5.1.2.2 of this document.  
+
+
+9. Bibliography
+
+[1] M. Sirbu, J. Chuang.  Distributed Authentication in Kerberos Using 
+Public Key Cryptography.  Symposium On Network and Distributed System 
+Security, 1997.
+
+[2] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray,
+J. Trostle.  Public Key Cryptography for Initial Authentication in
+Kerberos.  Internet Draft, October 1999. 
+(ftp://ietf.org/internet-drafts/draft-ietf-cat-kerberos-pk-init-10.txt)
+
+[3] C. Neuman, Proxy-Based Authorization and Accounting for 
+Distributed Systems.  In Proceedings of the 13th International 
+Conference on Distributed Computing Systems, May 1993.
+
+[4] J. Kohl, C. Neuman.  The Kerberos Network Authentication Service
+(V5).  Request for Comments 1510.
+
+10.  Expiration Date
+
+This draft expires April 24, 2000.
+
+11. Authors
+
+Ari Medvinsky
+Keen.com, Inc.
+150 Independence Dr.
+Menlo Park, CA 94025
+Phone +1 650 289 3134
+E-mail: ari@keen.com
+
+Matthew Hur
+CyberSafe Corporation
+1605 NW Sammamish Road
+Issaquah, WA 98027-5378
+Phone: +1 425 391 6000
+E-mail: matt.hur@cybersafe.com
+
+Alexander Medvinsky
+Motorola
+6450 Sequence Dr.
+San Diego, CA 92121
+Phone: +1 858 404 2367
+E-mail: smedvinsky@gi.com
+
+Clifford Neuman
+USC Information Sciences Institute
+4676 Admiralty Way Suite 1001
+Marina del Rey CA 90292-6695
+Phone: +1 310 822 1511
+E-mail: bcn@isi.edu
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt
new file mode 100644
index 0000000..1592124
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt
@@ -0,0 +1,6866 @@
+INTERNET-DRAFT                                           Clifford Neuman
+                                                               John Kohl
+                                                           Theodore Ts'o
+                                                          March 10, 2000
+                                              Expires September 10, 2000
+
+The Kerberos Network Authentication Service (V5)
+draft-ietf-cat-kerberos-revisions-05.txt
+
+STATUS OF THIS MEMO
+
+This document is an Internet-Draft and is in full conformance with all
+provisions of Section 10 of RFC 2026. Internet-Drafts are working documents
+of the Internet Engineering Task Force (IETF), its areas, and its working
+groups. Note that other groups may also distribute working documents as
+Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months and
+may be updated, replaced, or obsoleted by other documents at any time. It is
+inappropriate to use Internet-Drafts as reference material or to cite them
+other than as "work in progress."
+
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt
+
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html.
+
+To learn the current status of any Internet-Draft, please check the
+"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
+ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
+
+The distribution of this memo is unlimited. It is filed as
+draft-ietf-cat-kerberos-revisions-05.txt, and expires September 10, 2000.
+Please send comments to: krb-protocol@MIT.EDU
+
+ABSTRACT
+
+This document provides an overview and specification of Version 5 of the
+Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
+and its intended use that require more detailed or clearer explanation than
+was provided in RFC1510. This document is intended to provide a detailed
+description of the protocol, suitable for implementation, together with
+descriptions of the appropriate use of protocol messages and fields within
+those messages.
+
+This document is not intended to describe Kerberos to the end user, system
+administrator, or application developer. Higher level papers describing
+Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
+are available elsewhere.
+
+OVERVIEW
+
+This INTERNET-DRAFT describes the concepts and model upon which the Kerberos
+network authentication system is based. It also specifies Version 5 of the
+Kerberos protocol.
+
+The motivations, goals, assumptions, and rationale behind most design
+decisions are treated cursorily; they are more fully described in a paper
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+available in IEEE communications [NT94] and earlier in the Kerberos portion
+of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
+standard and are being considered for advancement for draft standard through
+the IETF standard process. Comments are encouraged on the presentation, but
+only minor refinements to the protocol as implemented or extensions that fit
+within current protocol framework will be considered at this time.
+
+Requests for addition to an electronic mailing list for discussion of
+Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
+This mailing list is gatewayed onto the Usenet as the group
+comp.protocols.kerberos. Requests for further information, including
+documents and code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+The Kerberos model is based in part on Needham and Schroeder's trusted
+third-party authentication protocol [NS78] and on modifications suggested by
+Denning and Sacco [DS81]. The original design and implementation of Kerberos
+Versions 1 through 4 was the work of two former Project Athena staff
+members, Steve Miller of Digital Equipment Corporation and Clifford Neuman
+(now at the Information Sciences Institute of the University of Southern
+California), along with Jerome Saltzer, Technical Director of Project
+Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members
+of Project Athena have also contributed to the work on Kerberos.
+
+Version 5 of the Kerberos protocol (described in this document) has evolved
+from Version 4 based on new requirements and desires for features not
+available in Version 4. The design of Version 5 of the Kerberos protocol was
+led by Clifford Neuman and John Kohl with much input from the community. The
+development of the MIT reference implementation was led at MIT by John Kohl
+and Theodore T'so, with help and contributed code from many others. Since
+RFC1510 was issued, extensions and revisions to the protocol have been
+proposed by many individuals. Some of these proposals are reflected in this
+document. Where such changes involved significant effort, the document cites
+the contribution of the proposer.
+
+Reference implementations of both version 4 and version 5 of Kerberos are
+publicly available and commercial implementations have been developed and
+are widely used. Details on the differences between Kerberos Versions 4 and
+5 can be found in [KNT92].
+
+1. Introduction
+
+Kerberos provides a means of verifying the identities of principals, (e.g. a
+workstation user or a network server) on an open (unprotected) network. This
+is accomplished without relying on assertions by the host operating system,
+without basing trust on host addresses, without requiring physical security
+of all the hosts on the network, and under the assumption that packets
+traveling along the network can be read, modified, and inserted at will[1].
+Kerberos performs authentication under these conditions as a trusted
+third-party authentication service by using conventional (shared secret key
+[2] cryptography. Kerberos extensions have been proposed and implemented
+that provide for the use of public key cryptography during certain phases of
+the authentication protocol. These extensions provide for authentication of
+users registered with public key certification authorities, and allow the
+system to provide certain benefits of public key cryptography in situations
+where they are needed.
+
+The basic Kerberos authentication process proceeds as follows: A client
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+sends a request to the authentication server (AS) requesting 'credentials'
+for a given server. The AS responds with these credentials, encrypted in the
+client's key. The credentials consist of 1) a 'ticket' for the server and 2)
+a temporary encryption key (often called a "session key"). The client
+transmits the ticket (which contains the client's identity and a copy of the
+session key, all encrypted in the server's key) to the server. The session
+key (now shared by the client and server) is used to authenticate the
+client, and may optionally be used to authenticate the server. It may also
+be used to encrypt further communication between the two parties or to
+exchange a separate sub-session key to be used to encrypt further
+communication.
+
+Implementation of the basic protocol consists of one or more authentication
+servers running on physically secure hosts. The authentication servers
+maintain a database of principals (i.e., users and servers) and their secret
+keys. Code libraries provide encryption and implement the Kerberos protocol.
+In order to add authentication to its transactions, a typical network
+application adds one or two calls to the Kerberos library directly or
+through the Generic Security Services Application Programming Interface,
+GSSAPI, described in separate document. These calls result in the
+transmission of the necessary messages to achieve authentication.
+
+The Kerberos protocol consists of several sub-protocols (or exchanges).
+There are two basic methods by which a client can ask a Kerberos server for
+credentials. In the first approach, the client sends a cleartext request for
+a ticket for the desired server to the AS. The reply is sent encrypted in
+the client's secret key. Usually this request is for a ticket-granting
+ticket (TGT) which can later be used with the ticket-granting server (TGS).
+In the second method, the client sends a request to the TGS. The client uses
+the TGT to authenticate itself to the TGS in the same manner as if it were
+contacting any other application server that requires Kerberos
+authentication. The reply is encrypted in the session key from the TGT.
+Though the protocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different protocol entry points
+within a single Kerberos server.
+
+Once obtained, credentials may be used to verify the identity of the
+principals in a transaction, to ensure the integrity of messages exchanged
+between them, or to preserve privacy of the messages. The application is
+free to choose whatever protection may be necessary.
+
+To verify the identities of the principals in a transaction, the client
+transmits the ticket to the application server. Since the ticket is sent "in
+the clear" (parts of it are encrypted, but this encryption doesn't thwart
+replay) and might be intercepted and reused by an attacker, additional
+information is sent to prove that the message originated with the principal
+to whom the ticket was issued. This information (called the authenticator)
+is encrypted in the session key, and includes a timestamp. The timestamp
+proves that the message was recently generated and is not a replay.
+Encrypting the authenticator in the session key proves that it was generated
+by a party possessing the session key. Since no one except the requesting
+principal and the server know the session key (it is never sent over the
+network in the clear) this guarantees the identity of the client.
+
+The integrity of the messages exchanged between principals can also be
+guaranteed using the session key (passed in the ticket and contained in the
+credentials). This approach provides detection of both replay attacks and
+message stream modification attacks. It is accomplished by generating and
+transmitting a collision-proof checksum (elsewhere called a hash or digest
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+function) of the client's message, keyed with the session key. Privacy and
+integrity of the messages exchanged between principals can be secured by
+encrypting the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+The authentication exchanges mentioned above require read-only access to the
+Kerberos database. Sometimes, however, the entries in the database must be
+modified, such as when adding new principals or changing a principal's key.
+This is done using a protocol between a client and a third Kerberos server,
+the Kerberos Administration Server (KADM). There is also a protocol for
+maintaining multiple copies of the Kerberos database. Neither of these
+protocols are described in this document.
+
+1.1. Cross-Realm Operation
+
+The Kerberos protocol is designed to operate across organizational
+boundaries. A client in one organization can be authenticated to a server in
+another. Each organization wishing to run a Kerberos server establishes its
+own 'realm'. The name of the realm in which a client is registered is part
+of the client's name, and can be used by the end-service to decide whether
+to honor a request.
+
+By establishing 'inter-realm' keys, the administrators of two realms can
+allow a client authenticated in the local realm to prove its identity to
+servers in other realms[3]. The exchange of inter-realm keys (a separate key
+may be used for each direction) registers the ticket-granting service of
+each realm as a principal in the other realm. A client is then able to
+obtain a ticket-granting ticket for the remote realm's ticket-granting
+service from its local realm. When that ticket-granting ticket is used, the
+remote ticket-granting service uses the inter-realm key (which usually
+differs from its own normal TGS key) to decrypt the ticket-granting ticket,
+and is thus certain that it was issued by the client's own TGS. Tickets
+issued by the remote ticket-granting service will indicate to the
+end-service that the client was authenticated from another realm.
+
+A realm is said to communicate with another realm if the two realms share an
+inter-realm key, or if the local realm shares an inter-realm key with an
+intermediate realm that communicates with the remote realm. An
+authentication path is the sequence of intermediate realms that are
+transited in communicating from one realm to another.
+
+Realms are typically organized hierarchically. Each realm shares a key with
+its parent and a different key with each child. If an inter-realm key is not
+directly shared by two realms, the hierarchical organization allows an
+authentication path to be easily constructed. If a hierarchical organization
+is not used, it may be necessary to consult a database in order to construct
+an authentication path between realms.
+
+Although realms are typically hierarchical, intermediate realms may be
+bypassed to achieve cross-realm authentication through alternate
+authentication paths (these might be established to make communication
+between two realms more efficient). It is important for the end-service to
+know which realms were transited when deciding how much faith to place in
+the authentication process. To facilitate this decision, a field in each
+ticket contains the names of the realms that were involved in authenticating
+the client.
+
+The application server is ultimately responsible for accepting or rejecting
+authentication and should check the transited field. The application server
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+may choose to rely on the KDC for the application server's realm to check
+the transited field. The application server's KDC will set the
+TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
+realms may also check the transited field as they issue
+ticket-granting-tickets for other realms, but they are encouraged not to do
+so. A client may request that the KDC's not check the transited field by
+setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
+required to honor this flag.
+
+1.2. Authorization
+
+As an authentication service, Kerberos provides a means of verifying the
+identity of principals on a network. Authentication is usually useful
+primarily as a first step in the process of authorization, determining
+whether a client may use a service, which objects the client is allowed to
+access, and the type of access allowed for each. Kerberos does not, by
+itself, provide authorization. Possession of a client ticket for a service
+provides only for authentication of the client to that service, and in the
+absence of a separate authorization procedure, it should not be considered
+by an application as authorizing the use of that service.
+
+Such separate authorization methods may be implemented as application
+specific access control functions and may be based on files such as the
+application server, or on separately issued authorization credentials such
+as those based on proxies [Neu93], or on other authorization services.
+Separately authenticated authorization credentials may be embedded in a
+tickets authorization data when encapsulated by the kdc-issued authorization
+data element.
+
+Applications should not be modified to accept the mere issuance of a service
+ticket by the Kerberos server (even by a modified Kerberos server) as
+granting authority to use the service, since such applications may become
+vulnerable to the bypass of this authorization check in an environment if
+they interoperate with other KDCs or where other options for application
+authentication (e.g. the PKTAPP proposal) are provided.
+
+1.3. Environmental assumptions
+
+Kerberos imposes a few assumptions on the environment in which it can
+properly function:
+
+   * 'Denial of service' attacks are not solved with Kerberos. There are
+     places in these protocols where an intruder can prevent an application
+     from participating in the proper authentication steps. Detection and
+     solution of such attacks (some of which can appear to be nnot-uncommon
+     'normal' failure modes for the system) is usually best left to the
+     human administrators and users.
+   * Principals must keep their secret keys secret. If an intruder somehow
+     steals a principal's key, it will be able to masquerade as that
+     principal or impersonate any server to the legitimate principal.
+   * 'Password guessing' attacks are not solved by Kerberos. If a user
+     chooses a poor password, it is possible for an attacker to successfully
+     mount an offline dictionary attack by repeatedly attempting to decrypt,
+     with successive entries from a dictionary, messages obtained which are
+     encrypted under a key derived from the user's password.
+   * Each host on the network must have a clock which is 'loosely
+     synchronized' to the time of the other hosts; this synchronization is
+     used to reduce the bookkeeping needs of application servers when they
+     do replay detection. The degree of "looseness" can be configured on a
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     per-server basis, but is typically on the order of 5 minutes. If the
+     clocks are synchronized over the network, the clock synchronization
+     protocol must itself be secured from network attackers.
+   * Principal identifiers are not recycled on a short-term basis. A typical
+     mode of access control will use access control lists (ACLs) to grant
+     permissions to particular principals. If a stale ACL entry remains for
+     a deleted principal and the principal identifier is reused, the new
+     principal will inherit rights specified in the stale ACL entry. By not
+     re-using principal identifiers, the danger of inadvertent access is
+     removed.
+
+1.4. Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+Authentication
+     Verifying the claimed identity of a principal.
+Authentication header
+     A record containing a Ticket and an Authenticator to be presented to a
+     server as part of the authentication process.
+Authentication path
+     A sequence of intermediate realms transited in the authentication
+     process when communicating from one realm to another.
+Authenticator
+     A record containing information that can be shown to have been recently
+     generated using the session key known only by the client and server.
+Authorization
+     The process of determining whether a client may use a service, which
+     objects the client is allowed to access, and the type of access allowed
+     for each.
+Capability
+     A token that grants the bearer permission to access an object or
+     service. In Kerberos, this might be a ticket whose use is restricted by
+     the contents of the authorization data field, but which lists no
+     network addresses, together with the session key necessary to use the
+     ticket.
+Ciphertext
+     The output of an encryption function. Encryption transforms plaintext
+     into ciphertext.
+Client
+     A process that makes use of a network service on behalf of a user. Note
+     that in some cases a Server may itself be a client of some other server
+     (e.g. a print server may be a client of a file server).
+Credentials
+     A ticket plus the secret session key necessary to successfully use that
+     ticket in an authentication exchange.
+KDC
+     Key Distribution Center, a network service that supplies tickets and
+     temporary session keys; or an instance of that service or the host on
+     which it runs. The KDC services both initial ticket and ticket-granting
+     ticket requests. The initial ticket portion is sometimes referred to as
+     the Authentication Server (or service). The ticket-granting ticket
+     portion is sometimes referred to as the ticket-granting server (or
+     service).
+Kerberos
+     Aside from the 3-headed dog guarding Hades, the name given to Project
+     Athena's authentication service, the protocol used by that service, or
+     the code used to implement the authentication service.
+Plaintext
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     The input to an encryption function or the output of a decryption
+     function. Decryption transforms ciphertext into plaintext.
+Principal
+     A uniquely named client or server instance that participates in a
+     network communication.
+Principal identifier
+     The name used to uniquely identify each different principal.
+Seal
+     To encipher a record containing several fields in such a way that the
+     fields cannot be individually replaced without either knowledge of the
+     encryption key or leaving evidence of tampering.
+Secret key
+     An encryption key shared by a principal and the KDC, distributed
+     outside the bounds of the system, with a long lifetime. In the case of
+     a human user's principal, the secret key is derived from a password.
+Server
+     A particular Principal which provides a resource to network clients.
+     The server is sometimes refered to as the Application Server.
+Service
+     A resource provided to network clients; often provided by more than one
+     server (for example, remote file service).
+Session key
+     A temporary encryption key used between two principals, with a lifetime
+     limited to the duration of a single login "session".
+Sub-session key
+     A temporary encryption key used between two principals, selected and
+     exchanged by the principals using the session key, and with a lifetime
+     limited to the duration of a single association.
+Ticket
+     A record that helps a client authenticate itself to a server; it
+     contains the client's identity, a session key, a timestamp, and other
+     information, all sealed using the server's secret key. It only serves
+     to authenticate a client when presented along with a fresh
+     Authenticator.
+
+2. Ticket flag uses and requests
+
+Each Kerberos ticket contains a set of flags which are used to indicate
+various attributes of that ticket. Most flags may be requested by a client
+when the ticket is obtained; some are automatically turned on and off by a
+Kerberos server as required. The following sections explain what the various
+flags mean, and gives examples of reasons to use such a flag.
+
+2.1. Initial and pre-authenticated tickets
+
+The INITIAL flag indicates that a ticket was issued using the AS protocol
+and not issued based on a ticket-granting ticket. Application servers that
+want to require the demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be set in any tickets
+they accept, and thus be assured that the client's key was recently
+presented to the application client.
+
+The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
+initial authentication, regardless of whether the current ticket was issued
+directly (in which case INITIAL will also be set) or issued on the basis of
+a ticket-granting ticket (in which case the INITIAL flag is clear, but the
+PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
+ticket-granting ticket).
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+2.2. Invalid tickets
+
+The INVALID flag indicates that a ticket is invalid. Application servers
+must reject tickets which have this flag set. A postdated ticket will
+usually be issued in this form. Invalid tickets must be validated by the KDC
+before use, by presenting them to the KDC in a TGS request with the VALIDATE
+option specified. The KDC will only validate tickets after their starttime
+has passed. The validation is required so that postdated tickets which have
+been stolen before their starttime can be rendered permanently invalid
+(through a hot-list mechanism) (see section 3.3.3.1).
+
+2.3. Renewable tickets
+
+Applications may desire to hold tickets which can be valid for long periods
+of time. However, this can expose their credentials to potential theft for
+equally long periods, and those stolen credentials would be valid until the
+expiration time of the ticket(s). Simply using short-lived tickets and
+obtaining new ones periodically would require the client to have long-term
+access to its secret key, an even greater risk. Renewable tickets can be
+used to mitigate the consequences of theft. Renewable tickets have two
+"expiration times": the first is when the current instance of the ticket
+expires, and the second is the latest permissible value for an individual
+expiration time. An application client must periodically (i.e. before it
+expires) present a renewable ticket to the KDC, with the RENEW option set in
+the KDC request. The KDC will issue a new ticket with a new session key and
+a later expiration time. All other fields of the ticket are left unmodified
+by the renewal process. When the latest permissible expiration time arrives,
+the ticket expires permanently. At each renewal, the KDC may consult a
+hot-list to determine if the ticket had been reported stolen since its last
+renewal; it will refuse to renew such stolen tickets, and thus the usable
+lifetime of stolen tickets is reduced.
+
+The RENEWABLE flag in a ticket is normally only interpreted by the
+ticket-granting service (discussed below in section 3.3). It can usually be
+ignored by application servers. However, some particularly careful
+application servers may wish to disallow renewable tickets.
+
+If a renewable ticket is not renewed by its expiration time, the KDC will
+not renew the ticket. The RENEWABLE flag is reset by default, but a client
+may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
+message. If it is set, then the renew-till field in the ticket contains the
+time after which the ticket may not be renewed.
+
+2.4. Postdated tickets
+
+Applications may occasionally need to obtain tickets for use much later,
+e.g. a batch submission system would need tickets to be valid at the time
+the batch job is serviced. However, it is dangerous to hold valid tickets in
+a batch queue, since they will be on-line longer and more prone to theft.
+Postdated tickets provide a way to obtain these tickets from the KDC at job
+submission time, but to leave them "dormant" until they are activated and
+validated by a further request of the KDC. If a ticket theft were reported
+in the interim, the KDC would refuse to validate the ticket, and the thief
+would be foiled.
+
+The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. This flag
+must be set in a ticket-granting ticket in order to issue a postdated ticket
+based on the presented ticket. It is reset by default; it may be requested
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+by a client by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message.
+This flag does not allow a client to obtain a postdated ticket-granting
+ticket; postdated ticket-granting tickets can only by obtained by requesting
+the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a
+postdated ticket will be the remaining life of the ticket-granting ticket at
+the time of the request, unless the RENEWABLE option is also set, in which
+case it can be the full life (endtime-starttime) of the ticket-granting
+ticket. The KDC may limit how far in the future a ticket may be postdated.
+
+The POSTDATED flag indicates that a ticket has been postdated. The
+application server can check the authtime field in the ticket to see when
+the original authentication occurred. Some services may choose to reject
+postdated tickets, or they may only accept them within a certain period
+after the original authentication. When the KDC issues a POSTDATED ticket,
+it will also be marked as INVALID, so that the application client must
+present the ticket to the KDC to be validated before use.
+
+2.5. Proxiable and proxy tickets
+
+At times it may be necessary for a principal to allow a service to perform
+an operation on its behalf. The service must be able to take on the identity
+of the client, but only for a particular purpose. A principal can allow a
+service to take on the principal's identity for a particular purpose by
+granting it a proxy.
+
+The process of granting a proxy using the proxy and proxiable flags is used
+to provide credentials for use with specific services. Though conceptually
+also a proxy, user's wishing to delegate their identity for ANY purpose must
+use the ticket forwarding mechanism described in the next section to forward
+a ticket granting ticket.
+
+The PROXIABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. When set,
+this flag tells the ticket-granting server that it is OK to issue a new
+ticket (but not a ticket-granting ticket) with a different network address
+based on this ticket. This flag is set if requested by the client on initial
+authentication. By default, the client will request that it be set when
+requesting a ticket granting ticket, and reset when requesting any other
+ticket.
+
+This flag allows a client to pass a proxy to a server to perform a remote
+request on its behalf, e.g. a print service client can give the print server
+a proxy to access the client's files on a particular file server in order to
+satisfy a print request.
+
+In order to complicate the use of stolen credentials, Kerberos tickets are
+usually valid from only those network addresses specifically included in the
+ticket[4]. When granting a proxy, the client must specify the new network
+address from which the proxy is to be used, or indicate that the proxy is to
+be issued for use from any address.
+
+The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
+Application servers may check this flag and at their option they may require
+additional authentication from the agent presenting the proxy in order to
+provide an audit trail.
+
+2.6. Forwardable tickets
+
+Authentication forwarding is an instance of a proxy where the service is
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+granted complete use of the client's identity. An example where it might be
+used is when a user logs in to a remote system and wants authentication to
+work from that system as if the login were local.
+
+The FORWARDABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. The
+FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
+flag, except ticket-granting tickets may also be issued with different
+network addresses. This flag is reset by default, but users may request that
+it be set by setting the FORWARDABLE option in the AS request when they
+request their initial ticket- granting ticket.
+
+This flag allows for authentication forwarding without requiring the user to
+enter a password again. If the flag is not set, then authentication
+forwarding is not permitted, but the same result can still be achieved if
+the user engages in the AS exchange specifying the requested network
+addresses and supplies a password.
+
+The FORWARDED flag is set by the TGS when a client presents a ticket with
+the FORWARDABLE flag set and requests a forwarded ticket by specifying the
+FORWARDED KDC option and supplying a set of addresses for the new ticket. It
+is also set in all tickets issued based on tickets with the FORWARDED flag
+set. Application servers may choose to process FORWARDED tickets differently
+than non-FORWARDED tickets.
+
+2.7. Other KDC options
+
+There are two additional options which may be set in a client's request of
+the KDC. The RENEWABLE-OK option indicates that the client will accept a
+renewable ticket if a ticket with the requested life cannot otherwise be
+provided. If a ticket with the requested life cannot be provided, then the
+KDC may issue a renewable ticket with a renew-till equal to the the
+requested endtime. The value of the renew-till field may still be adjusted
+by site-determined limits or limits imposed by the individual principal or
+server.
+
+The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
+It indicates that the ticket to be issued for the end server is to be
+encrypted in the session key from the a additional second ticket-granting
+ticket provided with the request. See section 3.3.3 for specific details.
+
+3. Message Exchanges
+
+The following sections describe the interactions between network clients and
+servers and the messages involved in those exchanges.
+
+3.1. The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+The Authentication Service (AS) Exchange between the client and the Kerberos
+Authentication Server is initiated by a client when it wishes to obtain
+authentication credentials for a given server but currently holds no
+credentials. In its basic form, the client's secret key is used for
+encryption and decryption. This exchange is typically used at the initiation
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+of a login session to obtain credentials for a Ticket-Granting Server which
+will subsequently be used to obtain credentials for other servers (see
+section 3.3) without requiring further use of the client's secret key. This
+exchange is also used to request credentials for services which must not be
+mediated through the Ticket-Granting Service, but rather require a
+principal's secret key, such as the password-changing service[5]. This
+exchange does not by itself provide any assurance of the the identity of the
+user[6].
+
+The exchange consists of two messages: KRB_AS_REQ from the client to
+Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+In the request, the client sends (in cleartext) its own identity and the
+identity of the server for which it is requesting credentials. The response,
+KRB_AS_REP, contains a ticket for the client to present to the server, and a
+session key that will be shared by the client and the server. The session
+key and additional information are encrypted in the client's secret key. The
+KRB_AS_REP message contains information which can be used to detect replays,
+and to associate it with the message to which it replies. Various errors can
+occur; these are indicated by an error response (KRB_ERROR) instead of the
+KRB_AS_REP response. The error message is not encrypted. The KRB_ERROR
+message contains information which can be used to associate it with the
+message to which it replies. The lack of encryption in the KRB_ERROR message
+precludes the ability to detect replays, fabrications, or modifications of
+such messages.
+
+Without preautentication, the authentication server does not know whether
+the client is actually the principal named in the request. It simply sends a
+reply without knowing or caring whether they are the same. This is
+acceptable because nobody but the principal whose identity was given in the
+request will be able to use the reply. Its critical information is encrypted
+in that principal's key. The initial request supports an optional field that
+can be used to pass additional information that might be needed for the
+initial exchange. This field may be used for preauthentication as described
+in section [hl<>].
+
+3.1.1. Generation of KRB_AS_REQ message
+
+The client may specify a number of options in the initial request. Among
+these options are whether pre-authentication is to be performed; whether the
+requested ticket is to be renewable, proxiable, or forwardable; whether it
+should be postdated or allow postdating of derivative tickets; and whether a
+renewable ticket will be accepted in lieu of a non-renewable ticket if the
+requested ticket expiration date cannot be satisfied by a non-renewable
+ticket (due to configuration constraints; see section 4). See section A.1
+for pseudocode.
+
+The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+If all goes well, processing the KRB_AS_REQ message will result in the
+creation of a ticket for the client to present to the server. The format for
+the ticket is described in section 5.3.1. The contents of the ticket are
+determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+The authentication server looks up the client and server principals named in
+the KRB_AS_REQ in its database, extracting their respective keys. If
+required, the server pre-authenticates the request, and if the
+pre-authentication check fails, an error message with the code
+KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
+requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
+is returned. Otherwise it generates a 'random' session key[7].
+
+If there are multiple encryption keys registered for a client in the
+Kerberos database (or if the key registered supports multiple encryption
+types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
+request is used by the KDC to select the encryption method to be used for
+encrypting the response to the client. If there is more than one supported,
+strong encryption type in the etype list, the first valid etype for which an
+encryption key is available is used. The encryption method used to respond
+to a TGS request is taken from the keytype of the session key found in the
+ticket granting ticket. [***I will change the example keytypes to be 3DES
+based examples 7/14***]
+
+When the etype field is present in a KDC request, whether an AS or TGS
+request, the KDC will attempt to assign the type of the random session key
+from the list of methods in the etype field. The KDC will select the
+appropriate type using the list of methods provided together with
+information from the Kerberos database indicating acceptable encryption
+methods for the application server. The KDC will not issue tickets with a
+weak session key encryption type.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise
+the requested start time is checked against the policy of the local realm
+(the administrator might decide to prohibit certain types or ranges of
+postdated tickets), and if acceptable, the ticket's start time is set as
+requested and the INVALID flag is set in the new ticket. The postdated
+ticket must be validated before use by presenting it to the KDC after the
+start time has been reached.
+
+The expiration time of the ticket will be set to the minimum of the
+following:
+
+   * The expiration time (endtime) requested in the KRB_AS_REQ message.
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the client principal (the authentication server's database
+     includes a maximum ticket lifetime field in each principal's record;
+     see section 4).
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the server principal.
+   * The ticket's start time plus the maximum lifetime set by the policy of
+     the local realm.
+
+If the requested expiration time minus the start time (as determined above)
+is less than a site-determined minimum lifetime, an error message with code
+KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
+ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
+option was requested, then the 'RENEWABLE' flag is set in the new ticket,
+and the renew-till value is set as if the 'RENEWABLE' option were requested
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+(the field and option names are described fully in section 5.4.1).
+
+If the RENEWABLE option has been requested or if the RENEWABLE-OK option has
+been set and a renewable ticket is to be issued, then the renew-till field
+is set to the minimum of:
+
+   * Its requested value.
+   * The start time of the ticket plus the minimum of the two maximum
+     renewable lifetimes associated with the principals' database entries.
+   * The start time of the ticket plus the maximum renewable lifetime set by
+     the policy of the local realm.
+
+The flags field of the new ticket will have the following options set if
+they have been requested and if the policy of the local realm allows:
+FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
+ticket is post-dated (the start time is in the future), its INVALID flag
+will also be set.
+
+If all of the above succeed, the server formats a KRB_AS_REP message (see
+section 5.4.2), copying the addresses in the request into the caddr of the
+response, placing any required pre-authentication data into the padata of
+the response, and encrypts the ciphertext part in the client's key using the
+requested encryption method, and sends it to the client. See section A.2 for
+pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+Several errors can occur, and the Authentication Server responds by
+returning an error message, KRB_ERROR, to the client, with the error-code
+and e-text fields set to appropriate values. The error message contents and
+details are described in Section 5.9.1.
+
+3.1.5. Receipt of KRB_AS_REP message
+
+If the reply message type is KRB_AS_REP, then the client verifies that the
+cname and crealm fields in the cleartext portion of the reply match what it
+requested. If any padata fields are present, they may be used to derive the
+proper secret key to decrypt the message. The client decrypts the encrypted
+part of the response using its secret key, verifies that the nonce in the
+encrypted part matches the nonce it supplied in its request (to detect
+replays). It also verifies that the sname and srealm in the response match
+those in the request (or are otherwise expected values), and that the host
+address field is also correct. It then stores the ticket, session key, start
+and expiration times, and other information for later use. The
+key-expiration field from the encrypted part of the response may be checked
+to notify the user of impending key expiration (the client program could
+then suggest remedial action, such as a password change). See section A.3
+for pseudocode.
+
+Proper decryption of the KRB_AS_REP message is not sufficient to verify the
+identity of the user; the user and an attacker could cooperate to generate a
+KRB_AS_REP format message which decrypts properly but is not from the proper
+KDC. If the host wishes to verify the identity of the user, it must require
+the user to present application credentials which can be verified using a
+securely-stored secret key for the host. If those credentials can be
+verified, then the identity of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+If the reply message type is KRB_ERROR, then the client interprets it as an
+error and performs whatever application-specific tasks are necessary to
+recover.
+
+3.2. The Client/Server Authentication Exchange
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+The client/server authentication (CS) exchange is used by network
+applications to authenticate the client to the server and vice versa. The
+client must have already acquired credentials for the server using the AS or
+TGS exchange.
+
+3.2.1. The KRB_AP_REQ message
+
+The KRB_AP_REQ contains authentication information which should be part of
+the first message in an authenticated transaction. It contains a ticket, an
+authenticator, and some additional bookkeeping information (see section
+5.5.1 for the exact format). The ticket by itself is insufficient to
+authenticate a client, since tickets are passed across the network in
+cleartext[DS90], so the authenticator is used to prevent invalid replay of
+tickets by proving to the server that the client knows the session key of
+the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message is
+referred to elsewhere as the 'authentication header.'
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+When a client wishes to initiate authentication to a server, it obtains
+(either through a credentials cache, the AS exchange, or the TGS exchange) a
+ticket and session key for the desired service. The client may re-use any
+tickets it holds until they expire. To use a ticket the client constructs a
+new Authenticator from the the system time, its name, and optionally an
+application specific checksum, an initial sequence number to be used in
+KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
+negotiations for a session key unique to this particular session.
+Authenticators may not be re-used and will be rejected if replayed to a
+server[LGDSR87]. If a sequence number is to be included, it should be
+randomly chosen so that even after many messages have been exchanged it is
+not likely to collide with other sequence numbers in use.
+
+The client may indicate a requirement of mutual authentication or the use of
+a session-key based ticket by setting the appropriate flag(s) in the
+ap-options field of the message.
+
+The Authenticator is encrypted in the session key and combined with the
+ticket to form the KRB_AP_REQ message which is then sent to the end server
+along with any additional application-specific information. See section A.9
+for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+Authentication is based on the server's current time of day (clocks must be
+loosely synchronized), the authenticator, and the ticket. Several errors are
+possible. If an error occurs, the server is expected to reply to the client
+with a KRB_ERROR message. This message may be encapsulated in the
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+application protocol if its 'raw' form is not acceptable to the protocol.
+The format of error messages is described in section 5.9.1.
+
+The algorithm for verifying authentication information is as follows. If the
+message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE
+error. If the key version indicated by the Ticket in the KRB_AP_REQ is not
+one the server can use (e.g., it indicates an old key, and the server no
+longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is
+returned. If the USE-SESSION-KEY flag is set in the ap-options field, it
+indicates to the server that the ticket is encrypted in the session key from
+the server's ticket-granting ticket rather than its secret key[10]. Since it
+is possible for the server to be registered in multiple realms, with
+different keys in each, the srealm field in the unencrypted portion of the
+ticket in the KRB_AP_REQ is used to specify which secret key the server
+should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is
+returned if the server doesn't have the proper key to decipher the ticket.
+
+The ticket is decrypted using the version of the server's key specified by
+the ticket. If the decryption routines detect a modification of the ticket
+(each encryption system must provide safeguards to detect modified
+ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
+(chances are good that different keys were used to encrypt and decrypt).
+
+The authenticator is decrypted using the session key extracted from the
+decrypted ticket. If decryption shows it to have been modified, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the client
+from the ticket are compared against the same fields in the authenticator.
+If they don't match, the KRB_AP_ERR_BADMATCH error is returned (they might
+not match, for example, if the wrong session key was used to encrypt the
+authenticator). The addresses in the ticket (if any) are then searched for
+an address matching the operating-system reported address of the client. If
+no match is found or the server insists on ticket addresses but none are
+present in the ticket, the KRB_AP_ERR_BADADDR error is returned.
+
+If the local (server) time and the client time in the authenticator differ
+by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW
+error is returned. If the server name, along with the client name, time and
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The server must
+remember any authenticator presented within the allowable clock skew, so
+that a replay attempt is guaranteed to fail. If a server loses track of any
+authenticator presented within the allowable clock skew, it must reject all
+requests until the clock skew interval has passed. This assures that any
+lost or re-played authenticators will fall outside the allowable clock skew
+and can no longer be successfully replayed (If this is not done, an attacker
+could conceivably record the ticket and authenticator sent over the network
+to a server, then disable the client's host, pose as the disabled host, and
+replay the ticket and authenticator to subvert the authentication.). If a
+sequence number is provided in the authenticator, the server saves it for
+later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is
+present, the server either saves it for later use or uses it to help
+generate its own choice for a subkey to be returned in a KRB_AP_REP message.
+
+The server computes the age of the ticket: local (server) time minus the
+start time inside the Ticket. If the start time is later than the current
+time by more than the allowable clock skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
+current time is later than end time by more than the allowable clock skew,
+the KRB_AP_ERR_TKT_EXPIRED error is returned.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+If all these checks succeed without an error, the server is assured that the
+client possesses the credentials of the principal named in the ticket and
+thus, the client has been authenticated to the server. See section A.10 for
+pseudocode.
+
+Passing these checks provides only authentication of the named principal; it
+does not imply authorization to use the named service. Applications must
+make a separate authorization decisions based upon the authenticated name of
+the user, the requested operation, local acces control information such as
+that contained in a .k5login or .k5users file, and possibly a separate
+distributed authorization service.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+Typically, a client's request will include both the authentication
+information and its initial request in the same message, and the server need
+not explicitly reply to the KRB_AP_REQ. However, if mutual authentication
+(not only authenticating the client to the server, but also the server to
+the client) is being performed, the KRB_AP_REQ message will have
+MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is
+required in response. As with the error message, this message may be
+encapsulated in the application protocol if its "raw" form is not acceptable
+to the application's protocol. The timestamp and microsecond field used in
+the reply must be the client's timestamp and microsecond field (as provided
+in the authenticator)[12]. If a sequence number is to be included, it should
+be randomly chosen as described above for the authenticator. A subkey may be
+included if the server desires to negotiate a different subkey. The
+KRB_AP_REP message is encrypted in the session key extracted from the
+ticket. See section A.11 for pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+If a KRB_AP_REP message is returned, the client uses the session key from
+the credentials obtained for the server[13] to decrypt the message, and
+verifies that the timestamp and microsecond fields match those in the
+Authenticator it sent to the server. If they match, then the client is
+assured that the server is genuine. The sequence number and subkey (if
+present) are retained for later use. See section A.12 for pseudocode.
+
+3.2.6. Using the encryption key
+
+After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server
+share an encryption key which can be used by the application. The 'true
+session key' to be used for KRB_PRIV, KRB_SAFE, or other
+application-specific uses may be chosen by the application based on the
+subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
+the use of this session key will be implicit in the protocol; in others the
+method of use must be chosen from several alternatives. We leave the
+protocol negotiations of how to use the key (e.g. selecting an encryption or
+checksum type) to the application programmer; the Kerberos protocol does not
+constrain the implementation options, but an example of how this might be
+done follows.
+
+One way that an application may choose to negotiate a key to be used for
+subequent integrity and privacy protection is for the client to propose a
+key in the subkey field of the authenticator. The server can then choose a
+key using the proposed key from the client as input, returning the new
+subkey in the subkey field of the application reply. This key could then be
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+used for subsequent communication. To make this example more concrete, if
+the encryption method in use required a 56 bit key, and for whatever reason,
+one of the parties was prevented from using a key with more than 40 unknown
+bits, this method would allow the the party which is prevented from using
+more than 40 bits to either propose (if the client) an initial key with a
+known quantity for 16 of those bits, or to mask 16 of the bits (if the
+server) with the known quantity. The application implementor is warned,
+however, that this is only an example, and that an analysis of the
+particular crytosystem to be used, and the reasons for limiting the key
+length, must be made before deciding whether it is acceptable to mask bits
+of the key.
+
+With both the one-way and mutual authentication exchanges, the peers should
+take care not to send sensitive information to each other without proper
+assurances. In particular, applications that require privacy or integrity
+should use the KRB_AP_REP response from the server to client to assure both
+client and server of their peer's identity. If an application protocol
+requires privacy of its messages, it can use the KRB_PRIV message (section
+3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
+
+3.3. The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+The TGS exchange between a client and the Kerberos Ticket-Granting Server is
+initiated by a client when it wishes to obtain authentication credentials
+for a given server (which might be registered in a remote realm), when it
+wishes to renew or validate an existing ticket, or when it wishes to obtain
+a proxy ticket. In the first case, the client must already have acquired a
+ticket for the Ticket-Granting Service using the AS exchange (the
+ticket-granting ticket is usually obtained when a client initially
+authenticates to the system, such as when a user logs in). The message
+format for the TGS exchange is almost identical to that for the AS exchange.
+The primary difference is that encryption and decryption in the TGS exchange
+does not take place under the client's key. Instead, the session key from
+the ticket-granting ticket or renewable ticket, or sub-session key from an
+Authenticator is used. As is the case for all application servers, expired
+tickets are not accepted by the TGS, so once a renewable or ticket-granting
+ticket expires, the client must use a separate exchange to obtain valid
+tickets.
+
+The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
+client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
+KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
+client plus a request for credentials. The authentication information
+consists of the authentication header (KRB_AP_REQ) which includes the
+client's previously obtained ticket-granting, renewable, or invalid ticket.
+In the ticket-granting ticket and proxy cases, the request may include one
+or more of: a list of network addresses, a collection of typed authorization
+data to be sealed in the ticket for authorization use by the application
+server, or additional tickets (the use of which are described later). The
+TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the
+session key from the ticket-granting ticket or renewable ticket, or if
+present, in the sub-session key from the Authenticator (part of the
+authentication header). The KRB_ERROR message contains an error code and
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+text explaining what went wrong. The KRB_ERROR message is not encrypted. The
+KRB_TGS_REP message contains information which can be used to detect
+replays, and to associate it with the message to which it replies. The
+KRB_ERROR message also contains information which can be used to associate
+it with the message to which it replies, but the lack of encryption in the
+KRB_ERROR message precludes the ability to detect replays or fabrications of
+such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+Before sending a request to the ticket-granting service, the client must
+determine in which realm the application server is registered[15]. If the
+client does not already possess a ticket-granting ticket for the appropriate
+realm, then one must be obtained. This is first attempted by requesting a
+ticket-granting ticket for the destination realm from a Kerberos server for
+which the client does posess a ticket-granting ticket (using the KRB_TGS_REQ
+message recursively). The Kerberos server may return a TGT for the desired
+realm in which case one can proceed. Alternatively, the Kerberos server may
+return a TGT for a realm which is 'closer' to the desired realm (further
+along the standard hierarchical path), in which case this step must be
+repeated with a Kerberos server in the realm specified in the returned TGT.
+If neither are returned, then the request must be retried with a Kerberos
+server for a realm higher in the hierarchy. This request will itself require
+a ticket-granting ticket for the higher realm which must be obtained by
+recursively applying these directions.
+
+Once the client obtains a ticket-granting ticket for the appropriate realm,
+it determines which Kerberos servers serve that realm, and contacts one. The
+list might be obtained through a configuration file or network service or it
+may be generated from the name of the realm; as long as the secret keys
+exchanged by realms are kept secret, only denial of service results from
+using a false Kerberos server.
+
+As in the AS exchange, the client may specify a number of options in the
+KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
+an authentication header as an element of the padata field, and including
+the same fields as used in the KRB_AS_REQ message along with several
+optional fields: the enc-authorization-data field for application server use
+and additional tickets required by some options.
+
+In preparing the authentication header, the client can select a sub-session
+key under which the response from the Kerberos server will be encrypted[16].
+If the sub-session key is not specified, the session key from the
+ticket-granting ticket will be used. If the enc-authorization-data is
+present, it must be encrypted in the sub-session key, if present, from the
+authenticator portion of the authentication header, or if not present, using
+the session key from the ticket-granting ticket.
+
+Once prepared, the message is sent to a Kerberos server for the destination
+realm. See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
+message, but there are many additional checks to be performed. First, the
+Kerberos server must determine which server the accompanying ticket is for
+and it must select the appropriate key to decrypt it. For a normal
+KRB_TGS_REQ message, it will be for the ticket granting service, and the
+TGS's key will be used. If the TGT was issued by another realm, then the
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+appropriate inter-realm key must be used. If the accompanying ticket is not
+a ticket granting ticket for the current realm, but is for an application
+server in the current realm, the RENEW, VALIDATE, or PROXY options are
+specified in the request, and the server for which a ticket is requested is
+the server named in the accompanying ticket, then the KDC will decrypt the
+ticket in the authentication header using the key of the server for which it
+was issued. If no ticket can be found in the padata field, the
+KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+Once the accompanying ticket has been decrypted, the user-supplied checksum
+in the Authenticator must be verified against the contents of the request,
+and the message rejected if the checksums do not match (with an error code
+of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
+collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
+checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
+returned. If the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+If any of the decryptions indicate failed integrity checks, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+3.3.3. Generation of KRB_TGS_REP message
+
+The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP),
+but with its type field set to KRB_TGS_REP. The detailed specification is in
+section 5.4.2.
+
+The response will include a ticket for the requested server. The Kerberos
+database is queried to retrieve the record for the requested server
+(including the key with which the ticket will be encrypted). If the request
+is for a ticket granting ticket for a remote realm, and if no key is shared
+with the requested realm, then the Kerberos server will select the realm
+"closest" to the requested realm with which it does share a key, and use
+that realm instead. This is the only case where the response from the KDC
+will be for a different server than that requested by the client.
+
+By default, the address field, the client's name and realm, the list of
+transited realms, the time of initial authentication, the expiration time,
+and the authorization data of the newly-issued ticket will be copied from
+the ticket-granting ticket (TGT) or renewable ticket. If the transited field
+needs to be updated, but the transited type is not supported, the
+KDC_ERR_TRTYPE_NOSUPP error is returned.
+
+If the request specifies an endtime, then the endtime of the new ticket is
+set to the minimum of (a) that request, (b) the endtime from the TGT, and
+(c) the starttime of the TGT plus the minimum of the maximum life for the
+application server and the maximum life for the local realm (the maximum
+life for the requesting principal was already applied when the TGT was
+issued). If the new ticket is to be a renewal, then the endtime above is
+replaced by the minimum of (a) the value of the renew_till field of the
+ticket and (b) the starttime for the new ticket plus the life
+(endtime-starttime) of the old ticket.
+
+If the FORWARDED option has been requested, then the resulting ticket will
+contain the addresses specified by the client. This option will only be
+honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
+similar; the resulting ticket will contain the addresses specified by the
+client. It will be honored only if the PROXIABLE flag in the TGT is set. The
+PROXY option will not be honored on requests for additional ticket-granting
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+tickets.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified or the MAY-POSTDATE flag is not set in the TGT, then the
+error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting
+ticket has the MAY-POSTDATE flag set, then the resulting ticket will be
+postdated and the requested starttime is checked against the policy of the
+local realm. If acceptable, the ticket's start time is set as requested, and
+the INVALID flag is set. The postdated ticket must be validated before use
+by presenting it to the KDC after the starttime has been reached. However,
+in no case may the starttime, endtime, or renew-till time of a newly-issued
+postdated ticket extend beyond the renew-till time of the ticket-granting
+ticket.
+
+If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
+has been included in the request, the KDC will decrypt the additional ticket
+using the key for the server to which the additional ticket was issued and
+verify that it is a ticket-granting ticket. If the name of the requested
+server is missing from the request, the name of the client in the additional
+ticket will be used. Otherwise the name of the requested server will be
+compared to the name of the client in the additional ticket and if
+different, the request will be rejected. If the request succeeds, the
+session key from the additional ticket will be used to encrypt the new
+ticket that is issued instead of using the key of the server for which the
+new ticket will be used[17].
+
+If the name of the server in the ticket that is presented to the KDC as part
+of the authentication header is not that of the ticket-granting server
+itself, the server is registered in the realm of the KDC, and the RENEW
+option is requested, then the KDC will verify that the RENEWABLE flag is set
+in the ticket, that the INVALID flag is not set in the ticket, and that the
+renew_till time is still in the future. If the VALIDATE option is rqeuested,
+the KDC will check that the starttime has passed and the INVALID flag is
+set. If the PROXY option is requested, then the KDC will check that the
+PROXIABLE flag is set in the ticket. If the tests succeed, and the ticket
+passes the hotlist check described in the next paragraph, the KDC will issue
+the appropriate new ticket.
+
+3.3.3.1. Checking for revoked tickets
+
+Whenever a request is made to the ticket-granting server, the presented
+ticket(s) is(are) checked against a hot-list of tickets which have been
+canceled. This hot-list might be implemented by storing a range of issue
+timestamps for 'suspect tickets'; if a presented ticket had an authtime in
+that range, it would be rejected. In this way, a stolen ticket-granting
+ticket or renewable ticket cannot be used to gain additional tickets
+(renewals or otherwise) once the theft has been reported. Any normal ticket
+obtained before it was reported stolen will still be valid (because they
+require no interaction with the KDC), but only until their normal expiration
+time.
+
+The ciphertext part of the response in the KRB_TGS_REP message is encrypted
+in the sub-session key from the Authenticator, if present, or the session
+key key from the ticket-granting ticket. It is not encrypted using the
+client's secret key. Furthermore, the client's key's expiration date and the
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+key version number fields are left out since these values are stored along
+with the client's database record, and that record is not needed to satisfy
+a request based on a ticket-granting ticket. See section A.6 for pseudocode.
+
+3.3.3.2. Encoding the transited field
+
+If the identity of the server in the TGT that is presented to the KDC as
+part of the authentication header is that of the ticket-granting service,
+but the TGT was issued from another realm, the KDC will look up the
+inter-realm key shared with that realm and use that key to decrypt the
+ticket. If the ticket is valid, then the KDC will honor the request, subject
+to the constraints outlined above in the section describing the AS exchange.
+The realm part of the client's identity will be taken from the
+ticket-granting ticket. The name of the realm that issued the
+ticket-granting ticket will be added to the transited field of the ticket to
+be issued. This is accomplished by reading the transited field from the
+ticket-granting ticket (which is treated as an unordered set of realm
+names), adding the new realm to the set, then constructing and writing out
+its encoded (shorthand) form (this may involve a rearrangement of the
+existing encoding).
+
+Note that the ticket-granting service does not add the name of its own
+realm. Instead, its responsibility is to add the name of the previous realm.
+This prevents a malicious Kerberos server from intentionally leaving out its
+own name (it could, however, omit other realms' names).
+
+The names of neither the local realm nor the principal's realm are to be
+included in the transited field. They appear elsewhere in the ticket and
+both are known to have taken part in authenticating the principal. Since the
+endpoints are not included, both local and single-hop inter-realm
+authentication result in a transited field that is empty.
+
+Because the name of each realm transited is added to this field, it might
+potentially be very long. To decrease the length of this field, its contents
+are encoded. The initially supported encoding is optimized for the normal
+case of inter-realm communication: a hierarchical arrangement of realms
+using either domain or X.500 style realm names. This encoding (called
+DOMAIN-X500-COMPRESS) is now described.
+
+Realm names in the transited field are separated by a ",". The ",", "\",
+trailing "."s, and leading spaces (" ") are special characters, and if they
+are part of a realm name, they must be quoted in the transited field by
+preced- ing them with a "\".
+
+A realm name ending with a "." is interpreted as being prepended to the
+previous realm. For example, we can encode traversal of EDU, MIT.EDU,
+ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that they
+would not be included in this field, and we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is interpreted as being appended to the
+previous realm[18]. If it is to stand by itself, then it should be preceded
+by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
+/COM/HP, /COM, and /COM/DEC as:
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+
+Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
+they would not be included in this field, and we would have:
+
+     "/COM,/HP"
+
+A null subfield preceding or following a "," indicates that all realms
+between the previous realm and the next realm have been traversed[19]. Thus,
+"," means that all realms along the path between the client and the server
+have been traversed. ",EDU, /COM," means that that all realms from the
+client's realm up to EDU (in a domain style hierarchy) have been traversed,
+and that everything from /COM down to the server's realm in an X.500 style
+has also been traversed. This could occur if the EDU realm in one hierarchy
+shares an inter-realm key directly with the /COM realm in another hierarchy.
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it is processed in the same
+manner as the KRB_AS_REP processing described above. The primary difference
+is that the ciphertext part of the response must be decrypted using the
+session key from the ticket-granting ticket rather than the client's secret
+key. See section A.7 for pseudocode.
+
+3.4. The KRB_SAFE Exchange
+
+The KRB_SAFE message may be used by clients requiring the ability to detect
+modifications of messages they exchange. It achieves this by including a
+keyed collision-proof checksum of the user data and some control
+information. The checksum is keyed with an encryption key (usually the last
+key negotiated via subkeys, or the session key if no negotiation has
+occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+When an application wishes to send a KRB_SAFE message, it collects its data
+and the appropriate control information and computes a checksum over them.
+The checksum algorithm should be a keyed one-way hash function (such as the
+RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES MAC),
+generated using the sub-session key if present, or the session key.
+Different algorithms may be selected by changing the checksum type in the
+message. Unkeyed or non-collision-proof checksums are not suitable for this
+use.
+
+The control information for the KRB_SAFE message includes both a timestamp
+and a sequence number. The designer of an application using the KRB_SAFE
+message must choose at least one of the two mechanisms. This choice should
+be based on the needs of the application protocol.
+
+Sequence numbers are useful when all messages sent will be received by one's
+peer. Connection state is presently required to maintain the session key, so
+maintaining the next sequence number should not present an additional
+problem.
+
+If the application protocol is expected to tolerate lost messages without
+them being resent, the use of the timestamp is the appropriate replay
+detection mechanism. Using timestamps is also the appropriate mechanism for
+multi-cast protocols where all of one's peers share a common sub-session
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+key, but some messages will be sent to a subset of one's peers.
+
+After computing the checksum, the client then transmits the information and
+checksum to the recipient in the message format specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_SAFE, respectively. A mismatch
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application verifies that the checksum used is a collision-proof keyed
+checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. If
+the sender's address was included in the control information, the recipient
+verifies that the operating system's report of the sender's address matches
+the sender's address in the message, and (if a recipient address is
+specified or the recipient requires an address) that one of the recipient's
+addresses appears as the recipient's address in the message. A failed match
+for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
+usec and/or the sequence number fields are checked. If timestamp and usec
+are expected and not present, or they are present but not current, the
+KRB_AP_ERR_SKEW error is generated. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen (sent or received[20] ) such tuples, the KRB_AP_ERR_REPEAT
+error is generated. If an incorrect sequence number is included, or a
+sequence number is expected but not present, the KRB_AP_ERR_BADORDER error
+is generated. If neither a time-stamp and usec or a sequence number is
+present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is
+computed over the data and control information, and if it doesn't match the
+received checksum, a KRB_AP_ERR_MODIFIED error is generated.
+
+If all the checks succeed, the application is assured that the message was
+generated by its peer and was not modi- fied in transit.
+
+3.5. The KRB_PRIV Exchange
+
+The KRB_PRIV message may be used by clients requiring confidentiality and
+the ability to detect modifications of exchanged messages. It achieves this
+by encrypting the messages and adding control information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+When an application wishes to send a KRB_PRIV message, it collects its data
+and the appropriate control information (specified in section 5.7.1) and
+encrypts them under an encryption key (usually the last key negotiated via
+subkeys, or the session key if no negotiation has occured). As part of the
+control information, the client must choose to use either a timestamp or a
+sequence number (or both); see the discussion in section 3.4.1 for
+guidelines on which to use. After the user data and control information are
+encrypted, the client transmits the ciphertext and some 'envelope'
+information to the recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_PRIV, respectively. A mismatch
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application then decrypts the ciphertext and processes the resultant
+plaintext. If decryption shows the data to have been modified, a
+KRB_AP_ERR_BAD_INTEGRITY error is generated. If the sender's address was
+included in the control information, the recipient verifies that the
+operating system's report of the sender's address matches the sender's
+address in the message, and (if a recipient address is specified or the
+recipient requires an address) that one of the recipient's addresses appears
+as the recipient's address in the message. A failed match for either case
+generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the
+sequence number fields are checked. If timestamp and usec are expected and
+not present, or they are present but not current, the KRB_AP_ERR_SKEW error
+is generated. If the server name, along with the client name, time and
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence
+number is included, or a sequence number is expected but not present, the
+KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
+a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
+
+If all the checks succeed, the application can assume the message was
+generated by its peer, and was securely transmitted (without intruders able
+to see the unencrypted contents).
+
+3.6. The KRB_CRED Exchange
+
+The KRB_CRED message may be used by clients requiring the ability to send
+Kerberos credentials from one host to another. It achieves this by sending
+the tickets together with encrypted data containing the session keys and
+other information associated with the tickets.
+
+3.6.1. Generation of a KRB_CRED message
+
+When an application wishes to send a KRB_CRED message it first (using the
+KRB_TGS exchange) obtains credentials to be sent to the remote host. It then
+constructs a KRB_CRED message using the ticket or tickets so obtained,
+placing the session key needed to use each ticket in the key field of the
+corresponding KrbCredInfo sequence of the encrypted part of the the KRB_CRED
+message.
+
+Other information associated with each ticket and obtained during the
+KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence in
+the encrypted part of the KRB_CRED message. The current time and, if
+specifically required by the application the nonce, s-address, and r-address
+fields, are placed in the encrypted part of the KRB_CRED message which is
+then encrypted under an encryption key previosuly exchanged in the KRB_AP
+exchange (usually the last key negotiated via subkeys, or the session key if
+no negotiation has occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies it. If any
+error occurs, an error code is reported for use by the application. The
+message is verified by checking that the protocol version and type fields
+match the current version and KRB_CRED, respectively. A mismatch generates a
+KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
+decrypts the ciphertext and processes the resultant plaintext. If decryption
+shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+generated.
+
+If present or required, the recipient verifies that the operating system's
+report of the sender's address matches the sender's address in the message,
+and that one of the recipient's addresses appears as the recipient's address
+in the message. A failed match for either case generates a
+KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce field
+if required) are checked next. If the timestamp and usec are not present, or
+they are present but not current, the KRB_AP_ERR_SKEW error is generated.
+
+If all the checks succeed, the application stores each of the new tickets in
+its ticket cache together with the session key and other information in the
+corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED
+message.
+
+4. The Kerberos Database
+
+The Kerberos server must have access to a database containing the principal
+identifiers and secret keys of principals to be authenticated[21].
+
+4.1. Database contents
+
+A database entry should contain at least the following fields:
+
+Field                Value
+
+name                 Principal's identifier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier. The key field
+contains an encryption key. This key is the principal's secret key. (The key
+can be encrypted before storage under a Kerberos "master key" to protect it
+in case the database is compromised but the master key is not. In that case,
+an extra field must be added to indicate the master key version used, see
+below.) The p_kvno field is the key version number of the principal's secret
+key. The max_life field contains the maximum allowable lifetime (endtime -
+starttime) for any Ticket issued for this principal. The max_renewable_life
+field contains the maximum allowable total lifetime for any renewable Ticket
+issued for this principal. (See section 3.1 for a description of how these
+lifetimes are used in determining the lifetime of a given Ticket.)
+
+A server may provide KDC service to several realms, as long as the database
+representation provides a mechanism to distinguish between principal records
+with identifiers which differ only in the realm name.
+
+When an application server's key changes, if the change is routine (i.e. not
+the result of disclosure of the old key), the old key should be retained by
+the server until all tickets that had been issued using that key have
+expired. Because of this, it is possible for several keys to be active for a
+single principal. Ciphertext encrypted in a principal's key is always tagged
+with the version of the key that was used for encryption, to help the
+recipient find the proper key for decryption.
+
+When more than one key is active for a particular principal, the principal
+will have more than one record in the Kerberos database. The keys and key
+version numbers will differ between the records (the rest of the fields may
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+or may not be the same). Whenever Kerberos issues a ticket, or responds to a
+request for initial authentication, the most recent key (known by the
+Kerberos server) will be used for encryption. This is the key with the
+highest key version number.
+
+4.2. Additional fields
+
+Project Athena's KDC implementation uses additional fields in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+mod_name     Modifying principal's identifier
+
+The K_kvno field indicates the key version of the Kerberos master key under
+which the principal's secret key is encrypted.
+
+After an entry's expiration date has passed, the KDC will return an error to
+any client attempting to gain tickets as or for the principal. (A database
+may want to maintain two expiration dates: one for the principal, and one
+for the principal's current key. This allows password aging to work
+independently of the principal's expiration date. However, due to the
+limited space in the responses, the KDC must combine the key expiration and
+principal expiration date into a single value called 'key_exp', which is
+used as a hint to the user to take administrative action.)
+
+The attributes field is a bitfield used to govern the operations involving
+the principal. This field might be useful in conjunction with user
+registration procedures, for site-specific policy implementations (Project
+Athena currently uses it for their user registration process controlled by
+the system-wide database service, Moira [LGDSR87]), to identify whether a
+principal can play the role of a client or server or both, to note whether a
+server is appropriate trusted to recieve credentials delegated by a client,
+or to identify the 'string to key' conversion algorithm used for a
+principal's key[22]. Other bits are used to indicate that certain ticket
+options should not be allowed in tickets encrypted under a principal's key
+(one bit each): Disallow issuing postdated tickets, disallow issuing
+forwardable tickets, disallow issuing tickets based on TGT authentication,
+disallow issuing renewable tickets, disallow issuing proxiable tickets, and
+disallow issuing tickets for which the principal is the server.
+
+The mod_date field contains the time of last modification of the entry, and
+the mod_name field contains the name of the principal which last modified
+the entry.
+
+4.3. Frequently Changing Fields
+
+Some KDC implementations may wish to maintain the last time that a request
+was made by a particular principal. Information that might be maintained
+includes the time of the last request, the time of the last request for a
+ticket-granting ticket, the time of the last use of a ticket-granting
+ticket, or other times. This information can then be returned to the user in
+the last-req field (see section 5.2).
+
+Other frequently changing information that can be maintained is the latest
+expiration time for any tickets that have been issued using each key. This
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+field would be used to indicate how long old keys must remain valid to allow
+the continued use of outstanding tickets.
+
+4.4. Site Constants
+
+The KDC implementation should have the following configurable constants or
+options, to allow an administrator to make and enforce policy decisions:
+
+   * The minimum supported lifetime (used to determine whether the
+     KDC_ERR_NEVER_VALID error should be returned). This constant should
+     reflect reasonable expectations of round-trip time to the KDC,
+     encryption/decryption time, and processing time by the client and
+     target server, and it should allow for a minimum 'useful' lifetime.
+   * The maximum allowable total (renewable) lifetime of a ticket
+     (renew_till - starttime).
+   * The maximum allowable lifetime of a ticket (endtime - starttime).
+   * Whether to allow the issue of tickets with empty address fields
+     (including the ability to specify that such tickets may only be issued
+     if the request specifies some authorization_data).
+   * Whether proxiable, forwardable, renewable or post-datable tickets are
+     to be issued.
+
+5. Message Specifications
+
+The following sections describe the exact contents and encoding of protocol
+messages and objects. The ASN.1 base definitions are presented in the first
+subsection. The remaining subsections specify the protocol objects (tickets
+and authenticators) and messages. Specification of encryption and checksum
+techniques, and the fields related to them, appear in section 6.
+
+Optional field in ASN.1 sequences
+
+For optional integer value and date fields in ASN.1 sequences where a
+default value has been specified, certain default values will not be allowed
+in the encoding because these values will always be represented through
+defaulting by the absence of the optional field. For example, one will not
+send a microsecond zero value because one must make sure that there is only
+one way to encode this value.
+
+Additional fields in ASN.1 sequences
+
+Implementations receiving Kerberos messages with additional fields present
+in ASN.1 sequences should carry the those fields through, unmodified, when
+the message is forwarded. Implementations should not drop such fields if the
+sequence is reencoded.
+
+5.1. ASN.1 Distinguished Encoding Representation
+
+All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+Representation of the data elements as described in the X.509 specification,
+section 8.7 [X509-88].
+
+5.3. ASN.1 Base Definitions
+
+The following ASN.1 base definitions are used in the rest of this section.
+Note that since the underscore character (_) is not permitted in ASN.1
+names, the hyphen (-) is used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+Kerberos realms are encoded as GeneralStrings. Realms shall not contain a
+character with the code 0 (the ASCII NUL). Most realms will usually consist
+of several components separated by periods (.), in the style of Internet
+Domain Names, or separated by slashes (/) in the style of X.500 names.
+Acceptable forms for realm names are specified in section 7. A PrincipalName
+is a typed sequence of components consisting of the following sub-fields:
+
+name-type
+     This field specifies the type of name that follows. Pre-defined values
+     for this field are specified in section 7.2. The name-type should be
+     treated as a hint. Ignoring the name type, no two names can be the same
+     (i.e. at least one of the components, or the realm, must be different).
+     This constraint may be eliminated in the future.
+name-string
+     This field encodes a sequence of components that form a name, each
+     component encoded as a GeneralString. Taken together, a PrincipalName
+     and a Realm form a principal identifier. Most PrincipalNames will have
+     only a few components (typically one or two).
+
+KerberosTime ::=   GeneralizedTime
+                   -- Specifying UTC time zone (Z)
+
+The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding
+shall specify the UTC time zone (Z) and shall not include any fractional
+portions of the seconds. It further shall not include any separators.
+Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm
+on 6 November 1985 is 19851106210627Z.
+
+HostAddress ::=     SEQUENCE  {
+                    addr-type[0]             INTEGER,
+                    address[1]               OCTET STRING
+}
+
+HostAddresses ::=   SEQUENCE OF HostAddress
+
+The host adddress encodings consists of two fields:
+
+addr-type
+     This field specifies the type of address that follows. Pre-defined
+     values for this field are specified in section 8.1.
+address
+     This field encodes a single address of type addr-type.
+
+The two forms differ slightly. HostAddress contains exactly one address;
+HostAddresses contains a sequence of possibly many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+ad-data
+     This field contains authorization data to be interpreted according to
+     the value of the corresponding ad-type field.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+ad-type
+     This field specifies the format for the ad-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+Each sequence of type and data is refered to as an authorization element.
+Elements may be application specific, however, there is a common set of
+recursive elements that should be understood by all implementations. These
+elements contain other elements embedded within them, and the interpretation
+of the encapsulating element determines which of the embedded elements must
+be interpreted, and which may be ignored. Definitions for these common
+elements may be found in Appendix B.
+
+TicketExtensions ::= SEQUENCE OF SEQUENCE {
+           te-type[0]       INTEGER,
+           te-data[1]       OCTET STRING
+}
+
+
+
+te-data
+     This field contains opaque data that must be caried with the ticket to
+     support extensions to the Kerberos protocol including but not limited
+     to some forms of inter-realm key exchange and plaintext authorization
+     data. See appendix C for some common uses of this field.
+te-type
+     This field specifies the format for the te-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+APOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- use-session-key(1),
+                  -- mutual-required(2)
+
+TicketFlags ::= BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- may-postdate(5),
+                  -- postdated(6),
+                  -- invalid(7),
+                  -- renewable(8),
+                  -- initial(9),
+                  -- pre-authent(10),
+                  -- hw-authent(11),
+                  -- transited-policy-checked(12),
+                  -- ok-as-delegate(13)
+
+KDCOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- allow-postdate(5),
+                  -- postdated(6),
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                  -- unused7(7),
+                  -- renewable(8),
+                  -- unused9(9),
+                  -- unused10(10),
+                  -- unused11(11),
+                  -- unused12(12),
+                  -- unused13(13),
+                  -- disable-transited-check(26),
+                  -- renewable-ok(27),
+                  -- enc-tkt-in-skey(28),
+                  -- renew(30),
+                  -- validate(31)
+
+ASN.1 Bit strings have a length and a value. When used in Kerberos for the
+APOptions, TicketFlags, and KDCOptions, the length of the bit string on
+generated values should be the smallest number of bits needed to include the
+highest order bit that is set (1), but in no case less than 32 bits. The
+ASN.1 representation of the bit strings uses unnamed bits, with the meaning
+of the individual bits defined by the comments in the specification above.
+Implementations should accept values of bit strings of any length and treat
+the value of flags corresponding to bits beyond the end of the bit string as
+if the bit were reset (0). Comparison of bit strings of different length
+should treat the smaller string as if it were padded with zeros beyond the
+high order bits to the length of the longer string[23].
+
+LastReq ::=   SEQUENCE OF SEQUENCE {
+               lr-type[0]               INTEGER,
+               lr-value[1]              KerberosTime
+}
+
+lr-type
+     This field indicates how the following lr-value field is to be
+     interpreted. Negative values indicate that the information pertains
+     only to the responding server. Non-negative values pertain to all
+     servers for the realm. If the lr-type field is zero (0), then no
+     information is conveyed by the lr-value subfield. If the absolute value
+     of the lr-type field is one (1), then the lr-value subfield is the time
+     of last initial request for a TGT. If it is two (2), then the lr-value
+     subfield is the time of last initial request. If it is three (3), then
+     the lr-value subfield is the time of issue for the newest
+     ticket-granting ticket used. If it is four (4), then the lr-value
+     subfield is the time of the last renewal. If it is five (5), then the
+     lr-value subfield is the time of last request (of any type). If it is
+     (6), then the lr-value subfield is the time when the password will
+     expire.
+lr-value
+     This field contains the time of the last request. the time must be
+     interpreted according to the contents of the accompanying lr-type
+     subfield.
+
+See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
+EncryptionKey, EncryptionType, and KeyType.
+
+5.3. Tickets and Authenticators
+
+This section describes the format and encryption parameters for tickets and
+authenticators. When a ticket or authenticator is included in a protocol
+message it is treated as an opaque object.
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+5.3.1. Tickets
+
+A ticket is a record that helps a client authenticate to a service. A Ticket
+contains the following information:
+
+Ticket ::=        [APPLICATION 1] SEQUENCE {
+                  tkt-vno[0]                   INTEGER,
+                  realm[1]                     Realm,
+                  sname[2]                     PrincipalName,
+                  enc-part[3]                  EncryptedData,
+                  extensions[4]                TicketExtensions OPTIONAL
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared by Kerberos and
+the end server (the server's secret key). See section 6 for the format of
+the ciphertext.
+
+tkt-vno
+     This field specifies the version number for the ticket format. This
+     document describes version number 5.
+realm
+     This field specifies the realm that issued a ticket. It also serves to
+     identify the realm part of the server's principal identifier. Since a
+     Kerberos server can only issue tickets for servers within its realm,
+     the two will always be identical.
+sname
+     This field specifies all components of the name part of the server's
+     identity, including those parts that identify a specific instance of a
+     service.
+enc-part
+     This field holds the encrypted encoding of the EncTicketPart sequence.
+extensions
+     This optional field contains a sequence of extentions that may be used
+     to carry information that must be carried with the ticket to support
+     several extensions, including but not limited to plaintext
+     authorization data, tokens for exchanging inter-realm keys, and other
+     information that must be associated with a ticket for use by the
+     application server. See Appendix C for definitions of some common
+     extensions.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+     Note that some older versions of Kerberos did not support this field.
+     Because this is an optional field it will not break older clients, but
+     older clients might strip this field from the ticket before sending it
+     to the application server. This limits the usefulness of this ticket
+     field to environments where the ticket will not be parsed and
+     reconstructed by these older Kerberos clients.
+
+     If it is known that the client will strip this field from the ticket,
+     as an interim measure the KDC may append this field to the end of the
+     enc-part of the ticket and append a traler indicating the lenght of the
+     appended extensions field. (this paragraph is open for discussion,
+     including the form of the traler).
+flags
+     This field indicates which of various options were used or requested
+     when the ticket was issued. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). Bit 0 is the most
+     significant bit. The encoding of the bits is specified in section 5.2.
+     The flags are described in more detail above in section 2. The meanings
+     of the flags are:
+
+          Bit(s)      Name         Description
+
+          0           RESERVED
+                                   Reserved for future  expansion  of  this
+                                   field.
+
+          1           FORWARDABLE
+                                   The FORWARDABLE flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  When set,  this
+                                   flag  tells  the  ticket-granting server
+                                   that it is OK to  issue  a  new  ticket-
+                                   granting ticket with a different network
+                                   address based on the presented ticket.
+
+          2           FORWARDED
+                                   When set, this flag indicates  that  the
+                                   ticket  has either been forwarded or was
+                                   issued based on authentication involving
+                                   a forwarded ticket-granting ticket.
+
+          3           PROXIABLE
+                                   The  PROXIABLE  flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.   The  PROXIABLE
+                                   flag  has an interpretation identical to
+                                   that of  the  FORWARDABLE  flag,  except
+                                   that   the   PROXIABLE  flag  tells  the
+                                   ticket-granting server  that  only  non-
+                                   ticket-granting  tickets  may  be issued
+                                   with different network addresses.
+
+          4           PROXY
+                                   When set, this  flag  indicates  that  a
+                                   ticket is a proxy.
+
+          5           MAY-POSTDATE
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                   The MAY-POSTDATE flag is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  This flag tells
+                                   the  ticket-granting server that a post-
+                                   dated ticket may be issued based on this
+                                   ticket-granting ticket.
+
+          6           POSTDATED
+                                   This flag indicates that this ticket has
+                                   been  postdated.   The  end-service  can
+                                   check the authtime field to see when the
+                                   original authentication occurred.
+
+          7           INVALID
+                                   This flag indicates  that  a  ticket  is
+                                   invalid, and it must be validated by the
+                                   KDC  before  use.   Application  servers
+                                   must reject tickets which have this flag
+                                   set.
+
+          8           RENEWABLE
+                                   The  RENEWABLE  flag  is  normally  only
+                                   interpreted  by the TGS, and can usually
+                                   be ignored by end servers (some particu-
+                                   larly careful servers may wish to disal-
+                                   low  renewable  tickets).   A  renewable
+                                   ticket  can be used to obtain a replace-
+                                   ment ticket  that  expires  at  a  later
+                                   date.
+
+          9           INITIAL
+                                   This flag indicates that this ticket was
+                                   issued  using  the  AS protocol, and not
+                                   issued  based   on   a   ticket-granting
+                                   ticket.
+
+          10          PRE-AUTHENT
+                                   This flag indicates that during  initial
+                                   authentication, the client was authenti-
+                                   cated by the KDC  before  a  ticket  was
+                                   issued.    The   strength  of  the  pre-
+                                   authentication method is not  indicated,
+                                   but is acceptable to the KDC.
+
+          11          HW-AUTHENT
+                                   This flag indicates  that  the  protocol
+                                   employed   for   initial  authentication
+                                   required the use of hardware expected to
+                                   be possessed solely by the named client.
+                                   The hardware  authentication  method  is
+                                   selected  by the KDC and the strength of
+                                   the method is not indicated.
+
+          12           TRANSITED   This flag indicates that the KDC for the
+                  POLICY-CHECKED   realm has checked the transited field
+                                   against a realm defined policy for
+                                   trusted certifiers.  If this flag is
+                                   reset (0), then the application server
+                                   must check the transited field itself,
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                   and if unable to do so it must reject
+                                   the authentication.  If the flag is set
+                                   (1) then the application server may skip
+                                   its own validation of the transited
+                                   field, relying on the validation
+                                   performed by the KDC.  At its option the
+                                   application server may still apply its
+                                   own validation based on a separate
+                                   policy for acceptance.
+
+          13      OK-AS-DELEGATE   This flag indicates that the server (not
+                                   the client) specified in the ticket has
+                                   been determined by policy of the realm
+                                   to be a suitable recipient of
+                                   delegation.  A client can use the
+                                   presence of this flag to help it make a
+                                   decision whether to delegate credentials
+                                   (either grant a proxy or a forwarded
+                                   ticket granting ticket) to this server.
+                                   The client is free to ignore the value
+                                   of this flag.  When setting this flag,
+                                   an administrator should consider the
+                                   Security and placement of the server on
+                                   which the service will run, as well as
+                                   whether the service requires the use of
+                                   delegated credentials.
+
+          14          ANONYMOUS
+                                   This flag indicates that  the  principal
+                                   named in the ticket is a generic princi-
+                                   pal for the realm and does not  identify
+                                   the  individual  using  the ticket.  The
+                                   purpose  of  the  ticket  is   only   to
+                                   securely  distribute  a session key, and
+                                   not to identify  the  user.   Subsequent
+                                   requests  using the same ticket and ses-
+                                   sion may be  considered  as  originating
+                                   from  the  same  user, but requests with
+                                   the same username but a different ticket
+                                   are  likely  to originate from different
+                                   users.
+
+          15-31       RESERVED
+                                   Reserved for future use.
+
+key
+     This field exists in the ticket and the KDC response and is used to
+     pass the session key from Kerberos to the application server and the
+     client. The field's encoding is described in section 6.2.
+crealm
+     This field contains the name of the realm in which the client is
+     registered and in which initial authentication took place.
+cname
+     This field contains the name part of the client's principal identifier.
+transited
+     This field lists the names of the Kerberos realms that took part in
+     authenticating the user to whom this ticket was issued. It does not
+     specify the order in which the realms were transited. See section
+     3.3.3.2 for details on how this field encodes the traversed realms.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     When the names of CA's are to be embedded inthe transited field (as
+     specified for some extentions to the protocol), the X.500 names of the
+     CA's should be mapped into items in the transited field using the
+     mapping defined by RFC2253.
+authtime
+     This field indicates the time of initial authentication for the named
+     principal. It is the time of issue for the original ticket on which
+     this ticket is based. It is included in the ticket to provide
+     additional information to the end service, and to provide the necessary
+     information for implementation of a `hot list' service at the KDC. An
+     end service that is particularly paranoid could refuse to accept
+     tickets for which the initial authentication occurred "too far" in the
+     past. This field is also returned as part of the response from the KDC.
+     When returned as part of the response to initial authentication
+     (KRB_AS_REP), this is the current time on the Kerberos server[24].
+starttime
+     This field in the ticket specifies the time after which the ticket is
+     valid. Together with endtime, this field specifies the life of the
+     ticket. If it is absent from the ticket, its value should be treated as
+     that of the authtime field.
+endtime
+     This field contains the time after which the ticket will not be honored
+     (its expiration time). Note that individual services may place their
+     own limits on the life of a ticket and may reject tickets which have
+     not yet expired. As such, this is really an upper bound on the
+     expiration time for the ticket.
+renew-till
+     This field is only present in tickets that have the RENEWABLE flag set
+     in the flags field. It indicates the maximum endtime that may be
+     included in a renewal. It can be thought of as the absolute expiration
+     time for the ticket, including all renewals.
+caddr
+     This field in a ticket contains zero (if omitted) or more (if present)
+     host addresses. These are the addresses from which the ticket can be
+     used. If there are no addresses, the ticket can be used from any
+     location. The decision by the KDC to issue or by the end server to
+     accept zero-address tickets is a policy decision and is left to the
+     Kerberos and end-service administrators; they may refuse to issue or
+     accept such tickets. The suggested and default policy, however, is that
+     such tickets will only be issued or accepted when additional
+     information that can be used to restrict the use of the ticket is
+     included in the authorization_data field. Such a ticket is a
+     capability.
+
+     Network addresses are included in the ticket to make it harder for an
+     attacker to use stolen credentials. Because the session key is not sent
+     over the network in cleartext, credentials can't be stolen simply by
+     listening to the network; an attacker has to gain access to the session
+     key (perhaps through operating system security breaches or a careless
+     user's unattended session) to make use of stolen tickets.
+
+     It is important to note that the network address from which a
+     connection is received cannot be reliably determined. Even if it could
+     be, an attacker who has compromised the client's workstation could use
+     the credentials from there. Including the network addresses only makes
+     it more difficult, not impossible, for an attacker to walk off with
+     stolen credentials and then use them from a "safe" location.
+authorization-data
+     The authorization-data field is used to pass authorization data from
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     the principal on whose behalf a ticket was issued to the application
+     service. If no authorization data is included, this field will be left
+     out. Experience has shown that the name of this field is confusing, and
+     that a better name for this field would be restrictions. Unfortunately,
+     it is not possible to change the name of this field at this time.
+
+     This field contains restrictions on any authority obtained on the basis
+     of authentication using the ticket. It is possible for any principal in
+     posession of credentials to add entries to the authorization data field
+     since these entries further restrict what can be done with the ticket.
+     Such additions can be made by specifying the additional entries when a
+     new ticket is obtained during the TGS exchange, or they may be added
+     during chained delegation using the authorization data field of the
+     authenticator.
+
+     Because entries may be added to this field by the holder of
+     credentials, except when an entry is separately authenticated by
+     encapulation in the kdc-issued element, it is not allowable for the
+     presence of an entry in the authorization data field of a ticket to
+     amplify the priveleges one would obtain from using a ticket.
+
+     The data in this field may be specific to the end service; the field
+     will contain the names of service specific objects, and the rights to
+     those objects. The format for this field is described in section 5.2.
+     Although Kerberos is not concerned with the format of the contents of
+     the sub-fields, it does carry type information (ad-type).
+
+     By using the authorization_data field, a principal is able to issue a
+     proxy that is valid for a specific purpose. For example, a client
+     wishing to print a file can obtain a file server proxy to be passed to
+     the print server. By specifying the name of the file in the
+     authorization_data field, the file server knows that the print server
+     can only use the client's rights when accessing the particular file to
+     be printed.
+
+     A separate service providing authorization or certifying group
+     membership may be built using the authorization-data field. In this
+     case, the entity granting authorization (not the authorized entity),
+     may obtain a ticket in its own name (e.g. the ticket is issued in the
+     name of a privelege server), and this entity adds restrictions on its
+     own authority and delegates the restricted authority through a proxy to
+     the client. The client would then present this authorization credential
+     to the application server separately from the authentication exchange.
+     Alternatively, such authorization credentials may be embedded in the
+     ticket authenticating the authorized entity, when the authorization is
+     separately authenticated using the kdc-issued authorization data
+     element (see B.4).
+
+     Similarly, if one specifies the authorization-data field of a proxy and
+     leaves the host addresses blank, the resulting ticket and session key
+     can be treated as a capability. See [Neu93] for some suggested uses of
+     this field.
+
+     The authorization-data field is optional and does not have to be
+     included in a ticket.
+
+5.3.2. Authenticators
+
+An authenticator is a record sent with a ticket to a server to certify the
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+client's knowledge of the encryption key in the ticket, to help the server
+detect replays, and to help choose a "true session key" to use with the
+particular session. The encoding is encrypted in the ticket's session key
+shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+
+authenticator-vno
+     This field specifies the version number for the format of the
+     authenticator. This document specifies version 5.
+crealm and cname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+cksum
+     This field contains a checksum of the the applica- tion data that
+     accompanies the KRB_AP_REQ.
+cusec
+     This field contains the microsecond part of the client's timestamp. Its
+     value (before encryption) ranges from 0 to 999999. It often appears
+     along with ctime. The two fields are used together to specify a
+     reasonably accurate timestamp.
+ctime
+     This field contains the current time on the client's host.
+subkey
+     This field contains the client's choice for an encryption key which is
+     to be used to protect this specific application session. Unless an
+     application specifies otherwise, if this field is left out the session
+     key from the ticket will be used.
+seq-number
+     This optional field includes the initial sequence number to be used by
+     the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
+     detect replays (It may also be used by application specific messages).
+     When included in the authenticator this field specifies the initial
+     sequence number for messages from the client to the server. When
+     included in the AP-REP message, the initial sequence number is that for
+     messages from the server to the client. When used in KRB_PRIV or
+     KRB_SAFE messages, it is incremented by one after each message is sent.
+     Sequence numbers fall in the range of 0 through 2^32 - 1 and wrap to
+     zero following the value 2^32 - 1.
+
+     For sequence numbers to adequately support the detection of replays
+     they should be non-repeating, even across connection boundaries. The
+     initial sequence number should be random and uniformly distributed
+     across the full space of possible sequence numbers, so that it cannot
+     be guessed by an attacker and so that it and the successive sequence
+     numbers do not repeat other sequences.
+authorization-data
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     This field is the same as described for the ticket in section 5.3.1. It
+     is optional and will only appear when additional restrictions are to be
+     placed on the use of a ticket, beyond those carried in the ticket
+     itself.
+
+5.4. Specifications for the AS and TGS exchanges
+
+This section specifies the format of the messages used in the exchange
+between the client and the Kerberos server. The format of possible error
+messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+The KRB_KDC_REQ message has no type of its own. Instead, its type is one of
+KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an initial
+ticket or an additional ticket. In either case, the message is sent from the
+client to the Authentication Server to request credentials for a service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER,
+                                           -- EncryptionType,
+                                           -- in preference order
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+The fields in this message are:
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+pvno
+     This field is included in each message, and specifies the protocol
+     version number. This document specifies protocol version 5.
+msg-type
+     This field indicates the type of a protocol message. It will almost
+     always be the same as the application identifier associated with a
+     message. It is included to make the identifier more readily accessible
+     to the application. For the KDC-REQ message, this type will be
+     KRB_AS_REQ or KRB_TGS_REQ.
+padata
+     The padata (pre-authentication data) field contains a sequence of
+     authentication information which may be needed before credentials can
+     be issued or decrypted. In the case of requests for additional tickets
+     (KRB_TGS_REQ), this field will include an element with padata-type of
+     PA-TGS-REQ and data of an authentication header (ticket-granting ticket
+     and authenticator). The checksum in the authenticator (which must be
+     collision-proof) is to be computed over the KDC-REQ-BODY encoding. In
+     most requests for initial authentication (KRB_AS_REQ) and most replies
+     (KDC-REP), the padata field will be left out.
+
+     This field may also contain information needed by certain extensions to
+     the Kerberos protocol. For example, it might be used to initially
+     verify the identity of a client before any response is returned. This
+     is accomplished with a padata field with padata-type equal to
+     PA-ENC-TIMESTAMP and padata-value defined as follows:
+
+     padata-type     ::= PA-ENC-TIMESTAMP
+     padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+     PA-ENC-TS-ENC   ::= SEQUENCE {
+                     patimestamp[0]     KerberosTime, -- client's time
+                     pausec[1]          INTEGER OPTIONAL
+     }
+
+     with patimestamp containing the client's time and pausec containing the
+     microseconds which may be omitted if a client will not generate more
+     than one request per second. The ciphertext (padata-value) consists of
+     the PA-ENC-TS-ENC sequence, encrypted using the client's secret key.
+
+     [use-specified-kvno item is here for discussion and may be removed] It
+     may also be used by the client to specify the version of a key that is
+     being used for accompanying preauthentication, and/or which should be
+     used to encrypt the reply from the KDC.
+
+     PA-USE-SPECIFIED-KVNO  ::=  Integer
+
+     The KDC should only accept and abide by the value of the
+     use-specified-kvno preauthentication data field when the specified key
+     is still valid and until use of a new key is confirmed. This situation
+     is likely to occur primarily during the period during which an updated
+     key is propagating to other KDC's in a realm.
+
+     The padata field can also contain information needed to help the KDC or
+     the client select the key needed for generating or decrypting the
+     response. This form of the padata is useful for supporting the use of
+     certain token cards with Kerberos. The details of such extensions are
+     specified in separate documents. See [Pat92] for additional uses of
+     this field.
+padata-type
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     The padata-type element of the padata field indicates the way that the
+     padata-value element is to be interpreted. Negative values of
+     padata-type are reserved for unregistered use; non-negative values are
+     used for a registered interpretation of the element type.
+req-body
+     This field is a placeholder delimiting the extent of the remaining
+     fields. If a checksum is to be calculated over the request, it is
+     calculated over an encoding of the KDC-REQ-BODY sequence which is
+     enclosed within the req-body field.
+kdc-options
+     This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
+     KDC and indicates the flags that the client wants set on the tickets as
+     well as other information that is to modify the behavior of the KDC.
+     Where appropriate, the name of an option may be the same as the flag
+     that is set by that option. Although in most case, the bit in the
+     options field will be the same as that in the flags field, this is not
+     guaranteed, so it is not acceptable to simply copy the options field to
+     the flags field. There are various checks that must be made before
+     honoring an option anyway.
+
+     The kdc_options field is a bit-field, where the selected options are
+     indicated by the bit being set (1), and the unselected options and
+     reserved fields being reset (0). The encoding of the bits is specified
+     in section 5.2. The options are described in more detail above in
+     section 2. The meanings of the options are:
+
+        Bit(s)    Name                Description
+         0        RESERVED
+                                      Reserved for future  expansion  of  this
+                                      field.
+
+         1        FORWARDABLE
+                                      The FORWARDABLE  option  indicates  that
+                                      the  ticket  to be issued is to have its
+                                      forwardable flag set.  It  may  only  be
+                                      set on the initial request, or in a sub-
+                                      sequent request if  the  ticket-granting
+                                      ticket on which it is based is also for-
+                                      wardable.
+
+         2        FORWARDED
+                                      The FORWARDED option is  only  specified
+                                      in  a  request  to  the  ticket-granting
+                                      server and will only be honored  if  the
+                                      ticket-granting  ticket  in  the request
+                                      has  its  FORWARDABLE  bit  set.    This
+                                      option  indicates that this is a request
+                                      for forwarding.  The address(es) of  the
+                                      host  from which the resulting ticket is
+                                      to  be  valid  are   included   in   the
+                                      addresses field of the request.
+
+         3        PROXIABLE
+                                      The PROXIABLE option indicates that  the
+                                      ticket to be issued is to have its prox-
+                                      iable flag set.  It may only be  set  on
+                                      the  initial request, or in a subsequent
+                                      request if the ticket-granting ticket on
+                                      which it is based is also proxiable.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+         4        PROXY
+                                      The PROXY option indicates that this  is
+                                      a request for a proxy.  This option will
+                                      only be honored if  the  ticket-granting
+                                      ticket  in the request has its PROXIABLE
+                                      bit set.  The address(es)  of  the  host
+                                      from which the resulting ticket is to be
+                                       valid  are  included  in  the  addresses
+                                      field of the request.
+
+         5        ALLOW-POSTDATE
+                                      The ALLOW-POSTDATE option indicates that
+                                      the  ticket  to be issued is to have its
+                                      MAY-POSTDATE flag set.  It may  only  be
+                                      set on the initial request, or in a sub-
+                                      sequent request if  the  ticket-granting
+                                      ticket on which it is based also has its
+                                      MAY-POSTDATE flag set.
+
+         6        POSTDATED
+                                      The POSTDATED option indicates that this
+                                      is  a  request  for  a postdated ticket.
+                                      This option will only be honored if  the
+                                      ticket-granting  ticket  on  which it is
+                                      based has  its  MAY-POSTDATE  flag  set.
+                                      The  resulting ticket will also have its
+                                      INVALID flag set, and that flag  may  be
+                                      reset by a subsequent request to the KDC
+                                      after the starttime in  the  ticket  has
+                                      been reached.
+
+         7        UNUSED
+                                      This option is presently unused.
+
+         8        RENEWABLE
+                                      The RENEWABLE option indicates that  the
+                                      ticket  to  be  issued  is  to  have its
+                                      RENEWABLE flag set.  It may only be  set
+                                      on  the  initial  request,  or  when the
+                                      ticket-granting  ticket  on  which   the
+                                      request  is based is also renewable.  If
+                                      this option is requested, then the rtime
+                                      field   in   the  request  contains  the
+                                      desired absolute expiration time for the
+                                      ticket.
+
+         9-13     UNUSED
+                                      These options are presently unused.
+
+         14       REQUEST-ANONYMOUS
+                                      The REQUEST-ANONYMOUS  option  indicates
+                                      that  the  ticket to be issued is not to
+                                      identify  the  user  to  which  it   was
+                                      issued.  Instead, the principal identif-
+                                      ier is to be generic,  as  specified  by
+                                      the  policy  of  the realm (e.g. usually
+                                      anonymous@realm).  The  purpose  of  the
+                                      ticket  is only to securely distribute a
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                      session key, and  not  to  identify  the
+                                      user.   The ANONYMOUS flag on the ticket
+                                      to be returned should be  set.   If  the
+                                      local  realms  policy  does  not  permit
+                                      anonymous credentials, the request is to
+                                      be rejected.
+
+         15-25    RESERVED
+                                      Reserved for future use.
+
+         26       DISABLE-TRANSITED-CHECK
+                                      By default the KDC will check the
+                                      transited field of a ticket-granting-
+                                      ticket against the policy of the local
+                                      realm before it will issue derivative
+                                      tickets based on the ticket granting
+                                      ticket.  If this flag is set in the
+                                      request, checking of the transited field
+                                      is disabled.  Tickets issued without the
+                                      performance of this check will be noted
+                                      by the reset (0) value of the
+                                      TRANSITED-POLICY-CHECKED flag,
+                                      indicating to the application server
+                                      that the tranisted field must be checked
+                                      locally.  KDC's are encouraged but not
+                                      required to honor the
+                                      DISABLE-TRANSITED-CHECK option.
+
+         27       RENEWABLE-OK
+                                      The RENEWABLE-OK option indicates that a
+                                      renewable ticket will be acceptable if a
+                                      ticket with the  requested  life  cannot
+                                      otherwise be provided.  If a ticket with
+                                      the requested life cannot  be  provided,
+                                      then  a  renewable  ticket may be issued
+                                      with  a  renew-till  equal  to  the  the
+                                      requested  endtime.   The  value  of the
+                                      renew-till field may still be limited by
+                                      local  limits, or limits selected by the
+                                      individual principal or server.
+
+         28       ENC-TKT-IN-SKEY
+                                      This option is used only by the  ticket-
+                                      granting  service.   The ENC-TKT-IN-SKEY
+                                      option indicates that the ticket for the
+                                      end  server  is  to  be encrypted in the
+                                      session key from the additional  ticket-
+                                      granting ticket provided.
+
+         29       RESERVED
+                                      Reserved for future use.
+
+         30       RENEW
+                                      This option is used only by the  ticket-
+                                      granting   service.   The  RENEW  option
+                                      indicates that the  present  request  is
+                                      for  a  renewal.  The ticket provided is
+                                      encrypted in  the  secret  key  for  the
+                                      server  on  which  it  is  valid.   This
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                      option  will  only  be  honored  if  the
+                                      ticket  to  be renewed has its RENEWABLE
+                                      flag set and if the time in  its  renew-
+                                      till  field  has not passed.  The ticket
+                                      to be renewed is passed  in  the  padata
+                                      field  as  part  of  the  authentication
+                                      header.
+
+         31       VALIDATE
+                                      This option is used only by the  ticket-
+                                      granting  service.   The VALIDATE option
+                                      indicates that the request is  to  vali-
+                                      date  a  postdated ticket.  It will only
+                                      be honored if the  ticket  presented  is
+                                      postdated,  presently  has  its  INVALID
+                                      flag set, and would be otherwise  usable
+                                      at  this time.  A ticket cannot be vali-
+                                      dated before its starttime.  The  ticket
+                                      presented for validation is encrypted in
+                                      the key of the server for  which  it  is
+                                      valid  and is passed in the padata field
+                                      as part of the authentication header.
+
+cname and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is
+     specified. If absent, the name of the server is taken from the name of
+     the client in the ticket passed as additional-tickets.
+enc-authorization-data
+     The enc-authorization-data, if present (and it can only be present in
+     the TGS_REQ form), is an encoding of the desired authorization-data
+     encrypted under the sub-session key if present in the Authenticator, or
+     alternatively from the session key in the ticket-granting ticket, both
+     from the padata field in the KRB_AP_REQ.
+realm
+     This field specifies the realm part of the server's principal
+     identifier. In the AS exchange, this is also the realm part of the
+     client's principal identifier.
+from
+     This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
+     requests when the requested ticket is to be postdated. It specifies the
+     desired start time for the requested ticket. If this field is omitted
+     then the KDC should use the current time instead.
+till
+     This field contains the expiration date requested by the client in a
+     ticket request. It is optional and if omitted the requested ticket is
+     to have the maximum endtime permitted according to KDC policy for the
+     parties to the authentication exchange as limited by expiration date of
+     the ticket granting ticket or other preauthentication credentials.
+rtime
+     This field is the requested renew-till time sent from a client to the
+     KDC in a ticket request. It is optional.
+nonce
+     This field is part of the KDC request and response. It it intended to
+     hold a random number generated by the client. If the same number is
+     included in the encrypted response from the KDC, it provides evidence
+     that the response is fresh and has not been replayed by an attacker.
+     Nonces must never be re-used. Ideally, it should be generated randomly,
+     but if the correct time is known, it may suffice[25].
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+etype
+     This field specifies the desired encryption algorithm to be used in the
+     response.
+addresses
+     This field is included in the initial request for tickets, and
+     optionally included in requests for additional tickets from the
+     ticket-granting server. It specifies the addresses from which the
+     requested ticket is to be valid. Normally it includes the addresses for
+     the client's host. If a proxy is requested, this field will contain
+     other addresses. The contents of this field are usually copied by the
+     KDC into the caddr field of the resulting ticket.
+additional-tickets
+     Additional tickets may be optionally included in a request to the
+     ticket-granting server. If the ENC-TKT-IN-SKEY option has been
+     specified, then the session key from the additional ticket will be used
+     in place of the server's key to encrypt the new ticket. If more than
+     one option which requires additional tickets has been specified, then
+     the additional tickets are used in the order specified by the ordering
+     of the options bits (see kdc-options, above).
+
+The application code will be either ten (10) or twelve (12) depending on
+whether the request is for an initial ticket (AS-REQ) or for an additional
+ticket (TGS-REQ).
+
+The optional fields (addresses, authorization-data and additional-tickets)
+are only included if necessary to perform the operation specified in the
+kdc-options field.
+
+It should be noted that in KRB_TGS_REQ, the protocol version number appears
+twice and two different message types appear: the KRB_TGS_REQ message
+contains these fields as does the authentication header (KRB_AP_REQ) that is
+passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+The KRB_KDC_REP message format is used for the reply from the KDC for either
+an initial (AS) request or a subsequent (TGS) request. There is no message
+type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or
+KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
+depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
+the client's secret key, and the client's key version number is included in
+the key version number for the encrypted data. For KRB_TGS_REP, the
+ciphertext is encrypted in the sub-session key from the Authenticator, or if
+absent, the session key from the ticket-granting ticket used in the request.
+In that case, no version number will be present in the EncryptedData
+sequence.
+
+The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+              enc-part[6]                EncryptedData
+}
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is either
+     KRB_AS_REP or KRB_TGS_REP.
+padata
+     This field is described in detail in section 5.4.1. One possible use
+     for this field is to encode an alternate "mix-in" string to be used
+     with a string-to-key algorithm (such as is described in section 6.3.2).
+     This ability is useful to ease transitions if a realm name needs to
+     change (e.g. when a company is acquired); in such a case all existing
+     password-derived entries in the KDC database would be flagged as
+     needing a special mix-in string until the next password change.
+crealm, cname, srealm and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+ticket
+     The newly-issued ticket, from section 5.3.1.
+enc-part
+     This field is a place holder for the ciphertext and related information
+     that forms the encrypted part of a message. The description of the
+     encrypted part of the message follows each appearance of this field.
+     The encrypted part is encoded as described in section 6.1.
+key
+     This field is the same as described for the ticket in section 5.3.1.
+last-req
+     This field is returned by the KDC and specifies the time(s) of the last
+     request by a principal. Depending on what information is available,
+     this might be the last time that a request for a ticket-granting ticket
+     was made, or the last time that a request based on a ticket-granting
+     ticket was successful. It also might cover all servers for a realm, or
+     just the particular server. Some implementations may display this
+     information to the user to aid in discovering unauthorized use of one's
+     identity. It is similar in spirit to the last login time displayed when
+     logging into timesharing systems.
+nonce
+     This field is described above in section 5.4.1.
+key-expiration
+     The key-expiration field is part of the response from the KDC and
+     specifies the time that the client's secret key is due to expire. The
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     expiration might be the result of password aging or an account
+     expiration. This field will usually be left out of the TGS reply since
+     the response to the TGS request is encrypted in a session key and no
+     client information need be retrieved from the KDC database. It is up to
+     the application client (usually the login program) to take appropriate
+     action (such as notifying the user) if the expiration time is imminent.
+flags, authtime, starttime, endtime, renew-till and caddr
+     These fields are duplicates of those found in the encrypted portion of
+     the attached ticket (see section 5.3.1), provided so the client may
+     verify they match the intended request and to assist in proper ticket
+     caching. If the message is of type KRB_TGS_REP, the caddr field will
+     only be filled in if the request was for a proxy or forwarded ticket,
+     or if the user is substituting a subset of the addresses from the
+     ticket granting ticket. If the client-requested addresses are not
+     present or not used, then the addresses contained in the ticket will be
+     the same as those included in the ticket-granting ticket.
+
+5.5. Client/Server (CS) message specifications
+
+This section specifies the format of the messages used for the
+authentication of the client to the application server.
+
+5.5.1. KRB_AP_REQ definition
+
+The KRB_AP_REQ message contains the Kerberos protocol version number, the
+message type KRB_AP_REQ, an options field to indicate any options in use,
+and the ticket and authenticator themselves. The KRB_AP_REQ message is often
+referred to as the 'authentication header'.
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REQ.
+ap-options
+     This field appears in the application request (KRB_AP_REQ) and affects
+     the way the request is processed. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). The encoding of the bits
+     is specified in section 5.2. The meanings of the options are:
+
+       Bit(s)   Name              Description
+
+       0        RESERVED
+                                  Reserved for future  expansion  of  this
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                  field.
+
+       1        USE-SESSION-KEY
+                                  The  USE-SESSION-KEY  option   indicates
+                                  that the ticket the client is presenting
+                                  to a server is encrypted in the  session
+                                  key  from  the  server's ticket-granting
+                                  ticket.  When this option is not  speci-
+                                  fied,  the  ticket  is  encrypted in the
+                                  server's secret key.
+
+       2        MUTUAL-REQUIRED
+                                  The  MUTUAL-REQUIRED  option  tells  the
+                                  server  that  the client requires mutual
+                                  authentication, and that it must respond
+                                  with a KRB_AP_REP message.
+
+       3-31     RESERVED
+                                  Reserved for future use.
+
+ticket
+     This field is a ticket authenticating the client to the server.
+authenticator
+     This contains the authenticator, which includes the client's choice of
+     a subkey. Its encoding is described in section 5.3.2.
+
+5.5.2. KRB_AP_REP definition
+
+The KRB_AP_REP message contains the Kerberos protocol version number, the
+message type, and an encrypted time- stamp. The message is sent in in
+response to an application request (KRB_AP_REQ) where the mutual
+authentication option has been selected in the ap-options field.
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+The encoded EncAPRepPart is encrypted in the shared session key of the
+ticket. The optional subkey field can be used in an application-arranged
+negotiation to choose a per association session key.
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REP.
+enc-part
+     This field is described above in section 5.4.2.
+ctime
+     This field contains the current time on the client's host.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+subkey
+     This field contains an encryption key which is to be used to protect
+     this specific application session. See section 3.2.6 for specifics on
+     how this field is used to negotiate a key. Unless an application
+     specifies otherwise, if this field is left out, the sub-session key
+     from the authenticator, or if also left out, the session key from the
+     ticket will be used.
+
+5.5.3. Error message reply
+
+If an error occurs while processing the application request, the KRB_ERROR
+message will be sent in response. See section 5.9.1 for the format of the
+error message. The cname and crealm fields may be left out if the server
+cannot determine their appropriate values from the corresponding KRB_AP_REQ
+message. If the authenticator was decipherable, the ctime and cusec fields
+will contain the values from it.
+
+5.6. KRB_SAFE message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to send a tamper-proof message to
+its peer. It presumes that a session key has previously been exchanged (for
+example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1. KRB_SAFE definition
+
+The KRB_SAFE message contains user data along with a collision-proof
+checksum keyed with the last encryption key negotiated via subkeys, or the
+session key if no negotiation has occured. The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_SAFE.
+safe-body
+     This field is a placeholder for the body of the KRB-SAFE message.
+cksum
+     This field contains the checksum of the application data. Checksum
+     details are described in section 6.4. The checksum is computed over the
+     encoding of the KRB-SAFE sequence. First, the cksum is zeroed and the
+     checksum is computed over the encoding of the KRB-SAFE sequence, then
+     the checksum is set to the result of that computation, and finally the
+     KRB-SAFE sequence is encoded again.
+user-data
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     This field is part of the KRB_SAFE and KRB_PRIV messages and contain
+     the application specific data that is being passed from the sender to
+     the recipient.
+timestamp
+     This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
+     are the current time as known by the sender of the message. By checking
+     the timestamp, the recipient of the message is able to make sure that
+     it was recently generated, and is not a replay.
+usec
+     This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
+     the microsecond part of the timestamp.
+seq-number
+     This field is described above in section 5.3.2.
+s-address
+     This field specifies the address in use by the sender of the message.
+     It may be omitted if not required by the application protocol. The
+     application designer considering omission of this field is warned, that
+     the inclusion of this address prevents some kinds of replay attacks
+     (e.g., reflection attacks) and that it is only acceptable to omit this
+     address if there is sufficient information in the integrity protected
+     part of the application message for the recipient to unambiguously
+     determine if it was the intended recipient.
+r-address
+     This field specifies the address in use by the recipient of the
+     message. It may be omitted for some uses (such as broadcast protocols),
+     but the recipient may arbitrarily reject such messages. This field
+     along with s-address can be used to help detect messages which have
+     been incorrectly or maliciously delivered to the wrong recipient.
+
+5.7. KRB_PRIV message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to securely and privately send a
+message to its peer. It presumes that a session key has previously been
+exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+The KRB_PRIV message contains user data encrypted in the Session Key. The
+message fields are:
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's addr
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_PRIV.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+enc-part
+     This field holds an encoding of the EncKrbPrivPart sequence encrypted
+     under the session key[32]. This encrypted encoding is used for the
+     enc-part field of the KRB-PRIV message. See section 6 for the format of
+     the ciphertext.
+user-data, timestamp, usec, s-address and r-address
+     These fields are described above in section 5.6.1.
+seq-number
+     This field is described above in section 5.3.2.
+
+5.8. KRB_CRED message specification
+
+This section specifies the format of a message that can be used to send
+Kerberos credentials from one principal to another. It is presented here to
+encourage a common mechanism to be used by applications when forwarding
+tickets or providing proxies to subordinate servers. It presumes that a
+session key has already been exchanged perhaps by using the
+KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+The KRB_CRED message contains a sequence of tickets to be sent and
+information needed to use the tickets, including the session key from each.
+The information needed to use the tickets is encrypted under an encryption
+key previously exchanged or transferred alongside the KRB_CRED message. The
+message fields are:
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     KRB_CRED.
+tickets
+     These are the tickets obtained from the KDC specifically for use by the
+     intended recipient. Successive tickets are paired with the
+     corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED
+     message.
+enc-part
+     This field holds an encoding of the EncKrbCredPart sequence encrypted
+     under the session key shared between the sender and the intended
+     recipient. This encrypted encoding is used for the enc-part field of
+     the KRB-CRED message. See section 6 for the format of the ciphertext.
+nonce
+     If practical, an application may require the inclusion of a nonce
+     generated by the recipient of the message. If the same value is
+     included as the nonce in the message, it provides evidence that the
+     message is fresh and has not been replayed by an attacker. A nonce must
+     never be re-used; it should be generated randomly by the recipient of
+     the message and provided to the sender of the message in an application
+     specific manner.
+timestamp and usec
+     These fields specify the time that the KRB-CRED message was generated.
+     The time is used to provide assurance that the message is fresh.
+s-address and r-address
+     These fields are described above in section 5.6.1. They are used
+     optionally to provide additional assurance of the integrity of the
+     KRB-CRED message.
+key
+     This field exists in the corresponding ticket passed by the KRB-CRED
+     message and is used to pass the session key from the sender to the
+     intended recipient. The field's encoding is described in section 6.2.
+
+The following fields are optional. If present, they can be associated with
+the credentials in the remote ticket file. If left out, then it is assumed
+that the recipient of the credentials already knows their value.
+
+prealm and pname
+     The name and realm of the delegated principal identity.
+flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
+     These fields contain the values of the correspond- ing fields from the
+     ticket found in the ticket field. Descriptions of the fields are
+     identical to the descriptions in the KDC-REP message.
+
+5.9. Error message specification
+
+This section specifies the format for the KRB_ERROR message. The fields
+included in the message are intended to return as much information as
+possible about an error. It is not expected that all the information
+required by the fields will be available for all types of errors. If the
+appropriate information is not available when the message is composed, the
+corresponding field will be left out of the message.
+
+Note that since the KRB_ERROR message is only optionally integrity
+protected, it is quite possible for an intruder to synthesize or modify such
+a message. In particular, this means that unless appropriate integrity
+protection mechanisms have been applied to the KRB_ERROR message, the client
+should not use any fields in this message for security-critical purposes,
+such as setting a system clock or generating a fresh authenticator. The
+message can be useful, however, for advising a user on the reason for some
+failure.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+5.9.1. KRB_ERROR definition
+
+The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL,
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_ERROR.
+ctime
+     This field is described above in section 5.4.1.
+cusec
+     This field is described above in section 5.5.2.
+stime
+     This field contains the current time on the server. It is of type
+     KerberosTime.
+susec
+     This field contains the microsecond part of the server's timestamp. Its
+     value ranges from 0 to 999999. It appears along with stime. The two
+     fields are used in conjunction to specify a reasonably accurate
+     timestamp.
+error-code
+     This field contains the error code returned by Kerberos or the server
+     when a request fails. To interpret the value of this field see the list
+     of error codes in section 8. Implementations are encouraged to provide
+     for national language support in the display of error messages.
+crealm, cname, srealm and sname
+     These fields are described above in section 5.3.1.
+e-text
+     This field contains additional text to help explain the error code
+     associated with the failed request (for example, it might include a
+     principal name which was unknown).
+e-data
+     This field contains additional data about the error for use by the
+     application to help it recover from or handle the error. If present,
+     this field will contain the encoding of a sequence of TypedData
+     (TYPED-DATA below), unless the errorcode is KDC_ERR_PREAUTH_REQUIRED,
+     in which case it will contain the encoding of a sequence of of padata
+     fields (METHOD-DATA below), each corresponding to an acceptable
+     pre-authentication method and optionally containing data for the
+     method:
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+     TYPED-DATA   ::=   SEQUENCE of TypeData
+     METHOD-DATA  ::=   SEQUENCE of PA-DATA
+
+     TypedData ::=   SEQUENCE {
+                         data-type[0]   INTEGER,
+                         data-value[1]  OCTET STRING OPTIONAL
+     }
+
+     Note that e-data-types have been reserved for all PA data types defined
+     prior to July 1999. For the KDC_ERR_PREAUTH_REQUIRED message, when
+     using new PA data types defined in July 1999 or later, the METHOD-DATA
+     sequence must itself be encapsulated in an TypedData element of type
+     TD-PADATA. All new implementations interpreting the METHOD-DATA field
+     for the KDC_ERR_PREAUTH_REQUIRED message must accept a type of
+     TD-PADATA, extract the typed data field and interpret the use any
+     elements encapsulated in the TD-PADATA elements as if they were present
+     in the METHOD-DATA sequence.
+e-cksum
+     This field contains an optional checksum for the KRB-ERROR message. The
+     checksum is calculated over the Kerberos ASN.1 encoding of the
+     KRB-ERROR message with the checksum absent. The checksum is then added
+     to the KRB-ERROR structure and the message is re-encoded. The Checksum
+     should be calculated using the session key from the ticket granting
+     ticket or service ticket, where available. If the error is in response
+     to a TGS or AP request, the checksum should be calculated uing the the
+     session key from the client's ticket. If the error is in response to an
+     AS request, then the checksum should be calulated using the client's
+     secret key ONLY if there has been suitable preauthentication to prove
+     knowledge of the secret key by the client[33]. If a checksum can not be
+     computed because the key to be used is not available, no checksum will
+     be included.
+
+     6. Encryption and Checksum Specifications
+
+     The Kerberos protocols described in this document are designed to use
+     stream encryption ciphers, which can be simulated using commonly
+     available block encryption ciphers, such as the Data Encryption
+     Standard [DES77], and triple DES variants, in conjunction with block
+     chaining and checksum methods [DESM80]. Encryption is used to prove the
+     identities of the network entities participating in message exchanges.
+     The Key Distribution Center for each realm is trusted by all principals
+     registered in that realm to store a secret key in confidence. Proof of
+     knowledge of this secret key is used to verify the authenticity of a
+     principal.
+
+     The KDC uses the principal's secret key (in the AS exchange) or a
+     shared session key (in the TGS exchange) to encrypt responses to ticket
+     requests; the ability to obtain the secret key or session key implies
+     the knowledge of the appropriate keys and the identity of the KDC. The
+     ability of a principal to decrypt the KDC response and present a Ticket
+     and a properly formed Authenticator (generated with the session key
+     from the KDC response) to a service verifies the identity of the
+     principal; likewise the ability of the service to extract the session
+     key from the Ticket and prove its knowledge thereof in a response
+     verifies the identity of the service.
+
+     The Kerberos protocols generally assume that the encryption used is
+     secure from cryptanalysis; however, in some cases, the order of fields
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     in the encrypted portions of messages are arranged to minimize the
+     effects of poorly chosen keys. It is still important to choose good
+     keys. If keys are derived from user-typed passwords, those passwords
+     need to be well chosen to make brute force attacks more difficult.
+     Poorly chosen keys still make easy targets for intruders.
+
+     The following sections specify the encryption and checksum mechanisms
+     currently defined for Kerberos. The encodings, chaining, and padding
+     requirements for each are described. For encryption methods, it is
+     often desirable to place random information (often referred to as a
+     confounder) at the start of the message. The requirements for a
+     confounder are specified with each encryption mechanism.
+
+     Some encryption systems use a block-chaining method to improve the the
+     security characteristics of the ciphertext. However, these chaining
+     methods often don't provide an integrity check upon decryption. Such
+     systems (such as DES in CBC mode) must be augmented with a checksum of
+     the plain-text which can be verified at decryption and used to detect
+     any tampering or damage. Such checksums should be good at detecting
+     burst errors in the input. If any damage is detected, the decryption
+     routine is expected to return an error indicating the failure of an
+     integrity check. Each encryption type is expected to provide and verify
+     an appropriate checksum. The specification of each encryption method
+     sets out its checksum requirements.
+
+     Finally, where a key is to be derived from a user's password, an
+     algorithm for converting the password to a key of the appropriate type
+     is included. It is desirable for the string to key function to be
+     one-way, and for the mapping to be different in different realms. This
+     is important because users who are registered in more than one realm
+     will often use the same password in each, and it is desirable that an
+     attacker compromising the Kerberos server in one realm not obtain or
+     derive the user's key in another.
+
+     For an discussion of the integrity characteristics of the candidate
+     encryption and checksum methods considered for Kerberos, the reader is
+     referred to [SG92].
+
+     6.1. Encryption Specifications
+
+     The following ASN.1 definition describes all encrypted messages. The
+     enc-part field which appears in the unencrypted part of messages in
+     section 5 is a sequence consisting of an encryption type, an optional
+     key version number, and the ciphertext.
+
+     EncryptedData ::=   SEQUENCE {
+                         etype[0]     INTEGER, -- EncryptionType
+                         kvno[1]      INTEGER OPTIONAL,
+                         cipher[2]    OCTET STRING -- ciphertext
+     }
+
+
+
+     etype
+          This field identifies which encryption algorithm was used to
+          encipher the cipher. Detailed specifications for selected
+          encryption types appear later in this section.
+     kvno
+          This field contains the version number of the key under which data
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+          is encrypted. It is only present in messages encrypted under long
+          lasting keys, such as principals' secret keys.
+     cipher
+          This field contains the enciphered text, encoded as an OCTET
+          STRING.
+     The cipher field is generated by applying the specified encryption
+     algorithm to data composed of the message and algorithm-specific
+     inputs. Encryption mechanisms defined for use with Kerberos must take
+     sufficient measures to guarantee the integrity of the plaintext, and we
+     recommend they also take measures to protect against precomputed
+     dictionary attacks. If the encryption algorithm is not itself capable
+     of doing so, the protections can often be enhanced by adding a checksum
+     and a confounder.
+
+     The suggested format for the data to be encrypted includes a
+     confounder, a checksum, the encoded plaintext, and any necessary
+     padding. The msg-seq field contains the part of the protocol message
+     described in section 5 which is to be encrypted. The confounder,
+     checksum, and padding are all untagged and untyped, and their length is
+     exactly sufficient to hold the appropriate item. The type and length is
+     implicit and specified by the particular encryption type being used
+     (etype). The format for the data to be encrypted for some methods is
+     described in the following diagram, but other methods may deviate from
+     this layour - so long as the definition of the method defines the
+     layout actually in use.
+
+           +-----------+----------+-------------+-----+
+           |confounder |   check  |   msg-seq   | pad |
+           +-----------+----------+-------------+-----+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     CipherText ::=   ENCRYPTED       SEQUENCE {
+          confounder[0]   UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
+          check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+          msg-seq[2]      MsgSequence,
+          pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+     }
+
+     One generates a random confounder of the appropriate length, placing it
+     in confounder; zeroes out check; calculates the appropriate checksum
+     over confounder, check, and msg-seq, placing the result in check; adds
+     the necessary padding; then encrypts using the specified encryption
+     type and the appropriate key.
+
+     Unless otherwise specified, a definition of an encryption algorithm
+     that specifies a checksum, a length for the confounder field, or an
+     octet boundary for padding uses this ciphertext format[36]. Those
+     fields which are not specified will be omitted.
+
+     In the interest of allowing all implementations using a particular
+     encryption type to communicate with all others using that type, the
+     specification of an encryption type defines any checksum that is needed
+     as part of the encryption process. If an alternative checksum is to be
+     used, a new encryption type must be defined.
+
+     Some cryptosystems require additional information beyond the key and
+     the data to be encrypted. For example, DES, when used in
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     cipher-block-chaining mode, requires an initialization vector. If
+     required, the description for each encryption type must specify the
+     source of such additional information. 6.2. Encryption Keys
+
+     The sequence below shows the encoding of an encryption key:
+
+            EncryptionKey ::=   SEQUENCE {
+                                keytype[0]    INTEGER,
+                                keyvalue[1]   OCTET STRING
+            }
+
+     keytype
+          This field specifies the type of encryption that is to be
+          performed using the key that follows in the keyvalue field. It
+          will always correspond to the etype to be used to generate or
+          decode the EncryptedData. In cases when multiple algorithms use a
+          common kind of key (e.g., if the encryption algorithm uses an
+          alternate checksum algorithm for an integrity check, or a
+          different chaining mechanism), the keytype provides information
+          needed to determine which algorithm is to be used.
+     keyvalue
+          This field contains the key itself, encoded as an octet string.
+     All negative values for the encryption key type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpreta- tions.
+
+     6.3. Encryption Systems
+
+     6.3.1. The NULL Encryption System (null)
+
+     If no encryption is in use, the encryption system is said to be the
+     NULL encryption system. In the NULL encryption system there is no
+     checksum, confounder or padding. The ciphertext is simply the
+     plaintext. The NULL Key is used by the null encryption system and is
+     zero octets in length, with keytype zero (0).
+
+     6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+     The des-cbc-crc encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. A CRC-32 checksum (described in ISO 3309 [ISO3309]) is
+     applied to the confounder and message sequence (msg-seq) and placed in
+     the cksum field. DES blocks are 8 bytes. As a result, the data to be
+     encrypted (the concatenation of confounder, checksum, and message) must
+     be padded to an 8 byte boundary before encryption. The details of the
+     encryption of this data are identical to those for the des-cbc-md5
+     encryption mode.
+
+     Note that, since the CRC-32 checksum is not collision-proof, an
+     attacker could use a probabilistic chosen-plaintext attack to generate
+     a valid message even if a confounder is used [SG92]. The use of
+     collision-proof checksums is recommended for environments where such
+     attacks represent a significant threat. The use of the CRC-32 as the
+     checksum for ticket or authenticator is no longer mandated as an
+     interoperability requirement for Kerberos Version 5 Specification 1
+     (See section 9.1 for specific details).
+
+     6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     The des-cbc-md4 encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. An MD4 checksum (described in [MD492]) is applied to the
+     confounder and message sequence (msg-seq) and placed in the cksum
+     field. DES blocks are 8 bytes. As a result, the data to be encrypted
+     (the concatenation of confounder, checksum, and message) must be padded
+     to an 8 byte boundary before encryption. The details of the encryption
+     of this data are identical to those for the des-cbc-md5 encryption
+     mode.
+
+     6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+     The des-cbc-md5 encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. An MD5 checksum (described in [MD5-92].) is applied to the
+     confounder and message sequence (msg-seq) and placed in the cksum
+     field. DES blocks are 8 bytes. As a result, the data to be encrypted
+     (the concatenation of confounder, checksum, and message) must be padded
+     to an 8 byte boundary before encryption.
+
+     Plaintext and DES ciphtertext are encoded as blocks of 8 octets which
+     are concatenated to make the 64-bit inputs for the DES algorithms. The
+     first octet supplies the 8 most significant bits (with the octet's
+     MSbit used as the DES input block's MSbit, etc.), the second octet the
+     next 8 bits, ..., and the eighth octet supplies the 8 least significant
+     bits.
+
+     Encryption under DES using cipher block chaining requires an additional
+     input in the form of an initialization vector. Unless otherwise
+     specified, zero should be used as the initialization vector. Kerberos'
+     use of DES requires an 8 octet confounder.
+
+     The DES specifications identify some 'weak' and 'semi-weak' keys; those
+     keys shall not be used for encrypting messages for use in Kerberos.
+     Additionally, because of the way that keys are derived for the
+     encryption of checksums, keys shall not be used that yield 'weak' or
+     'semi-weak' keys when eXclusive-ORed with the hexadecimal constant
+     F0F0F0F0F0F0F0F0.
+
+     A DES key is 8 octets of data, with keytype one (1). This consists of
+     56 bits of key, and 8 parity bits (one per octet). The key is encoded
+     as a series of 8 octets written in MSB-first order. The bits within the
+     key are also encoded in MSB order. For example, if the encryption key
+     is (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+     B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the
+     parity bits, the first octet of the key would be B1,B2,...,B7,P1 (with
+     B1 as the MSbit). [See the FIPS 81 introduction for reference.]
+
+     String to key transformation
+
+     To generate a DES key from a text string (password), a "salt" is
+     concatenated to the text string, and then padded with ASCII nulls to an
+     8 byte boundary. This "salt" is normally the realm and each component
+     of the principal's name appended. However, sometimes different salts
+     are used --- for example, when a realm is renamed, or if a user changes
+     her username, or for compatibility with Kerberos V4 (whose
+     string-to-key algorithm uses a null string for the salt). This string
+     is then fan-folded and eXclusive-ORed with itself to form an 8 byte DES
+     key. Before eXclusive-ORing a block, every byte is shifted one bit to
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     the left to leave the lowest bit zero. The key is the "corrected" by
+     correcting the parity on the key, and if the key matches a 'weak' or
+     'semi-weak' key as described in the DES specification, it is
+     eXclusive-ORed with the constant 00000000000000F0. This key is then
+     used to generate a DES CBC checksum on the initial string (with the
+     salt appended). The result of the CBC checksum is the "corrected" as
+     described above to form the result which is return as the key.
+     Pseudocode follows:
+
+          name_to_default_salt(realm, name) {
+               s = realm
+               for(each component in name) {
+                    s = s + component;
+               }
+               return s;
+          }
+
+          key_correction(key) {
+               fixparity(key);
+               if (is_weak_key_key(key))
+                    key = key XOR 0xF0;
+               return(key);
+          }
+
+          string_to_key(string,salt) {
+
+               odd = 1;
+               s = string + salt;
+               tempkey = NULL;
+               pad(s); /* with nulls to 8 byte boundary */
+               for(8byteblock in s) {
+                    if(odd == 0)  {
+                        odd = 1;
+                        reverse(8byteblock)
+                    }
+                    else odd = 0;
+                    left shift every byte in 8byteblock one bit;
+                    tempkey = tempkey XOR 8byteblock;
+               }
+               tempkey = key_correction(tempkey);
+               key = key_correction(DES-CBC-check(s,tempkey));
+               return(key);
+          }
+
+     6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with and
+     without Key Derivation [Original draft by Marc Horowitz, revisions by
+     David Miller]
+
+     This encryption type is based on the Triple DES cryptosystem, the
+     HMAC-SHA1 [Krawczyk96] message authentication algorithm, and key
+     derivation for Kerberos V5 [HorowitzB96]. Key derivation may or may not
+     be used in conjunction with the use of Triple DES keys.
+
+     Algorithm Identifiers
+
+     The des3-cbc-hmac-sha1 encryption type has been assigned the value 7.
+     The des3-cbc-hmac-sha1-kd encryption type, specifying the key
+     derivation variant of the encryption type, has been assigned the value
+     16. The hmac-sha1-des3 checksum type has been assigned the value 13.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     The hmac-sha1-des3-kd checksum type, specifying the key derivation
+     variant of the checksum, has been assigned the value 12.
+
+     Triple DES Key Production
+
+     The EncryptionKey value is 24 octets long. The 7 most significant bits
+     of each octet contain key bits, and the least significant bit is the
+     inverse of the xor of the key bits.
+
+     For the purposes of key derivation, the block size is 64 bits, and the
+     key size is 168 bits. The 168 bits output by key derivation are
+     converted to an EncryptionKey value as follows. First, the 168 bits are
+     divided into three groups of 56 bits, which are expanded individually
+     into 64 bits as follows:
+
+      1  2  3  4  5  6  7  p
+      9 10 11 12 13 14 15  p
+     17 18 19 20 21 22 23  p
+     25 26 27 28 29 30 31  p
+     33 34 35 36 37 38 39  p
+     41 42 43 44 45 46 47  p
+     49 50 51 52 53 54 55  p
+     56 48 40 32 24 16  8  p
+
+     The "p" bits are parity bits computed over the data bits. The output of
+     the three expansions are concatenated to form the EncryptionKey value.
+
+     When the HMAC-SHA1 of a string is computed, the key is used in the
+     EncryptedKey form.
+
+     The string-to-key function is used to tranform UNICODE passwords into
+     DES3 keys. The DES3 string-to-key function relies on the "N-fold"
+     algorithm, which is detailed in [9]. The description of the N-fold
+     algorithm in that document is as follows:
+        o To n-fold a number X, replicate the input value to a length that
+          is the least common multiple of n and the length of X. Before each
+          repetition, the input is rotated to the right by 13 bit positions.
+          The successive n-bit chunks are added together using
+          1's-complement addition (that is, addition with end-around carry)
+          to yield an n-bit result"
+        o The n-fold algorithm, as with DES string-to-key, is applied to the
+          password string concatenated with a salt value. The salt value is
+          derived in the same was as for the DES string-to-key algorithm.
+          For 3-key triple DES then, the operation will involve a 168-fold
+          of the input password string. The remainder of the string-to-key
+          function for DES3 is shown here in pseudocode:
+
+     DES3string-to-key(passwordString, key)
+
+         salt = name_to_default_salt(realm, name)
+         s = passwordString + salt
+         tmpKey1 = 168-fold(s)
+         parityFix(tmpKey1);
+         if not weakKey(tmpKey1)
+             /*
+              * Encrypt temp key in itself with a
+              * zero initialization vector
+              *
+              * Function signature is DES3encrypt(plain, key, iv)
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+              * with cipher as the return value
+              */
+             tmpKey2 = DES3encrypt(tmpKey1, tmpKey1, zeroIvec)
+             /*
+              * Encrypt resultant temp key in itself with third component
+              * of first temp key as initialization vector
+              */
+             key = DES3encrypt(tmpKey2, tmpKey1, tmpKey1[2])
+             parityFix(key)
+             if not weakKey(key)
+                  return SUCCESS
+             else
+                  return FAILURE
+         else
+             return FAILURE
+
+     The weakKey function above is the same weakKey function used with DES
+     keys, but applied to each of the three single DES keys that comprise
+     the triple DES key.
+
+     The lengths of UNICODE encoded character strings include the trailing
+     terminator character (0).
+
+     Encryption Types des3-cbc-hmac-sha1 and des3-cbc-hmac-sha1-kd
+
+     EncryptedData using this type must be generated as described in
+     [Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC mode.
+     The checksum algorithm is HMAC-SHA1. If the key derivation variant of
+     the encryption type is used, encryption key values are modified
+     according to the method under the Key Derivation section below.
+
+     Unless otherwise specified, a zero IV must be used.
+
+     If the length of the input data is not a multiple of the block size,
+     zero octets must be used to pad the plaintext to the next eight-octet
+     boundary. The counfounder must be eight random octets (one block).
+
+     Checksum Types hmac-sha1-des3 and hmac-sha1-des3-kd
+
+     Checksums using this type must be generated as described in
+     [Horowitz96]. The keyed hash algorithm is HMAC-SHA1. If the key
+     derivation variant of the checksum type is used, checksum key values
+     are modified according to the method under the Key Derivation section
+     below.
+
+     Key Derivation
+
+     In the Kerberos protocol, cryptographic keys are used in a number of
+     places. In order to minimize the effect of compromising a key, it is
+     desirable to use a different key for each of these places. Key
+     derivation [Horowitz96] can be used to construct different keys for
+     each operation from the keys transported on the network. For this to be
+     possible, a small change to the specification is necessary.
+
+     This section specifies a profile for the use of key derivation
+     [Horowitz96] with Kerberos. For each place where a key is used, a ``key
+     usage'' must is specified for that purpose. The key, key usage, and
+     encryption/checksum type together describe the transformation from
+     plaintext to ciphertext, or plaintext to checksum.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+     Key Usage Values
+
+     This is a complete list of places keys are used in the kerberos
+     protocol, with key usage values and RFC 1510 section numbers:
+
+      1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+         client key (section 5.4.1)
+      2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+         application session key), encrypted with the service key
+         (section 5.4.2)
+      3. AS-REP encrypted part (includes tgs session key or application
+         session key), encrypted with the client key (section 5.4.2)
+      4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+         session key (section 5.4.1)
+      5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+         authenticator subkey (section 5.4.1)
+      6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+         with the tgs session key (sections 5.3.2, 5.4.1)
+      7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+         authenticator subkey), encrypted with the tgs session key
+         (section 5.3.2)
+      8. TGS-REP encrypted part (includes application session key),
+         encrypted with the tgs session key (section 5.4.2)
+      9. TGS-REP encrypted part (includes application session key),
+         encrypted with the tgs authenticator subkey (section 5.4.2)
+     10. AP-REQ Authenticator cksum, keyed with the application session
+         key (section 5.3.2)
+     11. AP-REQ Authenticator (includes application authenticator
+         subkey), encrypted with the application session key (section
+         5.3.2)
+     12. AP-REP encrypted part (includes application session subkey),
+         encrypted with the application session key (section 5.5.2)
+     13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+         application (section 5.7.1)
+     14. KRB-CRED encrypted part, encrypted with a key chosen by the
+         application (section 5.6.1)
+     15. KRB-SAVE cksum, keyed with a key chosen by the application
+         (section 5.8.1)
+     18. KRB-ERROR checksum (e-cksum in section 5.9.1)
+     19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
+     20. Checksum for Mandatory Ticket Extensions (appendix B.6)
+     21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
+
+     Key usage values between 1024 and 2047 (inclusive) are reserved for
+     application use. Applications should use even values for encryption and
+     odd values for checksums within this range.
+
+     A few of these key usages need a little clarification. A service which
+     receives an AP-REQ has no way to know if the enclosed Ticket was part
+     of an AS-REP or TGS-REP. Therefore, key usage 2 must always be used for
+     generating a Ticket, whether it is in response to an AS- REQ or
+     TGS-REQ.
+
+     There might exist other documents which define protocols in terms of
+     the RFC1510 encryption types or checksum types. Such documents would
+     not know about key usages. In order that these documents continue to be
+     meaningful until they are updated, key usages 1024 and 1025 must be
+     used to derive keys for encryption and checksums, respectively. New
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     protocols defined in terms of the Kerberos encryption and checksum
+     types should use their own key usages. Key usages may be registered
+     with IANA to avoid conflicts. Key usages must be unsigned 32 bit
+     integers. Zero is not permitted.
+
+     Defining Cryptosystems Using Key Derivation
+
+     Kerberos requires that the ciphertext component of EncryptedData be
+     tamper-resistant as well as confidential. This implies encryption and
+     integrity functions, which must each use their own separate keys. So,
+     for each key usage, two keys must be generated, one for encryption
+     (Ke), and one for integrity (Ki):
+
+           Ke = DK(protocol key, key usage | 0xAA)
+           Ki = DK(protocol key, key usage | 0x55)
+
+     where the protocol key is from the EncryptionKey from the wire
+     protocol, and the key usage is represented as a 32 bit integer in
+     network byte order. The ciphertest must be generated from the plaintext
+     as follows:
+
+        ciphertext = E(Ke, confounder | plaintext | padding) |
+                     H(Ki, confounder | plaintext | padding)
+
+     The confounder and padding are specific to the encryption algorithm E.
+
+     When generating a checksum only, there is no need for a confounder or
+     padding. Again, a new key (Kc) must be used. Checksums must be
+     generated from the plaintext as follows:
+
+           Kc = DK(protocol key, key usage | 0x99)
+           MAC = H(Kc, plaintext)
+
+     Note that each enctype is described by an encryption algorithm E and a
+     keyed hash algorithm H, and each checksum type is described by a keyed
+     hash algorithm H. HMAC, with an appropriate hash, is required for use
+     as H.
+
+     Key Derivation from Passwords
+
+     The well-known constant for password key derivation must be the byte
+     string {0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values
+     correspond to the ASCII encoding for the string "kerberos".
+
+     6.4. Checksums
+
+     The following is the ASN.1 definition used for a checksum:
+
+              Checksum ::=   SEQUENCE {
+                             cksumtype[0]   INTEGER,
+                             checksum[1]    OCTET STRING
+              }
+
+     cksumtype
+          This field indicates the algorithm used to generate the
+          accompanying checksum.
+     checksum
+          This field contains the checksum itself, encoded as an octet
+          string.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     Detailed specification of selected checksum types appear later in this
+     section. Negative values for the checksum type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpretations.
+
+     Checksums used by Kerberos can be classified by two properties: whether
+     they are collision-proof, and whether they are keyed. It is infeasible
+     to find two plaintexts which generate the same checksum value for a
+     collision-proof checksum. A key is required to perturb or initialize
+     the algorithm in a keyed checksum. To prevent message-stream
+     modification by an active attacker, unkeyed checksums should only be
+     used when the checksum and message will be subsequently encrypted (e.g.
+     the checksums defined as part of the encryption algorithms covered
+     earlier in this section).
+
+     Collision-proof checksums can be made tamper-proof if the checksum
+     value is encrypted before inclusion in a message. In such cases, the
+     composition of the checksum and the encryption algorithm must be
+     considered a separate checksum algorithm (e.g. RSA-MD5 encrypted using
+     DES is a new checksum algorithm of type RSA-MD5-DES). For most keyed
+     checksums, as well as for the encrypted forms of unkeyed
+     collision-proof checksums, Kerberos prepends a confounder before the
+     checksum is calculated.
+
+     6.4.1. The CRC-32 Checksum (crc32)
+
+     The CRC-32 checksum calculates a checksum based on a cyclic redundancy
+     check as described in ISO 3309 [ISO3309]. The resulting checksum is
+     four (4) octets in length. The CRC-32 is neither keyed nor
+     collision-proof. The use of this checksum is not recommended. An
+     attacker using a probabilistic chosen-plaintext attack as described in
+     [SG92] might be able to generate an alternative message that satisfies
+     the checksum. The use of collision-proof checksums is recommended for
+     environments where such attacks represent a significant threat.
+
+     6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+     The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
+     [MD4-92]. The algorithm takes as input an input message of arbitrary
+     length and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is
+     believed to be collision-proof.
+
+     6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
+
+     The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
+     prepending an 8 octet confounder before the text, applying the RSA MD4
+     checksum algorithm, and encrypting the confounder and the checksum
+     using DES in cipher-block-chaining (CBC) mode using a variant of the
+     key, where the variant is computed by eXclusive-ORing the key with the
+     constant F0F0F0F0F0F0F0F0[39]. The initialization vector should be
+     zero. The resulting checksum is 24 octets long (8 octets of which are
+     redundant). This checksum is tamper-proof and believed to be
+     collision-proof.
+
+     The DES specifications identify some weak keys' and 'semi-weak keys';
+     those keys shall not be used for generating RSA-MD4 checksums for use
+     in Kerberos.
+
+     The format for the checksum is described in the follow- ing diagram:
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+     |  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)  |
+     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                                confounder[0]   UNTAGGED OCTET STRING(8),
+                                check[1]        UNTAGGED OCTET STRING(16)
+     }
+
+     6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+     The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm.
+     [MD5-92]. The algorithm takes as input an input message of arbitrary
+     length and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is
+     believed to be collision-proof.
+
+     6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
+
+     The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by
+     prepending an 8 octet confounder before the text, applying the RSA MD5
+     checksum algorithm, and encrypting the confounder and the checksum
+     using DES in cipher-block-chaining (CBC) mode using a variant of the
+     key, where the variant is computed by eXclusive-ORing the key with the
+     hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector should
+     be zero. The resulting checksum is 24 octets long (8 octets of which
+     are redundant). This checksum is tamper-proof and believed to be
+     collision-proof.
+
+     The DES specifications identify some 'weak keys' and 'semi-weak keys';
+     those keys shall not be used for encrypting RSA-MD5 checksums for use
+     in Kerberos.
+
+     The format for the checksum is described in the following diagram:
+
+     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+     |  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)  |
+     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                                confounder[0]   UNTAGGED OCTET STRING(8),
+                                check[1]        UNTAGGED OCTET STRING(16)
+     }
+
+     6.4.6. DES cipher-block chained checksum (des-mac)
+
+     The DES-MAC checksum is computed by prepending an 8 octet confounder to
+     the plaintext, performing a DES CBC-mode encryption on the result using
+     the key and an initialization vector of zero, taking the last block of
+     the ciphertext, prepending the same confounder and encrypting the pair
+     using DES in cipher-block-chaining (CBC) mode using a a variant of the
+     key, where the variant is computed by eXclusive-ORing the key with the
+     hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector should
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     be zero. The resulting checksum is 128 bits (16 octets) long, 64 bits
+     of which are redundant. This checksum is tamper-proof and
+     collision-proof.
+
+     The format for the checksum is described in the following diagram:
+
+     +--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+     |   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
+     +--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                            confounder[0]   UNTAGGED OCTET STRING(8),
+                            check[1]        UNTAGGED OCTET STRING(8)
+     }
+
+     The DES specifications identify some 'weak' and 'semi-weak' keys; those
+     keys shall not be used for generating DES-MAC checksums for use in
+     Kerberos, nor shall a key be used whose variant is 'weak' or
+     'semi-weak'.
+
+     6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative
+     (rsa-md4-des-k)
+
+     The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum
+     by applying the RSA MD4 checksum algorithm and encrypting the results
+     using DES in cipher-block-chaining (CBC) mode using a DES key as both
+     key and initialization vector. The resulting checksum is 16 octets
+     long. This checksum is tamper-proof and believed to be collision-proof.
+     Note that this checksum type is the old method for encoding the
+     RSA-MD4-DES checksum and it is no longer recommended.
+
+     6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
+
+     The DES-MAC-K checksum is computed by performing a DES CBC-mode
+     encryption of the plaintext, and using the last block of the ciphertext
+     as the checksum value. It is keyed with an encryption key and an
+     initialization vector; any uses which do not specify an additional
+     initialization vector will use the key as both key and initialization
+     vector. The resulting checksum is 64 bits (8 octets) long. This
+     checksum is tamper-proof and collision-proof. Note that this checksum
+     type is the old method for encoding the DES-MAC checksum and it is no
+     longer recommended. The DES specifications identify some 'weak keys'
+     and 'semi-weak keys'; those keys shall not be used for generating
+     DES-MAC checksums for use in Kerberos.
+
+     7. Naming Constraints
+
+     7.1. Realm Names
+
+     Although realm names are encoded as GeneralStrings and although a realm
+     can technically select any name it chooses, interoperability across
+     realm boundaries requires agreement on how realm names are to be
+     assigned, and what information they imply.
+
+     To enforce these conventions, each realm must conform to the
+     conventions itself, and it must require that any realms with which
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     inter-realm keys are shared also conform to the conventions and require
+     the same from its neighbors.
+
+     Kerberos realm names are case sensitive. Realm names that differ only
+     in the case of the characters are not equivalent. There are presently
+     four styles of realm names: domain, X500, other, and reserved. Examples
+     of each style follow:
+
+          domain:   ATHENA.MIT.EDU (example)
+            X500:   C=US/O=OSF (example)
+           other:   NAMETYPE:rest/of.name=without-restrictions (example)
+        reserved:   reserved, but will not conflict with above
+
+     Domain names must look like domain names: they consist of components
+     separated by periods (.) and they contain neither colons (:) nor
+     slashes (/). Domain names must be converted to upper case when used as
+     realm names.
+
+     X.500 names contain an equal (=) and cannot contain a colon (:) before
+     the equal. The realm names for X.500 names will be string
+     representations of the names with components separated by slashes.
+     Leading and trailing slashes will not be included.
+
+     Names that fall into the other category must begin with a prefix that
+     contains no equal (=) or period (.) and the prefix must be followed by
+     a colon (:) and the rest of the name. All prefixes must be assigned
+     before they may be used. Presently none are assigned.
+
+     The reserved category includes strings which do not fall into the first
+     three categories. All names in this category are reserved. It is
+     unlikely that names will be assigned to this category unless there is a
+     very strong argument for not using the 'other' category.
+
+     These rules guarantee that there will be no conflicts between the
+     various name styles. The following additional constraints apply to the
+     assignment of realm names in the domain and X.500 categories: the name
+     of a realm for the domain or X.500 formats must either be used by the
+     organization owning (to whom it was assigned) an Internet domain name
+     or X.500 name, or in the case that no such names are registered,
+     authority to use a realm name may be derived from the authority of the
+     parent realm. For example, if there is no domain name for E40.MIT.EDU,
+     then the administrator of the MIT.EDU realm can authorize the creation
+     of a realm with that name.
+
+     This is acceptable because the organization to which the parent is
+     assigned is presumably the organization authorized to assign names to
+     its children in the X.500 and domain name systems as well. If the
+     parent assigns a realm name without also registering it in the domain
+     name or X.500 hierarchy, it is the parent's responsibility to make sure
+     that there will not in the future exists a name identical to the realm
+     name of the child unless it is assigned to the same entity as the realm
+     name.
+
+     7.2. Principal Names
+
+     As was the case for realm names, conventions are needed to ensure that
+     all agree on what information is implied by a principal name. The
+     name-type field that is part of the principal name indicates the kind
+     of information implied by the name. The name-type should be treated as
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     a hint. Ignoring the name type, no two names can be the same (i.e. at
+     least one of the components, or the realm, must be different). The
+     following name types are defined:
+
+ name-type      value   meaning
+
+  NT-UNKNOWN        0  Name type not known
+  NT-PRINCIPAL      1  General principal name (e.g. username, or DCE principal)
+  NT-SRV-INST       2  Service and other unique instance (krbtgt)
+  NT-SRV-HST        3  Service with host name as instance (telnet, rcommands)
+  NT-SRV-XHST       4  Service with slash-separated host name components
+  NT-UID            5  Unique ID
+  NT-X500-PRINCIPAL 6  Encoded X.509 Distingished name [RFC 1779]
+
+     When a name implies no information other than its uniqueness at a
+     particular time the name type PRINCIPAL should be used. The principal
+     name type should be used for users, and it might also be used for a
+     unique server. If the name is a unique machine generated ID that is
+     guaranteed never to be reassigned then the name type of UID should be
+     used (note that it is generally a bad idea to reassign names of any
+     type since stale entries might remain in access control lists).
+
+     If the first component of a name identifies a service and the remaining
+     components identify an instance of the service in a server specified
+     manner, then the name type of SRV-INST should be used. An example of
+     this name type is the Kerberos ticket-granting service whose name has a
+     first component of krbtgt and a second component identifying the realm
+     for which the ticket is valid.
+
+     If instance is a single component following the service name and the
+     instance identifies the host on which the server is running, then the
+     name type SRV-HST should be used. This type is typically used for
+     Internet services such as telnet and the Berkeley R commands. If the
+     separate components of the host name appear as successive components
+     following the name of the service, then the name type SRV-XHST should
+     be used. This type might be used to identify servers on hosts with
+     X.500 names where the slash (/) might otherwise be ambiguous.
+
+     A name type of NT-X500-PRINCIPAL should be used when a name from an
+     X.509 certificiate is translated into a Kerberos name. The encoding of
+     the X.509 name as a Kerberos principal shall conform to the encoding
+     rules specified in RFC 2253.
+
+     A name type of UNKNOWN should be used when the form of the name is not
+     known. When comparing names, a name of type UNKNOWN will match
+     principals authenticated with names of any type. A principal
+     authenticated with a name of type UNKNOWN, however, will only match
+     other names of type UNKNOWN.
+
+     Names of any type with an initial component of 'krbtgt' are reserved
+     for the Kerberos ticket granting service. See section 8.2.3 for the
+     form of such names.
+
+     7.2.1. Name of server principals
+
+     The principal identifier for a server on a host will generally be
+     composed of two parts: (1) the realm of the KDC with which the server
+     is registered, and (2) a two-component name of type NT-SRV-HST if the
+     host name is an Internet domain name or a multi-component name of type
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     NT-SRV-XHST if the name of the host is of a form such as X.500 that
+     allows slash (/) separators. The first component of the two- or
+     multi-component name will identify the service and the latter
+     components will identify the host. Where the name of the host is not
+     case sensitive (for example, with Internet domain names) the name of
+     the host must be lower case. If specified by the application protocol
+     for services such as telnet and the Berkeley R commands which run with
+     system privileges, the first component may be the string 'host' instead
+     of a service specific identifier. When a host has an official name and
+     one or more aliases, the official name of the host must be used when
+     constructing the name of the server principal.
+
+     8. Constants and other defined values
+
+     8.1. Host address types
+
+     All negative values for the host address type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpretations.
+
+     The values of the types for the following addresses are chosen to match
+     the defined address family constants in the Berkeley Standard
+     Distributions of Unix. They can be found in with symbolic names AF_xxx
+     (where xxx is an abbreviation of the address family name).
+
+     Internet (IPv4) Addresses
+
+     Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in
+     MSB order. The type of IPv4 addresses is two (2).
+
+     Internet (IPv6) Addresses [Westerlund]
+
+     IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order.
+     The type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884].
+     The following addresses (see [RFC1884]) MUST not appear in any Kerberos
+     packet:
+        o the Unspecified Address
+        o the Loopback Address
+        o Link-Local addresses
+     IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+     CHAOSnet addresses
+
+     CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB
+     order. The type of CHAOSnet addresses is five (5).
+
+     ISO addresses
+
+     ISO addresses are variable-length. The type of ISO addresses is seven
+     (7).
+
+     Xerox Network Services (XNS) addresses
+
+     XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order.
+     The type of XNS addresses is six (6).
+
+     AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+     AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     network number. The first octet of the address is the node number; the
+     remaining two octets encode the network number in MSB order. The type
+     of AppleTalk DDP addresses is sixteen (16).
+
+     DECnet Phase IV addresses
+
+     DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order.
+     The type of DECnet Phase IV addresses is twelve (12).
+
+     Netbios addresses
+
+     Netbios addresses are 16-octet addresses typically composed of 1 to 15
+     characters, trailing blank (ascii char 20) filled, with a 16th octet of
+     0x0. The type of Netbios addresses is 20 (0x14).
+
+     8.2. KDC messages
+
+     8.2.1. UDP/IP transport
+
+     When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using
+     UDP IP transport, the client shall send a UDP datagram containing only
+     an encoding of the request to port 88 (decimal) at the KDC's IP
+     address; the KDC will respond with a reply datagram containing only an
+     encoding of the reply message (either a KRB_ERROR or a KRB_KDC_REP) to
+     the sending port at the sender's IP address. Kerberos servers
+     supporting IP transport must accept UDP requests on port 88 (decimal).
+     The response to a request made through UDP/IP transport must also use
+     UDP/IP transport.
+
+     8.2.2. TCP/IP transport [Westerlund,Danielsson]
+
+     Kerberos servers (KDC's) should accept TCP requests on port 88
+     (decimal) and clients should support the sending of TCP requests on
+     port 88 (decimal). When the KRB_KDC_REQ message is sent to the KDC over
+     a TCP stream, a new connection will be established for each
+     authentication exchange (request and response). The KRB_KDC_REP or
+     KRB_ERROR message will be returned to the client on the same TCP stream
+     that was established for the request. The response to a request made
+     through TCP/IP transport must also use TCP/IP transport. Implementors
+     should note that some extentions to the Kerberos protocol will not work
+     if any implementation not supporting the TCP transport is involved
+     (client or KDC). Implementors are strongly urged to support the TCP
+     transport on both the client and server and are advised that the
+     current notation of "should" support will likely change in the future
+     to must support. The KDC may close the TCP stream after sending a
+     response, but may leave the stream open if it expects a followup - in
+     which case it may close the stream at any time if resource constratints
+     or other factors make it desirable to do so. Care must be taken in
+     managing TCP/IP connections with the KDC to prevent denial of service
+     attacks based on the number of TCP/IP connections with the KDC that
+     remain open. If multiple exchanges with the KDC are needed for certain
+     forms of preauthentication, multiple TCP connections may be required. A
+     client may close the stream after receiving response, and should close
+     the stream if it does not expect to send followup messages. The client
+     must be prepared to have the stream closed by the KDC at anytime, in
+     which case it must simply connect again when it is ready to send
+     subsequent messages.
+
+     The first four octets of the TCP stream used to transmit the request
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     request will encode in network byte order the length of the request
+     (KRB_KDC_REQ), and the length will be followed by the request itself.
+     The response will similarly be preceeded by a 4 octet encoding in
+     network byte order of the length of the KRB_KDC_REP or the KRB_ERROR
+     message and will be followed by the KRB_KDC_REP or the KRB_ERROR
+     response. If the sign bit is set on the integer represented by the
+     first 4 octets, then the next 4 octets will be read, extending the
+     length of the field by another 4 octets (less the sign bit which is
+     reserved for future expansion).
+
+     8.2.3. OSI transport
+
+     During authentication of an OSI client to an OSI server, the mutual
+     authentication of an OSI server to an OSI client, the transfer of
+     credentials from an OSI client to an OSI server, or during exchange of
+     private or integrity checked messages, Kerberos protocol messages may
+     be treated as opaque objects and the type of the authentication
+     mechanism will be:
+
+     OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5),kerberosv5(2)}
+
+     Depending on the situation, the opaque object will be an authentication
+     header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe
+     message (KRB_SAFE), a private message (KRB_PRIV), or a credentials
+     message (KRB_CRED). The opaque data contains an application code as
+     specified in the ASN.1 description for each message. The application
+     code may be used by Kerberos to determine the message type.
+
+     8.2.3. Name of the TGS
+
+     The principal identifier of the ticket-granting service shall be
+     composed of three parts: (1) the realm of the KDC issuing the TGS
+     ticket (2) a two-part name of type NT-SRV-INST, with the first part
+     "krbtgt" and the second part the name of the realm which will accept
+     the ticket-granting ticket. For example, a ticket-granting ticket
+     issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
+     ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU"
+     (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting ticket
+     issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
+     MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" (realm),
+     ("krbtgt", "MIT.EDU") (name).
+
+     8.3. Protocol constants and associated values
+
+     The following tables list constants used in the protocol and defines
+     their meanings. Ranges are specified in the "specification" section
+     that limit the values of constants for which values are defined here.
+     This allows implementations to make assumptions about the maximum
+     values that will be received for these constants. Implementation
+     receiving values outside the range specified in the "specification"
+     section may reject the request, but they must recover cleanly.
+
+  Encryption type       etype value block size  minimum pad size  confounder size
+  NULL                           0     1           0                 0
+  des-cbc-crc                    1     8           4                 8
+  des-cbc-md4                    2     8           0                 8
+  des-cbc-md5                    3     8           0                 8
+  <reserved>                     4
+  des3-cbc-md5                   5     8           0                 8
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+  <reserved>                     6
+  des3-cbc-sha1                  7     8           0                 8
+  dsaWithSHA1-CmsOID             9                                 (pkinit)
+  md5WithRSAEncryption-CmsOID   10                                 (pkinit)
+  sha1WithRSAEncryption-CmsOID  11                                 (pkinit)
+  rc2CBC-EnvOID                 12                                 (pkinit)
+  rsaEncryption-EnvOID          13                 (pkinit from PKCS#1 v1.5)
+  rsaES-OAEP-ENV-OID            14                 (pkinit from PKCS#1 v2.0)
+  des-ede3-cbc-Env-OID          15                                 (pkinit)
+  des3-cbc-sha1-kd              16                                 (Tom Yu)
+  rc4-hmac                      23                                 (swift)
+  rc4-hmac-exp                  24                                 (swift)
+
+  ENCTYPE_PK_CROSS              48                      (reserved for pkcross)
+  <reserved>                    0x8003
+
+  Checksum type              sumtype value       checksum size
+  CRC32                      1                   4
+  rsa-md4                    2                   16
+  rsa-md4-des                3                   24
+  des-mac                    4                   16
+  des-mac-k                  5                   8
+  rsa-md4-des-k              6                   16 (drop rsa ?)
+  rsa-md5                    7                   16 (drop rsa ?)
+  rsa-md5-des                8                   24 (drop rsa ?)
+  rsa-md5-des3               9                   24 (drop rsa ?)
+  hmac-sha1-des3-kd          12                  20
+  hmac-sha1-des3             13                  20
+
+  padata type                     padata-type value
+
+  PA-TGS-REQ                      1
+  PA-ENC-TIMESTAMP                2
+  PA-PW-SALT                      3
+  <reserved>                      4
+  PA-ENC-UNIX-TIME                5                  (depricated)
+  PA-SANDIA-SECUREID              6
+  PA-SESAME                       7
+  PA-OSF-DCE                      8
+  PA-CYBERSAFE-SECUREID           9
+  PA-AFS3-SALT                    10
+  PA-ETYPE-INFO                   11
+  PA-SAM-CHALLENGE                12                  (sam/otp)
+  PA-SAM-RESPONSE                 13                  (sam/otp)
+  PA-PK-AS-REQ                    14                  (pkinit)
+  PA-PK-AS-REP                    15                  (pkinit)
+  PA-USE-SPECIFIED-KVNO           20
+  PA-SAM-REDIRECT                 21                  (sam/otp)
+  PA-GET-FROM-TYPED-DATA          22
+  PA-SAM-ETYPE-INFO               23                  (sam/otp)
+
+data-type                     value    form of typed-data
+
+<reserved>                      1-21
+TD-PADATA                       22
+TD-PKINIT-CMS-CERTIFICATES      101      CertificateSet from CMS
+TD-KRB-PRINCIPAL                102
+TD-KRB-REALM                    103
+TD-TRUSTED-CERTIFIERS           104
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+TD-CERTIFICATE-INDEX            105
+
+authorization data type         ad-type value
+AD-IF-RELEVANT                     1
+AD-INTENDED-FOR-SERVER             2
+AD-INTENDED-FOR-APPLICATION-CLASS  3
+AD-KDC-ISSUED                      4
+AD-OR                              5
+AD-MANDATORY-TICKET-EXTENSIONS     6
+AD-IN-TICKET-EXTENSIONS            7
+reserved values                    8-63
+OSF-DCE                            64
+SESAME                             65
+AD-OSF-DCE-PKI-CERTID              66         (hemsath@us.ibm.com)
+
+Ticket Extension Types
+
+TE-TYPE-NULL                  0      Null ticket extension
+TE-TYPE-EXTERNAL-ADATA        1      Integrity protected authorization data
+<reserved>                    2      TE-TYPE-PKCROSS-KDC  (I have reservations)
+TE-TYPE-PKCROSS-CLIENT        3      PKCROSS cross realm key ticket
+TE-TYPE-CYBERSAFE-EXT         4      Assigned to CyberSafe Corp
+<reserved>                    5      TE-TYPE-DEST-HOST (I have reservations)
+
+alternate authentication type   method-type value
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+transited encoding type         tr-type value
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+Label               Value   Meaning or MIT code
+
+pvno                    5   current Kerberos protocol version number
+
+message types
+
+KRB_AS_REQ             10   Request for initial authentication
+KRB_AS_REP             11   Response to KRB_AS_REQ request
+KRB_TGS_REQ            12   Request for authentication based on TGT
+KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+KRB_AP_REQ             14   application request to server
+KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE               20   Safe (checksummed) application message
+KRB_PRIV               21   Private (encrypted) application message
+KRB_CRED               22   Private (encrypted) message to forward credentials
+KRB_ERROR              30   Error response
+
+name types
+
+KRB_NT_UNKNOWN        0  Name type not known
+KRB_NT_PRINCIPAL      1  Just the name of the principal as in DCE, or for users
+KRB_NT_SRV_INST       2  Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST        3  Service with host name as instance (telnet, rcommands)
+KRB_NT_SRV_XHST       4  Service with host as remaining components
+KRB_NT_UID            5  Unique ID
+KRB_NT_X500_PRINCIPAL 6  Encoded X.509 Distingished name [RFC 2253]
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+error codes
+
+KDC_ERR_NONE                    0   No error
+KDC_ERR_NAME_EXP                1   Client's entry in database has expired
+KDC_ERR_SERVICE_EXP             2   Server's entry in database has expired
+KDC_ERR_BAD_PVNO                3   Requested prot vers number not supported
+KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old master key
+KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in database
+KDC_ERR_NULL_KEY                9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID            11   Requested start time is later than end time
+KDC_ERR_POLICY                 12   KDC policy rejects request
+KDC_ERR_BADOPTION              13   KDC cannot accommodate requested option
+KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption type
+KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been revoked
+KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again later
+KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again later
+KDC_ERR_KEY_EXPIRED            23   Password has expired - change password
+KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was invalid
+KDC_ERR_PREAUTH_REQUIRED       25   Additional pre-authenticationrequired [40]
+KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't match
+KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for user2user only
+KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+KDC_ERR_SVC_UNAVAILABLE        29   A service is not available
+KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field failed
+KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+KRB_AP_ERR_REPEAT              34   Request is a replay
+KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't match
+KRB_AP_ERR_SKEW                37   Clock skew too great
+KRB_AP_ERR_BADADDR             38   Incorrect net address
+KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+KRB_AP_ERR_MODIFIED            41   Message stream modified
+KRB_AP_ERR_BADORDER            42   Message out of order
+KRB_AP_ERR_BADKEYVER           44   Specified version of key is not available
+KRB_AP_ERR_NOKEY               45   Service key not available
+KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+KRB_AP_ERR_METHOD              48   Alternative authentication method required
+KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in message
+KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in message
+KRB_AP_PATH_NOT_ACCEPTED       51   Policy rejects transited path
+KRB_ERR_RESPONSE_TOO_BIG       52   Response too big for UDP, retry with TCP
+KRB_ERR_GENERIC                60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG          61   Field is too long for this implementation
+KDC_ERROR_CLIENT_NOT_TRUSTED            62 (pkinit)
+KDC_ERROR_KDC_NOT_TRUSTED               63 (pkinit)
+KDC_ERROR_INVALID_SIG                   64 (pkinit)
+KDC_ERR_KEY_TOO_WEAK                    65 (pkinit)
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+KDC_ERR_CERTIFICATE_MISMATCH            66 (pkinit)
+KRB_AP_ERR_NO_TGT                       67 (user-to-user)
+KDC_ERR_WRONG_REALM                     68 (user-to-user)
+KRB_AP_ERR_USER_TO_USER_REQUIRED        69 (user-to-user)
+KDC_ERR_CANT_VERIFY_CERTIFICATE         70 (pkinit)
+KDC_ERR_INVALID_CERTIFICATE             71 (pkinit)
+KDC_ERR_REVOKED_CERTIFICATE             72 (pkinit)
+KDC_ERR_REVOCATION_STATUS_UNKNOWN       73 (pkinit)
+KDC_ERR_REVOCATION_STATUS_UNAVAILABLE   74 (pkinit)
+KDC_ERR_CLIENT_NAME_MISMATCH            75 (pkinit)
+KDC_ERR_KDC_NAME_MISMATCH               76 (pkinit)
+
+     9. Interoperability requirements
+
+     Version 5 of the Kerberos protocol supports a myriad of options. Among
+     these are multiple encryption and checksum types, alternative encoding
+     schemes for the transited field, optional mechanisms for
+     pre-authentication, the handling of tickets with no addresses, options
+     for mutual authentication, user to user authentication, support for
+     proxies, forwarding, postdating, and renewing tickets, the format of
+     realm names, and the handling of authorization data.
+
+     In order to ensure the interoperability of realms, it is necessary to
+     define a minimal configuration which must be supported by all
+     implementations. This minimal configuration is subject to change as
+     technology does. For example, if at some later date it is discovered
+     that one of the required encryption or checksum algorithms is not
+     secure, it will be replaced.
+
+     9.1. Specification 2
+
+     This section defines the second specification of these options.
+     Implementations which are configured in this way can be said to support
+     Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated)
+     may be found in RFC1510.
+
+     Transport
+
+     TCP/IP and UDP/IP transport must be supported by KDCs claiming
+     conformance to specification 2. Kerberos clients claiming conformance
+     to specification 2 must support UDP/IP transport for messages with the
+     KDC and should support TCP/IP transport.
+
+     Encryption and checksum methods
+
+     The following encryption and checksum mechanisms must be supported.
+     Implementations may support other mechanisms as well, but the
+     additional mechanisms may only be used when communicating with
+     principals known to also support them: This list is to be determined.
+
+     Encryption: DES-CBC-MD5, one triple des variant (tbd)
+     Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 (tbd)
+
+     Realm Names
+
+     All implementations must understand hierarchical realms in both the
+     Internet Domain and the X.500 style. When a ticket granting ticket for
+     an unknown realm is requested, the KDC must be able to determine the
+     names of the intermediate realms between the KDCs realm and the
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     requested realm.
+
+     Transited field encoding
+
+     DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
+     Alternative encodings may be supported, but they may be used only when
+     that encoding is supported by ALL intermediate realms.
+
+     Pre-authentication methods
+
+     The TGS-REQ method must be supported. The TGS-REQ method is not used on
+     the initial request. The PA-ENC-TIMESTAMP method must be supported by
+     clients but whether it is enabled by default may be determined on a
+     realm by realm basis. If not used in the initial request and the error
+     KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
+     acceptable method, the client should retry the initial request using
+     the PA-ENC-TIMESTAMP preauthentication method. Servers need not support
+     the PA-ENC-TIMESTAMP method, but if not supported the server should
+     ignore the presence of PA-ENC-TIMESTAMP pre-authentication in a
+     request.
+
+     Mutual authentication
+
+     Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+     Ticket addresses and flags
+
+     All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
+     contains no addresses, the KDC will return derivative tickets), but
+     each realm may set its own policy for issuing such tickets, and each
+     application server will set its own policy with respect to accepting
+     them.
+
+     Proxies and forwarded tickets must be supported. Individual realms and
+     application servers can set their own policy on when such tickets will
+     be accepted.
+
+     All implementations must recognize renewable and postdated tickets, but
+     need not actually implement them. If these options are not supported,
+     the starttime and endtime in the ticket shall specify a ticket's entire
+     useful life. When a postdated ticket is decoded by a server, all
+     implementations shall make the presence of the postdated flag visible
+     to the calling server.
+
+     User-to-user authentication
+
+     Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC
+     option) must be provided by implementations, but individual realms may
+     decide as a matter of policy to reject such requests on a per-principal
+     or realm-wide basis.
+
+     Authorization data
+
+     Implementations must pass all authorization data subfields from
+     ticket-granting tickets to any derivative tickets unless directed to
+     suppress a subfield as part of the definition of that registered
+     subfield type (it is never incorrect to pass on a subfield, and no
+     registered subfield types presently specify suppression at the KDC).
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     Implementations must make the contents of any authorization data
+     subfields available to the server when a ticket is used.
+     Implementations are not required to allow clients to specify the
+     contents of the authorization data fields.
+
+     Constant ranges
+
+     All protocol constants are constrained to 32 bit (signed) values unless
+     further constrained by the protocol definition. This limit is provided
+     to allow implementations to make assumptions about the maximum values
+     that will be received for these constants. Implementation receiving
+     values outside this range may reject the request, but they must recover
+     cleanly.
+
+     9.2. Recommended KDC values
+
+     Following is a list of recommended values for a KDC implementation,
+     based on the list of suggested configuration constants (see section
+     4.4).
+
+     minimum lifetime              5 minutes
+     maximum renewable lifetime    1 week
+     maximum ticket lifetime       1 day
+     empty addresses               only when suitable  restrictions  appear
+                                   in authorization data
+     proxiable, etc.               Allowed.
+
+     10. REFERENCES
+
+     [NT94]    B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+               cation  Service for Computer Networks," IEEE Communica-
+               tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+     [MNSS87]  S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+               Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+               Authorization System, M.I.T. Project Athena, Cambridge,
+               Massachusetts (December 21, 1987).
+
+     [SNS88]   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+               beros:  An Authentication Service for Open Network Sys-
+               tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+               Dallas, Texas (February, 1988).
+
+     [NS78]    Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+               Encryption for Authentication in Large Networks of Com-
+               puters,"  Communications  of  the  ACM,  Vol.   21(12),
+               pp. 993-999 (December, 1978).
+
+     [DS81]    Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+               stamps  in  Key Distribution Protocols," Communications
+               of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+     [KNT92]   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+               "The Evolution of the Kerberos Authentication Service,"
+               in an IEEE Computer Society Text soon to  be  published
+               (June 1992).
+
+     [Neu93]   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+               Accounting  for Distributed Systems," in Proceedings of
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+               the 13th International Conference on  Distributed  Com-
+               puting Systems, Pittsburgh, PA (May, 1993).
+
+     [DS90]    Don Davis and Ralph Swick,  "Workstation  Services  and
+               Kerberos  Authentication  at Project Athena," Technical
+               Memorandum TM-424,  MIT Laboratory for Computer Science
+               (February 1990).
+
+     [LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+               merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+               ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+               sachusetts (1987).
+
+     [X509-88] CCITT, Recommendation X.509: The Directory  Authentica-
+               tion Framework, December 1988.
+
+     [Pat92].  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+               Guessing  Attacks, Open Software Foundation DCE Request
+               for Comments 26 (December 1992).
+
+     [DES77]   National Bureau of Standards, U.S. Department  of  Com-
+               merce,  "Data Encryption Standard," Federal Information
+               Processing Standards Publication  46,   Washington,  DC
+               (1977).
+
+     [DESM80]  National Bureau of Standards, U.S. Department  of  Com-
+               merce,  "DES  Modes  of Operation," Federal Information
+               Processing Standards Publication 81,   Springfield,  VA
+               (December 1980).
+
+     [SG92]    Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+               Integrity  in  Cryptographic Protocols," in Proceedings
+               of the IEEE  Symposium  on  Research  in  Security  and
+               Privacy, Oakland, California (May 1992).
+
+     [IS3309]  International Organization  for  Standardization,  "ISO
+               Information  Processing  Systems - Data Communication -
+               High-Level Data Link Control Procedure -  Frame  Struc-
+               ture," IS 3309 (October 1984).  3rd Edition.
+
+     [MD4-92]  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+               1320,   MIT  Laboratory  for  Computer  Science  (April
+               1992).
+
+     [MD5-92]  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+               1321,   MIT  Laboratory  for  Computer  Science  (April
+               1992).
+
+     [KBC96]   H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+               Hashing  for  Message  Authentication,"  Working  Draft
+               draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+     [Horowitz96] Horowitz, M., "Key Derivation for Authentication,
+               Integrity, and Privacy", draft-horowitz-key-derivation-02.txt,
+               August 1998.
+
+     [HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft-
+               horowitz-kerb-key-derivation-01.txt, September 1998.
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC:
+               Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac-
+               md5-01.txt, August, 1996.
+
+     A. Pseudo-code for protocol processing
+
+     This appendix provides pseudo-code describing how the messages are to
+     be constructed and interpreted by clients and servers.
+
+     A.1. KRB_AS_REQ generation
+
+             request.pvno := protocol version; /* pvno = 5 */
+             request.msg-type := message type; /* type = KRB_AS_REQ */
+
+             if(pa_enc_timestamp_required) then
+                     request.padata.padata-type = PA-ENC-TIMESTAMP;
+                     get system_time;
+                     padata-body.patimestamp,pausec = system_time;
+                     encrypt padata-body into request.padata.padata-value
+                             using client.key; /* derived from password */
+             endif
+
+             body.kdc-options := users's preferences;
+             body.cname := user's name;
+             body.realm := user's realm;
+             body.sname := service's name; /* usually "krbtgt", 
+                                              "localrealm" */
+
+             if (body.kdc-options.POSTDATED is set) then
+                     body.from := requested starting time;
+             else
+                     omit body.from;
+             endif
+             body.till := requested end time;
+             if (body.kdc-options.RENEWABLE is set) then
+                     body.rtime := requested final renewal time;
+             endif
+             body.nonce := random_nonce();
+             body.etype := requested etypes;
+             if (user supplied addresses) then
+                     body.addresses := user's addresses;
+             else
+                     omit body.addresses;
+             endif
+             omit body.enc-authorization-data;
+             request.req-body := body;
+
+             kerberos := lookup(name of local kerberos server (or servers));
+             send(packet,kerberos);
+
+             wait(for response);
+             if (timed_out) then
+                     retry or use alternate server;
+             endif
+
+     A.2. KRB_AS_REQ verification and KRB_AS_REP generation
+
+             decode message into req;
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             client := lookup(req.cname,req.realm);
+             server := lookup(req.sname,req.realm);
+
+             get system_time;
+             kdc_time := system_time.seconds;
+
+             if (!client) then
+                     /* no client in Database */
+                     error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+             endif
+             if (!server) then
+                     /* no server in Database */
+                     error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+             endif
+
+             if(client.pa_enc_timestamp_required and
+                pa_enc_timestamp not present) then
+                     error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+             endif
+
+             if(pa_enc_timestamp present) then
+                     decrypt req.padata-value into decrypted_enc_timestamp
+                             using client.key;
+                             using auth_hdr.authenticator.subkey;
+                     if (decrypt_error()) then
+                             error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                     if(decrypted_enc_timestamp is not within allowable skew) 
+                         then
+                             error_out(KDC_ERR_PREAUTH_FAILED);
+                     endif
+                     if(decrypted_enc_timestamp and usec is replay)
+                             error_out(KDC_ERR_PREAUTH_FAILED);
+                     endif
+                     add decrypted_enc_timestamp and usec to replay cache;
+             endif
+
+             use_etype := first supported etype in req.etypes;
+
+             if (no support for req.etypes) then
+                     error_out(KDC_ERR_ETYPE_NOSUPP);
+             endif
+
+             new_tkt.vno := ticket version; /* = 5 */
+             new_tkt.sname := req.sname;
+             new_tkt.srealm := req.srealm;
+             reset all flags in new_tkt.flags;
+
+             /* It should be noted that local policy may affect the  */
+             /* processing of any of these flags.  For example, some */
+             /* realms may refuse to issue renewable tickets         */
+
+             if (req.kdc-options.FORWARDABLE is set) then
+                     set new_tkt.flags.FORWARDABLE;
+             endif
+             if (req.kdc-options.PROXIABLE is set) then
+                     set new_tkt.flags.PROXIABLE;
+             endif
+
+             if (req.kdc-options.ALLOW-POSTDATE is set) then
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                     set new_tkt.flags.MAY-POSTDATE;
+             endif
+             if ((req.kdc-options.RENEW is set) or
+                 (req.kdc-options.VALIDATE is set) or
+                 (req.kdc-options.PROXY is set) or
+                 (req.kdc-options.FORWARDED is set) or
+                 (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                     error_out(KDC_ERR_BADOPTION);
+             endif
+
+             new_tkt.session := random_session_key();
+             new_tkt.cname := req.cname;
+             new_tkt.crealm := req.crealm;
+             new_tkt.transited := empty_transited_field();
+
+             new_tkt.authtime := kdc_time;
+
+             if (req.kdc-options.POSTDATED is set) then
+                if (against_postdate_policy(req.from)) then
+                     error_out(KDC_ERR_POLICY);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                new_tkt.starttime := req.from;
+             else
+                omit new_tkt.starttime; /* treated as authtime when omitted */
+             endif
+             if (req.till = 0) then
+                     till := infinity;
+             else
+                     till := req.till;
+             endif
+
+             new_tkt.endtime := min(till,
+                                   new_tkt.starttime+client.max_life,
+                                   new_tkt.starttime+server.max_life,
+                                   new_tkt.starttime+max_life_for_realm);
+
+             if ((req.kdc-options.RENEWABLE-OK is set) and
+                 (new_tkt.endtime < req.till)) then
+                     /* we set the RENEWABLE option for later processing */
+                     set req.kdc-options.RENEWABLE;
+                     req.rtime := req.till;
+             endif
+
+             if (req.rtime = 0) then
+                     rtime := infinity;
+             else
+                     rtime := req.rtime;
+             endif
+
+             if (req.kdc-options.RENEWABLE is set) then
+                     set new_tkt.flags.RENEWABLE;
+                     new_tkt.renew-till := min(rtime,
+                                     new_tkt.starttime+client.max_rlife,
+                                     new_tkt.starttime+server.max_rlife,
+                                     new_tkt.starttime+max_rlife_for_realm);
+             else
+                     omit new_tkt.renew-till; /* only present if RENEWABLE */
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             endif
+
+             if (req.addresses) then
+                     new_tkt.caddr := req.addresses;
+             else
+                     omit new_tkt.caddr;
+             endif
+
+             new_tkt.authorization_data := empty_authorization_data();
+
+             encode to-be-encrypted part of ticket into OCTET STRING;
+             new_tkt.enc-part := encrypt OCTET STRING
+                  using etype_for_key(server.key), server.key, server.p_kvno;
+
+             /* Start processing the response */
+
+             resp.pvno := 5;
+             resp.msg-type := KRB_AS_REP;
+             resp.cname := req.cname;
+             resp.crealm := req.realm;
+             resp.ticket := new_tkt;
+
+             resp.key := new_tkt.session;
+             resp.last-req := fetch_last_request_info(client);
+             resp.nonce := req.nonce;
+             resp.key-expiration := client.expiration;
+             resp.flags := new_tkt.flags;
+
+             resp.authtime := new_tkt.authtime;
+             resp.starttime := new_tkt.starttime;
+             resp.endtime := new_tkt.endtime;
+
+             if (new_tkt.flags.RENEWABLE) then
+                     resp.renew-till := new_tkt.renew-till;
+             endif
+
+             resp.realm := new_tkt.realm;
+             resp.sname := new_tkt.sname;
+
+             resp.caddr := new_tkt.caddr;
+
+             encode body of reply into OCTET STRING;
+
+             resp.enc-part := encrypt OCTET STRING
+                              using use_etype, client.key, client.p_kvno;
+             send(resp);
+
+     A.3. KRB_AS_REP verification
+
+             decode response into resp;
+
+             if (resp.msg-type = KRB_ERROR) then
+                  if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
+                             set pa_enc_timestamp_required;
+                             goto KRB_AS_REQ;
+                     endif
+                     process_error(resp);
+                     return;
+             endif
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+             /* On error, discard the response, and zero the session key */
+             /* from the response immediately */
+
+             key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                      resp.padata);
+             unencrypted part of resp := decode of decrypt of resp.enc-part
+                                     using resp.enc-part.etype and key;
+             zero(key);
+
+             if (common_as_rep_tgs_rep_checks fail) then
+                     destroy resp.key;
+                     return error;
+             endif
+
+             if near(resp.princ_exp) then
+                     print(warning message);
+             endif
+             save_for_later(ticket,session,client,server,times,flags);
+
+     A.4. KRB_AS_REP and KRB_TGS_REP common checks
+
+             if (decryption_error() or
+                 (req.cname != resp.cname) or
+                 (req.realm != resp.crealm) or
+                 (req.sname != resp.sname) or
+                 (req.realm != resp.realm) or
+                 (req.nonce != resp.nonce) or
+                 (req.addresses != resp.caddr)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+      /* make sure no flags are set that shouldn't be, and that all that */
+      /* should be are set                                               */
+         if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+             if ((req.from = 0) and
+                 (resp.starttime is not within allowable skew)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_SKEW;
+             endif
+             if ((req.from != 0) and (req.from != resp.starttime)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+             if ((req.till != 0) and (resp.endtime > req.till)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+             if ((req.kdc-options.RENEWABLE is set) and
+                 (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             if ((req.kdc-options.RENEWABLE-OK is set) and
+                 (resp.flags.RENEWABLE) and
+                 (req.till != 0) and
+                 (resp.renew-till > req.till)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+     A.5. KRB_TGS_REQ generation
+
+       /* Note that make_application_request might have to recursivly     */
+       /* call this routine to get the appropriate ticket-granting ticket */
+
+             request.pvno := protocol version; /* pvno = 5 */
+             request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+             body.kdc-options := users's preferences;
+             /* If the TGT is not for the realm of the end-server  */
+             /* then the sname will be for a TGT for the end-realm */
+             /* and the realm of the requested ticket (body.realm) */
+             /* will be that of the TGS to which the TGT we are    */
+             /* sending applies                                    */
+             body.sname := service's name;
+             body.realm := service's realm;
+
+             if (body.kdc-options.POSTDATED is set) then
+                     body.from := requested starting time;
+             else
+                     omit body.from;
+             endif
+             body.till := requested end time;
+             if (body.kdc-options.RENEWABLE is set) then
+                     body.rtime := requested final renewal time;
+             endif
+             body.nonce := random_nonce();
+             body.etype := requested etypes;
+             if (user supplied addresses) then
+                     body.addresses := user's addresses;
+             else
+                     omit body.addresses;
+             endif
+
+             body.enc-authorization-data := user-supplied data;
+             if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                     body.additional-tickets_ticket := second TGT;
+             endif
+
+             request.req-body := body;
+             check := generate_checksum (req.body,checksumtype);
+
+             request.padata[0].padata-type := PA-TGS-REQ;
+             request.padata[0].padata-value := create a KRB_AP_REQ using
+                                           the TGT and checksum
+
+             /* add in any other padata as required/supplied */
+
+             kerberos := lookup(name of local kerberose server (or servers));
+             send(packet,kerberos);
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             wait(for response);
+             if (timed_out) then
+                     retry or use alternate server;
+             endif
+
+     A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
+
+             /* note that reading the application request requires first
+             determining the server for which a ticket was issued, and
+             choosing the correct key for decryption.  The name of the
+             server appears in the plaintext part of the ticket. */
+
+             if (no KRB_AP_REQ in req.padata) then
+                     error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+             endif
+             verify KRB_AP_REQ in req.padata;
+
+             /* Note that the realm in which the Kerberos server is
+             operating is determined by the instance from the
+             ticket-granting ticket.  The realm in the ticket-granting
+             ticket is the realm under which the ticket granting
+             ticket was issued.  It is possible for a single Kerberos 
+             server to support more than one realm. */
+
+             auth_hdr := KRB_AP_REQ;
+             tgt := auth_hdr.ticket;
+
+             if (tgt.sname is not a TGT for local realm and is not req.sname) 
+                   then
+                     error_out(KRB_AP_ERR_NOT_US);
+
+             realm := realm_tgt_is_for(tgt);
+
+             decode remainder of request;
+
+             if (auth_hdr.authenticator.cksum is missing) then
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+
+             if (auth_hdr.authenticator.cksum type is not supported) then
+                     error_out(KDC_ERR_SUMTYPE_NOSUPP);
+             endif
+             if (auth_hdr.authenticator.cksum is not both collision-proof 
+                 and keyed) then
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+
+             set computed_checksum := checksum(req);
+             if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+             server := lookup(req.sname,realm);
+
+             if (!server) then
+                     if (is_foreign_tgt_name(req.sname)) then
+                             server := best_intermediate_tgs(req.sname);
+                     else
+                             /* no server in Database */
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                             error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                     endif
+             endif
+
+             session := generate_random_session_key();
+
+             use_etype := first supported etype in req.etypes;
+
+             if (no support for req.etypes) then
+                     error_out(KDC_ERR_ETYPE_NOSUPP);
+             endif
+
+             new_tkt.vno := ticket version; /* = 5 */
+             new_tkt.sname := req.sname;
+             new_tkt.srealm := realm;
+             reset all flags in new_tkt.flags;
+
+             /* It should be noted that local policy may affect the  */
+             /* processing of any of these flags.  For example, some */
+             /* realms may refuse to issue renewable tickets         */
+
+             new_tkt.caddr := tgt.caddr;
+             resp.caddr := NULL; /* We only include this if they change */
+             if (req.kdc-options.FORWARDABLE is set) then
+                     if (tgt.flags.FORWARDABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.FORWARDABLE;
+             endif
+             if (req.kdc-options.FORWARDED is set) then
+                     if (tgt.flags.FORWARDABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.FORWARDED;
+                     new_tkt.caddr := req.addresses;
+                     resp.caddr := req.addresses;
+             endif
+             if (tgt.flags.FORWARDED is set) then
+                     set new_tkt.flags.FORWARDED;
+             endif
+
+             if (req.kdc-options.PROXIABLE is set) then
+                     if (tgt.flags.PROXIABLE is reset)
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.PROXIABLE;
+             endif
+             if (req.kdc-options.PROXY is set) then
+                     if (tgt.flags.PROXIABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.PROXY;
+                     new_tkt.caddr := req.addresses;
+                     resp.caddr := req.addresses;
+             endif
+
+             if (req.kdc-options.ALLOW-POSTDATE is set) then
+                     if (tgt.flags.MAY-POSTDATE is reset)
+                             error_out(KDC_ERR_BADOPTION);
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                     endif
+                     set new_tkt.flags.MAY-POSTDATE;
+             endif
+             if (req.kdc-options.POSTDATED is set) then
+                     if (tgt.flags.MAY-POSTDATE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.POSTDATED;
+                     set new_tkt.flags.INVALID;
+                     if (against_postdate_policy(req.from)) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+                     new_tkt.starttime := req.from;
+             endif
+
+             if (req.kdc-options.VALIDATE is set) then
+                     if (tgt.flags.INVALID is reset) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+                     if (tgt.starttime > kdc_time) then
+                             error_out(KRB_AP_ERR_NYV);
+                     endif
+                     if (check_hot_list(tgt)) then
+                             error_out(KRB_AP_ERR_REPEAT);
+                     endif
+                     tkt := tgt;
+                     reset new_tkt.flags.INVALID;
+             endif
+
+             if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                                  and those already processed) is set) then
+                     error_out(KDC_ERR_BADOPTION);
+             endif
+
+             new_tkt.authtime := tgt.authtime;
+
+             if (req.kdc-options.RENEW is set) then
+      /* Note that if the endtime has already passed, the ticket would  */
+      /* have been rejected in the initial authentication stage, so     */
+      /* there is no need to check again here                           */
+                     if (tgt.flags.RENEWABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     if (tgt.renew-till < kdc_time) then
+                             error_out(KRB_AP_ERR_TKT_EXPIRED);
+                     endif
+                     tkt := tgt;
+                     new_tkt.starttime := kdc_time;
+                     old_life := tgt.endttime - tgt.starttime;
+                     new_tkt.endtime := min(tgt.renew-till,
+                                            new_tkt.starttime + old_life);
+             else
+                     new_tkt.starttime := kdc_time;
+                     if (req.till = 0) then
+                             till := infinity;
+                     else
+                             till := req.till;
+                     endif
+                     new_tkt.endtime := min(till,
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                            new_tkt.starttime+client.max_life,
+                                            new_tkt.starttime+server.max_life,
+                                            new_tkt.starttime+max_life_for_realm,
+                                            tgt.endtime);
+
+                     if ((req.kdc-options.RENEWABLE-OK is set) and
+                         (new_tkt.endtime < req.till) and
+                         (tgt.flags.RENEWABLE is set) then
+                             /* we set the RENEWABLE option for later processing */
+                             set req.kdc-options.RENEWABLE;
+                             req.rtime := min(req.till, tgt.renew-till);
+                     endif
+             endif
+
+             if (req.rtime = 0) then
+                     rtime := infinity;
+             else
+                     rtime := req.rtime;
+             endif
+
+             if ((req.kdc-options.RENEWABLE is set) and
+                 (tgt.flags.RENEWABLE is set)) then
+                     set new_tkt.flags.RENEWABLE;
+                     new_tkt.renew-till := min(rtime,
+                                       new_tkt.starttime+client.max_rlife,
+                                       new_tkt.starttime+server.max_rlife,
+                                       new_tkt.starttime+max_rlife_for_realm,
+                                       tgt.renew-till);
+             else
+                     new_tkt.renew-till := OMIT; /* leave the
+                                                   renew-till field out */ 
+             endif
+             if (req.enc-authorization-data is present) then
+                     decrypt req.enc-authorization-data into
+                                  decrypted_authorization_data
+                             using auth_hdr.authenticator.subkey;
+                     if (decrypt_error()) then
+                             error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                     endif
+             endif
+             new_tkt.authorization_data :=
+                     req.auth_hdr.ticket.authorization_data + 
+                                      decrypted_authorization_data;
+
+             new_tkt.key := session;
+             new_tkt.crealm := tgt.crealm;
+             new_tkt.cname := req.auth_hdr.ticket.cname;
+
+             if (realm_tgt_is_for(tgt) := tgt.realm) then
+                     /* tgt issued by local realm */
+                     new_tkt.transited := tgt.transited;
+             else
+                     /* was issued for this realm by some other realm */
+                     if (tgt.transited.tr-type not supported) then
+                             error_out(KDC_ERR_TRTYPE_NOSUPP);
+                     endif
+                     new_tkt.transited :=
+                         compress_transited(tgt.transited + tgt.realm) 
+                     /* Don't check tranited field if TGT for foreign realm,
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                      * or requested not to check */
+                     if (is_not_foreign_tgt_name(new_tkt.server)
+                        && req.kdc-options.DISABLE-TRANSITED-CHECK not
+                             set) then 
+                          /* Check it, so end-server does not have to
+                           * but don't fail, end-server may still accept it */
+                          if (check_transited_field(new_tkt.transited) == OK)
+                                   set new_tkt.flags.TRANSITED-POLICY-CHECKED;
+                             endif
+                     endif
+             endif
+
+             encode encrypted part of new_tkt into OCTET STRING;
+             if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                     if (server not specified) then
+                             server = req.second_ticket.client;
+                     endif
+                     if ((req.second_ticket is not a TGT) or
+                         (req.second_ticket.client != server)) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+
+                     new_tkt.enc-part := encrypt OCTET STRING using
+                             using etype_for_key(second-ticket.key),
+                             second-ticket.key; 
+             else
+                     new_tkt.enc-part := encrypt OCTET STRING
+                             using etype_for_key(server.key),
+                             server.key, server.p_kvno; 
+             endif
+
+             resp.pvno := 5;
+             resp.msg-type := KRB_TGS_REP;
+             resp.crealm := tgt.crealm;
+             resp.cname := tgt.cname;
+             resp.ticket := new_tkt;
+
+             resp.key := session;
+             resp.nonce := req.nonce;
+             resp.last-req := fetch_last_request_info(client);
+             resp.flags := new_tkt.flags;
+
+             resp.authtime := new_tkt.authtime;
+             resp.starttime := new_tkt.starttime;
+             resp.endtime := new_tkt.endtime;
+
+             omit resp.key-expiration;
+
+             resp.sname := new_tkt.sname;
+             resp.realm := new_tkt.realm;
+
+             if (new_tkt.flags.RENEWABLE) then
+                     resp.renew-till := new_tkt.renew-till;
+             endif
+
+             encode body of reply into OCTET STRING;
+
+             if (req.padata.authenticator.subkey)
+                     resp.enc-part := encrypt OCTET STRING using use_etype,
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                             req.padata.authenticator.subkey;
+             else resp.enc-part := encrypt OCTET STRING using
+                                         use_etype, tgt.key; 
+
+             send(resp);
+
+     A.7. KRB_TGS_REP verification
+
+             decode response into resp;
+
+             if (resp.msg-type = KRB_ERROR) then
+                     process_error(resp);
+                     return;
+             endif
+
+             /* On error, discard the response, and zero the session key from
+             the response immediately */
+
+             if (req.padata.authenticator.subkey)
+                     unencrypted part of resp := decode of decrypt of
+                             resp.enc-part 
+                             using resp.enc-part.etype and subkey;
+             else unencrypted part of resp := decode of decrypt of
+                              resp.enc-part 
+                                     using resp.enc-part.etype and
+                                      tgt's session key; 
+             if (common_as_rep_tgs_rep_checks fail) then
+                     destroy resp.key;
+                     return error;
+             endif
+
+             check authorization_data as necessary;
+             save_for_later(ticket,session,client,server,times,flags);
+
+     A.8. Authenticator generation
+
+             body.authenticator-vno := authenticator vno; /* = 5 */
+             body.cname, body.crealm := client name;
+             if (supplying checksum) then
+                     body.cksum := checksum;
+             endif
+             get system_time;
+             body.ctime, body.cusec := system_time;
+             if (selecting sub-session key) then
+                     select sub-session key;
+                     body.subkey := sub-session key;
+             endif
+             if (using sequence numbers) then
+                     select initial sequence number;
+                     body.seq-number := initial sequence;
+             endif
+
+     A.9. KRB_AP_REQ generation
+
+             obtain ticket and session_key from cache;
+
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_AP_REQ */
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             if (desired(MUTUAL_AUTHENTICATION)) then
+                     set packet.ap-options.MUTUAL-REQUIRED;
+             else
+                     reset packet.ap-options.MUTUAL-REQUIRED;
+             endif
+             if (using session key for ticket) then
+                     set packet.ap-options.USE-SESSION-KEY;
+             else
+                     reset packet.ap-options.USE-SESSION-KEY;
+             endif
+             packet.ticket := ticket; /* ticket */
+             generate authenticator;
+             encode authenticator into OCTET STRING;
+             encrypt OCTET STRING into packet.authenticator using session_key;
+
+     A.10. KRB_AP_REQ verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_AP_REQ) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             if (packet.ticket.tkt_vno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.ap_options.USE-SESSION-KEY is set) then
+                     retrieve session key from ticket-granting ticket for
+                      packet.ticket.{sname,srealm,enc-part.etype};
+             else
+                     retrieve service key for
+                   packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; 
+             endif
+             if (no_key_available) then
+                     if (cannot_find_specified_skvno) then
+                             error_out(KRB_AP_ERR_BADKEYVER);
+                     else
+                             error_out(KRB_AP_ERR_NOKEY);
+                     endif
+             endif
+             decrypt packet.ticket.enc-part into decr_ticket using
+                      retrieved key; 
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             decrypt packet.authenticator into decr_authenticator
+                     using decr_ticket.key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if (decr_authenticator.{cname,crealm} !=
+                 decr_ticket.{cname,crealm}) then
+                     error_out(KRB_AP_ERR_BADMATCH);
+             endif
+             if (decr_ticket.caddr is present) then
+                     if (sender_address(packet) is not in
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                    decr_ticket.caddr) then 
+                             error_out(KRB_AP_ERR_BADADDR);
+                     endif
+             elseif (application requires addresses) then
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (not in_clock_skew(decr_authenticator.ctime,
+                                   decr_authenticator.cusec)) then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+             if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+             save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+             get system_time;
+             if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+                 (decr_ticket.flags.INVALID is set)) then
+                     /* it hasn't yet become valid */
+                     error_out(KRB_AP_ERR_TKT_NYV);
+             endif
+             if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                     error_out(KRB_AP_ERR_TKT_EXPIRED);
+             endif
+             if (decr_ticket.transited) then
+                 /* caller may ignore the TRANSITED-POLICY-CHECKED and do
+                  * check anyway */
+                 if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then
+                      if (check_transited_field(decr_ticket.transited) then
+                           error_out(KDC_AP_PATH_NOT_ACCPETED);
+                      endif
+                 endif
+             endif
+           /* caller must check decr_ticket.flags for any pertinent details */
+           return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+     A.11. KRB_AP_REP generation
+
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_AP_REP */
+
+             body.ctime := packet.ctime;
+             body.cusec := packet.cusec;
+             if (selecting sub-session key) then
+                     select sub-session key;
+                     body.subkey := sub-session key;
+             endif
+             if (using sequence numbers) then
+                     select initial sequence number;
+                     body.seq-number := initial sequence;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part;
+
+     A.12. KRB_AP_REP verification
+
+             receive packet;
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_AP_REP) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             cleartext := decrypt(packet.enc-part) using ticket's session key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if (cleartext.ctime != authenticator.ctime) then
+                     error_out(KRB_AP_ERR_MUT_FAIL);
+             endif
+             if (cleartext.cusec != authenticator.cusec) then
+                     error_out(KRB_AP_ERR_MUT_FAIL);
+             endif
+             if (cleartext.subkey is present) then
+                     save cleartext.subkey for future use;
+             endif
+             if (cleartext.seq-number is present) then
+                     save cleartext.seq-number for future verifications;
+             endif
+             return(AUTHENTICATION_SUCCEEDED);
+
+     A.13. KRB_SAFE generation
+
+             collect user data in buffer;
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_SAFE */
+
+             body.user-data := buffer; /* DATA */
+             if (using timestamp) then
+                     get system_time;
+                     body.timestamp, body.usec := system_time;
+             endif
+             if (using sequence numbers) then
+                     body.seq-number := sequence number;
+             endif
+             body.s-address := sender host addresses;
+             if (only one recipient) then
+                     body.r-address := recipient host address;
+             endif
+             checksum.cksumtype := checksum type;
+             compute checksum over body;
+             checksum.checksum := checksum value; /* checksum.checksum */
+             packet.cksum := checksum;
+             packet.safe-body := body;
+
+     A.14. KRB_SAFE verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_SAFE) then
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             if (packet.checksum.cksumtype is not both collision-proof
+                 and keyed) then 
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+             if (safe_priv_common_checks_ok(packet)) then
+                     set computed_checksum := checksum(packet.body);
+                     if (computed_checksum != packet.checksum) then
+                             error_out(KRB_AP_ERR_MODIFIED);
+                     endif
+                     return (packet, PACKET_IS_GENUINE);
+             else
+                     return common_checks_error;
+             endif
+
+     A.15. KRB_SAFE and KRB_PRIV common checks
+
+             if (packet.s-address != O/S_sender(packet)) then
+                     /* O/S report of sender not who claims to have sent it */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if ((packet.r-address is present) and
+                 (packet.r-address != local_host_address)) then
+                     /* was not sent to proper place */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (((packet.timestamp is present) and
+                  (not in_clock_skew(packet.timestamp,packet.usec))) or
+                 (packet.timestamp is not present and timestamp expected)) then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+             if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+
+             if (((packet.seq-number is present) and
+                  ((not in_sequence(packet.seq-number)))) or
+                 (packet.seq-number is not present and sequence expected)) then
+                     error_out(KRB_AP_ERR_BADORDER);
+             endif
+             if (packet.timestamp not present and packet.seq-number
+                   not present) then 
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+             save_identifier(packet.{timestamp,usec,s-address},
+                             sender_principal(packet));
+
+             return PACKET_IS_OK;
+
+     A.16. KRB_PRIV generation
+
+             collect user data in buffer;
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_PRIV */
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             packet.enc-part.etype := encryption type;
+
+             body.user-data := buffer;
+             if (using timestamp) then
+                     get system_time;
+                     body.timestamp, body.usec := system_time;
+             endif
+             if (using sequence numbers) then
+                     body.seq-number := sequence number;
+             endif
+             body.s-address := sender host addresses;
+             if (only one recipient) then
+                     body.r-address := recipient host address;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part.cipher;
+
+     A.17. KRB_PRIV verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_PRIV) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+
+             cleartext := decrypt(packet.enc-part) using negotiated key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+
+             if (safe_priv_common_checks_ok(cleartext)) then
+                     return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+             else
+                     return common_checks_error;
+             endif
+
+     A.18. KRB_CRED generation
+
+             invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_CRED */
+
+             for (tickets[n] in tickets to be forwarded) do
+                     packet.tickets[n] = tickets[n].ticket;
+             done
+
+             packet.enc-part.etype := encryption type;
+
+             for (ticket[n] in tickets to be forwarded) do
+                     body.ticket-info[n].key = tickets[n].session;
+                     body.ticket-info[n].prealm = tickets[n].crealm;
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                     body.ticket-info[n].pname = tickets[n].cname;
+                     body.ticket-info[n].flags = tickets[n].flags;
+                     body.ticket-info[n].authtime = tickets[n].authtime;
+                     body.ticket-info[n].starttime = tickets[n].starttime;
+                     body.ticket-info[n].endtime = tickets[n].endtime;
+                     body.ticket-info[n].renew-till = tickets[n].renew-till;
+                     body.ticket-info[n].srealm = tickets[n].srealm;
+                     body.ticket-info[n].sname = tickets[n].sname;
+                     body.ticket-info[n].caddr = tickets[n].caddr;
+             done
+
+             get system_time;
+             body.timestamp, body.usec := system_time;
+
+             if (using nonce) then
+                     body.nonce := nonce;
+             endif
+
+             if (using s-address) then
+                     body.s-address := sender host addresses;
+             endif
+             if (limited recipients) then
+                     body.r-address := recipient host address;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part.cipher
+                    using negotiated encryption key;
+
+     A.19. KRB_CRED verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_CRED) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+
+             cleartext := decrypt(packet.enc-part) using negotiated key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if ((packet.r-address is present or required) and
+                (packet.s-address != O/S_sender(packet)) then
+                     /* O/S report of sender not who claims to have sent it */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if ((packet.r-address is present) and
+                 (packet.r-address != local_host_address)) then
+                     /* was not sent to proper place */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+             if (packet.nonce is required or present) and
+                (packet.nonce != expected-nonce) then
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+             for (ticket[n] in tickets that were forwarded) do
+                     save_for_later(ticket[n],key[n],principal[n],
+                                    server[n],times[n],flags[n]);
+             return
+
+     A.20. KRB_ERROR generation
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_ERROR */
+
+             get system_time;
+             packet.stime, packet.susec := system_time;
+             packet.realm, packet.sname := server name;
+
+             if (client time available) then
+                     packet.ctime, packet.cusec := client_time;
+             endif
+             packet.error-code := error code;
+             if (client name available) then
+                     packet.cname, packet.crealm := client name;
+             endif
+             if (error text available) then
+                     packet.e-text := error text;
+             endif
+             if (error data available) then
+                     packet.e-data := error data;
+             endif
+
+     B. Definition of common authorization data elements
+
+     This appendix contains the definitions of common authorization data
+     elements. These common authorization data elements are recursivly
+     defined, meaning the ad-data for these types will itself contain a
+     sequence of authorization data whose interpretation is affected by the
+     encapsulating element. Depending on the meaning of the encapsulating
+     element, the encapsulated elements may be ignored, might be interpreted
+     as issued directly by the KDC, or they might be stored in a separate
+     plaintext part of the ticket. The types of the encapsulating elements
+     are specified as part of the Kerberos specification because the
+     behavior based on these values should be understood across
+     implementations whereas other elements need only be understood by the
+     applications which they affect.
+
+     In the definitions that follow, the value of the ad-type for the
+     element will be specified in the subsection number, and the value of
+     the ad-data will be as shown in the ASN.1 structure that follows the
+     subsection heading.
+
+     B.1. If relevant
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     AD-IF-RELEVANT   AuthorizationData
+
+     AD elements encapsulated within the if-relevant element are intended
+     for interpretation only by application servers that understand the
+     particular ad-type of the embedded element. Application servers that do
+     not understand the type of an element embedded within the if-relevant
+     element may ignore the uninterpretable element. This element promotes
+     interoperability across implementations which may have local extensions
+     for authorization.
+
+     B.2. Intended for server
+
+     AD-INTENDED-FOR-SERVER   SEQUENCE {
+              intended-server[0]     SEQUENCE OF PrincipalName
+              elements[1]            AuthorizationData
+     }
+
+     AD elements encapsulated within the intended-for-server element may be
+     ignored if the application server is not in the list of principal names
+     of intended servers. Further, a KDC issuing a ticket for an application
+     server can remove this element if the application server is not in the
+     list of intended servers.
+
+     Application servers should check for their principal name in the
+     intended-server field of this element. If their principal name is not
+     found, this element should be ignored. If found, then the encapsulated
+     elements should be evaluated in the same manner as if they were present
+     in the top level authorization data field. Applications and application
+     servers that do not implement this element should reject tickets that
+     contain authorization data elements of this type.
+
+     B.3. Intended for application class
+
+     AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE {
+     intended-application-class[0] SEQUENCE OF GeneralString elements[1]
+     AuthorizationData } AD elements encapsulated within the
+     intended-for-application-class element may be ignored if the
+     application server is not in one of the named classes of application
+     servers. Examples of application server classes include "FILESYSTEM",
+     and other kinds of servers.
+
+     This element and the elements it encapulates may be safely ignored by
+     applications, application servers, and KDCs that do not implement this
+     element.
+
+     B.4. KDC Issued
+
+     AD-KDCIssued   SEQUENCE {
+                    ad-checksum[0]    Checksum,
+                     i-realm[1]       Realm OPTIONAL,
+                     i-sname[2]       PrincipalName OPTIONAL,
+                    elements[3]       AuthorizationData.
+     }
+
+     ad-checksum
+          A checksum over the elements field using a cryptographic checksum
+          method that is identical to the checksum used to protect the
+          ticket itself (i.e. using the same hash function and the same
+          encryption algorithm used to encrypt the ticket) and using a key
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+          derived from the same key used to protect the ticket.
+     i-realm, i-sname
+          The name of the issuing principal if different from the KDC
+          itself. This field would be used when the KDC can verify the
+          authenticity of elements signed by the issuing principal and it
+          allows this KDC to notify the application server of the validity
+          of those elements.
+     elements
+          A sequence of authorization data elements issued by the KDC.
+     The KDC-issued ad-data field is intended to provide a means for
+     Kerberos principal credentials to embed within themselves privilege
+     attributes and other mechanisms for positive authorization, amplifying
+     the priveleges of the principal beyond what can be done using a
+     credentials without such an a-data element.
+
+     This can not be provided without this element because the definition of
+     the authorization-data field allows elements to be added at will by the
+     bearer of a TGT at the time that they request service tickets and
+     elements may also be added to a delegated ticket by inclusion in the
+     authenticator.
+
+     For KDC-issued elements this is prevented because the elements are
+     signed by the KDC by including a checksum encrypted using the server's
+     key (the same key used to encrypt the ticket - or a key derived from
+     that key). Elements encapsulated with in the KDC-issued element will be
+     ignored by the application server if this "signature" is not present.
+     Further, elements encapsulated within this element from a ticket
+     granting ticket may be interpreted by the KDC, and used as a basis
+     according to policy for including new signed elements within derivative
+     tickets, but they will not be copied to a derivative ticket directly.
+     If they are copied directly to a derivative ticket by a KDC that is not
+     aware of this element, the signature will not be correct for the
+     application ticket elements, and the field will be ignored by the
+     application server.
+
+     This element and the elements it encapulates may be safely ignored by
+     applications, application servers, and KDCs that do not implement this
+     element.
+
+     B.5. And-Or
+
+     AD-AND-OR           SEQUENCE {
+                             condition-count[0]    INTEGER,
+                             elements[1]           AuthorizationData
+     }
+
+     When restrictive AD elements encapsulated within the and-or element are
+     encountered, only the number specified in condition-count of the
+     encapsulated conditions must be met in order to satisfy this element.
+     This element may be used to implement an "or" operation by setting the
+     condition-count field to 1, and it may specify an "and" operation by
+     setting the condition count to the number of embedded elements.
+     Application servers that do not implement this element must reject
+     tickets that contain authorization data elements of this type.
+
+     B.6. Mandatory ticket extensions
+
+     AD-Mandatory-Ticket-Extensions   Checksum
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     An authorization data element of type mandatory-ticket-extensions
+     specifies a collision-proof checksum using the same hash algorithm used
+     to protect the integrity of the ticket itself. This checksum will be
+     calculated over an individual extension field. If there are more than
+     one extension, multiple Mandatory-Ticket-Extensions authorization data
+     elements may be present, each with a checksum for a different extension
+     field. This restriction indicates that the ticket should not be
+     accepted if a ticket extension is not present in the ticket for which
+     the checksum does not match that checksum specified in the
+     authorization data element. Application servers that do not implement
+     this element must reject tickets that contain authorization data
+     elements of this type.
+
+     B.7. Authorization Data in ticket extensions
+
+     AD-IN-Ticket-Extensions   Checksum
+
+     An authorization data element of type in-ticket-extensions specifies a
+     collision-proof checksum using the same hash algorithm used to protect
+     the integrity of the ticket itself. This checksum is calculated over a
+     separate external AuthorizationData field carried in the ticket
+     extensions. Application servers that do not implement this element must
+     reject tickets that contain authorization data elements of this type.
+     Application servers that do implement this element will search the
+     ticket extensions for authorization data fields, calculate the
+     specified checksum over each authorization data field and look for one
+     matching the checksum in this in-ticket-extensions element. If not
+     found, then the ticket must be rejected. If found, the corresponding
+     authorization data elements will be interpreted in the same manner as
+     if they were contained in the top level authorization data field.
+
+     Note that if multiple external authorization data fields are present in
+     a ticket, each will have a corresponding element of type
+     in-ticket-extensions in the top level authorization data field, and the
+     external entries will be linked to the corresponding element by their
+     checksums.
+
+     C. Definition of common ticket extensions
+
+     This appendix contains the definitions of common ticket extensions.
+     Support for these extensions is optional. However, certain extensions
+     have associated authorization data elements that may require rejection
+     of a ticket containing an extension by application servers that do not
+     implement the particular extension. Other extensions have been defined
+     beyond those described in this specification. Such extensions are
+     described elswhere and for some of those extensions the reserved number
+     may be found in the list of constants.
+
+     It is known that older versions of Kerberos did not support this field,
+     and that some clients will strip this field from a ticket when they
+     parse and then reassemble a ticket as it is passed to the application
+     servers. The presence of the extension will not break such clients, but
+     any functionaly dependent on the extensions will not work when such
+     tickets are handled by old clients. In such situations, some
+     implementation may use alternate methods to transmit the information in
+     the extensions field.
+
+     C.1. Null ticket extension
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     TE-NullExtension   OctetString -- The empty Octet String
+
+     The te-data field in the null ticket extension is an octet string of
+     lenght zero. This extension may be included in a ticket granting ticket
+     so that the KDC can determine on presentation of the ticket granting
+     ticket whether the client software will strip the extensions field.
+
+     C.2. External Authorization Data
+
+     TE-ExternalAuthorizationData   AuthorizationData
+
+     The te-data field in the external authorization data ticket extension
+     is field of type AuthorizationData containing one or more authorization
+     data elements. If present, a corresponding authorization data element
+     will be present in the primary authorization data for the ticket and
+     that element will contain a checksum of the external authorization data
+     ticket extension.
+     -----------------------------------------------------------------------
+     [TM] Project Athena, Athena, and Kerberos are trademarks of the
+     Massachusetts Institute of Technology (MIT). No commercial use of these
+     trademarks may be made without prior written permission of MIT.
+
+     [1] Note, however, that many applications use Kerberos' functions only
+     upon the initiation of a stream-based network connection. Unless an
+     application subsequently provides integrity protection for the data
+     stream, the identity verification applies only to the initiation of the
+     connection, and does not guarantee that subsequent messages on the
+     connection originate from the same principal.
+
+     [2] Secret and private are often used interchangeably in the
+     literature. In our usage, it takes two (or more) to share a secret,
+     thus a shared DES key is a secret key. Something is only private when
+     no one but its owner knows it. Thus, in public key cryptosystems, one
+     has a public and a private key.
+
+     [3] Of course, with appropriate permission the client could arrange
+     registration of a separately-named prin- cipal in a remote realm, and
+     engage in normal exchanges with that realm's services. However, for
+     even small numbers of clients this becomes cumbersome, and more
+     automatic methods as described here are necessary.
+
+     [4] Though it is permissible to request or issue tick- ets with no
+     network addresses specified.
+
+     [5] The password-changing request must not be honored unless the
+     requester can provide the old password (the user's current secret key).
+     Otherwise, it would be possible for someone to walk up to an unattended
+     ses- sion and change another user's password.
+
+     [6] To authenticate a user logging on to a local system, the
+     credentials obtained in the AS exchange may first be used in a TGS
+     exchange to obtain credentials for a local server. Those credentials
+     must then be verified by a local server through successful completion
+     of the Client/Server exchange.
+
+     [7] "Random" means that, among other things, it should be impossible to
+     guess the next session key based on knowledge of past session keys.
+     This can only be achieved in a pseudo-random number generator if it is
+     based on cryptographic principles. It is more desirable to use a truly
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     random number generator, such as one based on measurements of random
+     physical phenomena.
+
+     [8] Tickets contain both an encrypted and unencrypted portion, so
+     cleartext here refers to the entire unit, which can be copied from one
+     message and replayed in another without any cryptographic skill.
+
+     [9] Note that this can make applications based on unreliable transports
+     difficult to code correctly. If the transport might deliver duplicated
+     messages, either a new authenticator must be generated for each retry,
+     or the application server must match requests and replies and replay
+     the first reply in response to a detected duplicate.
+
+     [10] This is used for user-to-user authentication as described in [8].
+
+     [11] Note that the rejection here is restricted to authenticators from
+     the same principal to the same server. Other client principals
+     communicating with the same server principal should not be have their
+     authenticators rejected if the time and microsecond fields happen to
+     match some other client's authenticator.
+
+     [12] In the Kerberos version 4 protocol, the timestamp in the reply was
+     the client's timestamp plus one. This is not necessary in version 5
+     because version 5 messages are formatted in such a way that it is not
+     possible to create the reply by judicious message surgery (even in
+     encrypted form) without knowledge of the appropriate encryption keys.
+
+     [13] Note that for encrypting the KRB_AP_REP message, the sub-session
+     key is not used, even if present in the Authenticator.
+
+     [14] Implementations of the protocol may wish to provide routines to
+     choose subkeys based on session keys and random numbers and to generate
+     a negotiated key to be returned in the KRB_AP_REP message.
+
+     [15]This can be accomplished in several ways. It might be known
+     beforehand (since the realm is part of the principal identifier), it
+     might be stored in a nameserver, or it might be obtained from a
+     configura- tion file. If the realm to be used is obtained from a
+     nameserver, there is a danger of being spoofed if the nameservice
+     providing the realm name is not authenti- cated. This might result in
+     the use of a realm which has been compromised, and would result in an
+     attacker's ability to compromise the authentication of the application
+     server to the client.
+
+     [16] If the client selects a sub-session key, care must be taken to
+     ensure the randomness of the selected sub- session key. One approach
+     would be to generate a random number and XOR it with the session key
+     from the ticket-granting ticket.
+
+     [17] This allows easy implementation of user-to-user authentication
+     [8], which uses ticket-granting ticket session keys in lieu of secret
+     server keys in situa- tions where such secret keys could be easily
+     comprom- ised.
+
+     [18] For the purpose of appending, the realm preceding the first listed
+     realm is considered to be the null realm ("").
+
+     [19] For the purpose of interpreting null subfields, the client's realm
+     is considered to precede those in the transited field, and the server's
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     realm is considered to follow them.
+
+     [20] This means that a client and server running on the same host and
+     communicating with one another using the KRB_SAFE messages should not
+     share a common replay cache to detect KRB_SAFE replays.
+
+     [21] The implementation of the Kerberos server need not combine the
+     database and the server on the same machine; it is feasible to store
+     the principal database in, say, a network name service, as long as the
+     entries stored therein are protected from disclosure to and
+     modification by unauthorized parties. However, we recommend against
+     such strategies, as they can make system management and threat analysis
+     quite complex.
+
+     [22] See the discussion of the padata field in section 5.4.2 for
+     details on why this can be useful.
+
+     [23] Warning for implementations that unpack and repack data structures
+     during the generation and verification of embedded checksums: Because
+     any checksums applied to data structures must be checked against the
+     original data the length of bit strings must be preserved within a data
+     structure between the time that a checksum is generated through
+     transmission to the time that the checksum is verified.
+
+     [24] It is NOT recommended that this time value be used to adjust the
+     workstation's clock since the workstation cannot reliably determine
+     that such a KRB_AS_REP actually came from the proper KDC in a timely
+     manner.
+
+     [25] Note, however, that if the time is used as the nonce, one must
+     make sure that the workstation time is monotonically increasing. If the
+     time is ever reset backwards, there is a small, but finite, probability
+     that a nonce will be reused.
+
+     [27] An application code in the encrypted part of a message provides an
+     additional check that the message was decrypted properly.
+
+     [29] An application code in the encrypted part of a message provides an
+     additional check that the message was decrypted properly.
+
+     [31] An application code in the encrypted part of a message provides an
+     additional check that the message was decrypted properly.
+
+     [32] If supported by the encryption method in use, an initialization
+     vector may be passed to the encryption procedure, in order to achieve
+     proper cipher chaining. The initialization vector might come from the
+     last block of the ciphertext from the previous KRB_PRIV message, but it
+     is the application's choice whether or not to use such an
+     initialization vector. If left out, the default initialization vector
+     for the encryption algorithm will be used.
+
+     [33] This prevents an attacker who generates an incorrect AS request
+     from obtaining verifiable plaintext for use in an off-line password
+     guessing attack.
+
+     [35] In the above specification, UNTAGGED OCTET STRING(length) is the
+     notation for an octet string with its tag and length removed. It is not
+     a valid ASN.1 type. The tag bits and length must be removed from the
+     confounder since the purpose of the confounder is so that the message
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     starts with random data, but the tag and its length are fixed. For
+     other fields, the length and tag would be redundant if they were
+     included because they are specified by the encryption type. [36] The
+     ordering of the fields in the CipherText is important. Additionally,
+     messages encoded in this format must include a length as part of the
+     msg-seq field. This allows the recipient to verify that the message has
+     not been truncated. Without a length, an attacker could use a chosen
+     plaintext attack to generate a message which could be truncated, while
+     leaving the checksum intact. Note that if the msg-seq is an encoding of
+     an ASN.1 SEQUENCE or OCTET STRING, then the length is part of that
+     encoding.
+
+     [37] In some cases, it may be necessary to use a different "mix-in"
+     string for compatibility reasons; see the discussion of padata in
+     section 5.4.2.
+
+     [38] In some cases, it may be necessary to use a different "mix-in"
+     string for compatibility reasons; see the discussion of padata in
+     section 5.4.2.
+
+     [39] A variant of the key is used to limit the use of a key to a
+     particular function, separating the functions of generating a checksum
+     from other encryption performed using the session key. The constant
+     F0F0F0F0F0F0F0F0 was chosen because it maintains key parity. The
+     properties of DES precluded the use of the complement. The same
+     constant is used for similar purpose in the Message Integrity Check in
+     the Privacy Enhanced Mail standard.
+
+     [40] This error carries additional information in the e- data field.
+     The contents of the e-data field for this message is described in
+     section 5.9.1.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt
new file mode 100644
index 0000000..ae79e8a
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt
@@ -0,0 +1,7301 @@
+INTERNET-DRAFT                                              Clifford Neuman
+                                                                  John Kohl
+                                                              Theodore Ts'o
+                                                              July 14, 2000
+                                                   Expires January 14, 2001
+
+The Kerberos Network Authentication Service (V5)
+
+
+draft-ietf-cat-kerberos-revisions-06.txt
+
+STATUS OF THIS MEMO
+
+This document is an Internet-Draft and is in full conformance with all
+provisions of Section 10 of RFC 2026. Internet-Drafts are working documents
+of the Internet Engineering Task Force (IETF), its areas, and its working
+groups. Note that other groups may also distribute working documents as
+Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months and
+may be updated, replaced, or obsoleted by other documents at any time. It
+is inappropriate to use Internet-Drafts as reference material or to cite
+them other than as "work in progress."
+
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt
+
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html.
+
+To learn the current status of any Internet-Draft, please check the
+"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
+ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
+
+The distribution of this memo is unlimited. It is filed as
+draft-ietf-cat-kerberos-revisions-06.txt, and expires January 14, 2001.
+Please send comments to: krb-protocol@MIT.EDU
+
+     This document is getting closer to a last call, but there are several
+     issues to be discussed. Some, but not all of these issues, are
+     highlighted in comments in the draft. We hope to resolve these issues
+     on the mailing list for the Kerberos working group, leading up to and
+     during the Pittsburgh IETF on a section by section basis, since this
+     is a long document, and it has been difficult to consider it as a
+     whole. Once sections are agreed to, it is out intent to issue the more
+     formal WG and IETF last calls.
+
+ABSTRACT
+
+This document provides an overview and specification of Version 5 of the
+Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
+and its intended use that require more detailed or clearer explanation than
+was provided in RFC1510. This document is intended to provide a detailed
+description of the protocol, suitable for implementation, together with
+descriptions of the appropriate use of protocol messages and fields within
+those messages.
+
+This document is not intended to describe Kerberos to the end user, system
+administrator, or application developer. Higher level papers describing
+Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
+are available elsewhere.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+OVERVIEW
+
+This INTERNET-DRAFT describes the concepts and model upon which the
+Kerberos network authentication system is based. It also specifies Version
+5 of the Kerberos protocol.
+
+The motivations, goals, assumptions, and rationale behind most design
+decisions are treated cursorily; they are more fully described in a paper
+available in IEEE communications [NT94] and earlier in the Kerberos portion
+of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
+standard and are being considered for advancement for draft standard
+through the IETF standard process. Comments are encouraged on the
+presentation, but only minor refinements to the protocol as implemented or
+extensions that fit within current protocol framework will be considered at
+this time.
+
+Requests for addition to an electronic mailing list for discussion of
+Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
+This mailing list is gatewayed onto the Usenet as the group
+comp.protocols.kerberos. Requests for further information, including
+documents and code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+The Kerberos model is based in part on Needham and Schroeder's trusted
+third-party authentication protocol [NS78] and on modifications suggested
+by Denning and Sacco [DS81]. The original design and implementation of
+Kerberos Versions 1 through 4 was the work of two former Project Athena
+staff members, Steve Miller of Digital Equipment Corporation and Clifford
+Neuman (now at the Information Sciences Institute of the University of
+Southern California), along with Jerome Saltzer, Technical Director of
+Project Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many
+other members of Project Athena have also contributed to the work on
+Kerberos.
+
+Version 5 of the Kerberos protocol (described in this document) has evolved
+from Version 4 based on new requirements and desires for features not
+available in Version 4. The design of Version 5 of the Kerberos protocol
+was led by Clifford Neuman and John Kohl with much input from the
+community. The development of the MIT reference implementation was led at
+MIT by John Kohl and Theodore T'so, with help and contributed code from
+many others. Since RFC1510 was issued, extensions and revisions to the
+protocol have been proposed by many individuals. Some of these proposals
+are reflected in this document. Where such changes involved significant
+effort, the document cites the contribution of the proposer.
+
+Reference implementations of both version 4 and version 5 of Kerberos are
+publicly available and commercial implementations have been developed and
+are widely used. Details on the differences between Kerberos Versions 4 and
+5 can be found in [KNT92].
+
+1. Introduction
+
+Kerberos provides a means of verifying the identities of principals, (e.g.
+a workstation user or a network server) on an open (unprotected) network.
+This is accomplished without relying on assertions by the host operating
+system, without basing trust on host addresses, without requiring physical
+security of all the hosts on the network, and under the assumption that
+packets traveling along the network can be read, modified, and inserted at
+will[1]. Kerberos performs authentication under these conditions as a
+trusted third-party authentication service by using conventional (shared
+secret key [2] cryptography. Kerberos extensions have been proposed and
+implemented that provide for the use of public key cryptography during
+certain phases of the authentication protocol. These extensions provide for
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+authentication of users registered with public key certification
+authorities, and allow the system to provide certain benefits of public key
+cryptography in situations where they are needed.
+
+The basic Kerberos authentication process proceeds as follows: A client
+sends a request to the authentication server (AS) requesting 'credentials'
+for a given server. The AS responds with these credentials, encrypted in
+the client's key. The credentials consist of 1) a 'ticket' for the server
+and 2) a temporary encryption key (often called a "session key"). The
+client transmits the ticket (which contains the client's identity and a
+copy of the session key, all encrypted in the server's key) to the server.
+The session key (now shared by the client and server) is used to
+authenticate the client, and may optionally be used to authenticate the
+server. It may also be used to encrypt further communication between the
+two parties or to exchange a separate sub-session key to be used to encrypt
+further communication.
+
+Implementation of the basic protocol consists of one or more authentication
+servers running on physically secure hosts. The authentication servers
+maintain a database of principals (i.e., users and servers) and their
+secret keys. Code libraries provide encryption and implement the Kerberos
+protocol. In order to add authentication to its transactions, a typical
+network application adds one or two calls to the Kerberos library directly
+or through the Generic Security Services Application Programming Interface,
+GSSAPI, described in separate document. These calls result in the
+transmission of the necessary messages to achieve authentication.
+
+The Kerberos protocol consists of several sub-protocols (or exchanges).
+There are two basic methods by which a client can ask a Kerberos server for
+credentials. In the first approach, the client sends a cleartext request
+for a ticket for the desired server to the AS. The reply is sent encrypted
+in the client's secret key. Usually this request is for a ticket-granting
+ticket (TGT) which can later be used with the ticket-granting server (TGS).
+In the second method, the client sends a request to the TGS. The client
+uses the TGT to authenticate itself to the TGS in the same manner as if it
+were contacting any other application server that requires Kerberos
+authentication. The reply is encrypted in the session key from the TGT.
+Though the protocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different protocol entry
+points within a single Kerberos server.
+
+Once obtained, credentials may be used to verify the identity of the
+principals in a transaction, to ensure the integrity of messages exchanged
+between them, or to preserve privacy of the messages. The application is
+free to choose whatever protection may be necessary.
+
+To verify the identities of the principals in a transaction, the client
+transmits the ticket to the application server. Since the ticket is sent
+"in the clear" (parts of it are encrypted, but this encryption doesn't
+thwart replay) and might be intercepted and reused by an attacker,
+additional information is sent to prove that the message originated with
+the principal to whom the ticket was issued. This information (called the
+authenticator) is encrypted in the session key, and includes a timestamp.
+The timestamp proves that the message was recently generated and is not a
+replay. Encrypting the authenticator in the session key proves that it was
+generated by a party possessing the session key. Since no one except the
+requesting principal and the server know the session key (it is never sent
+over the network in the clear) this guarantees the identity of the client.
+
+The integrity of the messages exchanged between principals can also be
+guaranteed using the session key (passed in the ticket and contained in the
+credentials). This approach provides detection of both replay attacks and
+message stream modification attacks. It is accomplished by generating and
+transmitting a collision-proof checksum (elsewhere called a hash or digest
+function) of the client's message, keyed with the session key. Privacy and
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+integrity of the messages exchanged between principals can be secured by
+encrypting the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+The authentication exchanges mentioned above require read-only access to
+the Kerberos database. Sometimes, however, the entries in the database must
+be modified, such as when adding new principals or changing a principal's
+key. This is done using a protocol between a client and a third Kerberos
+server, the Kerberos Administration Server (KADM). There is also a protocol
+for maintaining multiple copies of the Kerberos database. Neither of these
+protocols are described in this document.
+
+1.1. Cross-Realm Operation
+
+The Kerberos protocol is designed to operate across organizational
+boundaries. A client in one organization can be authenticated to a server
+in another. Each organization wishing to run a Kerberos server establishes
+its own 'realm'. The name of the realm in which a client is registered is
+part of the client's name, and can be used by the end-service to decide
+whether to honor a request.
+
+By establishing 'inter-realm' keys, the administrators of two realms can
+allow a client authenticated in the local realm to prove its identity to
+servers in other realms[3]. The exchange of inter-realm keys (a separate
+key may be used for each direction) registers the ticket-granting service
+of each realm as a principal in the other realm. A client is then able to
+obtain a ticket-granting ticket for the remote realm's ticket-granting
+service from its local realm. When that ticket-granting ticket is used, the
+remote ticket-granting service uses the inter-realm key (which usually
+differs from its own normal TGS key) to decrypt the ticket-granting ticket,
+and is thus certain that it was issued by the client's own TGS. Tickets
+issued by the remote ticket-granting service will indicate to the
+end-service that the client was authenticated from another realm.
+
+A realm is said to communicate with another realm if the two realms share
+an inter-realm key, or if the local realm shares an inter-realm key with an
+intermediate realm that communicates with the remote realm. An
+authentication path is the sequence of intermediate realms that are
+transited in communicating from one realm to another.
+
+Realms are typically organized hierarchically. Each realm shares a key with
+its parent and a different key with each child. If an inter-realm key is
+not directly shared by two realms, the hierarchical organization allows an
+authentication path to be easily constructed. If a hierarchical
+organization is not used, it may be necessary to consult a database in
+order to construct an authentication path between realms.
+
+Although realms are typically hierarchical, intermediate realms may be
+bypassed to achieve cross-realm authentication through alternate
+authentication paths (these might be established to make communication
+between two realms more efficient). It is important for the end-service to
+know which realms were transited when deciding how much faith to place in
+the authentication process. To facilitate this decision, a field in each
+ticket contains the names of the realms that were involved in
+authenticating the client.
+
+The application server is ultimately responsible for accepting or rejecting
+authentication and should check the transited field. The application server
+may choose to rely on the KDC for the application server's realm to check
+the transited field. The application server's KDC will set the
+TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
+realms may also check the transited field as they issue
+ticket-granting-tickets for other realms, but they are encouraged not to do
+so. A client may request that the KDC's not check the transited field by
+setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
+required to honor this flag.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     [JBrezak] Should there be a section here on how clients determine what
+     realm a service is in? Something like:
+
+     The client may not immediately know what realm a particular service
+     principal is in. There are 2 basic mechanisms that can be used to
+     determine the realm of a service. The first requires that the client
+     fully specify the service principal including the realm in the
+     Kerberos protocol request. If the Kerberos server for the specified
+     realm does not have a principal that exactly matches the service in
+     the request, the Kerberos server will return an error indicating that
+     the service principal was not found. Alternatively the client can make
+     a request providing just the service principal name and requesting
+     name canonicalization from the Kerberos server. The Kerberos server
+     will attempt to locate a service principal in its database that best
+     matches the request principal or provide a referral to another
+     Kerberos realm that may be contain the requested service principal.
+
+1.2. Authorization
+
+As an authentication service, Kerberos provides a means of verifying the
+identity of principals on a network. Authentication is usually useful
+primarily as a first step in the process of authorization, determining
+whether a client may use a service, which objects the client is allowed to
+access, and the type of access allowed for each. Kerberos does not, by
+itself, provide authorization. Possession of a client ticket for a service
+provides only for authentication of the client to that service, and in the
+absence of a separate authorization procedure, it should not be considered
+by an application as authorizing the use of that service.
+
+Such separate authorization methods may be implemented as application
+specific access control functions and may be based on files such as the
+application server, or on separately issued authorization credentials such
+as those based on proxies [Neu93], or on other authorization services.
+Separately authenticated authorization credentials may be embedded in a
+tickets authorization data when encapsulated by the kdc-issued
+authorization data element.
+
+Applications should not be modified to accept the mere issuance of a
+service ticket by the Kerberos server (even by a modified Kerberos server)
+as granting authority to use the service, since such applications may
+become vulnerable to the bypass of this authorization check in an
+environment if they interoperate with other KDCs or where other options for
+application authentication (e.g. the PKTAPP proposal) are provided.
+
+1.3. Environmental assumptions
+
+Kerberos imposes a few assumptions on the environment in which it can
+properly function:
+
+   * 'Denial of service' attacks are not solved with Kerberos. There are
+     places in these protocols where an intruder can prevent an application
+     from participating in the proper authentication steps. Detection and
+     solution of such attacks (some of which can appear to be nnot-uncommon
+     'normal' failure modes for the system) is usually best left to the
+     human administrators and users.
+   * Principals must keep their secret keys secret. If an intruder somehow
+     steals a principal's key, it will be able to masquerade as that
+     principal or impersonate any server to the legitimate principal.
+   * 'Password guessing' attacks are not solved by Kerberos. If a user
+     chooses a poor password, it is possible for an attacker to
+     successfully mount an offline dictionary attack by repeatedly
+     attempting to decrypt, with successive entries from a dictionary,
+     messages obtained which are encrypted under a key derived from the
+     user's password.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+   * Each host on the network must have a clock which is 'loosely
+     synchronized' to the time of the other hosts; this synchronization is
+     used to reduce the bookkeeping needs of application servers when they
+     do replay detection. The degree of "looseness" can be configured on a
+     per-server basis, but is typically on the order of 5 minutes. If the
+     clocks are synchronized over the network, the clock synchronization
+     protocol must itself be secured from network attackers.
+   * Principal identifiers are not recycled on a short-term basis. A
+     typical mode of access control will use access control lists (ACLs) to
+     grant permissions to particular principals. If a stale ACL entry
+     remains for a deleted principal and the principal identifier is
+     reused, the new principal will inherit rights specified in the stale
+     ACL entry. By not re-using principal identifiers, the danger of
+     inadvertent access is removed.
+
+1.4. Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+Authentication
+     Verifying the claimed identity of a principal.
+Authentication header
+     A record containing a Ticket and an Authenticator to be presented to a
+     server as part of the authentication process.
+Authentication path
+     A sequence of intermediate realms transited in the authentication
+     process when communicating from one realm to another.
+Authenticator
+     A record containing information that can be shown to have been
+     recently generated using the session key known only by the client and
+     server.
+Authorization
+     The process of determining whether a client may use a service, which
+     objects the client is allowed to access, and the type of access
+     allowed for each.
+Capability
+     A token that grants the bearer permission to access an object or
+     service. In Kerberos, this might be a ticket whose use is restricted
+     by the contents of the authorization data field, but which lists no
+     network addresses, together with the session key necessary to use the
+     ticket.
+Ciphertext
+     The output of an encryption function. Encryption transforms plaintext
+     into ciphertext.
+Client
+     A process that makes use of a network service on behalf of a user.
+     Note that in some cases a Server may itself be a client of some other
+     server (e.g. a print server may be a client of a file server).
+Credentials
+     A ticket plus the secret session key necessary to successfully use
+     that ticket in an authentication exchange.
+KDC
+     Key Distribution Center, a network service that supplies tickets and
+     temporary session keys; or an instance of that service or the host on
+     which it runs. The KDC services both initial ticket and
+     ticket-granting ticket requests. The initial ticket portion is
+     sometimes referred to as the Authentication Server (or service). The
+     ticket-granting ticket portion is sometimes referred to as the
+     ticket-granting server (or service).
+Kerberos
+     Aside from the 3-headed dog guarding Hades, the name given to Project
+     Athena's authentication service, the protocol used by that service, or
+     the code used to implement the authentication service.
+Plaintext
+     The input to an encryption function or the output of a decryption
+     function. Decryption transforms ciphertext into plaintext.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+Principal
+     A uniquely named client or server instance that participates in a
+     network communication.
+Principal identifier
+     The name used to uniquely identify each different principal.
+Seal
+     To encipher a record containing several fields in such a way that the
+     fields cannot be individually replaced without either knowledge of the
+     encryption key or leaving evidence of tampering.
+Secret key
+     An encryption key shared by a principal and the KDC, distributed
+     outside the bounds of the system, with a long lifetime. In the case of
+     a human user's principal, the secret key is derived from a password.
+Server
+     A particular Principal which provides a resource to network clients.
+     The server is sometimes refered to as the Application Server.
+Service
+     A resource provided to network clients; often provided by more than
+     one server (for example, remote file service).
+Session key
+     A temporary encryption key used between two principals, with a
+     lifetime limited to the duration of a single login "session".
+Sub-session key
+     A temporary encryption key used between two principals, selected and
+     exchanged by the principals using the session key, and with a lifetime
+     limited to the duration of a single association.
+Ticket
+     A record that helps a client authenticate itself to a server; it
+     contains the client's identity, a session key, a timestamp, and other
+     information, all sealed using the server's secret key. It only serves
+     to authenticate a client when presented along with a fresh
+     Authenticator.
+
+2. Ticket flag uses and requests
+
+Each Kerberos ticket contains a set of flags which are used to indicate
+various attributes of that ticket. Most flags may be requested by a client
+when the ticket is obtained; some are automatically turned on and off by a
+Kerberos server as required. The following sections explain what the
+various flags mean, and gives examples of reasons to use such a flag.
+
+2.1. Initial and pre-authenticated tickets
+
+The INITIAL flag indicates that a ticket was issued using the AS protocol
+and not issued based on a ticket-granting ticket. Application servers that
+want to require the demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be set in any tickets
+they accept, and thus be assured that the client's key was recently
+presented to the application client.
+
+The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
+initial authentication, regardless of whether the current ticket was issued
+directly (in which case INITIAL will also be set) or issued on the basis of
+a ticket-granting ticket (in which case the INITIAL flag is clear, but the
+PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
+ticket-granting ticket).
+
+2.2. Invalid tickets
+
+The INVALID flag indicates that a ticket is invalid. Application servers
+must reject tickets which have this flag set. A postdated ticket will
+usually be issued in this form. Invalid tickets must be validated by the
+KDC before use, by presenting them to the KDC in a TGS request with the
+VALIDATE option specified. The KDC will only validate tickets after their
+starttime has passed. The validation is required so that postdated tickets
+which have been stolen before their starttime can be rendered permanently
+invalid (through a hot-list mechanism) (see section 3.3.3.1).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+2.3. Renewable tickets
+
+Applications may desire to hold tickets which can be valid for long periods
+of time. However, this can expose their credentials to potential theft for
+equally long periods, and those stolen credentials would be valid until the
+expiration time of the ticket(s). Simply using short-lived tickets and
+obtaining new ones periodically would require the client to have long-term
+access to its secret key, an even greater risk. Renewable tickets can be
+used to mitigate the consequences of theft. Renewable tickets have two
+"expiration times": the first is when the current instance of the ticket
+expires, and the second is the latest permissible value for an individual
+expiration time. An application client must periodically (i.e. before it
+expires) present a renewable ticket to the KDC, with the RENEW option set
+in the KDC request. The KDC will issue a new ticket with a new session key
+and a later expiration time. All other fields of the ticket are left
+unmodified by the renewal process. When the latest permissible expiration
+time arrives, the ticket expires permanently. At each renewal, the KDC may
+consult a hot-list to determine if the ticket had been reported stolen
+since its last renewal; it will refuse to renew such stolen tickets, and
+thus the usable lifetime of stolen tickets is reduced.
+
+The RENEWABLE flag in a ticket is normally only interpreted by the
+ticket-granting service (discussed below in section 3.3). It can usually be
+ignored by application servers. However, some particularly careful
+application servers may wish to disallow renewable tickets.
+
+If a renewable ticket is not renewed by its expiration time, the KDC will
+not renew the ticket. The RENEWABLE flag is reset by default, but a client
+may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
+message. If it is set, then the renew-till field in the ticket contains the
+time after which the ticket may not be renewed.
+
+2.4. Postdated tickets
+
+Applications may occasionally need to obtain tickets for use much later,
+e.g. a batch submission system would need tickets to be valid at the time
+the batch job is serviced. However, it is dangerous to hold valid tickets
+in a batch queue, since they will be on-line longer and more prone to
+theft. Postdated tickets provide a way to obtain these tickets from the KDC
+at job submission time, but to leave them "dormant" until they are
+activated and validated by a further request of the KDC. If a ticket theft
+were reported in the interim, the KDC would refuse to validate the ticket,
+and the thief would be foiled.
+
+The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. This
+flag must be set in a ticket-granting ticket in order to issue a postdated
+ticket based on the presented ticket. It is reset by default; it may be
+requested by a client by setting the ALLOW-POSTDATE option in the
+KRB_AS_REQ message. This flag does not allow a client to obtain a postdated
+ticket-granting ticket; postdated ticket-granting tickets can only by
+obtained by requesting the postdating in the KRB_AS_REQ message. The life
+(endtime-starttime) of a postdated ticket will be the remaining life of the
+ticket-granting ticket at the time of the request, unless the RENEWABLE
+option is also set, in which case it can be the full life
+(endtime-starttime) of the ticket-granting ticket. The KDC may limit how
+far in the future a ticket may be postdated.
+
+The POSTDATED flag indicates that a ticket has been postdated. The
+application server can check the authtime field in the ticket to see when
+the original authentication occurred. Some services may choose to reject
+postdated tickets, or they may only accept them within a certain period
+after the original authentication. When the KDC issues a POSTDATED ticket,
+it will also be marked as INVALID, so that the application client must
+present the ticket to the KDC to be validated before use.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+2.5. Proxiable and proxy tickets
+
+At times it may be necessary for a principal to allow a service to perform
+an operation on its behalf. The service must be able to take on the
+identity of the client, but only for a particular purpose. A principal can
+allow a service to take on the principal's identity for a particular
+purpose by granting it a proxy.
+
+The process of granting a proxy using the proxy and proxiable flags is used
+to provide credentials for use with specific services. Though conceptually
+also a proxy, user's wishing to delegate their identity for ANY purpose
+must use the ticket forwarding mechanism described in the next section to
+forward a ticket granting ticket.
+
+The PROXIABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. When
+set, this flag tells the ticket-granting server that it is OK to issue a
+new ticket (but not a ticket-granting ticket) with a different network
+address based on this ticket. This flag is set if requested by the client
+on initial authentication. By default, the client will request that it be
+set when requesting a ticket granting ticket, and reset when requesting any
+other ticket.
+
+This flag allows a client to pass a proxy to a server to perform a remote
+request on its behalf, e.g. a print service client can give the print
+server a proxy to access the client's files on a particular file server in
+order to satisfy a print request.
+
+In order to complicate the use of stolen credentials, Kerberos tickets are
+usually valid from only those network addresses specifically included in
+the ticket[4]. When granting a proxy, the client must specify the new
+network address from which the proxy is to be used, or indicate that the
+proxy is to be issued for use from any address.
+
+The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
+Application servers may check this flag and at their option they may
+require additional authentication from the agent presenting the proxy in
+order to provide an audit trail.
+
+2.6. Forwardable tickets
+
+Authentication forwarding is an instance of a proxy where the service is
+granted complete use of the client's identity. An example where it might be
+used is when a user logs in to a remote system and wants authentication to
+work from that system as if the login were local.
+
+The FORWARDABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. The
+FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
+flag, except ticket-granting tickets may also be issued with different
+network addresses. This flag is reset by default, but users may request
+that it be set by setting the FORWARDABLE option in the AS request when
+they request their initial ticket- granting ticket.
+
+This flag allows for authentication forwarding without requiring the user
+to enter a password again. If the flag is not set, then authentication
+forwarding is not permitted, but the same result can still be achieved if
+the user engages in the AS exchange specifying the requested network
+addresses and supplies a password.
+
+The FORWARDED flag is set by the TGS when a client presents a ticket with
+the FORWARDABLE flag set and requests a forwarded ticket by specifying the
+FORWARDED KDC option and supplying a set of addresses for the new ticket.
+It is also set in all tickets issued based on tickets with the FORWARDED
+flag set. Application servers may choose to process FORWARDED tickets
+differently than non-FORWARDED tickets.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+2.7 Name canonicalization [JBrezak]
+
+If a client does not have the full name information for a principal, it can
+request that the Kerberos server attempt to lookup the name in its database
+and return a canonical form of the requested principal or a referral to a
+realm that has the requested principal in its namespace. Name
+canonicalization allows a principal to have alternate names. Name
+canonicalization must not be used to locate principal names supplied from
+wildcards and is not a mechanism to be used to search a Kerberos database.
+
+The CANONICALIZE flag in a ticket request is used to indicate to the
+Kerberos server that the client will accept an alternative name to the
+principal in the request or a referral to another realm. Both the AS and
+TGS must be able to interpret requests with this flag.
+
+By using this flag, the client can avoid extensive configuration needed to
+map specific host names to a particular realm.
+
+2.8. Other KDC options
+
+There are two additional options which may be set in a client's request of
+the KDC. The RENEWABLE-OK option indicates that the client will accept a
+renewable ticket if a ticket with the requested life cannot otherwise be
+provided. If a ticket with the requested life cannot be provided, then the
+KDC may issue a renewable ticket with a renew-till equal to the the
+requested endtime. The value of the renew-till field may still be adjusted
+by site-determined limits or limits imposed by the individual principal or
+server.
+
+The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
+It indicates that the ticket to be issued for the end server is to be
+encrypted in the session key from the a additional second ticket-granting
+ticket provided with the request. See section 3.3.3 for specific details.
+
+3. Message Exchanges
+
+The following sections describe the interactions between network clients
+and servers and the messages involved in those exchanges.
+
+3.1. The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+The Authentication Service (AS) Exchange between the client and the
+Kerberos Authentication Server is initiated by a client when it wishes to
+obtain authentication credentials for a given server but currently holds no
+credentials. In its basic form, the client's secret key is used for
+encryption and decryption. This exchange is typically used at the
+initiation of a login session to obtain credentials for a Ticket-Granting
+Server which will subsequently be used to obtain credentials for other
+servers (see section 3.3) without requiring further use of the client's
+secret key. This exchange is also used to request credentials for services
+which must not be mediated through the Ticket-Granting Service, but rather
+require a principal's secret key, such as the password-changing service[5].
+This exchange does not by itself provide any assurance of the the identity
+of the user[6].
+
+The exchange consists of two messages: KRB_AS_REQ from the client to
+Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+In the request, the client sends (in cleartext) its own identity and the
+identity of the server for which it is requesting credentials. The
+response, KRB_AS_REP, contains a ticket for the client to present to the
+server, and a session key that will be shared by the client and the server.
+The session key and additional information are encrypted in the client's
+secret key. The KRB_AS_REP message contains information which can be used
+to detect replays, and to associate it with the message to which it
+replies. Various errors can occur; these are indicated by an error response
+(KRB_ERROR) instead of the KRB_AS_REP response. The error message is not
+encrypted. The KRB_ERROR message contains information which can be used to
+associate it with the message to which it replies. The lack of encryption
+in the KRB_ERROR message precludes the ability to detect replays,
+fabrications, or modifications of such messages.
+
+Without preautentication, the authentication server does not know whether
+the client is actually the principal named in the request. It simply sends
+a reply without knowing or caring whether they are the same. This is
+acceptable because nobody but the principal whose identity was given in the
+request will be able to use the reply. Its critical information is
+encrypted in that principal's key. The initial request supports an optional
+field that can be used to pass additional information that might be needed
+for the initial exchange. This field may be used for preauthentication as
+described in section [hl<>].
+
+3.1.1. Generation of KRB_AS_REQ message
+
+The client may specify a number of options in the initial request. Among
+these options are whether pre-authentication is to be performed; whether
+the requested ticket is to be renewable, proxiable, or forwardable; whether
+it should be postdated or allow postdating of derivative tickets; whether
+the client requests name-canonicalization; and whether a renewable ticket
+will be accepted in lieu of a non-renewable ticket if the requested ticket
+expiration date cannot be satisfied by a non-renewable ticket (due to
+configuration constraints; see section 4). See section A.1 for pseudocode.
+
+The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+If all goes well, processing the KRB_AS_REQ message will result in the
+creation of a ticket for the client to present to the server. The format
+for the ticket is described in section 5.3.1. The contents of the ticket
+are determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+The authentication server looks up the client and server principals named
+in the KRB_AS_REQ in its database, extracting their respective keys.  If
+the requested client principal named in the request is not found in its
+database, then an error message with a KDC_ERR_C_PRINCIPAL_UNKNOWN is
+returned. If the request had the CANONICALIZE option set, then the AS can
+attempt to lookup the client principal name in an alternate database, if it
+is found an error message with a KDC_ERR_WRONG_REALM error code and the
+cname and crealm in the error message must contain the true client
+principal name and realm.
+
+If required, the server pre-authenticates the request, and if the
+pre-authentication check fails, an error message with the code
+KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
+requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
+is returned. Otherwise it generates a 'random' session key[7].
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+If there are multiple encryption keys registered for a client in the
+Kerberos database (or if the key registered supports multiple encryption
+types; e.g. DES3-CBC-SHA1 and DES3-CBC-SHA1-KD), then the etype field from
+the AS request is used by the KDC to select the encryption method to be
+used for encrypting the response to the client. If there is more than one
+supported, strong encryption type in the etype list, the first valid etype
+for which an encryption key is available is used. The encryption method
+used to respond to a TGS request is taken from the keytype of the session
+key found in the ticket granting ticket.
+
+     JBrezak - the behavior of PW-SALT, and ETYPE-INFO should be explained
+     here; also about using keys that have different string-to-key
+     functions like AFSsalt
+
+When the etype field is present in a KDC request, whether an AS or TGS
+request, the KDC will attempt to assign the type of the random session key
+from the list of methods in the etype field. The KDC will select the
+appropriate type using the list of methods provided together with
+information from the Kerberos database indicating acceptable encryption
+methods for the application server. The KDC will not issue tickets with a
+weak session key encryption type.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified then the error KDC_ERR_CANNOT_POSTDATE is returned.
+Otherwise the requested start time is checked against the policy of the
+local realm (the administrator might decide to prohibit certain types or
+ranges of postdated tickets), and if acceptable, the ticket's start time is
+set as requested and the INVALID flag is set in the new ticket. The
+postdated ticket must be validated before use by presenting it to the KDC
+after the start time has been reached.
+
+The expiration time of the ticket will be set to the minimum of the
+following:
+
+   * The expiration time (endtime) requested in the KRB_AS_REQ message.
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the client principal (the authentication server's database
+     includes a maximum ticket lifetime field in each principal's record;
+     see section 4).
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the server principal.
+   * The ticket's start time plus the maximum lifetime set by the policy of
+     the local realm.
+
+If the requested expiration time minus the start time (as determined above)
+is less than a site-determined minimum lifetime, an error message with code
+KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
+ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
+option was requested, then the 'RENEWABLE' flag is set in the new ticket,
+and the renew-till value is set as if the 'RENEWABLE' option were requested
+(the field and option names are described fully in section 5.4.1).
+
+If the RENEWABLE option has been requested or if the RENEWABLE-OK option
+has been set and a renewable ticket is to be issued, then the renew-till
+field is set to the minimum of:
+
+   * Its requested value.
+   * The start time of the ticket plus the minimum of the two maximum
+     renewable lifetimes associated with the principals' database entries.
+   * The start time of the ticket plus the maximum renewable lifetime set
+     by the policy of the local realm.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+The flags field of the new ticket will have the following options set if
+they have been requested and if the policy of the local realm allows:
+FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
+ticket is post-dated (the start time is in the future), its INVALID flag
+will also be set.
+
+If all of the above succeed, the server formats a KRB_AS_REP message (see
+section 5.4.2), copying the addresses in the request into the caddr of the
+response, placing any required pre-authentication data into the padata of
+the response, and encrypts the ciphertext part in the client's key using
+the requested encryption method, and sends it to the client. See section
+A.2 for pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+Several errors can occur, and the Authentication Server responds by
+returning an error message, KRB_ERROR, to the client, with the error-code
+and e-text fields set to appropriate values. The error message contents and
+details are described in Section 5.9.1.
+
+3.1.5. Receipt of KRB_AS_REP message
+
+If the reply message type is KRB_AS_REP, then the client verifies that the
+cname and crealm fields in the cleartext portion of the reply match what it
+requested. If any padata fields are present, they may be used to derive the
+proper secret key to decrypt the message. The client decrypts the encrypted
+part of the response using its secret key, verifies that the nonce in the
+encrypted part matches the nonce it supplied in its request (to detect
+replays). It also verifies that the sname and srealm in the response match
+those in the request (or are otherwise expected values), and that the host
+address field is also correct. It then stores the ticket, session key,
+start and expiration times, and other information for later use. The
+key-expiration field from the encrypted part of the response may be checked
+to notify the user of impending key expiration (the client program could
+then suggest remedial action, such as a password change). See section A.3
+for pseudocode.
+
+Proper decryption of the KRB_AS_REP message is not sufficient to verify the
+identity of the user; the user and an attacker could cooperate to generate
+a KRB_AS_REP format message which decrypts properly but is not from the
+proper KDC. If the host wishes to verify the identity of the user, it must
+require the user to present application credentials which can be verified
+using a securely-stored secret key for the host. If those credentials can
+be verified, then the identity of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+If the reply message type is KRB_ERROR, then the client interprets it as an
+error and performs whatever application-specific tasks are necessary to
+recover. If the client set the CANONICALIZE option and a
+KDC_ERR_WRONG_REALM error was returned, the AS request should be retried to
+the realm and client principal name specified in the error message crealm
+and cname field respectively.
+
+3.2. The Client/Server Authentication Exchange
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+The client/server authentication (CS) exchange is used by network
+applications to authenticate the client to the server and vice versa. The
+client must have already acquired credentials for the server using the AS
+or TGS exchange.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+3.2.1. The KRB_AP_REQ message
+
+The KRB_AP_REQ contains authentication information which should be part of
+the first message in an authenticated transaction. It contains a ticket, an
+authenticator, and some additional bookkeeping information (see section
+5.5.1 for the exact format). The ticket by itself is insufficient to
+authenticate a client, since tickets are passed across the network in
+cleartext[DS90], so the authenticator is used to prevent invalid replay of
+tickets by proving to the server that the client knows the session key of
+the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message
+is referred to elsewhere as the 'authentication header.'
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+When a client wishes to initiate authentication to a server, it obtains
+(either through a credentials cache, the AS exchange, or the TGS exchange)
+a ticket and session key for the desired service. The client may re-use any
+tickets it holds until they expire. To use a ticket the client constructs a
+new Authenticator from the the system time, its name, and optionally an
+application specific checksum, an initial sequence number to be used in
+KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
+negotiations for a session key unique to this particular session.
+Authenticators may not be re-used and will be rejected if replayed to a
+server[LGDSR87]. If a sequence number is to be included, it should be
+randomly chosen so that even after many messages have been exchanged it is
+not likely to collide with other sequence numbers in use.
+
+The client may indicate a requirement of mutual authentication or the use
+of a session-key based ticket by setting the appropriate flag(s) in the
+ap-options field of the message.
+
+The Authenticator is encrypted in the session key and combined with the
+ticket to form the KRB_AP_REQ message which is then sent to the end server
+along with any additional application-specific information. See section A.9
+for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+Authentication is based on the server's current time of day (clocks must be
+loosely synchronized), the authenticator, and the ticket. Several errors
+are possible. If an error occurs, the server is expected to reply to the
+client with a KRB_ERROR message. This message may be encapsulated in the
+application protocol if its 'raw' form is not acceptable to the protocol.
+The format of error messages is described in section 5.9.1.
+
+The algorithm for verifying authentication information is as follows. If
+the message type is not KRB_AP_REQ, the server returns the
+KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket in
+the KRB_AP_REQ is not one the server can use (e.g., it indicates an old
+key, and the server no longer possesses a copy of the old key), the
+KRB_AP_ERR_BADKEYVER error is returned. If the USE-SESSION-KEY flag is set
+in the ap-options field, it indicates to the server that the ticket is
+encrypted in the session key from the server's ticket-granting ticket
+rather than its secret key[10]. Since it is possible for the server to be
+registered in multiple realms, with different keys in each, the srealm
+field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to
+specify which secret key the server should use to decrypt that ticket. The
+KRB_AP_ERR_NOKEY error code is returned if the server doesn't have the
+proper key to decipher the ticket.
+
+The ticket is decrypted using the version of the server's key specified by
+the ticket. If the decryption routines detect a modification of the ticket
+(each encryption system must provide safeguards to detect modified
+ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
+(chances are good that different keys were used to encrypt and decrypt).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+The authenticator is decrypted using the session key extracted from the
+decrypted ticket. If decryption shows it to have been modified, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the
+client from the ticket are compared against the same fields in the
+authenticator. If they don't match, the KRB_AP_ERR_BADMATCH error is
+returned (they might not match, for example, if the wrong session key was
+used to encrypt the authenticator). The addresses in the ticket (if any)
+are then searched for an address matching the operating-system reported
+address of the client. If no match is found or the server insists on ticket
+addresses but none are present in the ticket, the KRB_AP_ERR_BADADDR error
+is returned.
+
+If the local (server) time and the client time in the authenticator differ
+by more than the allowable clock skew (e.g., 5 minutes), the
+KRB_AP_ERR_SKEW error is returned. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen such tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The
+server must remember any authenticator presented within the allowable clock
+skew, so that a replay attempt is guaranteed to fail. If a server loses
+track of any authenticator presented within the allowable clock skew, it
+must reject all requests until the clock skew interval has passed. This
+assures that any lost or re-played authenticators will fall outside the
+allowable clock skew and can no longer be successfully replayed (If this is
+not done, an attacker could conceivably record the ticket and authenticator
+sent over the network to a server, then disable the client's host, pose as
+the disabled host, and replay the ticket and authenticator to subvert the
+authentication.). If a sequence number is provided in the authenticator,
+the server saves it for later use in processing KRB_SAFE and/or KRB_PRIV
+messages. If a subkey is present, the server either saves it for later use
+or uses it to help generate its own choice for a subkey to be returned in a
+KRB_AP_REP message.
+
+The server computes the age of the ticket: local (server) time minus the
+start time inside the Ticket. If the start time is later than the current
+time by more than the allowable clock skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
+current time is later than end time by more than the allowable clock skew,
+the KRB_AP_ERR_TKT_EXPIRED error is returned.
+
+If all these checks succeed without an error, the server is assured that
+the client possesses the credentials of the principal named in the ticket
+and thus, the client has been authenticated to the server. See section A.10
+for pseudocode.
+
+Passing these checks provides only authentication of the named principal;
+it does not imply authorization to use the named service. Applications must
+make a separate authorization decisions based upon the authenticated name
+of the user, the requested operation, local acces control information such
+as that contained in a .k5login or .k5users file, and possibly a separate
+distributed authorization service.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+Typically, a client's request will include both the authentication
+information and its initial request in the same message, and the server
+need not explicitly reply to the KRB_AP_REQ. However, if mutual
+authentication (not only authenticating the client to the server, but also
+the server to the client) is being performed, the KRB_AP_REQ message will
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+have MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message
+is required in response. As with the error message, this message may be
+encapsulated in the application protocol if its "raw" form is not
+acceptable to the application's protocol. The timestamp and microsecond
+field used in the reply must be the client's timestamp and microsecond
+field (as provided in the authenticator)[12]. If a sequence number is to be
+included, it should be randomly chosen as described above for the
+authenticator. A subkey may be included if the server desires to negotiate
+a different subkey. The KRB_AP_REP message is encrypted in the session key
+extracted from the ticket. See section A.11 for pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+If a KRB_AP_REP message is returned, the client uses the session key from
+the credentials obtained for the server[13] to decrypt the message, and
+verifies that the timestamp and microsecond fields match those in the
+Authenticator it sent to the server. If they match, then the client is
+assured that the server is genuine. The sequence number and subkey (if
+present) are retained for later use. See section A.12 for pseudocode.
+
+3.2.6. Using the encryption key
+
+After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
+server share an encryption key which can be used by the application. The
+'true session key' to be used for KRB_PRIV, KRB_SAFE, or other
+application-specific uses may be chosen by the application based on the
+subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
+the use of this session key will be implicit in the protocol; in others the
+method of use must be chosen from several alternatives. We leave the
+protocol negotiations of how to use the key (e.g. selecting an encryption
+or checksum type) to the application programmer; the Kerberos protocol does
+not constrain the implementation options, but an example of how this might
+be done follows.
+
+One way that an application may choose to negotiate a key to be used for
+subequent integrity and privacy protection is for the client to propose a
+key in the subkey field of the authenticator. The server can then choose a
+key using the proposed key from the client as input, returning the new
+subkey in the subkey field of the application reply. This key could then be
+used for subsequent communication. To make this example more concrete, if
+the encryption method in use required a 56 bit key, and for whatever
+reason, one of the parties was prevented from using a key with more than 40
+unknown bits, this method would allow the the party which is prevented from
+using more than 40 bits to either propose (if the client) an initial key
+with a known quantity for 16 of those bits, or to mask 16 of the bits (if
+the server) with the known quantity. The application implementor is warned,
+however, that this is only an example, and that an analysis of the
+particular crytosystem to be used, and the reasons for limiting the key
+length, must be made before deciding whether it is acceptable to mask bits
+of the key.
+
+With both the one-way and mutual authentication exchanges, the peers should
+take care not to send sensitive information to each other without proper
+assurances. In particular, applications that require privacy or integrity
+should use the KRB_AP_REP response from the server to client to assure both
+client and server of their peer's identity. If an application protocol
+requires privacy of its messages, it can use the KRB_PRIV message (section
+3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+3.3. The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+The TGS exchange between a client and the Kerberos Ticket-Granting Server
+is initiated by a client when it wishes to obtain authentication
+credentials for a given server (which might be registered in a remote
+realm), when it wishes to renew or validate an existing ticket, or when it
+wishes to obtain a proxy ticket. In the first case, the client must already
+have acquired a ticket for the Ticket-Granting Service using the AS
+exchange (the ticket-granting ticket is usually obtained when a client
+initially authenticates to the system, such as when a user logs in). The
+message format for the TGS exchange is almost identical to that for the AS
+exchange. The primary difference is that encryption and decryption in the
+TGS exchange does not take place under the client's key. Instead, the
+session key from the ticket-granting ticket or renewable ticket, or
+sub-session key from an Authenticator is used. As is the case for all
+application servers, expired tickets are not accepted by the TGS, so once a
+renewable or ticket-granting ticket expires, the client must use a separate
+exchange to obtain valid tickets.
+
+The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
+client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
+KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
+client plus a request for credentials. The authentication information
+consists of the authentication header (KRB_AP_REQ) which includes the
+client's previously obtained ticket-granting, renewable, or invalid ticket.
+In the ticket-granting ticket and proxy cases, the request may include one
+or more of: a list of network addresses, a collection of typed
+authorization data to be sealed in the ticket for authorization use by the
+application server, or additional tickets (the use of which are described
+later). The TGS reply (KRB_TGS_REP) contains the requested credentials,
+encrypted in the session key from the ticket-granting ticket or renewable
+ticket, or if present, in the sub-session key from the Authenticator (part
+of the authentication header). The KRB_ERROR message contains an error code
+and text explaining what went wrong. The KRB_ERROR message is not
+encrypted. The KRB_TGS_REP message contains information which can be used
+to detect replays, and to associate it with the message to which it
+replies. The KRB_ERROR message also contains information which can be used
+to associate it with the message to which it replies, but the lack of
+encryption in the KRB_ERROR message precludes the ability to detect replays
+or fabrications of such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+Before sending a request to the ticket-granting service, the client must
+determine in which realm the application server is registered[15], if it is
+known. If the client does know the service principal name and realm and it
+does not already possess a ticket-granting ticket for the appropriate
+realm, then one must be obtained. This is first attempted by requesting a
+ticket-granting ticket for the destination realm from a Kerberos server for
+which the client does posess a ticket-granting ticket (using the
+KRB_TGS_REQ message recursively). The Kerberos server may return a TGT for
+the desired realm in which case one can proceed.
+
+If the client does not know the realm of the service or the true service
+principal name, then the CANONICALIZE option must be used in the request.
+This will cause the TGS to locate the service principal based on the target
+service name in the ticket and return the service principal name in the
+response. Alternatively, the Kerberos server may return a TGT for a realm
+which is 'closer' to the desired realm (further along the standard
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+hierarchical path) or the realm that may contain the requested service
+principal name in a request with the CANONCALIZE option set [JBrezak], in
+which case this step must be repeated with a Kerberos server in the realm
+specified in the returned TGT. If neither are returned, then the request
+must be retried with a Kerberos server for a realm higher in the hierarchy.
+This request will itself require a ticket-granting ticket for the higher
+realm which must be obtained by recursively applying these directions.
+
+Once the client obtains a ticket-granting ticket for the appropriate realm,
+it determines which Kerberos servers serve that realm, and contacts one.
+The list might be obtained through a configuration file or network service
+or it may be generated from the name of the realm; as long as the secret
+keys exchanged by realms are kept secret, only denial of service results
+from using a false Kerberos server.
+
+As in the AS exchange, the client may specify a number of options in the
+KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
+an authentication header as an element of the padata field, and including
+the same fields as used in the KRB_AS_REQ message along with several
+optional fields: the enc-authorization-data field for application server
+use and additional tickets required by some options.
+
+In preparing the authentication header, the client can select a sub-session
+key under which the response from the Kerberos server will be
+encrypted[16]. If the sub-session key is not specified, the session key
+from the ticket-granting ticket will be used. If the enc-authorization-data
+is present, it must be encrypted in the sub-session key, if present, from
+the authenticator portion of the authentication header, or if not present,
+using the session key from the ticket-granting ticket.
+
+Once prepared, the message is sent to a Kerberos server for the destination
+realm. See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
+message, but there are many additional checks to be performed. First, the
+Kerberos server must determine which server the accompanying ticket is for
+and it must select the appropriate key to decrypt it. For a normal
+KRB_TGS_REQ message, it will be for the ticket granting service, and the
+TGS's key will be used. If the TGT was issued by another realm, then the
+appropriate inter-realm key must be used. If the accompanying ticket is not
+a ticket granting ticket for the current realm, but is for an application
+server in the current realm, the RENEW, VALIDATE, or PROXY options are
+specified in the request, and the server for which a ticket is requested is
+the server named in the accompanying ticket, then the KDC will decrypt the
+ticket in the authentication header using the key of the server for which
+it was issued. If no ticket can be found in the padata field, the
+KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+Once the accompanying ticket has been decrypted, the user-supplied checksum
+in the Authenticator must be verified against the contents of the request,
+and the message rejected if the checksums do not match (with an error code
+of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
+collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
+checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
+returned. If the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+If any of the decryptions indicate failed integrity checks, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. If the CANONICALIZE option is
+set in the KRB_TGS_REQ, then the requested service name may not be the true
+principal name or the service may not be in the TGS realm.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+3.3.3. Generation of KRB_TGS_REP message
+
+The KRB_TGS_REP message shares its format with the KRB_AS_REP
+(KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The detailed
+specification is in section 5.4.2.
+
+The response will include a ticket for the requested server. The Kerberos
+database is queried to retrieve the record for the requested server
+(including the key with which the ticket will be encrypted). If the request
+is for a ticket granting ticket for a remote realm, and if no key is shared
+with the requested realm, then the Kerberos server will select the realm
+"closest" to the requested realm with which it does share a key, and use
+that realm instead. If the CANONICALIZE option is set, the TGS may return a
+ticket containing the server name of the true service principal. If the
+requested server cannot be found in the TGS database, then a TGT for
+another trusted realm may be returned instead of a ticket for the service.
+This TGT is a referral mechanism to cause the client to retry the request
+to the realm of the TGT. These are the only cases where the response for
+the KDC will be for a different server than that requested by the client.
+
+By default, the address field, the client's name and realm, the list of
+transited realms, the time of initial authentication, the expiration time,
+and the authorization data of the newly-issued ticket will be copied from
+the ticket-granting ticket (TGT) or renewable ticket. If the transited
+field needs to be updated, but the transited type is not supported, the
+KDC_ERR_TRTYPE_NOSUPP error is returned.
+
+If the request specifies an endtime, then the endtime of the new ticket is
+set to the minimum of (a) that request, (b) the endtime from the TGT, and
+(c) the starttime of the TGT plus the minimum of the maximum life for the
+application server and the maximum life for the local realm (the maximum
+life for the requesting principal was already applied when the TGT was
+issued). If the new ticket is to be a renewal, then the endtime above is
+replaced by the minimum of (a) the value of the renew_till field of the
+ticket and (b) the starttime for the new ticket plus the life
+(endtime-starttime) of the old ticket.
+
+If the FORWARDED option has been requested, then the resulting ticket will
+contain the addresses specified by the client. This option will only be
+honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
+similar; the resulting ticket will contain the addresses specified by the
+client. It will be honored only if the PROXIABLE flag in the TGT is set.
+The PROXY option will not be honored on requests for additional
+ticket-granting tickets.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified or the MAY-POSTDATE flag is not set in the TGT, then the
+error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the
+ticket-granting ticket has the MAY-POSTDATE flag set, then the resulting
+ticket will be postdated and the requested starttime is checked against the
+policy of the local realm. If acceptable, the ticket's start time is set as
+requested, and the INVALID flag is set. The postdated ticket must be
+validated before use by presenting it to the KDC after the starttime has
+been reached. However, in no case may the starttime, endtime, or renew-till
+time of a newly-issued postdated ticket extend beyond the renew-till time
+of the ticket-granting ticket.
+
+If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
+has been included in the request, the KDC will decrypt the additional
+ticket using the key for the server to which the additional ticket was
+issued and verify that it is a ticket-granting ticket. If the name of the
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+requested server is missing from the request, the name of the client in the
+additional ticket will be used. Otherwise the name of the requested server
+will be compared to the name of the client in the additional ticket and if
+different, the request will be rejected. If the request succeeds, the
+session key from the additional ticket will be used to encrypt the new
+ticket that is issued instead of using the key of the server for which the
+new ticket will be used[17].
+
+If the name of the server in the ticket that is presented to the KDC as
+part of the authentication header is not that of the ticket-granting server
+itself, the server is registered in the realm of the KDC, and the RENEW
+option is requested, then the KDC will verify that the RENEWABLE flag is
+set in the ticket, that the INVALID flag is not set in the ticket, and that
+the renew_till time is still in the future. If the VALIDATE option is
+rqeuested, the KDC will check that the starttime has passed and the INVALID
+flag is set. If the PROXY option is requested, then the KDC will check that
+the PROXIABLE flag is set in the ticket. If the tests succeed, and the
+ticket passes the hotlist check described in the next paragraph, the KDC
+will issue the appropriate new ticket.
+
+3.3.3.1. Checking for revoked tickets
+
+Whenever a request is made to the ticket-granting server, the presented
+ticket(s) is(are) checked against a hot-list of tickets which have been
+canceled. This hot-list might be implemented by storing a range of issue
+timestamps for 'suspect tickets'; if a presented ticket had an authtime in
+that range, it would be rejected. In this way, a stolen ticket-granting
+ticket or renewable ticket cannot be used to gain additional tickets
+(renewals or otherwise) once the theft has been reported. Any normal ticket
+obtained before it was reported stolen will still be valid (because they
+require no interaction with the KDC), but only until their normal
+expiration time.
+
+The ciphertext part of the response in the KRB_TGS_REP message is encrypted
+in the sub-session key from the Authenticator, if present, or the session
+key key from the ticket-granting ticket. It is not encrypted using the
+client's secret key. Furthermore, the client's key's expiration date and
+the key version number fields are left out since these values are stored
+along with the client's database record, and that record is not needed to
+satisfy a request based on a ticket-granting ticket. See section A.6 for
+pseudocode.
+
+3.3.3.2. Encoding the transited field
+
+If the identity of the server in the TGT that is presented to the KDC as
+part of the authentication header is that of the ticket-granting service,
+but the TGT was issued from another realm, the KDC will look up the
+inter-realm key shared with that realm and use that key to decrypt the
+ticket. If the ticket is valid, then the KDC will honor the request,
+subject to the constraints outlined above in the section describing the AS
+exchange. The realm part of the client's identity will be taken from the
+ticket-granting ticket. The name of the realm that issued the
+ticket-granting ticket will be added to the transited field of the ticket
+to be issued. This is accomplished by reading the transited field from the
+ticket-granting ticket (which is treated as an unordered set of realm
+names), adding the new realm to the set, then constructing and writing out
+its encoded (shorthand) form (this may involve a rearrangement of the
+existing encoding).
+
+Note that the ticket-granting service does not add the name of its own
+realm. Instead, its responsibility is to add the name of the previous
+realm. This prevents a malicious Kerberos server from intentionally leaving
+out its own name (it could, however, omit other realms' names).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+The names of neither the local realm nor the principal's realm are to be
+included in the transited field. They appear elsewhere in the ticket and
+both are known to have taken part in authenticating the principal. Since
+the endpoints are not included, both local and single-hop inter-realm
+authentication result in a transited field that is empty.
+
+Because the name of each realm transited is added to this field, it might
+potentially be very long. To decrease the length of this field, its
+contents are encoded. The initially supported encoding is optimized for the
+normal case of inter-realm communication: a hierarchical arrangement of
+realms using either domain or X.500 style realm names. This encoding
+(called DOMAIN-X500-COMPRESS) is now described.
+
+Realm names in the transited field are separated by a ",". The ",", "\",
+trailing "."s, and leading spaces (" ") are special characters, and if they
+are part of a realm name, they must be quoted in the transited field by
+preced- ing them with a "\".
+
+A realm name ending with a "." is interpreted as being prepended to the
+previous realm. For example, we can encode traversal of EDU, MIT.EDU,
+ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that
+they would not be included in this field, and we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is interpreted as being appended to the
+previous realm[18]. If it is to stand by itself, then it should be preceded
+by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
+/COM/HP, /COM, and /COM/DEC as:
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+
+Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
+they would not be included in this field, and we would have:
+
+     "/COM,/HP"
+
+A null subfield preceding or following a "," indicates that all realms
+between the previous realm and the next realm have been traversed[19].
+Thus, "," means that all realms along the path between the client and the
+server have been traversed. ",EDU, /COM," means that that all realms from
+the client's realm up to EDU (in a domain style hierarchy) have been
+traversed, and that everything from /COM down to the server's realm in an
+X.500 style has also been traversed. This could occur if the EDU realm in
+one hierarchy shares an inter-realm key directly with the /COM realm in
+another hierarchy.
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it is processed in the same
+manner as the KRB_AS_REP processing described above. The primary difference
+is that the ciphertext part of the response must be decrypted using the
+session key from the ticket-granting ticket rather than the client's secret
+key. The server name returned in the reply is the true principal name of
+the service. See section A.7 for pseudocode.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+3.4. The KRB_SAFE Exchange
+
+The KRB_SAFE message may be used by clients requiring the ability to detect
+modifications of messages they exchange. It achieves this by including a
+keyed collision-proof checksum of the user data and some control
+information. The checksum is keyed with an encryption key (usually the last
+key negotiated via subkeys, or the session key if no negotiation has
+occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+When an application wishes to send a KRB_SAFE message, it collects its data
+and the appropriate control information and computes a checksum over them.
+The checksum algorithm should be a keyed one-way hash function (such as the
+RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES
+MAC), generated using the sub-session key if present, or the session key.
+Different algorithms may be selected by changing the checksum type in the
+message. Unkeyed or non-collision-proof checksums are not suitable for this
+use.
+
+The control information for the KRB_SAFE message includes both a timestamp
+and a sequence number. The designer of an application using the KRB_SAFE
+message must choose at least one of the two mechanisms. This choice should
+be based on the needs of the application protocol.
+
+Sequence numbers are useful when all messages sent will be received by
+one's peer. Connection state is presently required to maintain the session
+key, so maintaining the next sequence number should not present an
+additional problem.
+
+If the application protocol is expected to tolerate lost messages without
+them being resent, the use of the timestamp is the appropriate replay
+detection mechanism. Using timestamps is also the appropriate mechanism for
+multi-cast protocols where all of one's peers share a common sub-session
+key, but some messages will be sent to a subset of one's peers.
+
+After computing the checksum, the client then transmits the information and
+checksum to the recipient in the message format specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and
+type fields match the current version and KRB_SAFE, respectively. A
+mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
+The application verifies that the checksum used is a collision-proof keyed
+checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. If
+the sender's address was included in the control information, the recipient
+verifies that the operating system's report of the sender's address matches
+the sender's address in the message, and (if a recipient address is
+specified or the recipient requires an address) that one of the recipient's
+addresses appears as the recipient's address in the message. A failed match
+for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp
+and usec and/or the sequence number fields are checked. If timestamp and
+usec are expected and not present, or they are present but not current, the
+KRB_AP_ERR_SKEW error is generated. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen (sent or received[20] ) such tuples, the KRB_AP_ERR_REPEAT
+error is generated. If an incorrect sequence number is included, or a
+sequence number is expected but not present, the KRB_AP_ERR_BADORDER error
+is generated. If neither a time-stamp and usec or a sequence number is
+present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is
+computed over the data and control information, and if it doesn't match the
+received checksum, a KRB_AP_ERR_MODIFIED error is generated.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+If all the checks succeed, the application is assured that the message was
+generated by its peer and was not modi- fied in transit.
+
+3.5. The KRB_PRIV Exchange
+
+The KRB_PRIV message may be used by clients requiring confidentiality and
+the ability to detect modifications of exchanged messages. It achieves this
+by encrypting the messages and adding control information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+When an application wishes to send a KRB_PRIV message, it collects its data
+and the appropriate control information (specified in section 5.7.1) and
+encrypts them under an encryption key (usually the last key negotiated via
+subkeys, or the session key if no negotiation has occured). As part of the
+control information, the client must choose to use either a timestamp or a
+sequence number (or both); see the discussion in section 3.4.1 for
+guidelines on which to use. After the user data and control information are
+encrypted, the client transmits the ciphertext and some 'envelope'
+information to the recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and
+type fields match the current version and KRB_PRIV, respectively. A
+mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
+The application then decrypts the ciphertext and processes the resultant
+plaintext. If decryption shows the data to have been modified, a
+KRB_AP_ERR_BAD_INTEGRITY error is generated. If the sender's address was
+included in the control information, the recipient verifies that the
+operating system's report of the sender's address matches the sender's
+address in the message, and (if a recipient address is specified or the
+recipient requires an address) that one of the recipient's addresses
+appears as the recipient's address in the message. A failed match for
+either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
+usec and/or the sequence number fields are checked. If timestamp and usec
+are expected and not present, or they are present but not current, the
+KRB_AP_ERR_SKEW error is generated. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen such tuples, the KRB_AP_ERR_REPEAT error is generated. If an
+incorrect sequence number is included, or a sequence number is expected but
+not present, the KRB_AP_ERR_BADORDER error is generated. If neither a
+time-stamp and usec or a sequence number is present, a KRB_AP_ERR_MODIFIED
+error is generated.
+
+If all the checks succeed, the application can assume the message was
+generated by its peer, and was securely transmitted (without intruders able
+to see the unencrypted contents).
+
+3.6. The KRB_CRED Exchange
+
+The KRB_CRED message may be used by clients requiring the ability to send
+Kerberos credentials from one host to another. It achieves this by sending
+the tickets together with encrypted data containing the session keys and
+other information associated with the tickets.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+3.6.1. Generation of a KRB_CRED message
+
+When an application wishes to send a KRB_CRED message it first (using the
+KRB_TGS exchange) obtains credentials to be sent to the remote host. It
+then constructs a KRB_CRED message using the ticket or tickets so obtained,
+placing the session key needed to use each ticket in the key field of the
+corresponding KrbCredInfo sequence of the encrypted part of the the
+KRB_CRED message.
+
+Other information associated with each ticket and obtained during the
+KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence
+in the encrypted part of the KRB_CRED message. The current time and, if
+specifically required by the application the nonce, s-address, and
+r-address fields, are placed in the encrypted part of the KRB_CRED message
+which is then encrypted under an encryption key previosuly exchanged in the
+KRB_AP exchange (usually the last key negotiated via subkeys, or the
+session key if no negotiation has occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies it. If any
+error occurs, an error code is reported for use by the application. The
+message is verified by checking that the protocol version and type fields
+match the current version and KRB_CRED, respectively. A mismatch generates
+a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
+decrypts the ciphertext and processes the resultant plaintext. If
+decryption shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY
+error is generated.
+
+If present or required, the recipient verifies that the operating system's
+report of the sender's address matches the sender's address in the message,
+and that one of the recipient's addresses appears as the recipient's
+address in the message. A failed match for either case generates a
+KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce
+field if required) are checked next. If the timestamp and usec are not
+present, or they are present but not current, the KRB_AP_ERR_SKEW error is
+generated.
+
+If all the checks succeed, the application stores each of the new tickets
+in its ticket cache together with the session key and other information in
+the corresponding KrbCredInfo sequence from the encrypted part of the
+KRB_CRED message.
+
+4. The Kerberos Database
+
+The Kerberos server must have access to a database containing the principal
+identifiers and secret keys of principals to be authenticated[21].
+
+4.1. Database contents
+
+A database entry should contain at least the following fields:
+
+Field                Value
+
+name                 Principal's identifier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier. The key field
+contains an encryption key. This key is the principal's secret key. (The
+key can be encrypted before storage under a Kerberos "master key" to
+protect it in case the database is compromised but the master key is not.
+In that case, an extra field must be added to indicate the master key
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+version used, see below.) The p_kvno field is the key version number of the
+principal's secret key. The max_life field contains the maximum allowable
+lifetime (endtime - starttime) for any Ticket issued for this principal.
+The max_renewable_life field contains the maximum allowable total lifetime
+for any renewable Ticket issued for this principal. (See section 3.1 for a
+description of how these lifetimes are used in determining the lifetime of
+a given Ticket.)
+
+A server may provide KDC service to several realms, as long as the database
+representation provides a mechanism to distinguish between principal
+records with identifiers which differ only in the realm name.
+
+When an application server's key changes, if the change is routine (i.e.
+not the result of disclosure of the old key), the old key should be
+retained by the server until all tickets that had been issued using that
+key have expired. Because of this, it is possible for several keys to be
+active for a single principal. Ciphertext encrypted in a principal's key is
+always tagged with the version of the key that was used for encryption, to
+help the recipient find the proper key for decryption.
+
+When more than one key is active for a particular principal, the principal
+will have more than one record in the Kerberos database. The keys and key
+version numbers will differ between the records (the rest of the fields may
+or may not be the same). Whenever Kerberos issues a ticket, or responds to
+a request for initial authentication, the most recent key (known by the
+Kerberos server) will be used for encryption. This is the key with the
+highest key version number.
+
+4.2. Additional fields
+
+Project Athena's KDC implementation uses additional fields in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+mod_name     Modifying principal's identifier
+
+The K_kvno field indicates the key version of the Kerberos master key under
+which the principal's secret key is encrypted.
+
+After an entry's expiration date has passed, the KDC will return an error
+to any client attempting to gain tickets as or for the principal. (A
+database may want to maintain two expiration dates: one for the principal,
+and one for the principal's current key. This allows password aging to work
+independently of the principal's expiration date. However, due to the
+limited space in the responses, the KDC must combine the key expiration and
+principal expiration date into a single value called 'key_exp', which is
+used as a hint to the user to take administrative action.)
+
+The attributes field is a bitfield used to govern the operations involving
+the principal. This field might be useful in conjunction with user
+registration procedures, for site-specific policy implementations (Project
+Athena currently uses it for their user registration process controlled by
+the system-wide database service, Moira [LGDSR87]), to identify whether a
+principal can play the role of a client or server or both, to note whether
+a server is appropriate trusted to recieve credentials delegated by a
+client, or to identify the 'string to key' conversion algorithm used for a
+principal's key[22]. Other bits are used to indicate that certain ticket
+options should not be allowed in tickets encrypted under a principal's key
+(one bit each): Disallow issuing postdated tickets, disallow issuing
+forwardable tickets, disallow issuing tickets based on TGT authentication,
+disallow issuing renewable tickets, disallow issuing proxiable tickets, and
+disallow issuing tickets for which the principal is the server.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+The mod_date field contains the time of last modification of the entry, and
+the mod_name field contains the name of the principal which last modified
+the entry.
+
+4.3. Frequently Changing Fields
+
+Some KDC implementations may wish to maintain the last time that a request
+was made by a particular principal. Information that might be maintained
+includes the time of the last request, the time of the last request for a
+ticket-granting ticket, the time of the last use of a ticket-granting
+ticket, or other times. This information can then be returned to the user
+in the last-req field (see section 5.2).
+
+Other frequently changing information that can be maintained is the latest
+expiration time for any tickets that have been issued using each key. This
+field would be used to indicate how long old keys must remain valid to
+allow the continued use of outstanding tickets.
+
+4.4. Site Constants
+
+The KDC implementation should have the following configurable constants or
+options, to allow an administrator to make and enforce policy decisions:
+
+   * The minimum supported lifetime (used to determine whether the
+     KDC_ERR_NEVER_VALID error should be returned). This constant should
+     reflect reasonable expectations of round-trip time to the KDC,
+     encryption/decryption time, and processing time by the client and
+     target server, and it should allow for a minimum 'useful' lifetime.
+   * The maximum allowable total (renewable) lifetime of a ticket
+     (renew_till - starttime).
+   * The maximum allowable lifetime of a ticket (endtime - starttime).
+   * Whether to allow the issue of tickets with empty address fields
+     (including the ability to specify that such tickets may only be issued
+     if the request specifies some authorization_data).
+   * Whether proxiable, forwardable, renewable or post-datable tickets are
+     to be issued.
+
+5. Message Specifications
+
+The following sections describe the exact contents and encoding of protocol
+messages and objects. The ASN.1 base definitions are presented in the first
+subsection. The remaining subsections specify the protocol objects (tickets
+and authenticators) and messages. Specification of encryption and checksum
+techniques, and the fields related to them, appear in section 6.
+
+Optional field in ASN.1 sequences
+
+For optional integer value and date fields in ASN.1 sequences where a
+default value has been specified, certain default values will not be
+allowed in the encoding because these values will always be represented
+through defaulting by the absence of the optional field. For example, one
+will not send a microsecond zero value because one must make sure that
+there is only one way to encode this value.
+
+Additional fields in ASN.1 sequences
+
+Implementations receiving Kerberos messages with additional fields present
+in ASN.1 sequences should carry the those fields through, unmodified, when
+the message is forwarded. Implementations should not drop such fields if
+the sequence is reencoded.
+
+5.1. ASN.1 Distinguished Encoding Representation
+
+All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+Representation of the data elements as described in the X.509
+specification, section 8.7 [X509-88].
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.2. ASN.1 Base Definitions
+
+The following ASN.1 base definitions are used in the rest of this section.
+Note that since the underscore character (_) is not permitted in ASN.1
+names, the hyphen (-) is used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+Kerberos realms are encoded as GeneralStrings. Realms shall not contain a
+character with the code 0 (the ASCII NUL). Most realms will usually consist
+of several components separated by periods (.), in the style of Internet
+Domain Names, or separated by slashes (/) in the style of X.500 names.
+Acceptable forms for realm names are specified in section 7. A
+PrincipalName is a typed sequence of components consisting of the following
+sub-fields:
+
+name-type
+     This field specifies the type of name that follows. Pre-defined values
+     for this field are specified in section 7.2. The name-type should be
+     treated as a hint. Ignoring the name type, no two names can be the
+     same (i.e. at least one of the components, or the realm, must be
+     different). This constraint may be eliminated in the future.
+name-string
+     This field encodes a sequence of components that form a name, each
+     component encoded as a GeneralString. Taken together, a PrincipalName
+     and a Realm form a principal identifier. Most PrincipalNames will have
+     only a few components (typically one or two).
+
+KerberosTime ::=   GeneralizedTime
+                   -- Specifying UTC time zone (Z)
+
+The timestamps used in Kerberos are encoded as GeneralizedTimes. An
+encoding shall specify the UTC time zone (Z) and shall not include any
+fractional portions of the seconds. It further shall not include any
+separators. Example: The only valid format for UTC time 6 minutes, 27
+seconds after 9 pm on 6 November 1985 is 19851106210627Z.
+
+HostAddress ::=     SEQUENCE  {
+                    addr-type[0]             INTEGER,
+                    address[1]               OCTET STRING
+}
+
+HostAddresses ::=   SEQUENCE OF HostAddress
+
+The host adddress encodings consists of two fields:
+
+addr-type
+     This field specifies the type of address that follows. Pre-defined
+     values for this field are specified in section 8.1.
+address
+     This field encodes a single address of type addr-type.
+
+The two forms differ slightly. HostAddress contains exactly one address;
+HostAddresses contains a sequence of possibly many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+ad-data
+     This field contains authorization data to be interpreted according to
+     the value of the corresponding ad-type field.
+ad-type
+     This field specifies the format for the ad-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved
+     for registered use.
+
+Each sequence of type and data is refered to as an authorization element.
+Elements may be application specific, however, there is a common set of
+recursive elements that should be understood by all implementations. These
+elements contain other elements embedded within them, and the
+interpretation of the encapsulating element determines which of the
+embedded elements must be interpreted, and which may be ignored.
+Definitions for these common elements may be found in Appendix B.
+
+TicketExtensions ::= SEQUENCE OF SEQUENCE {
+           te-type[0]       INTEGER,
+           te-data[1]       OCTET STRING
+}
+
+
+
+te-data
+     This field contains opaque data that must be caried with the ticket to
+     support extensions to the Kerberos protocol including but not limited
+     to some forms of inter-realm key exchange and plaintext authorization
+     data. See appendix C for some common uses of this field.
+te-type
+     This field specifies the format for the te-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved
+     for registered use.
+
+APOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- use-session-key(1),
+                  -- mutual-required(2)
+
+TicketFlags ::= BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- may-postdate(5),
+                  -- postdated(6),
+                  -- invalid(7),
+                  -- renewable(8),
+                  -- initial(9),
+                  -- pre-authent(10),
+                  -- hw-authent(11),
+                  -- transited-policy-checked(12),
+                  -- ok-as-delegate(13)
+
+KDCOptions ::=   BIT STRING io
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- allow-postdate(5),
+                  -- postdated(6),
+                  -- unused7(7),
+                  -- renewable(8),
+                  -- unused9(9),
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                  -- unused10(10),
+                  -- unused11(11),
+                  -- unused12(12),
+                  -- unused13(13),
+                  -- requestanonymous(14),
+                  -- canonicalize(15),
+                  -- disable-transited-check(26),
+                  -- renewable-ok(27),
+                  -- enc-tkt-in-skey(28),
+                  -- renew(30),
+                  -- validate(31)
+
+ASN.1 Bit strings have a length and a value. When used in Kerberos for the
+APOptions, TicketFlags, and KDCOptions, the length of the bit string on
+generated values should be the smallest number of bits needed to include
+the highest order bit that is set (1), but in no case less than 32 bits.
+The ASN.1 representation of the bit strings uses unnamed bits, with the
+meaning of the individual bits defined by the comments in the specification
+above. Implementations should accept values of bit strings of any length
+and treat the value of flags corresponding to bits beyond the end of the
+bit string as if the bit were reset (0). Comparison of bit strings of
+different length should treat the smaller string as if it were padded with
+zeros beyond the high order bits to the length of the longer string[23].
+
+LastReq ::=   SEQUENCE OF SEQUENCE {
+               lr-type[0]               INTEGER,
+               lr-value[1]              KerberosTime
+}
+
+lr-type
+     This field indicates how the following lr-value field is to be
+     interpreted. Negative values indicate that the information pertains
+     only to the responding server. Non-negative values pertain to all
+     servers for the realm. If the lr-type field is zero (0), then no
+     information is conveyed by the lr-value subfield. If the absolute
+     value of the lr-type field is one (1), then the lr-value subfield is
+     the time of last initial request for a TGT. If it is two (2), then the
+     lr-value subfield is the time of last initial request. If it is three
+     (3), then the lr-value subfield is the time of issue for the newest
+     ticket-granting ticket used. If it is four (4), then the lr-value
+     subfield is the time of the last renewal. If it is five (5), then the
+     lr-value subfield is the time of last request (of any type). If it is
+     (6), then the lr-value subfield is the time when the password will
+     expire.
+lr-value
+     This field contains the time of the last request. the time must be
+     interpreted according to the contents of the accompanying lr-type
+     subfield.
+
+See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
+EncryptionKey, EncryptionType, and KeyType.
+
+5.3. Tickets and Authenticators
+
+This section describes the format and encryption parameters for tickets and
+authenticators. When a ticket or authenticator is included in a protocol
+message it is treated as an opaque object.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.3.1. Tickets
+
+A ticket is a record that helps a client authenticate to a service. A
+Ticket contains the following information:
+
+Ticket ::=        [APPLICATION 1] SEQUENCE {
+                  tkt-vno[0]                   INTEGER,
+                  realm[1]                     Realm,
+                  sname[2]                     PrincipalName,
+                  enc-part[3]                  EncryptedData,
+                  extensions[4]                TicketExtensions OPTIONAL
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be
+registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared by Kerberos
+and the end server (the server's secret key). See section 6 for the format
+of the ciphertext.
+
+tkt-vno
+     This field specifies the version number for the ticket format. This
+     document describes version number 5.
+realm
+     This field specifies the realm that issued a ticket. It also serves to
+     identify the realm part of the server's principal identifier. Since a
+     Kerberos server can only issue tickets for servers within its realm,
+     the two will always be identical.
+sname
+     This field specifies all components of the name part of the server's
+     identity, including those parts that identify a specific instance of a
+     service.
+enc-part
+     This field holds the encrypted encoding of the EncTicketPart sequence.
+extensions
+     This optional field contains a sequence of extentions that may be used
+     to carry information that must be carried with the ticket to support
+     several extensions, including but not limited to plaintext
+     authorization data, tokens for exchanging inter-realm keys, and other
+     information that must be associated with a ticket for use by the
+     application server. See Appendix C for definitions of some common
+     extensions.
+
+     Note that some older versions of Kerberos did not support this field.
+     Because this is an optional field it will not break older clients, but
+     older clients might strip this field from the ticket before sending it
+     to the application server. This limits the usefulness of this ticket
+     field to environments where the ticket will not be parsed and
+     reconstructed by these older Kerberos clients.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     If it is known that the client will strip this field from the ticket,
+     as an interim measure the KDC may append this field to the end of the
+     enc-part of the ticket and append a traler indicating the lenght of
+     the appended extensions field. (this paragraph is open for discussion,
+     including the form of the traler).
+flags
+     This field indicates which of various options were used or requested
+     when the ticket was issued. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). Bit 0 is the most
+     significant bit. The encoding of the bits is specified in section 5.2.
+     The flags are described in more detail above in section 2. The
+     meanings of the flags are:
+
+          Bit(s)      Name         Description
+
+          0           RESERVED
+                                   Reserved for future  expansion  of  this
+                                   field.
+
+          1           FORWARDABLE
+                                   The FORWARDABLE flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  When set,  this
+                                   flag  tells  the  ticket-granting server
+                                   that it is OK to  issue  a  new  ticket-
+                                   granting ticket with a different network
+                                   address based on the presented ticket.
+
+          2           FORWARDED
+                                   When set, this flag indicates  that  the
+                                   ticket  has either been forwarded or was
+                                   issued based on authentication involving
+                                   a forwarded ticket-granting ticket.
+
+          3           PROXIABLE
+                                   The  PROXIABLE  flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.   The  PROXIABLE
+                                   flag  has an interpretation identical to
+                                   that of  the  FORWARDABLE  flag,  except
+                                   that   the   PROXIABLE  flag  tells  the
+                                   ticket-granting server  that  only  non-
+                                   ticket-granting  tickets  may  be issued
+                                   with different network addresses.
+
+          4           PROXY
+                                   When set, this  flag  indicates  that  a
+                                   ticket is a proxy.
+
+          5           MAY-POSTDATE
+                                   The MAY-POSTDATE flag is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  This flag tells
+                                   the  ticket-granting server that a post-
+                                   dated ticket may be issued based on this
+                                   ticket-granting ticket.
+
+          6           POSTDATED
+                                   This flag indicates that this ticket has
+                                   been  postdated.   The  end-service  can
+                                   check the authtime field to see when the
+                                   original authentication occurred.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+          7           INVALID
+                                   This flag indicates  that  a  ticket  is
+                                   invalid, and it must be validated by the
+                                   KDC  before  use.   Application  servers
+                                   must reject tickets which have this flag
+                                   set.
+
+          8           RENEWABLE
+                                   The  RENEWABLE  flag  is  normally  only
+                                   interpreted  by the TGS, and can usually
+                                   be ignored by end servers (some particu-
+                                   larly careful servers may wish to disal-
+                                   low  renewable  tickets).   A  renewable
+                                   ticket  can be used to obtain a replace-
+                                   ment ticket  that  expires  at  a  later
+                                   date.
+
+          9           INITIAL
+                                   This flag indicates that this ticket was
+                                   issued  using  the  AS protocol, and not
+                                   issued  based   on   a   ticket-granting
+                                   ticket.
+
+          10          PRE-AUTHENT
+                                   This flag indicates that during  initial
+                                   authentication, the client was authenti-
+                                   cated by the KDC  before  a  ticket  was
+                                   issued.    The   strength  of  the  pre-
+                                   authentication method is not  indicated,
+                                   but is acceptable to the KDC.
+
+          11          HW-AUTHENT
+                                   This flag indicates  that  the  protocol
+                                   employed   for   initial  authentication
+                                   required the use of hardware expected to
+                                   be possessed solely by the named client.
+                                   The hardware  authentication  method  is
+                                   selected  by the KDC and the strength of
+                                   the method is not indicated.
+
+          12           TRANSITED   This flag indicates that the KDC for the
+                  POLICY-CHECKED   realm has checked the transited field
+                                   against a realm defined policy for
+                                   trusted certifiers.  If this flag is
+                                   reset (0), then the application server
+                                   must check the transited field itself,
+                                   and if unable to do so it must reject
+                                   the authentication.  If the flag is set
+                                   (1) then the application server may skip
+                                   its own validation of the transited
+                                   field, relying on the validation
+                                   performed by the KDC.  At its option the
+                                   application server may still apply its
+                                   own validation based on a separate
+                                   policy for acceptance.
+
+          13      OK-AS-DELEGATE   This flag indicates that the server (not
+                                   the client) specified in the ticket has
+                                   been determined by policy of the realm
+                                   to be a suitable recipient of
+                                   delegation.  A client can use the
+                                   presence of this flag to help it make a
+                                   decision whether to delegate credentials
+                                   (either grant a proxy or a forwarded
+                                   ticket granting ticket) to this server.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                                   The client is free to ignore the value
+                                   of this flag.  When setting this flag,
+                                   an administrator should consider the
+                                   Security and placement of the server on
+                                   which the service will run, as well as
+                                   whether the service requires the use of
+                                   delegated credentials.
+
+          14          ANONYMOUS
+                                   This flag indicates that  the  principal
+                                   named in the ticket is a generic princi-
+                                   pal for the realm and does not  identify
+                                   the  individual  using  the ticket.  The
+                                   purpose  of  the  ticket  is   only   to
+                                   securely  distribute  a session key, and
+                                   not to identify  the  user.   Subsequent
+                                   requests  using the same ticket and ses-
+                                   sion may be  considered  as  originating
+                                   from  the  same  user, but requests with
+                                   the same username but a different ticket
+                                   are  likely  to originate from different
+                                   users.
+
+          15-31       RESERVED
+                                   Reserved for future use.
+
+key
+     This field exists in the ticket and the KDC response and is used to
+     pass the session key from Kerberos to the application server and the
+     client. The field's encoding is described in section 6.2.
+crealm
+     This field contains the name of the realm in which the client is
+     registered and in which initial authentication took place.
+cname
+     This field contains the name part of the client's principal
+     identifier.
+transited
+     This field lists the names of the Kerberos realms that took part in
+     authenticating the user to whom this ticket was issued. It does not
+     specify the order in which the realms were transited. See section
+     3.3.3.2 for details on how this field encodes the traversed realms.
+     When the names of CA's are to be embedded inthe transited field (as
+     specified for some extentions to the protocol), the X.500 names of the
+     CA's should be mapped into items in the transited field using the
+     mapping defined by RFC2253.
+authtime
+     This field indicates the time of initial authentication for the named
+     principal. It is the time of issue for the original ticket on which
+     this ticket is based. It is included in the ticket to provide
+     additional information to the end service, and to provide the
+     necessary information for implementation of a `hot list' service at
+     the KDC. An end service that is particularly paranoid could refuse to
+     accept tickets for which the initial authentication occurred "too far"
+     in the past. This field is also returned as part of the response from
+     the KDC. When returned as part of the response to initial
+     authentication (KRB_AS_REP), this is the current time on the Kerberos
+     server[24].
+starttime
+     This field in the ticket specifies the time after which the ticket is
+     valid. Together with endtime, this field specifies the life of the
+     ticket. If it is absent from the ticket, its value should be treated
+     as that of the authtime field.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+endtime
+     This field contains the time after which the ticket will not be
+     honored (its expiration time). Note that individual services may place
+     their own limits on the life of a ticket and may reject tickets which
+     have not yet expired. As such, this is really an upper bound on the
+     expiration time for the ticket.
+renew-till
+     This field is only present in tickets that have the RENEWABLE flag set
+     in the flags field. It indicates the maximum endtime that may be
+     included in a renewal. It can be thought of as the absolute expiration
+     time for the ticket, including all renewals.
+caddr
+     This field in a ticket contains zero (if omitted) or more (if present)
+     host addresses. These are the addresses from which the ticket can be
+     used. If there are no addresses, the ticket can be used from any
+     location. The decision by the KDC to issue or by the end server to
+     accept zero-address tickets is a policy decision and is left to the
+     Kerberos and end-service administrators; they may refuse to issue or
+     accept such tickets. The suggested and default policy, however, is
+     that such tickets will only be issued or accepted when additional
+     information that can be used to restrict the use of the ticket is
+     included in the authorization_data field. Such a ticket is a
+     capability.
+
+     Network addresses are included in the ticket to make it harder for an
+     attacker to use stolen credentials. Because the session key is not
+     sent over the network in cleartext, credentials can't be stolen simply
+     by listening to the network; an attacker has to gain access to the
+     session key (perhaps through operating system security breaches or a
+     careless user's unattended session) to make use of stolen tickets.
+
+     It is important to note that the network address from which a
+     connection is received cannot be reliably determined. Even if it could
+     be, an attacker who has compromised the client's workstation could use
+     the credentials from there. Including the network addresses only makes
+     it more difficult, not impossible, for an attacker to walk off with
+     stolen credentials and then use them from a "safe" location.
+authorization-data
+     The authorization-data field is used to pass authorization data from
+     the principal on whose behalf a ticket was issued to the application
+     service. If no authorization data is included, this field will be left
+     out. Experience has shown that the name of this field is confusing,
+     and that a better name for this field would be restrictions.
+     Unfortunately, it is not possible to change the name of this field at
+     this time.
+
+     This field contains restrictions on any authority obtained on the
+     basis of authentication using the ticket. It is possible for any
+     principal in posession of credentials to add entries to the
+     authorization data field since these entries further restrict what can
+     be done with the ticket. Such additions can be made by specifying the
+     additional entries when a new ticket is obtained during the TGS
+     exchange, or they may be added during chained delegation using the
+     authorization data field of the authenticator.
+
+     Because entries may be added to this field by the holder of
+     credentials, except when an entry is separately authenticated by
+     encapulation in the kdc-issued element, it is not allowable for the
+     presence of an entry in the authorization data field of a ticket to
+     amplify the priveleges one would obtain from using a ticket.
+
+     The data in this field may be specific to the end service; the field
+     will contain the names of service specific objects, and the rights to
+     those objects. The format for this field is described in section 5.2.
+     Although Kerberos is not concerned with the format of the contents of
+     the sub-fields, it does carry type information (ad-type).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     By using the authorization_data field, a principal is able to issue a
+     proxy that is valid for a specific purpose. For example, a client
+     wishing to print a file can obtain a file server proxy to be passed to
+     the print server. By specifying the name of the file in the
+     authorization_data field, the file server knows that the print server
+     can only use the client's rights when accessing the particular file to
+     be printed.
+
+     A separate service providing authorization or certifying group
+     membership may be built using the authorization-data field. In this
+     case, the entity granting authorization (not the authorized entity),
+     may obtain a ticket in its own name (e.g. the ticket is issued in the
+     name of a privelege server), and this entity adds restrictions on its
+     own authority and delegates the restricted authority through a proxy
+     to the client. The client would then present this authorization
+     credential to the application server separately from the
+     authentication exchange. Alternatively, such authorization credentials
+     may be embedded in the ticket authenticating the authorized entity,
+     when the authorization is separately authenticated using the
+     kdc-issued authorization data element (see B.4).
+
+     Similarly, if one specifies the authorization-data field of a proxy
+     and leaves the host addresses blank, the resulting ticket and session
+     key can be treated as a capability. See [Neu93] for some suggested
+     uses of this field.
+
+     The authorization-data field is optional and does not have to be
+     included in a ticket.
+
+5.3.2. Authenticators
+
+An authenticator is a record sent with a ticket to a server to certify the
+client's knowledge of the encryption key in the ticket, to help the server
+detect replays, and to help choose a "true session key" to use with the
+particular session. The encoding is encrypted in the ticket's session key
+shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+
+authenticator-vno
+     This field specifies the version number for the format of the
+     authenticator. This document specifies version 5.
+crealm and cname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+cksum
+     This field contains a checksum of the the applica- tion data that
+     accompanies the KRB_AP_REQ.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+     Its value (before encryption) ranges from 0 to 999999. It often
+     appears along with ctime. The two fields are used together to specify
+     a reasonably accurate timestamp.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+ctime
+     This field contains the current time on the client's host.
+subkey
+     This field contains the client's choice for an encryption key which is
+     to be used to protect this specific application session. Unless an
+     application specifies otherwise, if this field is left out the session
+     key from the ticket will be used.
+seq-number
+     This optional field includes the initial sequence number to be used by
+     the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
+     detect replays (It may also be used by application specific messages).
+     When included in the authenticator this field specifies the initial
+     sequence number for messages from the client to the server. When
+     included in the AP-REP message, the initial sequence number is that
+     for messages from the server to the client. When used in KRB_PRIV or
+     KRB_SAFE messages, it is incremented by one after each message is
+     sent. Sequence numbers fall in the range of 0 through 2^32 - 1 and
+     wrap to zero following the value 2^32 - 1.
+
+     For sequence numbers to adequately support the detection of replays
+     they should be non-repeating, even across connection boundaries. The
+     initial sequence number should be random and uniformly distributed
+     across the full space of possible sequence numbers, so that it cannot
+     be guessed by an attacker and so that it and the successive sequence
+     numbers do not repeat other sequences.
+authorization-data
+     This field is the same as described for the ticket in section 5.3.1.
+     It is optional and will only appear when additional restrictions are
+     to be placed on the use of a ticket, beyond those carried in the
+     ticket itself.
+
+5.4. Specifications for the AS and TGS exchanges
+
+This section specifies the format of the messages used in the exchange
+between the client and the Kerberos server. The format of possible error
+messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+The KRB_KDC_REQ message has no type of its own. Instead, its type is one of
+KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an
+initial ticket or an additional ticket. In either case, the message is sent
+from the client to the Authentication Server to request credentials for a
+service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER,
+                                           -- EncryptionType,
+                                           -- in preference order
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+The fields in this message are:
+
+pvno
+     This field is included in each message, and specifies the protocol
+     version number. This document specifies protocol version 5.
+msg-type
+     This field indicates the type of a protocol message. It will almost
+     always be the same as the application identifier associated with a
+     message. It is included to make the identifier more readily accessible
+     to the application. For the KDC-REQ message, this type will be
+     KRB_AS_REQ or KRB_TGS_REQ.
+padata
+     The padata (pre-authentication data) field contains a sequence of
+     authentication information which may be needed before credentials can
+     be issued or decrypted. In the case of requests for additional tickets
+     (KRB_TGS_REQ), this field will include an element with padata-type of
+     PA-TGS-REQ and data of an authentication header (ticket-granting
+     ticket and authenticator). The checksum in the authenticator (which
+     must be collision-proof) is to be computed over the KDC-REQ-BODY
+     encoding. In most requests for initial authentication (KRB_AS_REQ) and
+     most replies (KDC-REP), the padata field will be left out.
+
+     This field may also contain information needed by certain extensions
+     to the Kerberos protocol. For example, it might be used to initially
+     verify the identity of a client before any response is returned. When
+     this field is used to authenticate or pre-authenticate a request, it
+     should contain a keyed checksum over the KDC-REQ-BODY to bind the
+     pre-authentication data to rest of the request. The KDC, as a matter
+     of policy, may decide whether to honor a KDC-REQ which includes any
+     pre-authentication data that does not contain the checksum field.
+     PA-ENC-TIMESTAMP defines a pre-authentication data type that is used
+     for authenticating a client by way of an encrypted timestamp. This is
+     accomplished with a padata field with padata-type equal to
+     PA-ENC-TIMESTAMP and padata-value defined as follows (query: the
+     checksum is new in this definition. If the optional field will break
+     things we can keep the old PA-ENC-TS-ENC, and define a new alternate
+     form that includes the checksum). :
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+          padata-type     ::= PA-ENC-TIMESTAMP
+          padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+          PA-ENC-TS-ENC   ::= SEQUENCE {
+                          patimestamp[0]     KerberosTime, -- client's time
+                          pausec[1]          INTEGER OPTIONAL,
+                          pachecksum[2]      checksum OPTIONAL
+                                             -- keyed checksum of
+KDC-REQ-BODY
+          }
+
+     with patimestamp containing the client's time and pausec containing
+     the microseconds which may be omitted if a client will not generate
+     more than one request per second. The ciphertext (padata-value)
+     consists of the PA-ENC-TS-ENC sequence, encrypted using the client's
+     secret key.
+
+     [use-specified-kvno item is here for discussion and may be removed] It
+     may also be used by the client to specify the version of a key that is
+     being used for accompanying preauthentication, and/or which should be
+     used to encrypt the reply from the KDC.
+
+     PA-USE-SPECIFIED-KVNO  ::=  Integer
+
+     The KDC should only accept and abide by the value of the
+     use-specified-kvno preauthentication data field when the specified key
+     is still valid and until use of a new key is confirmed. This situation
+     is likely to occur primarily during the period during which an updated
+     key is propagating to other KDC's in a realm.
+
+     The padata field can also contain information needed to help the KDC
+     or the client select the key needed for generating or decrypting the
+     response. This form of the padata is useful for supporting the use of
+     certain token cards with Kerberos. The details of such extensions are
+     specified in separate documents. See [Pat92] for additional uses of
+     this field.
+padata-type
+     The padata-type element of the padata field indicates the way that the
+     padata-value element is to be interpreted. Negative values of
+     padata-type are reserved for unregistered use; non-negative values are
+     used for a registered interpretation of the element type.
+req-body
+     This field is a placeholder delimiting the extent of the remaining
+     fields. If a checksum is to be calculated over the request, it is
+     calculated over an encoding of the KDC-REQ-BODY sequence which is
+     enclosed within the req-body field.
+kdc-options
+     This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
+     KDC and indicates the flags that the client wants set on the tickets
+     as well as other information that is to modify the behavior of the
+     KDC. Where appropriate, the name of an option may be the same as the
+     flag that is set by that option. Although in most case, the bit in the
+     options field will be the same as that in the flags field, this is not
+     guaranteed, so it is not acceptable to simply copy the options field
+     to the flags field. There are various checks that must be made before
+     honoring an option anyway.
+
+     The kdc_options field is a bit-field, where the selected options are
+     indicated by the bit being set (1), and the unselected options and
+     reserved fields being reset (0). The encoding of the bits is specified
+     in section 5.2. The options are described in more detail above in
+     section 2. The meanings of the options are:
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+        Bit(s)    Name                Description
+         0        RESERVED
+                                      Reserved for future  expansion  of
+this
+                                      field.
+
+         1        FORWARDABLE
+                                      The FORWARDABLE  option  indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      forwardable flag set.  It  may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based is also
+for-
+                                      wardable.
+
+         2        FORWARDED
+                                      The FORWARDED option is  only
+specified
+                                      in  a  request  to  the
+ticket-granting
+                                      server and will only be honored  if
+the
+                                      ticket-granting  ticket  in  the
+request
+                                      has  its  FORWARDABLE  bit  set.
+This
+                                      option  indicates that this is a
+request
+                                      for forwarding.  The address(es) of
+the
+                                      host  from which the resulting ticket
+is
+                                      to  be  valid  are   included   in
+the
+                                      addresses field of the request.
+
+         3        PROXIABLE
+                                      The PROXIABLE option indicates that
+the
+                                      ticket to be issued is to have its
+prox-
+                                      iable flag set.  It may only be  set
+on
+                                      the  initial request, or in a
+subsequent
+                                      request if the ticket-granting ticket
+on
+                                      which it is based is also proxiable.
+
+         4        PROXY
+                                      The PROXY option indicates that this
+is
+                                      a request for a proxy.  This option
+will
+                                      only be honored if  the
+ticket-granting
+                                      ticket  in the request has its
+PROXIABLE
+                                      bit set.  The address(es)  of  the
+host
+                                      from which the resulting ticket is to
+be
+                                       valid  are  included  in  the
+addresses
+                                      field of the request.
+
+         5        ALLOW-POSTDATE
+                                      The ALLOW-POSTDATE option indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      MAY-POSTDATE flag set.  It may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based also has
+its
+                                      MAY-POSTDATE flag set.
+
+         6        POSTDATED
+                                      The POSTDATED option indicates that
+this
+                                      is  a  request  for  a postdated
+ticket.
+                                      This option will only be honored if
+the
+                                      ticket-granting  ticket  on  which it
+is
+                                      based has  its  MAY-POSTDATE  flag
+set.
+                                      The  resulting ticket will also have
+its
+                                      INVALID flag set, and that flag  may
+be
+                                      reset by a subsequent request to the
+KDC
+                                      after the starttime in  the  ticket
+has
+                                      been reached.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+         7        UNUSED
+                                      This option is presently unused.
+
+         8        RENEWABLE
+                                      The RENEWABLE option indicates that
+the
+                                      ticket  to  be  issued  is  to  have
+its
+                                      RENEWABLE flag set.  It may only be
+set
+                                      on  the  initial  request,  or  when
+the
+                                      ticket-granting  ticket  on  which
+the
+                                      request  is based is also renewable.
+If
+                                      this option is requested, then the
+rtime
+                                      field   in   the  request  contains
+the
+                                      desired absolute expiration time for
+the
+                                      ticket.
+
+         9       RESERVED
+                                      Reserved for PK-Cross
+
+         10-13     UNUSED
+                                      These options are presently unused.
+
+         14       REQUEST-ANONYMOUS
+                                      The REQUEST-ANONYMOUS  option
+indicates
+                                      that  the  ticket to be issued is not
+to
+                                      identify  the  user  to  which  it
+was
+                                      issued.  Instead, the principal
+identif-
+                                      ier is to be generic,  as  specified
+by
+                                      the  policy  of  the realm (e.g.
+usually
+                                      anonymous@realm).  The  purpose  of
+the
+                                      ticket  is only to securely distribute
+a
+                                      session key, and  not  to  identify
+the
+                                      user.   The ANONYMOUS flag on the
+ticket
+                                      to be returned should be  set.   If
+the
+                                      local  realms  policy  does  not
+permit
+                                      anonymous credentials, the request is
+to
+                                      be rejected.
+
+         15      CANONICALIZE
+                                      The CANONICALIZE option indicates that
+                                      the client will accept the return of a
+                                      true server name instead of the name
+                                      specified in the request. In addition
+                                      the client will be able to process
+                                      any TGT referrals that will direct
+                                      the client to another realm to locate
+                                      the requested server. If a KDC does
+                                      not support name- canonicalization,
+                                      the option is ignored and the
+                                      appropriate
+                                      KDC_ERR_C_PRINCIPAL_UNKNOWN or
+                                      KDC_ERR_S_PRINCIPAL_UNKNOWN error is
+                                      returned. [JBrezak]
+
+         16-25    RESERVED
+                                      Reserved for future use.
+
+         26       DISABLE-TRANSITED-CHECK
+                                      By default the KDC will check the
+                                      transited field of a ticket-granting-
+                                      ticket against the policy of the local
+                                      realm before it will issue derivative
+                                      tickets based on the ticket granting
+                                      ticket.  If this flag is set in the
+                                      request, checking of the transited
+field
+                                      is disabled.  Tickets issued without
+the
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                                      performance of this check will be
+noted
+                                      by the reset (0) value of the
+                                      TRANSITED-POLICY-CHECKED flag,
+                                      indicating to the application server
+                                      that the tranisted field must be
+checked
+                                      locally.  KDC's are encouraged but not
+                                      required to honor the
+                                      DISABLE-TRANSITED-CHECK option.
+
+         27       RENEWABLE-OK
+                                      The RENEWABLE-OK option indicates that
+a
+                                      renewable ticket will be acceptable if
+a
+                                      ticket with the  requested  life
+cannot
+                                      otherwise be provided.  If a ticket
+with
+                                      the requested life cannot  be
+provided,
+                                      then  a  renewable  ticket may be
+issued
+                                      with  a  renew-till  equal  to  the
+the
+                                      requested  endtime.   The  value  of
+the
+                                      renew-till field may still be limited
+by
+                                      local  limits, or limits selected by
+the
+                                      individual principal or server.
+
+         28       ENC-TKT-IN-SKEY
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The
+ENC-TKT-IN-SKEY
+                                      option indicates that the ticket for
+the
+                                      end  server  is  to  be encrypted in
+the
+                                      session key from the additional
+ticket-
+                                      granting ticket provided.
+
+         29       RESERVED
+                                      Reserved for future use.
+
+         30       RENEW
+                                      This option is used only by the
+ticket-
+                                      granting   service.   The  RENEW
+option
+                                      indicates that the  present  request
+is
+                                      for  a  renewal.  The ticket provided
+is
+                                      encrypted in  the  secret  key  for
+the
+                                      server  on  which  it  is  valid.
+This
+                                      option  will  only  be  honored  if
+the
+                                      ticket  to  be renewed has its
+RENEWABLE
+                                      flag set and if the time in  its
+renew-
+                                      till  field  has not passed.  The
+ticket
+                                      to be renewed is passed  in  the
+padata
+                                      field  as  part  of  the
+authentication
+                                      header.
+
+         31       VALIDATE
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The VALIDATE
+option
+                                      indicates that the request is  to
+vali-
+                                      date  a  postdated ticket.  It will
+only
+                                      be honored if the  ticket  presented
+is
+                                      postdated,  presently  has  its
+INVALID
+                                      flag set, and would be otherwise
+usable
+                                      at  this time.  A ticket cannot be
+vali-
+                                      dated before its starttime.  The
+ticket
+                                      presented for validation is encrypted
+in
+                                      the key of the server for  which  it
+is
+                                      valid  and is passed in the padata
+field
+                                      as part of the authentication header.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+cname and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is
+     specified. If absent, the name of the server is taken from the name of
+     the client in the ticket passed as additional-tickets.
+enc-authorization-data
+     The enc-authorization-data, if present (and it can only be present in
+     the TGS_REQ form), is an encoding of the desired authorization-data
+     encrypted under the sub-session key if present in the Authenticator,
+     or alternatively from the session key in the ticket-granting ticket,
+     both from the padata field in the KRB_AP_REQ.
+realm
+     This field specifies the realm part of the server's principal
+     identifier. In the AS exchange, this is also the realm part of the
+     client's principal identifier. If the CANONICALIZE option is set, the
+     realm is used as a hint to the KDC for its database lookup.
+from
+     This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
+     requests when the requested ticket is to be postdated. It specifies
+     the desired start time for the requested ticket. If this field is
+     omitted then the KDC should use the current time instead.
+till
+     This field contains the expiration date requested by the client in a
+     ticket request. It is optional and if omitted the requested ticket is
+     to have the maximum endtime permitted according to KDC policy for the
+     parties to the authentication exchange as limited by expiration date
+     of the ticket granting ticket or other preauthentication credentials.
+rtime
+     This field is the requested renew-till time sent from a client to the
+     KDC in a ticket request. It is optional.
+nonce
+     This field is part of the KDC request and response. It it intended to
+     hold a random number generated by the client. If the same number is
+     included in the encrypted response from the KDC, it provides evidence
+     that the response is fresh and has not been replayed by an attacker.
+     Nonces must never be re-used. Ideally, it should be generated
+     randomly, but if the correct time is known, it may suffice[25].
+etype
+     This field specifies the desired encryption algorithm to be used in
+     the response.
+addresses
+     This field is included in the initial request for tickets, and
+     optionally included in requests for additional tickets from the
+     ticket-granting server. It specifies the addresses from which the
+     requested ticket is to be valid. Normally it includes the addresses
+     for the client's host. If a proxy is requested, this field will
+     contain other addresses. The contents of this field are usually copied
+     by the KDC into the caddr field of the resulting ticket.
+additional-tickets
+     Additional tickets may be optionally included in a request to the
+     ticket-granting server. If the ENC-TKT-IN-SKEY option has been
+     specified, then the session key from the additional ticket will be
+     used in place of the server's key to encrypt the new ticket. When he
+     ENC-TKT-IN-SKEY option is used for user-to-user authentication, this
+     addional ticket may be a TGT issued by the local realm or an
+     inter-realm TGT issued for the current KDC's realm by a remote KDC. If
+     more than one option which requires additional tickets has been
+     specified, then the additional tickets are used in the order specified
+     by the ordering of the options bits (see kdc-options, above).
+
+The application code will be either ten (10) or twelve (12) depending on
+whether the request is for an initial ticket (AS-REQ) or for an additional
+ticket (TGS-REQ).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+The optional fields (addresses, authorization-data and additional-tickets)
+are only included if necessary to perform the operation specified in the
+kdc-options field.
+
+It should be noted that in KRB_TGS_REQ, the protocol version number appears
+twice and two different message types appear: the KRB_TGS_REQ message
+contains these fields as does the authentication header (KRB_AP_REQ) that
+is passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+The KRB_KDC_REP message format is used for the reply from the KDC for
+either an initial (AS) request or a subsequent (TGS) request. There is no
+message type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP
+or KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
+depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
+the client's secret key, and the client's key version number is included in
+the key version number for the encrypted data. For KRB_TGS_REP, the
+ciphertext is encrypted in the sub-session key from the Authenticator, or
+if absent, the session key from the ticket-granting ticket used in the
+request. In that case, no version number will be present in the
+EncryptedData sequence.
+
+The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+              enc-part[6]                EncryptedData
+}
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is either
+     KRB_AS_REP or KRB_TGS_REP.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+padata
+     This field is described in detail in section 5.4.1. One possible use
+     for this field is to encode an alternate "mix-in" string to be used
+     with a string-to-key algorithm (such as is described in section
+     6.3.2). This ability is useful to ease transitions if a realm name
+     needs to change (e.g. when a company is acquired); in such a case all
+     existing password-derived entries in the KDC database would be flagged
+     as needing a special mix-in string until the next password change.
+crealm, cname, srealm and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+ticket
+     The newly-issued ticket, from section 5.3.1.
+enc-part
+     This field is a place holder for the ciphertext and related
+     information that forms the encrypted part of a message. The
+     description of the encrypted part of the message follows each
+     appearance of this field. The encrypted part is encoded as described
+     in section 6.1.
+key
+     This field is the same as described for the ticket in section 5.3.1.
+last-req
+     This field is returned by the KDC and specifies the time(s) of the
+     last request by a principal. Depending on what information is
+     available, this might be the last time that a request for a
+     ticket-granting ticket was made, or the last time that a request based
+     on a ticket-granting ticket was successful. It also might cover all
+     servers for a realm, or just the particular server. Some
+     implementations may display this information to the user to aid in
+     discovering unauthorized use of one's identity. It is similar in
+     spirit to the last login time displayed when logging into timesharing
+     systems.
+nonce
+     This field is described above in section 5.4.1.
+key-expiration
+     The key-expiration field is part of the response from the KDC and
+     specifies the time that the client's secret key is due to expire. The
+     expiration might be the result of password aging or an account
+     expiration. This field will usually be left out of the TGS reply since
+     the response to the TGS request is encrypted in a session key and no
+     client information need be retrieved from the KDC database. It is up
+     to the application client (usually the login program) to take
+     appropriate action (such as notifying the user) if the expiration time
+     is imminent.
+flags, authtime, starttime, endtime, renew-till and caddr
+     These fields are duplicates of those found in the encrypted portion of
+     the attached ticket (see section 5.3.1), provided so the client may
+     verify they match the intended request and to assist in proper ticket
+     caching. If the message is of type KRB_TGS_REP, the caddr field will
+     only be filled in if the request was for a proxy or forwarded ticket,
+     or if the user is substituting a subset of the addresses from the
+     ticket granting ticket. If the client-requested addresses are not
+     present or not used, then the addresses contained in the ticket will
+     be the same as those included in the ticket-granting ticket.
+
+5.5. Client/Server (CS) message specifications
+
+This section specifies the format of the messages used for the
+authentication of the client to the application server.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.5.1. KRB_AP_REQ definition
+
+The KRB_AP_REQ message contains the Kerberos protocol version number, the
+message type KRB_AP_REQ, an options field to indicate any options in use,
+and the ticket and authenticator themselves. The KRB_AP_REQ message is
+often referred to as the 'authentication header'.
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REQ.
+ap-options
+     This field appears in the application request (KRB_AP_REQ) and affects
+     the way the request is processed. It is a bit-field, where the
+     selected options are indicated by the bit being set (1), and the
+     unselected options and reserved fields being reset (0). The encoding
+     of the bits is specified in section 5.2. The meanings of the options
+     are:
+
+	  Bit(s)   Name              Description
+
+	  0        RESERVED
+				     Reserved for future  expansion  of  this
+				     field.
+
+	  1        USE-SESSION-KEY
+				     The  USE-SESSION-KEY  option   indicates
+				     that the ticket the client is presenting
+				     to a server is encrypted in the  session
+				     key  from  the  server's ticket-granting
+				     ticket.  When this option is not  speci-
+				     fied,  the  ticket  is  encrypted in the
+				     server's secret key.
+
+	  2        MUTUAL-REQUIRED
+				     The  MUTUAL-REQUIRED  option  tells  the
+				     server  that  the client requires mutual
+				     authentication, and that it must respond
+				     with a KRB_AP_REP message.
+
+	  3-31     RESERVED
+				     Reserved for future use.
+
+ticket
+     This field is a ticket authenticating the client to the server.
+authenticator
+     This contains the authenticator, which includes the client's choice of
+     a subkey. Its encoding is described in section 5.3.2.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.5.2. KRB_AP_REP definition
+
+The KRB_AP_REP message contains the Kerberos protocol version number, the
+message type, and an encrypted time- stamp. The message is sent in in
+response to an application request (KRB_AP_REQ) where the mutual
+authentication option has been selected in the ap-options field.
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+The encoded EncAPRepPart is encrypted in the shared session key of the
+ticket. The optional subkey field can be used in an application-arranged
+negotiation to choose a per association session key.
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REP.
+enc-part
+     This field is described above in section 5.4.2.
+ctime
+     This field contains the current time on the client's host.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+subkey
+     This field contains an encryption key which is to be used to protect
+     this specific application session. See section 3.2.6 for specifics on
+     how this field is used to negotiate a key. Unless an application
+     specifies otherwise, if this field is left out, the sub-session key
+     from the authenticator, or if also left out, the session key from the
+     ticket will be used.
+
+5.5.3. Error message reply
+
+If an error occurs while processing the application request, the KRB_ERROR
+message will be sent in response. See section 5.9.1 for the format of the
+error message. The cname and crealm fields may be left out if the server
+cannot determine their appropriate values from the corresponding KRB_AP_REQ
+message. If the authenticator was decipherable, the ctime and cusec fields
+will contain the values from it.
+
+5.6. KRB_SAFE message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to send a tamper-proof message to
+its peer. It presumes that a session key has previously been exchanged (for
+example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.6.1. KRB_SAFE definition
+
+The KRB_SAFE message contains user data along with a collision-proof
+checksum keyed with the last encryption key negotiated via subkeys, or the
+session key if no negotiation has occured. The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_SAFE.
+safe-body
+     This field is a placeholder for the body of the KRB-SAFE message.
+cksum
+     This field contains the checksum of the application data. Checksum
+     details are described in section 6.4. The checksum is computed over
+     the encoding of the KRB-SAFE sequence. First, the cksum is zeroed and
+     the checksum is computed over the encoding of the KRB-SAFE sequence,
+     then the checksum is set to the result of that computation, and
+     finally the KRB-SAFE sequence is encoded again.
+user-data
+     This field is part of the KRB_SAFE and KRB_PRIV messages and contain
+     the application specific data that is being passed from the sender to
+     the recipient.
+timestamp
+     This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
+     are the current time as known by the sender of the message. By
+     checking the timestamp, the recipient of the message is able to make
+     sure that it was recently generated, and is not a replay.
+usec
+     This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
+     the microsecond part of the timestamp.
+seq-number
+     This field is described above in section 5.3.2.
+s-address
+     This field specifies the address in use by the sender of the message.
+     It may be omitted if not required by the application protocol. The
+     application designer considering omission of this field is warned,
+     that the inclusion of this address prevents some kinds of replay
+     attacks (e.g., reflection attacks) and that it is only acceptable to
+     omit this address if there is sufficient information in the integrity
+     protected part of the application message for the recipient to
+     unambiguously determine if it was the intended recipient.
+r-address
+     This field specifies the address in use by the recipient of the
+     message. It may be omitted for some uses (such as broadcast
+     protocols), but the recipient may arbitrarily reject such messages.
+     This field along with s-address can be used to help detect messages
+     which have been incorrectly or maliciously delivered to the wrong
+     recipient.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.7. KRB_PRIV message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to securely and privately send a
+message to its peer. It presumes that a session key has previously been
+exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+The KRB_PRIV message contains user data encrypted in the Session Key. The
+message fields are:
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's
+addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's
+addr
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_PRIV.
+enc-part
+     This field holds an encoding of the EncKrbPrivPart sequence encrypted
+     under the session key[32]. This encrypted encoding is used for the
+     enc-part field of the KRB-PRIV message. See section 6 for the format
+     of the ciphertext.
+user-data, timestamp, usec, s-address and r-address
+     These fields are described above in section 5.6.1.
+seq-number
+     This field is described above in section 5.3.2.
+
+5.8. KRB_CRED message specification
+
+This section specifies the format of a message that can be used to send
+Kerberos credentials from one principal to another. It is presented here to
+encourage a common mechanism to be used by applications when forwarding
+tickets or providing proxies to subordinate servers. It presumes that a
+session key has already been exchanged perhaps by using the
+KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+The KRB_CRED message contains a sequence of tickets to be sent and
+information needed to use the tickets, including the session key from each.
+The information needed to use the tickets is encrypted under an encryption
+key previously exchanged or transferred alongside the KRB_CRED message. The
+message fields are:
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_CRED.
+tickets
+     These are the tickets obtained from the KDC specifically for use by
+     the intended recipient. Successive tickets are paired with the
+     corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED
+     message.
+enc-part
+     This field holds an encoding of the EncKrbCredPart sequence encrypted
+     under the session key shared between the sender and the intended
+     recipient. This encrypted encoding is used for the enc-part field of
+     the KRB-CRED message. See section 6 for the format of the ciphertext.
+nonce
+     If practical, an application may require the inclusion of a nonce
+     generated by the recipient of the message. If the same value is
+     included as the nonce in the message, it provides evidence that the
+     message is fresh and has not been replayed by an attacker. A nonce
+     must never be re-used; it should be generated randomly by the
+     recipient of the message and provided to the sender of the message in
+     an application specific manner.
+timestamp and usec
+     These fields specify the time that the KRB-CRED message was generated.
+     The time is used to provide assurance that the message is fresh.
+s-address and r-address
+     These fields are described above in section 5.6.1. They are used
+     optionally to provide additional assurance of the integrity of the
+     KRB-CRED message.
+key
+     This field exists in the corresponding ticket passed by the KRB-CRED
+     message and is used to pass the session key from the sender to the
+     intended recipient. The field's encoding is described in section 6.2.
+
+The following fields are optional. If present, they can be associated with
+the credentials in the remote ticket file. If left out, then it is assumed
+that the recipient of the credentials already knows their value.
+
+prealm and pname
+     The name and realm of the delegated principal identity.
+flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
+     These fields contain the values of the correspond- ing fields from the
+     ticket found in the ticket field. Descriptions of the fields are
+     identical to the descriptions in the KDC-REP message.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.9. Error message specification
+
+This section specifies the format for the KRB_ERROR message. The fields
+included in the message are intended to return as much information as
+possible about an error. It is not expected that all the information
+required by the fields will be available for all types of errors. If the
+appropriate information is not available when the message is composed, the
+corresponding field will be left out of the message.
+
+Note that since the KRB_ERROR message is only optionally integrity
+protected, it is quite possible for an intruder to synthesize or modify
+such a message. In particular, this means that unless appropriate integrity
+protection mechanisms have been applied to the KRB_ERROR message, the
+client should not use any fields in this message for security-critical
+purposes, such as setting a system clock or generating a fresh
+authenticator. The message can be useful, however, for advising a user on
+the reason for some failure.
+
+5.9.1. KRB_ERROR definition
+
+The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL,
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_ERROR.
+ctime
+     This field is described above in section 5.4.1.
+cusec
+     This field is described above in section 5.5.2.
+stime
+     This field contains the current time on the server. It is of type
+     KerberosTime.
+susec
+     This field contains the microsecond part of the server's timestamp.
+     Its value ranges from 0 to 999999. It appears along with stime. The
+     two fields are used in conjunction to specify a reasonably accurate
+     timestamp.
+error-code
+     This field contains the error code returned by Kerberos or the server
+     when a request fails. To interpret the value of this field see the
+     list of error codes in section 8. Implementations are encouraged to
+     provide for national language support in the display of error
+     messages.
+crealm, cname, srealm and sname
+     These fields are described above in section 5.3.1.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+e-text
+     This field contains additional text to help explain the error code
+     associated with the failed request (for example, it might include a
+     principal name which was unknown).
+e-data
+     This field contains additional data about the error for use by the
+     application to help it recover from or handle the error. If present,
+     this field will contain the encoding of a sequence of TypedData
+     (TYPED-DATA below), unless the errorcode is KDC_ERR_PREAUTH_REQUIRED,
+     in which case it will contain the encoding of a sequence of of padata
+     fields (METHOD-DATA below), each corresponding to an acceptable
+     pre-authentication method and optionally containing data for the
+     method:
+
+     TYPED-DATA   ::=   SEQUENCE of TypeData
+     METHOD-DATA  ::=   SEQUENCE of PA-DATA
+
+     TypedData ::=   SEQUENCE {
+                         data-type[0]   INTEGER,
+                         data-value[1]  OCTET STRING OPTIONAL
+     }
+
+     Note that e-data-types have been reserved for all PA data types
+     defined prior to July 1999. For the KDC_ERR_PREAUTH_REQUIRED message,
+     when using new PA data types defined in July 1999 or later, the
+     METHOD-DATA sequence must itself be encapsulated in an TypedData
+     element of type TD-PADATA. All new implementations interpreting the
+     METHOD-DATA field for the KDC_ERR_PREAUTH_REQUIRED message must accept
+     a type of TD-PADATA, extract the typed data field and interpret the
+     use any elements encapsulated in the TD-PADATA elements as if they
+     were present in the METHOD-DATA sequence.
+e-cksum
+     This field contains an optional checksum for the KRB-ERROR message.
+     The checksum is calculated over the Kerberos ASN.1 encoding of the
+     KRB-ERROR message with the checksum absent. The checksum is then added
+     to the KRB-ERROR structure and the message is re-encoded. The Checksum
+     should be calculated using the session key from the ticket granting
+     ticket or service ticket, where available. If the error is in response
+     to a TGS or AP request, the checksum should be calculated uing the the
+     session key from the client's ticket. If the error is in response to
+     an AS request, then the checksum should be calulated using the
+     client's secret key ONLY if there has been suitable preauthentication
+     to prove knowledge of the secret key by the client[33]. If a checksum
+     can not be computed because the key to be used is not available, no
+     checksum will be included.
+
+     6. Encryption and Checksum Specifications
+
+     The Kerberos protocols described in this document are designed to use
+     stream encryption ciphers, which can be simulated using commonly
+     available block encryption ciphers, such as the Data Encryption
+     Standard [DES77], and triple DES variants, in conjunction with block
+     chaining and checksum methods [DESM80]. Encryption is used to prove
+     the identities of the network entities participating in message
+     exchanges. The Key Distribution Center for each realm is trusted by
+     all principals registered in that realm to store a secret key in
+     confidence. Proof of knowledge of this secret key is used to verify
+     the authenticity of a principal.
+
+     The KDC uses the principal's secret key (in the AS exchange) or a
+     shared session key (in the TGS exchange) to encrypt responses to
+     ticket requests; the ability to obtain the secret key or session key
+     implies the knowledge of the appropriate keys and the identity of the
+     KDC. The ability of a principal to decrypt the KDC response and
+     present a Ticket and a properly formed Authenticator (generated with
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     the session key from the KDC response) to a service verifies the
+     identity of the principal; likewise the ability of the service to
+     extract the session key from the Ticket and prove its knowledge
+     thereof in a response verifies the identity of the service.
+
+     The Kerberos protocols generally assume that the encryption used is
+     secure from cryptanalysis; however, in some cases, the order of fields
+     in the encrypted portions of messages are arranged to minimize the
+     effects of poorly chosen keys. It is still important to choose good
+     keys. If keys are derived from user-typed passwords, those passwords
+     need to be well chosen to make brute force attacks more difficult.
+     Poorly chosen keys still make easy targets for intruders.
+
+     The following sections specify the encryption and checksum mechanisms
+     currently defined for Kerberos. The encodings, chaining, and padding
+     requirements for each are described. For encryption methods, it is
+     often desirable to place random information (often referred to as a
+     confounder) at the start of the message. The requirements for a
+     confounder are specified with each encryption mechanism.
+
+     Some encryption systems use a block-chaining method to improve the the
+     security characteristics of the ciphertext. However, these chaining
+     methods often don't provide an integrity check upon decryption. Such
+     systems (such as DES in CBC mode) must be augmented with a checksum of
+     the plain-text which can be verified at decryption and used to detect
+     any tampering or damage. Such checksums should be good at detecting
+     burst errors in the input. If any damage is detected, the decryption
+     routine is expected to return an error indicating the failure of an
+     integrity check. Each encryption type is expected to provide and
+     verify an appropriate checksum. The specification of each encryption
+     method sets out its checksum requirements.
+
+     Finally, where a key is to be derived from a user's password, an
+     algorithm for converting the password to a key of the appropriate type
+     is included. It is desirable for the string to key function to be
+     one-way, and for the mapping to be different in different realms. This
+     is important because users who are registered in more than one realm
+     will often use the same password in each, and it is desirable that an
+     attacker compromising the Kerberos server in one realm not obtain or
+     derive the user's key in another.
+
+     For an discussion of the integrity characteristics of the candidate
+     encryption and checksum methods considered for Kerberos, the reader is
+     referred to [SG92].
+
+     6.1. Encryption Specifications
+
+     The following ASN.1 definition describes all encrypted messages. The
+     enc-part field which appears in the unencrypted part of messages in
+     section 5 is a sequence consisting of an encryption type, an optional
+     key version number, and the ciphertext.
+
+     EncryptedData ::=   SEQUENCE {
+                         etype[0]     INTEGER, -- EncryptionType
+                         kvno[1]      INTEGER OPTIONAL,
+                         cipher[2]    OCTET STRING -- ciphertext
+     }
+
+
+
+     etype
+          This field identifies which encryption algorithm was used to
+          encipher the cipher. Detailed specifications for selected
+          encryption types appear later in this section.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     kvno
+          This field contains the version number of the key under which
+          data is encrypted. It is only present in messages encrypted under
+          long lasting keys, such as principals' secret keys.
+     cipher
+          This field contains the enciphered text, encoded as an OCTET
+          STRING.
+     The cipher field is generated by applying the specified encryption
+     algorithm to data composed of the message and algorithm-specific
+     inputs. Encryption mechanisms defined for use with Kerberos must take
+     sufficient measures to guarantee the integrity of the plaintext, and
+     we recommend they also take measures to protect against precomputed
+     dictionary attacks. If the encryption algorithm is not itself capable
+     of doing so, the protections can often be enhanced by adding a
+     checksum and a confounder.
+
+     The suggested format for the data to be encrypted includes a
+     confounder, a checksum, the encoded plaintext, and any necessary
+     padding. The msg-seq field contains the part of the protocol message
+     described in section 5 which is to be encrypted. The confounder,
+     checksum, and padding are all untagged and untyped, and their length
+     is exactly sufficient to hold the appropriate item. The type and
+     length is implicit and specified by the particular encryption type
+     being used (etype). The format for the data to be encrypted for some
+     methods is described in the following diagram, but other methods may
+     deviate from this layour - so long as the definition of the method
+     defines the layout actually in use.
+
+           +-----------+----------+-------------+-----+
+           |confounder |   check  |   msg-seq   | pad |
+           +-----------+----------+-------------+-----+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     CipherText ::=   ENCRYPTED       SEQUENCE {
+             confounder[0]   UNTAGGED[35] OCTET STRING(conf_length)
+OPTIONAL,
+             check[1]        UNTAGGED OCTET STRING(checksum_length)
+OPTIONAL,
+             msg-seq[2]      MsgSequence,
+             pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+     }
+
+     One generates a random confounder of the appropriate length, placing
+     it in confounder; zeroes out check; calculates the appropriate
+     checksum over confounder, check, and msg-seq, placing the result in
+     check; adds the necessary padding; then encrypts using the specified
+     encryption type and the appropriate key.
+
+     Unless otherwise specified, a definition of an encryption algorithm
+     that specifies a checksum, a length for the confounder field, or an
+     octet boundary for padding uses this ciphertext format[36]. Those
+     fields which are not specified will be omitted.
+
+     In the interest of allowing all implementations using a particular
+     encryption type to communicate with all others using that type, the
+     specification of an encryption type defines any checksum that is
+     needed as part of the encryption process. If an alternative checksum
+     is to be used, a new encryption type must be defined.
+
+     Some cryptosystems require additional information beyond the key and
+     the data to be encrypted. For example, DES, when used in
+     cipher-block-chaining mode, requires an initialization vector. If
+     required, the description for each encryption type must specify the
+     source of such additional information. 6.2. Encryption Keys
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     The sequence below shows the encoding of an encryption key:
+
+            EncryptionKey ::=   SEQUENCE {
+                                keytype[0]    INTEGER,
+                                keyvalue[1]   OCTET STRING
+            }
+
+     keytype
+          This field specifies the type of encryption that is to be
+          performed using the key that follows in the keyvalue field. It
+          will always correspond to the etype to be used to generate or
+          decode the EncryptedData. In cases when multiple algorithms use a
+          common kind of key (e.g., if the encryption algorithm uses an
+          alternate checksum algorithm for an integrity check, or a
+          different chaining mechanism), the keytype provides information
+          needed to determine which algorithm is to be used.
+     keyvalue
+          This field contains the key itself, encoded as an octet string.
+     All negative values for the encryption key type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpreta- tions.
+
+     6.3. Encryption Systems
+
+     6.3.1. The NULL Encryption System (null)
+
+     If no encryption is in use, the encryption system is said to be the
+     NULL encryption system. In the NULL encryption system there is no
+     checksum, confounder or padding. The ciphertext is simply the
+     plaintext. The NULL Key is used by the null encryption system and is
+     zero octets in length, with keytype zero (0).
+
+     6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+     The des-cbc-crc encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. A CRC-32 checksum (described in ISO 3309 [ISO3309]) is
+     applied to the confounder and message sequence (msg-seq) and placed in
+     the cksum field. DES blocks are 8 bytes. As a result, the data to be
+     encrypted (the concatenation of confounder, checksum, and message)
+     must be padded to an 8 byte boundary before encryption. The details of
+     the encryption of this data are identical to those for the des-cbc-md5
+     encryption mode.
+
+     Note that, since the CRC-32 checksum is not collision-proof, an
+     attacker could use a probabilistic chosen-plaintext attack to generate
+     a valid message even if a confounder is used [SG92]. The use of
+     collision-proof checksums is recommended for environments where such
+     attacks represent a significant threat. The use of the CRC-32 as the
+     checksum for ticket or authenticator is no longer mandated as an
+     interoperability requirement for Kerberos Version 5 Specification 1
+     (See section 9.1 for specific details).
+
+     6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+     The des-cbc-md4 encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. An MD4 checksum (described in [MD492]) is applied to the
+     confounder and message sequence (msg-seq) and placed in the cksum
+     field. DES blocks are 8 bytes. As a result, the data to be encrypted
+     (the concatenation of confounder, checksum, and message) must be
+     padded to an 8 byte boundary before encryption. The details of the
+     encryption of this data are identical to those for the des-cbc-md5
+     encryption mode.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+     The des-cbc-md5 encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. An MD5 checksum (described in [MD5-92].) is applied to the
+     confounder and message sequence (msg-seq) and placed in the cksum
+     field. DES blocks are 8 bytes. As a result, the data to be encrypted
+     (the concatenation of confounder, checksum, and message) must be
+     padded to an 8 byte boundary before encryption.
+
+     Plaintext and DES ciphtertext are encoded as blocks of 8 octets which
+     are concatenated to make the 64-bit inputs for the DES algorithms. The
+     first octet supplies the 8 most significant bits (with the octet's
+     MSbit used as the DES input block's MSbit, etc.), the second octet the
+     next 8 bits, ..., and the eighth octet supplies the 8 least
+     significant bits.
+
+     Encryption under DES using cipher block chaining requires an
+     additional input in the form of an initialization vector. Unless
+     otherwise specified, zero should be used as the initialization vector.
+     Kerberos' use of DES requires an 8 octet confounder.
+
+     The DES specifications identify some 'weak' and 'semi-weak' keys;
+     those keys shall not be used for encrypting messages for use in
+     Kerberos. Additionally, because of the way that keys are derived for
+     the encryption of checksums, keys shall not be used that yield 'weak'
+     or 'semi-weak' keys when eXclusive-ORed with the hexadecimal constant
+     F0F0F0F0F0F0F0F0.
+
+     A DES key is 8 octets of data, with keytype one (1). This consists of
+     56 bits of key, and 8 parity bits (one per octet). The key is encoded
+     as a series of 8 octets written in MSB-first order. The bits within
+     the key are also encoded in MSB order. For example, if the encryption
+     key is (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
+     where B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8
+     are the parity bits, the first octet of the key would be
+     B1,B2,...,B7,P1 (with B1 as the MSbit). [See the FIPS 81 introduction
+     for reference.]
+
+     String to key transformation
+
+     To generate a DES key from a text string (password), a "salt" is
+     concatenated to the text string, and then padded with ASCII nulls to
+     an 8 byte boundary. This "salt" is normally the realm and each
+     component of the principal's name appended. However, sometimes
+     different salts are used --- for example, when a realm is renamed, or
+     if a user changes her username, or for compatibility with Kerberos V4
+     (whose string-to-key algorithm uses a null string for the salt). This
+     string is then fan-folded and eXclusive-ORed with itself to form an 8
+     byte DES key. Before eXclusive-ORing a block, every byte is shifted
+     one bit to the left to leave the lowest bit zero. The key is the
+     "corrected" by correcting the parity on the key, and if the key
+     matches a 'weak' or 'semi-weak' key as described in the DES
+     specification, it is eXclusive-ORed with the constant
+     00000000000000F0. This key is then used to generate a DES CBC checksum
+     on the initial string (with the salt appended). The result of the CBC
+     checksum is the "corrected" as described above to form the result
+     which is return as the key. Pseudocode follows:
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+          name_to_default_salt(realm, name) {
+               s = realm
+               for(each component in name) {
+                    s = s + component;
+               }
+               return s;
+          }
+
+          key_correction(key) {
+               fixparity(key);
+               if (is_weak_key_key(key))
+                    key = key XOR 0xF0;
+               return(key);
+          }
+
+          string_to_key(string,salt) {
+
+               odd = 1;
+               s = string + salt;
+               tempkey = NULL;
+               pad(s); /* with nulls to 8 byte boundary */
+               for(8byteblock in s) {
+                    if(odd == 0)  {
+                        odd = 1;
+                        reverse(8byteblock)
+                    }
+                    else odd = 0;
+                    left shift every byte in 8byteblock one bit;
+                    tempkey = tempkey XOR 8byteblock;
+               }
+               tempkey = key_correction(tempkey);
+               key = key_correction(DES-CBC-check(s,tempkey));
+               return(key);
+          }
+
+     6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with and
+     without Key Derivation [Original draft by Marc Horowitz, revisions by
+     David Miller]
+
+          There are still a few pieces of this specification to be included
+          by falue, rather than by reference. This will be done before the
+          Pittsburgh IETF.
+     This encryption type is based on the Triple DES cryptosystem, the
+     HMAC-SHA1 [Krawczyk96] message authentication algorithm, and key
+     derivation for Kerberos V5 [HorowitzB96]. Key derivation may or may
+     not be used in conjunction with the use of Triple DES keys.
+
+     Algorithm Identifiers
+
+     The des3-cbc-hmac-sha1 encryption type has been assigned the value 7.
+     The des3-cbc-hmac-sha1-kd encryption type, specifying the key
+     derivation variant of the encryption type, has been assigned the value
+     16. The hmac-sha1-des3 checksum type has been assigned the value 13.
+     The hmac-sha1-des3-kd checksum type, specifying the key derivation
+     variant of the checksum, has been assigned the value 12.
+
+     Triple DES Key Production
+
+     The EncryptionKey value is 24 octets long. The 7 most significant bits
+     of each octet contain key bits, and the least significant bit is the
+     inverse of the xor of the key bits.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     For the purposes of key derivation, the block size is 64 bits, and the
+     key size is 168 bits. The 168 bits output by key derivation are
+     converted to an EncryptionKey value as follows. First, the 168 bits
+     are divided into three groups of 56 bits, which are expanded
+     individually into 64 bits as follows:
+
+      1  2  3  4  5  6  7  p
+      9 10 11 12 13 14 15  p
+     17 18 19 20 21 22 23  p
+     25 26 27 28 29 30 31  p
+     33 34 35 36 37 38 39  p
+     41 42 43 44 45 46 47  p
+     49 50 51 52 53 54 55  p
+     56 48 40 32 24 16  8  p
+
+     The "p" bits are parity bits computed over the data bits. The output
+     of the three expansions are concatenated to form the EncryptionKey
+     value.
+
+     When the HMAC-SHA1 of a string is computed, the key is used in the
+     EncryptedKey form.
+
+     The string-to-key function is used to tranform UNICODE passwords into
+     DES3 keys. The DES3 string-to-key function relies on the "N-fold"
+     algorithm, which is detailed in [9]. The description of the N-fold
+     algorithm in that document is as follows:
+        o To n-fold a number X, replicate the input value to a length that
+          is the least common multiple of n and the length of X. Before
+          each repetition, the input is rotated to the right by 13 bit
+          positions. The successive n-bit chunks are added together using
+          1's-complement addition (that is, addition with end-around carry)
+          to yield an n-bit result"
+        o The n-fold algorithm, as with DES string-to-key, is applied to
+          the password string concatenated with a salt value. The salt
+          value is derived in the same was as for the DES string-to-key
+          algorithm. For 3-key triple DES then, the operation will involve
+          a 168-fold of the input password string. The remainder of the
+          string-to-key function for DES3 is shown here in pseudocode:
+
+     DES3string-to-key(passwordString, key)
+
+         salt = name_to_default_salt(realm, name)
+         s = passwordString + salt
+         tmpKey1 = 168-fold(s)
+         parityFix(tmpKey1);
+         if not weakKey(tmpKey1)
+             /*
+              * Encrypt temp key in itself with a
+              * zero initialization vector
+              *
+              * Function signature is DES3encrypt(plain, key, iv)
+              * with cipher as the return value
+              */
+             tmpKey2 = DES3encrypt(tmpKey1, tmpKey1, zeroIvec)
+             /*
+              * Encrypt resultant temp key in itself with third component
+              * of first temp key as initialization vector
+              */
+             key = DES3encrypt(tmpKey2, tmpKey1, tmpKey1[2])
+             parityFix(key)
+             if not weakKey(key)
+                  return SUCCESS
+             else
+                  return FAILURE
+         else
+             return FAILURE
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     The weakKey function above is the same weakKey function used with DES
+     keys, but applied to each of the three single DES keys that comprise
+     the triple DES key.
+
+     The lengths of UNICODE encoded character strings include the trailing
+     terminator character (0).
+
+     Encryption Types des3-cbc-hmac-sha1 and des3-cbc-hmac-sha1-kd
+
+     EncryptedData using this type must be generated as described in
+     [Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC
+     mode. The checksum algorithm is HMAC-SHA1. If the key derivation
+     variant of the encryption type is used, encryption key values are
+     modified according to the method under the Key Derivation section
+     below.
+
+     Unless otherwise specified, a zero IV must be used.
+
+     If the length of the input data is not a multiple of the block size,
+     zero octets must be used to pad the plaintext to the next eight-octet
+     boundary. The counfounder must be eight random octets (one block).
+
+     Checksum Types hmac-sha1-des3 and hmac-sha1-des3-kd
+
+     Checksums using this type must be generated as described in
+     [Horowitz96]. The keyed hash algorithm is HMAC-SHA1. If the key
+     derivation variant of the checksum type is used, checksum key values
+     are modified according to the method under the Key Derivation section
+     below.
+
+     Key Derivation
+
+     In the Kerberos protocol, cryptographic keys are used in a number of
+     places. In order to minimize the effect of compromising a key, it is
+     desirable to use a different key for each of these places. Key
+     derivation [Horowitz96] can be used to construct different keys for
+     each operation from the keys transported on the network. For this to
+     be possible, a small change to the specification is necessary.
+
+     This section specifies a profile for the use of key derivation
+     [Horowitz96] with Kerberos. For each place where a key is used, a
+     ``key usage'' must is specified for that purpose. The key, key usage,
+     and encryption/checksum type together describe the transformation from
+     plaintext to ciphertext, or plaintext to checksum.
+
+     Key Usage Values
+
+     This is a complete list of places keys are used in the kerberos
+     protocol, with key usage values and RFC 1510 section numbers:
+
+      1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+         client key (section 5.4.1)
+      2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+         application session key), encrypted with the service key
+         (section 5.4.2)
+      3. AS-REP encrypted part (includes tgs session key or application
+         session key), encrypted with the client key (section 5.4.2)
+      4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+         session key (section 5.4.1)
+      5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+         authenticator subkey (section 5.4.1)
+      6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+         with the tgs session key (sections 5.3.2, 5.4.1)
+      7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+         authenticator subkey), encrypted with the tgs session key
+         (section 5.3.2)
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+      8. TGS-REP encrypted part (includes application session key),
+         encrypted with the tgs session key (section 5.4.2)
+      9. TGS-REP encrypted part (includes application session key),
+         encrypted with the tgs authenticator subkey (section 5.4.2)
+     10. AP-REQ Authenticator cksum, keyed with the application session
+         key (section 5.3.2)
+     11. AP-REQ Authenticator (includes application authenticator
+         subkey), encrypted with the application session key (section
+         5.3.2)
+     12. AP-REP encrypted part (includes application session subkey),
+         encrypted with the application session key (section 5.5.2)
+     13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+         application (section 5.7.1)
+     14. KRB-CRED encrypted part, encrypted with a key chosen by the
+         application (section 5.6.1)
+     15. KRB-SAVE cksum, keyed with a key chosen by the application
+         (section 5.8.1)
+     18. KRB-ERROR checksum (e-cksum in section 5.9.1)
+     19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
+     20. Checksum for Mandatory Ticket Extensions (appendix B.6)
+     21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
+
+     Key usage values between 1024 and 2047 (inclusive) are reserved for
+     application use. Applications should use even values for encryption
+     and odd values for checksums within this range.
+
+     A few of these key usages need a little clarification. A service which
+     receives an AP-REQ has no way to know if the enclosed Ticket was part
+     of an AS-REP or TGS-REP. Therefore, key usage 2 must always be used
+     for generating a Ticket, whether it is in response to an AS- REQ or
+     TGS-REQ.
+
+     There might exist other documents which define protocols in terms of
+     the RFC1510 encryption types or checksum types. Such documents would
+     not know about key usages. In order that these documents continue to
+     be meaningful until they are updated, key usages 1024 and 1025 must be
+     used to derive keys for encryption and checksums, respectively. New
+     protocols defined in terms of the Kerberos encryption and checksum
+     types should use their own key usages. Key usages may be registered
+     with IANA to avoid conflicts. Key usages must be unsigned 32 bit
+     integers. Zero is not permitted.
+
+     Defining Cryptosystems Using Key Derivation
+
+     Kerberos requires that the ciphertext component of EncryptedData be
+     tamper-resistant as well as confidential. This implies encryption and
+     integrity functions, which must each use their own separate keys. So,
+     for each key usage, two keys must be generated, one for encryption
+     (Ke), and one for integrity (Ki):
+
+           Ke = DK(protocol key, key usage | 0xAA)
+           Ki = DK(protocol key, key usage | 0x55)
+
+     where the protocol key is from the EncryptionKey from the wire
+     protocol, and the key usage is represented as a 32 bit integer in
+     network byte order. The ciphertest must be generated from the
+     plaintext as follows:
+
+        ciphertext = E(Ke, confounder | plaintext | padding) |
+                     H(Ki, confounder | plaintext | padding)
+
+     The confounder and padding are specific to the encryption algorithm E.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     When generating a checksum only, there is no need for a confounder or
+     padding. Again, a new key (Kc) must be used. Checksums must be
+     generated from the plaintext as follows:
+
+           Kc = DK(protocol key, key usage | 0x99)
+           MAC = H(Kc, plaintext)
+
+     Note that each enctype is described by an encryption algorithm E and a
+     keyed hash algorithm H, and each checksum type is described by a keyed
+     hash algorithm H. HMAC, with an appropriate hash, is required for use
+     as H.
+
+     Key Derivation from Passwords
+
+     The well-known constant for password key derivation must be the byte
+     string {0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values
+     correspond to the ASCII encoding for the string "kerberos".
+
+     6.4. Checksums
+
+     The following is the ASN.1 definition used for a checksum:
+
+              Checksum ::=   SEQUENCE {
+                             cksumtype[0]   INTEGER,
+                             checksum[1]    OCTET STRING
+              }
+
+     cksumtype
+          This field indicates the algorithm used to generate the
+          accompanying checksum.
+     checksum
+          This field contains the checksum itself, encoded as an octet
+          string.
+     Detailed specification of selected checksum types appear later in this
+     section. Negative values for the checksum type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpretations.
+
+     Checksums used by Kerberos can be classified by two properties:
+     whether they are collision-proof, and whether they are keyed. It is
+     infeasible to find two plaintexts which generate the same checksum
+     value for a collision-proof checksum. A key is required to perturb or
+     initialize the algorithm in a keyed checksum. To prevent
+     message-stream modification by an active attacker, unkeyed checksums
+     should only be used when the checksum and message will be subsequently
+     encrypted (e.g. the checksums defined as part of the encryption
+     algorithms covered earlier in this section).
+
+     Collision-proof checksums can be made tamper-proof if the checksum
+     value is encrypted before inclusion in a message. In such cases, the
+     composition of the checksum and the encryption algorithm must be
+     considered a separate checksum algorithm (e.g. RSA-MD5 encrypted using
+     DES is a new checksum algorithm of type RSA-MD5-DES). For most keyed
+     checksums, as well as for the encrypted forms of unkeyed
+     collision-proof checksums, Kerberos prepends a confounder before the
+     checksum is calculated.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     6.4.1. The CRC-32 Checksum (crc32)
+
+     The CRC-32 checksum calculates a checksum based on a cyclic redundancy
+     check as described in ISO 3309 [ISO3309]. The resulting checksum is
+     four (4) octets in length. The CRC-32 is neither keyed nor
+     collision-proof. The use of this checksum is not recommended. An
+     attacker using a probabilistic chosen-plaintext attack as described in
+     [SG92] might be able to generate an alternative message that satisfies
+     the checksum. The use of collision-proof checksums is recommended for
+     environments where such attacks represent a significant threat.
+
+     6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+     The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
+     [MD4-92]. The algorithm takes as input an input message of arbitrary
+     length and produces as output a 128-bit (16 octet) checksum. RSA-MD4
+     is believed to be collision-proof.
+
+     6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
+
+     The RSA-MD4-DES checksum calculates a keyed collision-proof checksum
+     by prepending an 8 octet confounder before the text, applying the RSA
+     MD4 checksum algorithm, and encrypting the confounder and the checksum
+     using DES in cipher-block-chaining (CBC) mode using a variant of the
+     key, where the variant is computed by eXclusive-ORing the key with the
+     constant F0F0F0F0F0F0F0F0[39]. The initialization vector should be
+     zero. The resulting checksum is 24 octets long (8 octets of which are
+     redundant). This checksum is tamper-proof and believed to be
+     collision-proof.
+
+     The DES specifications identify some weak keys' and 'semi-weak keys';
+     those keys shall not be used for generating RSA-MD4 checksums for use
+     in Kerberos.
+
+     The format for the checksum is described in the follow- ing diagram:
+
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+     |  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)
+|
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                                confounder[0]   UNTAGGED OCTET STRING(8),
+                                check[1]        UNTAGGED OCTET STRING(16)
+     }
+
+     6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+     The RSA-MD5 checksum calculates a checksum using the RSA MD5
+     algorithm. [MD5-92]. The algorithm takes as input an input message of
+     arbitrary length and produces as output a 128-bit (16 octet) checksum.
+     RSA-MD5 is believed to be collision-proof.
+
+     6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
+
+     The RSA-MD5-DES checksum calculates a keyed collision-proof checksum
+     by prepending an 8 octet confounder before the text, applying the RSA
+     MD5 checksum algorithm, and encrypting the confounder and the checksum
+     using DES in cipher-block-chaining (CBC) mode using a variant of the
+     key, where the variant is computed by eXclusive-ORing the key with the
+     hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector
+     should be zero. The resulting checksum is 24 octets long (8 octets of
+     which are redundant). This checksum is tamper-proof and believed to be
+     collision-proof.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     The DES specifications identify some 'weak keys' and 'semi-weak keys';
+     those keys shall not be used for encrypting RSA-MD5 checksums for use
+     in Kerberos.
+
+     The format for the checksum is described in the following diagram:
+
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+     |  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)
+|
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                                confounder[0]   UNTAGGED OCTET STRING(8),
+                                check[1]        UNTAGGED OCTET STRING(16)
+     }
+
+     6.4.6. DES cipher-block chained checksum (des-mac)
+
+     The DES-MAC checksum is computed by prepending an 8 octet confounder
+     to the plaintext, performing a DES CBC-mode encryption on the result
+     using the key and an initialization vector of zero, taking the last
+     block of the ciphertext, prepending the same confounder and encrypting
+     the pair using DES in cipher-block-chaining (CBC) mode using a a
+     variant of the key, where the variant is computed by eXclusive-ORing
+     the key with the hexadecimal constant F0F0F0F0F0F0F0F0. The
+     initialization vector should be zero. The resulting checksum is 128
+     bits (16 octets) long, 64 bits of which are redundant. This checksum
+     is tamper-proof and collision-proof.
+
+     The format for the checksum is described in the following diagram:
+
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+     |   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0)
+|
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                            confounder[0]   UNTAGGED OCTET STRING(8),
+                            check[1]        UNTAGGED OCTET STRING(8)
+     }
+
+     The DES specifications identify some 'weak' and 'semi-weak' keys;
+     those keys shall not be used for generating DES-MAC checksums for use
+     in Kerberos, nor shall a key be used whose variant is 'weak' or
+     'semi-weak'.
+
+     6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative
+     (rsa-md4-des-k)
+
+     The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum
+     by applying the RSA MD4 checksum algorithm and encrypting the results
+     using DES in cipher-block-chaining (CBC) mode using a DES key as both
+     key and initialization vector. The resulting checksum is 16 octets
+     long. This checksum is tamper-proof and believed to be
+     collision-proof. Note that this checksum type is the old method for
+     encoding the RSA-MD4-DES checksum and it is no longer recommended.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
+
+     The DES-MAC-K checksum is computed by performing a DES CBC-mode
+     encryption of the plaintext, and using the last block of the
+     ciphertext as the checksum value. It is keyed with an encryption key
+     and an initialization vector; any uses which do not specify an
+     additional initialization vector will use the key as both key and
+     initialization vector. The resulting checksum is 64 bits (8 octets)
+     long. This checksum is tamper-proof and collision-proof. Note that
+     this checksum type is the old method for encoding the DES-MAC checksum
+     and it is no longer recommended. The DES specifications identify some
+     'weak keys' and 'semi-weak keys'; those keys shall not be used for
+     generating DES-MAC checksums for use in Kerberos.
+
+     7. Naming Constraints
+
+     7.1. Realm Names
+
+     Although realm names are encoded as GeneralStrings and although a
+     realm can technically select any name it chooses, interoperability
+     across realm boundaries requires agreement on how realm names are to
+     be assigned, and what information they imply.
+
+     To enforce these conventions, each realm must conform to the
+     conventions itself, and it must require that any realms with which
+     inter-realm keys are shared also conform to the conventions and
+     require the same from its neighbors.
+
+     Kerberos realm names are case sensitive. Realm names that differ only
+     in the case of the characters are not equivalent. There are presently
+     four styles of realm names: domain, X500, other, and reserved.
+     Examples of each style follow:
+
+          domain:   ATHENA.MIT.EDU (example)
+            X500:   C=US/O=OSF (example)
+           other:   NAMETYPE:rest/of.name=without-restrictions (example)
+        reserved:   reserved, but will not conflict with above
+
+     Domain names must look like domain names: they consist of components
+     separated by periods (.) and they contain neither colons (:) nor
+     slashes (/). Though domain names themselves are case insensitive, in
+     order for realms to match, the case must match as well. When
+     establishing a new realm name based on an internet domain name it is
+     recommended by convention that the characters be converted to upper
+     case.
+
+     X.500 names contain an equal (=) and cannot contain a colon (:) before
+     the equal. The realm names for X.500 names will be string
+     representations of the names with components separated by slashes.
+     Leading and trailing slashes will not be included.
+
+     Names that fall into the other category must begin with a prefix that
+     contains no equal (=) or period (.) and the prefix must be followed by
+     a colon (:) and the rest of the name. All prefixes must be assigned
+     before they may be used. Presently none are assigned.
+
+     The reserved category includes strings which do not fall into the
+     first three categories. All names in this category are reserved. It is
+     unlikely that names will be assigned to this category unless there is
+     a very strong argument for not using the 'other' category.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     These rules guarantee that there will be no conflicts between the
+     various name styles. The following additional constraints apply to the
+     assignment of realm names in the domain and X.500 categories: the name
+     of a realm for the domain or X.500 formats must either be used by the
+     organization owning (to whom it was assigned) an Internet domain name
+     or X.500 name, or in the case that no such names are registered,
+     authority to use a realm name may be derived from the authority of the
+     parent realm. For example, if there is no domain name for E40.MIT.EDU,
+     then the administrator of the MIT.EDU realm can authorize the creation
+     of a realm with that name.
+
+     This is acceptable because the organization to which the parent is
+     assigned is presumably the organization authorized to assign names to
+     its children in the X.500 and domain name systems as well. If the
+     parent assigns a realm name without also registering it in the domain
+     name or X.500 hierarchy, it is the parent's responsibility to make
+     sure that there will not in the future exists a name identical to the
+     realm name of the child unless it is assigned to the same entity as
+     the realm name.
+
+     7.2. Principal Names
+
+     As was the case for realm names, conventions are needed to ensure that
+     all agree on what information is implied by a principal name. The
+     name-type field that is part of the principal name indicates the kind
+     of information implied by the name. The name-type should be treated as
+     a hint. Ignoring the name type, no two names can be the same (i.e. at
+     least one of the components, or the realm, must be different). The
+     following name types are defined:
+
+     name-type      value   meaning
+
+    NT-UNKNOWN        0   Name type not known
+    NT-PRINCIPAL      1   General principal name (e.g. username, DCE
+principal)
+    NT-SRV-INST       2   Service and other unique instance (krbtgt)
+    NT-SRV-HST        3   Service with host name as instance (telnet, rcmds)
+    NT-SRV-XHST       4   Service with slash-separated host name components
+    NT-UID            5   Unique ID
+    NT-X500-PRINCIPAL 6   Encoded X.509 Distingished name [RFC 1779]
+    NT-SMTP-NAME      7   Name in form of SMTP email name (e.g.
+user@foo.com)
+
+     When a name implies no information other than its uniqueness at a
+     particular time the name type PRINCIPAL should be used. The principal
+     name type should be used for users, and it might also be used for a
+     unique server. If the name is a unique machine generated ID that is
+     guaranteed never to be reassigned then the name type of UID should be
+     used (note that it is generally a bad idea to reassign names of any
+     type since stale entries might remain in access control lists).
+
+     If the first component of a name identifies a service and the
+     remaining components identify an instance of the service in a server
+     specified manner, then the name type of SRV-INST should be used. An
+     example of this name type is the Kerberos ticket-granting service
+     whose name has a first component of krbtgt and a second component
+     identifying the realm for which the ticket is valid.
+
+     If instance is a single component following the service name and the
+     instance identifies the host on which the server is running, then the
+     name type SRV-HST should be used. This type is typically used for
+     Internet services such as telnet and the Berkeley R commands. If the
+     separate components of the host name appear as successive components
+     following the name of the service, then the name type SRV-XHST should
+     be used. This type might be used to identify servers on hosts with
+     X.500 names where the slash (/) might otherwise be ambiguous.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     A name type of NT-X500-PRINCIPAL should be used when a name from an
+     X.509 certificiate is translated into a Kerberos name. The encoding of
+     the X.509 name as a Kerberos principal shall conform to the encoding
+     rules specified in RFC 2253.
+
+     A name type of SMTP allows a name to be of a form that resembles a
+     SMTP email name. This name type can be used in conjunction with
+     name-canonicalization to allow a free-form of username to be specified
+     as a client name and allow the KDC to determine the Kerberos principal
+     name for the requested name. [JBrezak]
+
+     A name type of UNKNOWN should be used when the form of the name is not
+     known. When comparing names, a name of type UNKNOWN will match
+     principals authenticated with names of any type. A principal
+     authenticated with a name of type UNKNOWN, however, will only match
+     other names of type UNKNOWN.
+
+     Names of any type with an initial component of 'krbtgt' are reserved
+     for the Kerberos ticket granting service. See section 8.2.3 for the
+     form of such names.
+
+     7.2.1. Name of server principals
+
+     The principal identifier for a server on a host will generally be
+     composed of two parts: (1) the realm of the KDC with which the server
+     is registered, and (2) a two-component name of type NT-SRV-HST if the
+     host name is an Internet domain name or a multi-component name of type
+     NT-SRV-XHST if the name of the host is of a form such as X.500 that
+     allows slash (/) separators. The first component of the two- or
+     multi-component name will identify the service and the latter
+     components will identify the host. Where the name of the host is not
+     case sensitive (for example, with Internet domain names) the name of
+     the host must be lower case. If specified by the application protocol
+     for services such as telnet and the Berkeley R commands which run with
+     system privileges, the first component may be the string 'host'
+     instead of a service specific identifier. When a host has an official
+     name and one or more aliases, the official name of the host must be
+     used when constructing the name of the server principal.
+
+     8. Constants and other defined values
+
+     8.1. Host address types
+
+     All negative values for the host address type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpretations.
+
+     The values of the types for the following addresses are chosen to
+     match the defined address family constants in the Berkeley Standard
+     Distributions of Unix. They can be found in with symbolic names AF_xxx
+     (where xxx is an abbreviation of the address family name).
+
+     Internet (IPv4) Addresses
+
+     Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in
+     MSB order. The type of IPv4 addresses is two (2).
+
+     Internet (IPv6) Addresses [Westerlund]
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB
+     order. The type of IPv6 addresses is twenty-four (24). [RFC1883]
+     [RFC1884]. The following addresses (see [RFC1884]) MUST not appear in
+     any Kerberos packet:
+        o the Unspecified Address
+        o the Loopback Address
+        o Link-Local addresses
+     IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+     CHAOSnet addresses
+
+     CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB
+     order. The type of CHAOSnet addresses is five (5).
+
+     ISO addresses
+
+     ISO addresses are variable-length. The type of ISO addresses is seven
+     (7).
+
+     Xerox Network Services (XNS) addresses
+
+     XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order.
+     The type of XNS addresses is six (6).
+
+     AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+     AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit
+     network number. The first octet of the address is the node number; the
+     remaining two octets encode the network number in MSB order. The type
+     of AppleTalk DDP addresses is sixteen (16).
+
+     DECnet Phase IV addresses
+
+     DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order.
+     The type of DECnet Phase IV addresses is twelve (12).
+
+     Netbios addresses
+
+     Netbios addresses are 16-octet addresses typically composed of 1 to 15
+     characters, trailing blank (ascii char 20) filled, with a 16th octet
+     of 0x0. The type of Netbios addresses is 20 (0x14).
+
+     8.2. KDC messages
+
+     8.2.1. UDP/IP transport
+
+     When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request
+     using UDP IP transport, the client shall send a UDP datagram
+     containing only an encoding of the request to port 88 (decimal) at the
+     KDC's IP address; the KDC will respond with a reply datagram
+     containing only an encoding of the reply message (either a KRB_ERROR
+     or a KRB_KDC_REP) to the sending port at the sender's IP address.
+     Kerberos servers supporting IP transport must accept UDP requests on
+     port 88 (decimal). The response to a request made through UDP/IP
+     transport must also use UDP/IP transport.
+
+     8.2.2. TCP/IP transport [Westerlund,Danielsson]
+
+     Kerberos servers (KDC's) should accept TCP requests on port 88
+     (decimal) and clients should support the sending of TCP requests on
+     port 88 (decimal). When the KRB_KDC_REQ message is sent to the KDC
+     over a TCP stream, a new connection will be established for each
+     authentication exchange (request and response). The KRB_KDC_REP or
+     KRB_ERROR message will be returned to the client on the same TCP
+     stream that was established for the request. The response to a request
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     made through TCP/IP transport must also use TCP/IP transport.
+     Implementors should note that some extentions to the Kerberos protocol
+     will not work if any implementation not supporting the TCP transport
+     is involved (client or KDC). Implementors are strongly urged to
+     support the TCP transport on both the client and server and are
+     advised that the current notation of "should" support will likely
+     change in the future to must support. The KDC may close the TCP stream
+     after sending a response, but may leave the stream open if it expects
+     a followup - in which case it may close the stream at any time if
+     resource constratints or other factors make it desirable to do so.
+     Care must be taken in managing TCP/IP connections with the KDC to
+     prevent denial of service attacks based on the number of TCP/IP
+     connections with the KDC that remain open. If multiple exchanges with
+     the KDC are needed for certain forms of preauthentication, multiple
+     TCP connections may be required. A client may close the stream after
+     receiving response, and should close the stream if it does not expect
+     to send followup messages. The client must be prepared to have the
+     stream closed by the KDC at anytime, in which case it must simply
+     connect again when it is ready to send subsequent messages.
+
+     The first four octets of the TCP stream used to transmit the request
+     request will encode in network byte order the length of the request
+     (KRB_KDC_REQ), and the length will be followed by the request itself.
+     The response will similarly be preceeded by a 4 octet encoding in
+     network byte order of the length of the KRB_KDC_REP or the KRB_ERROR
+     message and will be followed by the KRB_KDC_REP or the KRB_ERROR
+     response. If the sign bit is set on the integer represented by the
+     first 4 octets, then the next 4 octets will be read, extending the
+     length of the field by another 4 octets (less the sign bit which is
+     reserved for future expansion).
+
+     8.2.3. OSI transport
+
+     During authentication of an OSI client to an OSI server, the mutual
+     authentication of an OSI server to an OSI client, the transfer of
+     credentials from an OSI client to an OSI server, or during exchange of
+     private or integrity checked messages, Kerberos protocol messages may
+     be treated as opaque objects and the type of the authentication
+     mechanism will be:
+
+     OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1),
+security(5),kerberosv5(2)}
+
+     Depending on the situation, the opaque object will be an
+     authentication header (KRB_AP_REQ), an authentication reply
+     (KRB_AP_REP), a safe message (KRB_SAFE), a private message (KRB_PRIV),
+     or a credentials message (KRB_CRED). The opaque data contains an
+     application code as specified in the ASN.1 description for each
+     message. The application code may be used by Kerberos to determine the
+     message type.
+
+     8.2.3. Name of the TGS
+
+     The principal identifier of the ticket-granting service shall be
+     composed of three parts: (1) the realm of the KDC issuing the TGS
+     ticket (2) a two-part name of type NT-SRV-INST, with the first part
+     "krbtgt" and the second part the name of the realm which will accept
+     the ticket-granting ticket. For example, a ticket-granting ticket
+     issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
+     ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU"
+     (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting ticket
+     issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
+     MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" (realm),
+     ("krbtgt", "MIT.EDU") (name).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     8.3. Protocol constants and associated values
+
+     The following tables list constants used in the protocol and defines
+     their meanings. Ranges are specified in the "specification" section
+     that limit the values of constants for which values are defined here.
+     This allows implementations to make assumptions about the maximum
+     values that will be received for these constants. Implementation
+     receiving values outside the range specified in the "specification"
+     section may reject the request, but they must recover cleanly.
+
+     Encryption type       etype value block size  minimum pad  confounder
+size
+     NULL                           0     1           0            0
+     des-cbc-crc                    1     8           4            8
+     des-cbc-md4                    2     8           0            8
+     des-cbc-md5                    3     8           0            8
+     reserved                       4
+     des3-cbc-md5                   5     8           0                 8
+     reserved                       6
+     des3-cbc-sha1                  7     8           0                 8
+     dsaWithSHA1-CmsOID             9
+(pkinit)
+     md5WithRSAEncryption-CmsOID   10
+(pkinit)
+     sha1WithRSAEncryption-CmsOID  11
+(pkinit)
+     rc2CBC-EnvOID                 12
+(pkinit)
+     rsaEncryption-EnvOID          13                (pkinit from PKCS#1
+v1.5)
+     rsaES-OAEP-ENV-OID            14                (pkinit from PKCS#1
+v2.0)
+     des-ede3-cbc-Env-OID          15
+(pkinit)
+     des3-cbc-sha1-kd              16                                 (Tom
+Yu)
+     rc4-hmac                      23
+(swift)
+     rc4-hmac-exp                  24
+(swift)
+
+     reserved                      0x8003
+
+     Checksum type              sumtype value       checksum size
+     CRC32                      1                   4
+     rsa-md4                    2                   16
+     rsa-md4-des                3                   24
+     des-mac                    4                   16
+     des-mac-k                  5                   8
+     rsa-md4-des-k              6                   16 (drop rsa ?)
+     rsa-md5                    7                   16 (drop rsa ?)
+     rsa-md5-des                8                   24 (drop rsa ?)
+     rsa-md5-des3               9                   24 (drop rsa ?)
+     hmac-sha1-des3-kd          12                  20
+     hmac-sha1-des3             13                  20
+     sha1 (unkeyed)             14                  20
+
+     padata type                     padata-type value
+
+     PA-TGS-REQ                      1
+     PA-ENC-TIMESTAMP                2
+     PA-PW-SALT                      3
+     reserved                        4
+     PA-ENC-UNIX-TIME                5                  (depricated)
+     PA-SANDIA-SECUREID              6
+     PA-SESAME                       7
+     PA-OSF-DCE                      8
+     PA-CYBERSAFE-SECUREID           9
+     PA-AFS3-SALT                    10
+     PA-ETYPE-INFO                   11
+     PA-SAM-CHALLENGE                12                  (sam/otp)
+     PA-SAM-RESPONSE                 13                  (sam/otp)
+     PA-PK-AS-REQ                    14                  (pkinit)
+     PA-PK-AS-REP                    15                  (pkinit)
+     PA-USE-SPECIFIED-KVNO           20
+     PA-SAM-REDIRECT                 21                  (sam/otp)
+     PA-GET-FROM-TYPED-DATA          22
+     PA-SAM-ETYPE-INFO               23                  (sam/otp)
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     data-type                     value    form of typed-data
+
+     reserved                        1-21
+     TD-PADATA                       22
+     TD-PKINIT-CMS-CERTIFICATES      101      CertificateSet from CMS
+     TD-KRB-PRINCIPAL                102
+     TD-KRB-REALM                    103
+     TD-TRUSTED-CERTIFIERS           104
+     TD-CERTIFICATE-INDEX            105
+     TD-APP-DEFINED-ERROR            106
+
+     authorization data type         ad-type value
+     AD-IF-RELEVANT                     1
+     AD-INTENDED-FOR-SERVER             2
+     AD-INTENDED-FOR-APPLICATION-CLASS  3
+     AD-KDC-ISSUED                      4
+     AD-OR                              5
+     AD-MANDATORY-TICKET-EXTENSIONS     6
+     AD-IN-TICKET-EXTENSIONS            7
+     reserved values                    8-63
+     OSF-DCE                            64
+     SESAME                             65
+     AD-OSF-DCE-PKI-CERTID              66    (hemsath@us.ibm.com)
+     AD-WIN200-PAC                     128
+(jbrezak@exchange.microsoft.com)
+
+     Ticket Extension Types
+
+     TE-TYPE-NULL                  0     Null ticket extension
+     TE-TYPE-EXTERNAL-ADATA        1     Integrity protected authorization
+data
+     reserved                      2     TE-TYPE-PKCROSS-KDC
+     TE-TYPE-PKCROSS-CLIENT        3     PKCROSS cross realm key ticket
+     TE-TYPE-CYBERSAFE-EXT         4     Assigned to CyberSafe Corp
+     reserved                      5     TE-TYPE-DEST-HOST
+
+     alternate authentication type   method-type value
+     reserved values                 0-63
+     ATT-CHALLENGE-RESPONSE          64
+
+     transited encoding type         tr-type value
+     DOMAIN-X500-COMPRESS            1
+     reserved values                 all others
+
+     Label               Value   Meaning or MIT code
+
+     pvno                    5   current Kerberos protocol version number
+
+     message types
+
+     KRB_AS_REQ             10   Request for initial authentication
+     KRB_AS_REP             11   Response to KRB_AS_REQ request
+     KRB_TGS_REQ            12   Request for authentication based on TGT
+     KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+     KRB_AP_REQ             14   application request to server
+     KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+     KRB_SAFE               20   Safe (checksummed) application message
+     KRB_PRIV               21   Private (encrypted) application message
+     KRB_CRED               22   Private (encrypted) message to forward
+credentials
+     KRB_ERROR              30   Error response
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     name types
+
+     KRB_NT_UNKNOWN        0  Name type not known
+     KRB_NT_PRINCIPAL      1  Just the name of the principal as in DCE, or
+for users
+     KRB_NT_SRV_INST       2  Service and other unique instance (krbtgt)
+     KRB_NT_SRV_HST        3  Service with host name as instance (telnet,
+rcommands)
+     KRB_NT_SRV_XHST       4  Service with host as remaining components
+     KRB_NT_UID            5  Unique ID
+     KRB_NT_X500_PRINCIPAL 6  Encoded X.509 Distingished name [RFC 2253]
+
+     error codes
+
+     KDC_ERR_NONE                    0   No error
+     KDC_ERR_NAME_EXP                1   Client's entry in database has
+expired
+     KDC_ERR_SERVICE_EXP             2   Server's entry in database has
+expired
+     KDC_ERR_BAD_PVNO                3   Requested protocol version number
+not supported
+     KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old
+master key
+     KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old
+master key
+     KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos
+database
+     KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos
+database
+     KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in
+database
+     KDC_ERR_NULL_KEY                9   The client or server has a null key
+     KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+     KDC_ERR_NEVER_VALID            11   Requested start time is later than
+end time
+     KDC_ERR_POLICY                 12   KDC policy rejects request
+     KDC_ERR_BADOPTION              13   KDC cannot accommodate requested
+option
+     KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption
+type
+     KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum
+type
+     KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+     KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited
+type
+     KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been
+revoked
+     KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been
+revoked
+     KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+     KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again
+later
+     KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again
+later
+     KDC_ERR_KEY_EXPIRED            23   Password has expired - change
+password to reset
+     KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was
+invalid
+     KDC_ERR_PREAUTH_REQUIRED       25   Additional
+pre-authenticationrequired [40]
+     KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't
+match
+     KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for
+user2user only
+     KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+     KDC_ERR_SVC_UNAVAILABLE        29   A service is not available
+     KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field
+failed
+     KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+     KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+     KRB_AP_ERR_REPEAT              34   Request is a replay
+     KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+     KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't
+match
+     KRB_AP_ERR_SKEW                37   Clock skew too great
+     KRB_AP_ERR_BADADDR             38   Incorrect net address
+     KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+     KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+     KRB_AP_ERR_MODIFIED            41   Message stream modified
+     KRB_AP_ERR_BADORDER            42   Message out of order
+     KRB_AP_ERR_BADKEYVER           44   Specified version of key is not
+available
+     KRB_AP_ERR_NOKEY               45   Service key not available
+     KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+     KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+     KRB_AP_ERR_METHOD              48   Alternative authentication method
+required
+     KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in
+message
+     KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in
+message
+     KRB_AP_PATH_NOT_ACCEPTED       51   Policy rejects transited path
+     KRB_ERR_RESPONSE_TOO_BIG       52   Response too big for UDP, retry
+with TCP
+     KRB_ERR_GENERIC                60   Generic error (description in
+e-text)
+     KRB_ERR_FIELD_TOOLONG          61   Field is too long for this
+implementation
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     KDC_ERROR_CLIENT_NOT_TRUSTED            62 (pkinit)
+     KDC_ERROR_KDC_NOT_TRUSTED               63 (pkinit)
+     KDC_ERROR_INVALID_SIG                   64 (pkinit)
+     KDC_ERR_KEY_TOO_WEAK                    65 (pkinit)
+     KDC_ERR_CERTIFICATE_MISMATCH            66 (pkinit)
+     KRB_AP_ERR_NO_TGT                       67 (user-to-user)
+     KDC_ERR_WRONG_REALM                     68 (user-to-user)
+     KRB_AP_ERR_USER_TO_USER_REQUIRED        69 (user-to-user)
+     KDC_ERR_CANT_VERIFY_CERTIFICATE         70 (pkinit)
+     KDC_ERR_INVALID_CERTIFICATE             71 (pkinit)
+     KDC_ERR_REVOKED_CERTIFICATE             72 (pkinit)
+     KDC_ERR_REVOCATION_STATUS_UNKNOWN       73 (pkinit)
+     KDC_ERR_REVOCATION_STATUS_UNAVAILABLE   74 (pkinit)
+     KDC_ERR_CLIENT_NAME_MISMATCH            75 (pkinit)
+     KDC_ERR_KDC_NAME_MISMATCH               76 (pkinit)
+
+     9. Interoperability requirements
+
+     Version 5 of the Kerberos protocol supports a myriad of options. Among
+     these are multiple encryption and checksum types, alternative encoding
+     schemes for the transited field, optional mechanisms for
+     pre-authentication, the handling of tickets with no addresses, options
+     for mutual authentication, user to user authentication, support for
+     proxies, forwarding, postdating, and renewing tickets, the format of
+     realm names, and the handling of authorization data.
+
+     In order to ensure the interoperability of realms, it is necessary to
+     define a minimal configuration which must be supported by all
+     implementations. This minimal configuration is subject to change as
+     technology does. For example, if at some later date it is discovered
+     that one of the required encryption or checksum algorithms is not
+     secure, it will be replaced.
+
+     9.1. Specification 2
+
+     This section defines the second specification of these options.
+     Implementations which are configured in this way can be said to
+     support Kerberos Version 5 Specification 2 (5.1). Specification 1
+     (depricated) may be found in RFC1510.
+
+     Transport
+
+     TCP/IP and UDP/IP transport must be supported by KDCs claiming
+     conformance to specification 2. Kerberos clients claiming conformance
+     to specification 2 must support UDP/IP transport for messages with the
+     KDC and should support TCP/IP transport.
+
+     Encryption and checksum methods
+
+     The following encryption and checksum mechanisms must be supported.
+     Implementations may support other mechanisms as well, but the
+     additional mechanisms may only be used when communicating with
+     principals known to also support them: This list is to be determined.
+
+     Encryption: DES-CBC-MD5, one triple des variant (tbd)
+     Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 (tbd)
+
+     Realm Names
+
+     All implementations must understand hierarchical realms in both the
+     Internet Domain and the X.500 style. When a ticket granting ticket for
+     an unknown realm is requested, the KDC must be able to determine the
+     names of the intermediate realms between the KDCs realm and the
+     requested realm.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     Transited field encoding
+
+     DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
+     Alternative encodings may be supported, but they may be used only when
+     that encoding is supported by ALL intermediate realms.
+
+     Pre-authentication methods
+
+     The TGS-REQ method must be supported. The TGS-REQ method is not used
+     on the initial request. The PA-ENC-TIMESTAMP method must be supported
+     by clients but whether it is enabled by default may be determined on a
+     realm by realm basis. If not used in the initial request and the error
+     KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
+     acceptable method, the client should retry the initial request using
+     the PA-ENC-TIMESTAMP preauthentication method. Servers need not
+     support the PA-ENC-TIMESTAMP method, but if not supported the server
+     should ignore the presence of PA-ENC-TIMESTAMP pre-authentication in a
+     request.
+
+     Mutual authentication
+
+     Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+     Ticket addresses and flags
+
+     All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
+     contains no addresses, the KDC will return derivative tickets), but
+     each realm may set its own policy for issuing such tickets, and each
+     application server will set its own policy with respect to accepting
+     them.
+
+     Proxies and forwarded tickets must be supported. Individual realms and
+     application servers can set their own policy on when such tickets will
+     be accepted.
+
+     All implementations must recognize renewable and postdated tickets,
+     but need not actually implement them. If these options are not
+     supported, the starttime and endtime in the ticket shall specify a
+     ticket's entire useful life. When a postdated ticket is decoded by a
+     server, all implementations shall make the presence of the postdated
+     flag visible to the calling server.
+
+     User-to-user authentication
+
+     Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC
+     option) must be provided by implementations, but individual realms may
+     decide as a matter of policy to reject such requests on a
+     per-principal or realm-wide basis.
+
+     Authorization data
+
+     Implementations must pass all authorization data subfields from
+     ticket-granting tickets to any derivative tickets unless directed to
+     suppress a subfield as part of the definition of that registered
+     subfield type (it is never incorrect to pass on a subfield, and no
+     registered subfield types presently specify suppression at the KDC).
+
+     Implementations must make the contents of any authorization data
+     subfields available to the server when a ticket is used.
+     Implementations are not required to allow clients to specify the
+     contents of the authorization data fields.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     Constant ranges
+
+     All protocol constants are constrained to 32 bit (signed) values
+     unless further constrained by the protocol definition. This limit is
+     provided to allow implementations to make assumptions about the
+     maximum values that will be received for these constants.
+     Implementation receiving values outside this range may reject the
+     request, but they must recover cleanly.
+
+     9.2. Recommended KDC values
+
+     Following is a list of recommended values for a KDC implementation,
+     based on the list of suggested configuration constants (see section
+     4.4).
+
+     minimum lifetime              5 minutes
+     maximum renewable lifetime    1 week
+     maximum ticket lifetime       1 day
+     empty addresses               only when suitable  restrictions  appear
+                                   in authorization data
+     proxiable, etc.               Allowed.
+
+     10. REFERENCES
+
+     [NT94]    B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+               cation  Service for Computer Networks," IEEE Communica-
+               tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+     [MNSS87]  S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+               Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+               Authorization System, M.I.T. Project Athena, Cambridge,
+               Massachusetts (December 21, 1987).
+
+     [SNS88]   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+               beros:  An Authentication Service for Open Network Sys-
+               tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+               Dallas, Texas (February, 1988).
+
+     [NS78]    Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+               Encryption for Authentication in Large Networks of Com-
+               puters,"  Communications  of  the  ACM,  Vol.   21(12),
+               pp. 993-999 (December, 1978).
+
+     [DS81]    Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+               stamps  in  Key Distribution Protocols," Communications
+               of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+     [KNT92]   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+               "The Evolution of the Kerberos Authentication Service,"
+               in an IEEE Computer Society Text soon to  be  published
+               (June 1992).
+
+     [Neu93]   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+               Accounting  for Distributed Systems," in Proceedings of
+               the 13th International Conference on  Distributed  Com-
+               puting Systems, Pittsburgh, PA (May, 1993).
+
+     [DS90]    Don Davis and Ralph Swick,  "Workstation  Services  and
+               Kerberos  Authentication  at Project Athena," Technical
+               Memorandum TM-424,  MIT Laboratory for Computer Science
+               (February 1990).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     [LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+               merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+               ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+               sachusetts (1987).
+
+     [X509-88] CCITT, Recommendation X.509: The Directory  Authentica-
+               tion Framework, December 1988.
+
+     [Pat92].  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+               Guessing  Attacks, Open Software Foundation DCE Request
+               for Comments 26 (December 1992).
+
+     [DES77]   National Bureau of Standards, U.S. Department  of  Com-
+               merce,  "Data Encryption Standard," Federal Information
+               Processing Standards Publication  46,   Washington,  DC
+               (1977).
+
+     [DESM80]  National Bureau of Standards, U.S. Department  of  Com-
+               merce,  "DES  Modes  of Operation," Federal Information
+               Processing Standards Publication 81,   Springfield,  VA
+               (December 1980).
+
+     [SG92]    Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+               Integrity  in  Cryptographic Protocols," in Proceedings
+               of the IEEE  Symposium  on  Research  in  Security  and
+               Privacy, Oakland, California (May 1992).
+
+     [IS3309]  International Organization  for  Standardization,  "ISO
+               Information  Processing  Systems - Data Communication -
+               High-Level Data Link Control Procedure -  Frame  Struc-
+               ture," IS 3309 (October 1984).  3rd Edition.
+
+     [MD4-92]  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+               1320,   MIT  Laboratory  for  Computer  Science  (April
+               1992).
+
+     [MD5-92]  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+               1321,   MIT  Laboratory  for  Computer  Science  (April
+               1992).
+
+     [KBC96]   H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+               Hashing  for  Message  Authentication,"  Working  Draft
+               draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+     [Horowitz96] Horowitz, M., "Key Derivation for Authentication,
+               Integrity, and Privacy",
+draft-horowitz-key-derivation-02.txt,
+               August 1998.
+
+     [HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft-
+               horowitz-kerb-key-derivation-01.txt, September 1998.
+
+     [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC:
+               Keyed-Hashing for Message Authentication",
+draft-ietf-ipsec-hmac-
+               md5-01.txt, August, 1996.
+
+     A. Pseudo-code for protocol processing
+
+     This appendix provides pseudo-code describing how the messages are to
+     be constructed and interpreted by clients and servers.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     A.1. KRB_AS_REQ generation
+
+             request.pvno := protocol version; /* pvno = 5 */
+             request.msg-type := message type; /* type = KRB_AS_REQ */
+
+             if(pa_enc_timestamp_required) then
+                     request.padata.padata-type = PA-ENC-TIMESTAMP;
+                     get system_time;
+                     padata-body.patimestamp,pausec = system_time;
+                     encrypt padata-body into request.padata.padata-value
+                             using client.key; /* derived from password */
+             endif
+
+             body.kdc-options := users's preferences;
+             body.cname := user's name;
+             body.realm := user's realm;
+             body.sname := service's name; /* usually "krbtgt",
+"localrealm" */
+             if (body.kdc-options.POSTDATED is set) then
+                     body.from := requested starting time;
+             else
+                     omit body.from;
+             endif
+             body.till := requested end time;
+             if (body.kdc-options.RENEWABLE is set) then
+                     body.rtime := requested final renewal time;
+             endif
+             body.nonce := random_nonce();
+             body.etype := requested etypes;
+             if (user supplied addresses) then
+                     body.addresses := user's addresses;
+             else
+                     omit body.addresses;
+             endif
+             omit body.enc-authorization-data;
+             request.req-body := body;
+
+             kerberos := lookup(name of local kerberos server (or servers));
+             send(packet,kerberos);
+
+             wait(for response);
+             if (timed_out) then
+                     retry or use alternate server;
+             endif
+
+     A.2. KRB_AS_REQ verification and KRB_AS_REP generation
+
+             decode message into req;
+
+             client := lookup(req.cname,req.realm);
+             server := lookup(req.sname,req.realm);
+
+             get system_time;
+             kdc_time := system_time.seconds;
+
+             if (!client) then
+                     /* no client in Database */
+                     error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+             endif
+             if (!server) then
+                     /* no server in Database */
+                     error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+             endif
+
+             if(client.pa_enc_timestamp_required and
+                pa_enc_timestamp not present) then
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+             endif
+
+             if(pa_enc_timestamp present) then
+                     decrypt req.padata-value into decrypted_enc_timestamp
+                             using client.key;
+                             using auth_hdr.authenticator.subkey;
+                     if (decrypt_error()) then
+                             error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                     if(decrypted_enc_timestamp is not within allowable
+skew) then
+                             error_out(KDC_ERR_PREAUTH_FAILED);
+                     endif
+                     if(decrypted_enc_timestamp and usec is replay)
+                             error_out(KDC_ERR_PREAUTH_FAILED);
+                     endif
+                     add decrypted_enc_timestamp and usec to replay cache;
+             endif
+
+             use_etype := first supported etype in req.etypes;
+
+             if (no support for req.etypes) then
+                     error_out(KDC_ERR_ETYPE_NOSUPP);
+             endif
+
+             new_tkt.vno := ticket version; /* = 5 */
+             new_tkt.sname := req.sname;
+             new_tkt.srealm := req.srealm;
+             reset all flags in new_tkt.flags;
+
+             /* It should be noted that local policy may affect the  */
+             /* processing of any of these flags.  For example, some */
+             /* realms may refuse to issue renewable tickets         */
+
+             if (req.kdc-options.FORWARDABLE is set) then
+                     set new_tkt.flags.FORWARDABLE;
+             endif
+             if (req.kdc-options.PROXIABLE is set) then
+                     set new_tkt.flags.PROXIABLE;
+             endif
+
+             if (req.kdc-options.ALLOW-POSTDATE is set) then
+                     set new_tkt.flags.MAY-POSTDATE;
+             endif
+             if ((req.kdc-options.RENEW is set) or
+                 (req.kdc-options.VALIDATE is set) or
+                 (req.kdc-options.PROXY is set) or
+                 (req.kdc-options.FORWARDED is set) or
+                 (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                     error_out(KDC_ERR_BADOPTION);
+             endif
+
+             new_tkt.session := random_session_key();
+             new_tkt.cname := req.cname;
+             new_tkt.crealm := req.crealm;
+             new_tkt.transited := empty_transited_field();
+
+             new_tkt.authtime := kdc_time;
+
+             if (req.kdc-options.POSTDATED is set) then
+                if (against_postdate_policy(req.from)) then
+                     error_out(KDC_ERR_POLICY);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                new_tkt.starttime := req.from;
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+             else
+                omit new_tkt.starttime; /* treated as authtime when omitted
+*/
+             endif
+             if (req.till = 0) then
+                     till := infinity;
+             else
+                     till := req.till;
+             endif
+
+             new_tkt.endtime := min(till,
+                                   new_tkt.starttime+client.max_life,
+                                   new_tkt.starttime+server.max_life,
+                                   new_tkt.starttime+max_life_for_realm);
+
+             if ((req.kdc-options.RENEWABLE-OK is set) and
+                 (new_tkt.endtime < req.till)) then
+                     /* we set the RENEWABLE option for later processing */
+                     set req.kdc-options.RENEWABLE;
+                     req.rtime := req.till;
+             endif
+
+             if (req.rtime = 0) then
+                     rtime := infinity;
+             else
+                     rtime := req.rtime;
+             endif
+
+             if (req.kdc-options.RENEWABLE is set) then
+                     set new_tkt.flags.RENEWABLE;
+                     new_tkt.renew-till := min(rtime,
+
+new_tkt.starttime+client.max_rlife,
+
+new_tkt.starttime+server.max_rlife,
+
+new_tkt.starttime+max_rlife_for_realm);
+             else
+                     omit new_tkt.renew-till; /* only present if RENEWABLE
+*/
+             endif
+
+             if (req.addresses) then
+                     new_tkt.caddr := req.addresses;
+             else
+                     omit new_tkt.caddr;
+             endif
+
+             new_tkt.authorization_data := empty_authorization_data();
+
+             encode to-be-encrypted part of ticket into OCTET STRING;
+             new_tkt.enc-part := encrypt OCTET STRING
+                     using etype_for_key(server.key), server.key,
+server.p_kvno;
+
+             /* Start processing the response */
+
+             resp.pvno := 5;
+             resp.msg-type := KRB_AS_REP;
+             resp.cname := req.cname;
+             resp.crealm := req.realm;
+             resp.ticket := new_tkt;
+
+             resp.key := new_tkt.session;
+             resp.last-req := fetch_last_request_info(client);
+             resp.nonce := req.nonce;
+             resp.key-expiration := client.expiration;
+             resp.flags := new_tkt.flags;
+
+             resp.authtime := new_tkt.authtime;
+             resp.starttime := new_tkt.starttime;
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+             resp.endtime := new_tkt.endtime;
+
+             if (new_tkt.flags.RENEWABLE) then
+                     resp.renew-till := new_tkt.renew-till;
+             endif
+
+             resp.realm := new_tkt.realm;
+             resp.sname := new_tkt.sname;
+
+             resp.caddr := new_tkt.caddr;
+
+             encode body of reply into OCTET STRING;
+
+             resp.enc-part := encrypt OCTET STRING
+                              using use_etype, client.key, client.p_kvno;
+             send(resp);
+
+     A.3. KRB_AS_REP verification
+
+             decode response into resp;
+
+             if (resp.msg-type = KRB_ERROR) then
+                     if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP))
+then
+                             set pa_enc_timestamp_required;
+                             goto KRB_AS_REQ;
+                     endif
+                     process_error(resp);
+                     return;
+             endif
+
+             /* On error, discard the response, and zero the session key */
+             /* from the response immediately */
+
+             key = get_decryption_key(resp.enc-part.kvno,
+resp.enc-part.etype,
+                                      resp.padata);
+             unencrypted part of resp := decode of decrypt of resp.enc-part
+                                     using resp.enc-part.etype and key;
+             zero(key);
+
+             if (common_as_rep_tgs_rep_checks fail) then
+                     destroy resp.key;
+                     return error;
+             endif
+
+             if near(resp.princ_exp) then
+                     print(warning message);
+             endif
+             save_for_later(ticket,session,client,server,times,flags);
+
+     A.4. KRB_AS_REP and KRB_TGS_REP common checks
+
+             if (decryption_error() or
+                 (req.cname != resp.cname) or
+                 (req.realm != resp.crealm) or
+                 (req.sname != resp.sname) or
+                 (req.realm != resp.realm) or
+                 (req.nonce != resp.nonce) or
+                 (req.addresses != resp.caddr)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+             /* make sure no flags are set that shouldn't be, and that all
+that */
+             /* should be are set
+*/
+             if (!check_flags_for_compatability(req.kdc-options,resp.flags))
+then
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+             if ((req.from = 0) and
+                 (resp.starttime is not within allowable skew)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_SKEW;
+             endif
+             if ((req.from != 0) and (req.from != resp.starttime)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+             if ((req.till != 0) and (resp.endtime > req.till)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+             if ((req.kdc-options.RENEWABLE is set) and
+                 (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+             if ((req.kdc-options.RENEWABLE-OK is set) and
+                 (resp.flags.RENEWABLE) and
+                 (req.till != 0) and
+                 (resp.renew-till > req.till)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+     A.5. KRB_TGS_REQ generation
+
+             /* Note that make_application_request might have to recursivly
+*/
+             /* call this routine to get the appropriate ticket-granting
+ticket */
+
+             request.pvno := protocol version; /* pvno = 5 */
+             request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+             body.kdc-options := users's preferences;
+             /* If the TGT is not for the realm of the end-server  */
+             /* then the sname will be for a TGT for the end-realm */
+             /* and the realm of the requested ticket (body.realm) */
+             /* will be that of the TGS to which the TGT we are    */
+             /* sending applies                                    */
+             body.sname := service's name;
+             body.realm := service's realm;
+
+             if (body.kdc-options.POSTDATED is set) then
+                     body.from := requested starting time;
+             else
+                     omit body.from;
+             endif
+             body.till := requested end time;
+             if (body.kdc-options.RENEWABLE is set) then
+                     body.rtime := requested final renewal time;
+             endif
+             body.nonce := random_nonce();
+             body.etype := requested etypes;
+             if (user supplied addresses) then
+                     body.addresses := user's addresses;
+             else
+                     omit body.addresses;
+             endif
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+             body.enc-authorization-data := user-supplied data;
+             if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                     body.additional-tickets_ticket := second TGT;
+             endif
+
+             request.req-body := body;
+             check := generate_checksum (req.body,checksumtype);
+
+             request.padata[0].padata-type := PA-TGS-REQ;
+             request.padata[0].padata-value := create a KRB_AP_REQ using
+                                           the TGT and checksum
+
+             /* add in any other padata as required/supplied */
+
+             kerberos := lookup(name of local kerberose server (or
+servers));
+             send(packet,kerberos);
+
+             wait(for response);
+             if (timed_out) then
+                     retry or use alternate server;
+             endif
+
+     A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
+
+             /* note that reading the application request requires first
+             determining the server for which a ticket was issued, and
+choosing the
+             correct key for decryption.  The name of the server appears in
+the
+             plaintext part of the ticket. */
+
+             if (no KRB_AP_REQ in req.padata) then
+                     error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+             endif
+             verify KRB_AP_REQ in req.padata;
+
+             /* Note that the realm in which the Kerberos server is
+operating is
+             determined by the instance from the ticket-granting ticket.
+The realm
+             in the ticket-granting ticket is the realm under which the
+ticket
+             granting ticket was issued.  It is possible for a single
+Kerberos
+             server to support more than one realm. */
+
+             auth_hdr := KRB_AP_REQ;
+             tgt := auth_hdr.ticket;
+
+             if (tgt.sname is not a TGT for local realm and is not
+req.sname) then
+                     error_out(KRB_AP_ERR_NOT_US);
+
+             realm := realm_tgt_is_for(tgt);
+
+             decode remainder of request;
+
+             if (auth_hdr.authenticator.cksum is missing) then
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+
+             if (auth_hdr.authenticator.cksum type is not supported) then
+                     error_out(KDC_ERR_SUMTYPE_NOSUPP);
+             endif
+             if (auth_hdr.authenticator.cksum is not both collision-proof
+and keyed) then
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+
+             set computed_checksum := checksum(req);
+             if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+
+             server := lookup(req.sname,realm);
+
+             if (!server) then
+                     if (is_foreign_tgt_name(req.sname)) then
+                             server := best_intermediate_tgs(req.sname);
+                     else
+                             /* no server in Database */
+                             error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                     endif
+             endif
+
+             session := generate_random_session_key();
+
+             use_etype := first supported etype in req.etypes;
+
+             if (no support for req.etypes) then
+                     error_out(KDC_ERR_ETYPE_NOSUPP);
+             endif
+
+             new_tkt.vno := ticket version; /* = 5 */
+             new_tkt.sname := req.sname;
+             new_tkt.srealm := realm;
+             reset all flags in new_tkt.flags;
+
+             /* It should be noted that local policy may affect the  */
+             /* processing of any of these flags.  For example, some */
+             /* realms may refuse to issue renewable tickets         */
+
+             new_tkt.caddr := tgt.caddr;
+             resp.caddr := NULL; /* We only include this if they change */
+             if (req.kdc-options.FORWARDABLE is set) then
+                     if (tgt.flags.FORWARDABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.FORWARDABLE;
+             endif
+             if (req.kdc-options.FORWARDED is set) then
+                     if (tgt.flags.FORWARDABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.FORWARDED;
+                     new_tkt.caddr := req.addresses;
+                     resp.caddr := req.addresses;
+             endif
+             if (tgt.flags.FORWARDED is set) then
+                     set new_tkt.flags.FORWARDED;
+             endif
+
+             if (req.kdc-options.PROXIABLE is set) then
+                     if (tgt.flags.PROXIABLE is reset)
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.PROXIABLE;
+             endif
+             if (req.kdc-options.PROXY is set) then
+                     if (tgt.flags.PROXIABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.PROXY;
+                     new_tkt.caddr := req.addresses;
+                     resp.caddr := req.addresses;
+             endif
+
+             if (req.kdc-options.ALLOW-POSTDATE is set) then
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     if (tgt.flags.MAY-POSTDATE is reset)
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.MAY-POSTDATE;
+             endif
+             if (req.kdc-options.POSTDATED is set) then
+                     if (tgt.flags.MAY-POSTDATE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.POSTDATED;
+                     set new_tkt.flags.INVALID;
+                     if (against_postdate_policy(req.from)) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+                     new_tkt.starttime := req.from;
+             endif
+
+             if (req.kdc-options.VALIDATE is set) then
+                     if (tgt.flags.INVALID is reset) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+                     if (tgt.starttime > kdc_time) then
+                             error_out(KRB_AP_ERR_NYV);
+                     endif
+                     if (check_hot_list(tgt)) then
+                             error_out(KRB_AP_ERR_REPEAT);
+                     endif
+                     tkt := tgt;
+                     reset new_tkt.flags.INVALID;
+             endif
+
+             if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                                  and those already processed) is set) then
+                     error_out(KDC_ERR_BADOPTION);
+             endif
+
+             new_tkt.authtime := tgt.authtime;
+
+             if (req.kdc-options.RENEW is set) then
+               /* Note that if the endtime has already passed, the ticket
+would  */
+               /* have been rejected in the initial authentication stage, so
+*/
+               /* there is no need to check again here
+*/
+                     if (tgt.flags.RENEWABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     if (tgt.renew-till < kdc_time) then
+                             error_out(KRB_AP_ERR_TKT_EXPIRED);
+                     endif
+                     tkt := tgt;
+                     new_tkt.starttime := kdc_time;
+                     old_life := tgt.endttime - tgt.starttime;
+                     new_tkt.endtime := min(tgt.renew-till,
+                                            new_tkt.starttime + old_life);
+             else
+                     new_tkt.starttime := kdc_time;
+                     if (req.till = 0) then
+                             till := infinity;
+                     else
+                             till := req.till;
+                     endif
+                     new_tkt.endtime := min(till,
+
+new_tkt.starttime+client.max_life,
+
+new_tkt.starttime+server.max_life,
+
+new_tkt.starttime+max_life_for_realm,
+                                            tgt.endtime);
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+
+                     if ((req.kdc-options.RENEWABLE-OK is set) and
+                         (new_tkt.endtime < req.till) and
+                         (tgt.flags.RENEWABLE is set) then
+                             /* we set the RENEWABLE option for later
+processing */
+                             set req.kdc-options.RENEWABLE;
+                             req.rtime := min(req.till, tgt.renew-till);
+                     endif
+             endif
+
+             if (req.rtime = 0) then
+                     rtime := infinity;
+             else
+                     rtime := req.rtime;
+             endif
+
+             if ((req.kdc-options.RENEWABLE is set) and
+                 (tgt.flags.RENEWABLE is set)) then
+                     set new_tkt.flags.RENEWABLE;
+                     new_tkt.renew-till := min(rtime,
+
+new_tkt.starttime+client.max_rlife,
+
+new_tkt.starttime+server.max_rlife,
+
+new_tkt.starttime+max_rlife_for_realm,
+                                               tgt.renew-till);
+             else
+                     new_tkt.renew-till := OMIT; /* leave the renew-till
+field out */
+             endif
+             if (req.enc-authorization-data is present) then
+                     decrypt req.enc-authorization-data into
+decrypted_authorization_data
+                             using auth_hdr.authenticator.subkey;
+                     if (decrypt_error()) then
+                             error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                     endif
+             endif
+             new_tkt.authorization_data :=
+req.auth_hdr.ticket.authorization_data +
+                                      decrypted_authorization_data;
+
+             new_tkt.key := session;
+             new_tkt.crealm := tgt.crealm;
+             new_tkt.cname := req.auth_hdr.ticket.cname;
+
+             if (realm_tgt_is_for(tgt) := tgt.realm) then
+                     /* tgt issued by local realm */
+                     new_tkt.transited := tgt.transited;
+             else
+                     /* was issued for this realm by some other realm */
+                     if (tgt.transited.tr-type not supported) then
+                             error_out(KDC_ERR_TRTYPE_NOSUPP);
+                     endif
+                     new_tkt.transited := compress_transited(tgt.transited +
+tgt.realm)
+                     /* Don't check tranited field if TGT for foreign realm,
+                      * or requested not to check */
+                     if (is_not_foreign_tgt_name(new_tkt.server)
+                        && req.kdc-options.DISABLE-TRANSITED-CHECK not set)
+then
+                             /* Check it, so end-server does not have to
+                              * but don't fail, end-server may still accept
+it */
+                             if (check_transited_field(new_tkt.transited) ==
+OK)
+                                   set
+new_tkt.flags.TRANSITED-POLICY-CHECKED;
+                             endif
+                     endif
+             endif
+
+             encode encrypted part of new_tkt into OCTET STRING;
+             if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                     if (server not specified) then
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                             server = req.second_ticket.client;
+                     endif
+                     if ((req.second_ticket is not a TGT) or
+                         (req.second_ticket.client != server)) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+
+                     new_tkt.enc-part := encrypt OCTET STRING using
+                             using etype_for_key(second-ticket.key),
+second-ticket.key;
+             else
+                     new_tkt.enc-part := encrypt OCTET STRING
+                             using etype_for_key(server.key), server.key,
+server.p_kvno;
+             endif
+
+             resp.pvno := 5;
+             resp.msg-type := KRB_TGS_REP;
+             resp.crealm := tgt.crealm;
+             resp.cname := tgt.cname;
+             resp.ticket := new_tkt;
+
+             resp.key := session;
+             resp.nonce := req.nonce;
+             resp.last-req := fetch_last_request_info(client);
+             resp.flags := new_tkt.flags;
+
+             resp.authtime := new_tkt.authtime;
+             resp.starttime := new_tkt.starttime;
+             resp.endtime := new_tkt.endtime;
+
+             omit resp.key-expiration;
+
+             resp.sname := new_tkt.sname;
+             resp.realm := new_tkt.realm;
+
+             if (new_tkt.flags.RENEWABLE) then
+                     resp.renew-till := new_tkt.renew-till;
+             endif
+
+             encode body of reply into OCTET STRING;
+
+             if (req.padata.authenticator.subkey)
+                     resp.enc-part := encrypt OCTET STRING using use_etype,
+                             req.padata.authenticator.subkey;
+             else resp.enc-part := encrypt OCTET STRING using use_etype,
+tgt.key;
+
+             send(resp);
+
+     A.7. KRB_TGS_REP verification
+
+             decode response into resp;
+
+             if (resp.msg-type = KRB_ERROR) then
+                     process_error(resp);
+                     return;
+             endif
+
+             /* On error, discard the response, and zero the session key
+from
+             the response immediately */
+
+             if (req.padata.authenticator.subkey)
+                     unencrypted part of resp := decode of decrypt of
+resp.enc-part
+                             using resp.enc-part.etype and subkey;
+             else unencrypted part of resp := decode of decrypt of
+resp.enc-part
+                                     using resp.enc-part.etype and tgt's
+session key;
+             if (common_as_rep_tgs_rep_checks fail) then
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     destroy resp.key;
+                     return error;
+             endif
+
+             check authorization_data as necessary;
+             save_for_later(ticket,session,client,server,times,flags);
+
+     A.8. Authenticator generation
+
+             body.authenticator-vno := authenticator vno; /* = 5 */
+             body.cname, body.crealm := client name;
+             if (supplying checksum) then
+                     body.cksum := checksum;
+             endif
+             get system_time;
+             body.ctime, body.cusec := system_time;
+             if (selecting sub-session key) then
+                     select sub-session key;
+                     body.subkey := sub-session key;
+             endif
+             if (using sequence numbers) then
+                     select initial sequence number;
+                     body.seq-number := initial sequence;
+             endif
+
+     A.9. KRB_AP_REQ generation
+
+             obtain ticket and session_key from cache;
+
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_AP_REQ */
+
+             if (desired(MUTUAL_AUTHENTICATION)) then
+                     set packet.ap-options.MUTUAL-REQUIRED;
+             else
+                     reset packet.ap-options.MUTUAL-REQUIRED;
+             endif
+             if (using session key for ticket) then
+                     set packet.ap-options.USE-SESSION-KEY;
+             else
+                     reset packet.ap-options.USE-SESSION-KEY;
+             endif
+             packet.ticket := ticket; /* ticket */
+             generate authenticator;
+             encode authenticator into OCTET STRING;
+             encrypt OCTET STRING into packet.authenticator using
+session_key;
+
+     A.10. KRB_AP_REQ verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_AP_REQ) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             if (packet.ticket.tkt_vno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.ap_options.USE-SESSION-KEY is set) then
+                     retrieve session key from ticket-granting ticket for
+                      packet.ticket.{sname,srealm,enc-part.etype};
+             else
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     retrieve service key for
+
+packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+             endif
+             if (no_key_available) then
+                     if (cannot_find_specified_skvno) then
+                             error_out(KRB_AP_ERR_BADKEYVER);
+                     else
+                             error_out(KRB_AP_ERR_NOKEY);
+                     endif
+             endif
+             decrypt packet.ticket.enc-part into decr_ticket using retrieved
+key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             decrypt packet.authenticator into decr_authenticator
+                     using decr_ticket.key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if (decr_authenticator.{cname,crealm} !=
+                 decr_ticket.{cname,crealm}) then
+                     error_out(KRB_AP_ERR_BADMATCH);
+             endif
+             if (decr_ticket.caddr is present) then
+                     if (sender_address(packet) is not in decr_ticket.caddr)
+then
+                             error_out(KRB_AP_ERR_BADADDR);
+                     endif
+             elseif (application requires addresses) then
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (not in_clock_skew(decr_authenticator.ctime,
+                                   decr_authenticator.cusec)) then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+             if (repeated(decr_authenticator.{ctime,cusec,cname,crealm}))
+then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+             save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+             get system_time;
+             if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+                 (decr_ticket.flags.INVALID is set)) then
+                     /* it hasn't yet become valid */
+                     error_out(KRB_AP_ERR_TKT_NYV);
+             endif
+             if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                     error_out(KRB_AP_ERR_TKT_EXPIRED);
+             endif
+             if (decr_ticket.transited) then
+                 /* caller may ignore the TRANSITED-POLICY-CHECKED and do
+                  * check anyway */
+                 if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set)
+then
+                      if (check_transited_field(decr_ticket.transited) then
+                           error_out(KDC_AP_PATH_NOT_ACCPETED);
+                      endif
+                 endif
+             endif
+             /* caller must check decr_ticket.flags for any pertinent
+details */
+             return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+     A.11. KRB_AP_REP generation
+
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_AP_REP */
+
+             body.ctime := packet.ctime;
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+             body.cusec := packet.cusec;
+             if (selecting sub-session key) then
+                     select sub-session key;
+                     body.subkey := sub-session key;
+             endif
+             if (using sequence numbers) then
+                     select initial sequence number;
+                     body.seq-number := initial sequence;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part;
+
+     A.12. KRB_AP_REP verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_AP_REP) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             cleartext := decrypt(packet.enc-part) using ticket's session
+key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if (cleartext.ctime != authenticator.ctime) then
+                     error_out(KRB_AP_ERR_MUT_FAIL);
+             endif
+             if (cleartext.cusec != authenticator.cusec) then
+                     error_out(KRB_AP_ERR_MUT_FAIL);
+             endif
+             if (cleartext.subkey is present) then
+                     save cleartext.subkey for future use;
+             endif
+             if (cleartext.seq-number is present) then
+                     save cleartext.seq-number for future verifications;
+             endif
+             return(AUTHENTICATION_SUCCEEDED);
+
+     A.13. KRB_SAFE generation
+
+             collect user data in buffer;
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_SAFE */
+
+             body.user-data := buffer; /* DATA */
+             if (using timestamp) then
+                     get system_time;
+                     body.timestamp, body.usec := system_time;
+             endif
+             if (using sequence numbers) then
+                     body.seq-number := sequence number;
+             endif
+             body.s-address := sender host addresses;
+             if (only one recipient) then
+                     body.r-address := recipient host address;
+             endif
+             checksum.cksumtype := checksum type;
+             compute checksum over body;
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+             checksum.checksum := checksum value; /* checksum.checksum */
+             packet.cksum := checksum;
+             packet.safe-body := body;
+
+     A.14. KRB_SAFE verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_SAFE) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             if (packet.checksum.cksumtype is not both collision-proof and
+keyed) then
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+             if (safe_priv_common_checks_ok(packet)) then
+                     set computed_checksum := checksum(packet.body);
+                     if (computed_checksum != packet.checksum) then
+                             error_out(KRB_AP_ERR_MODIFIED);
+                     endif
+                     return (packet, PACKET_IS_GENUINE);
+             else
+                     return common_checks_error;
+             endif
+
+     A.15. KRB_SAFE and KRB_PRIV common checks
+
+             if (packet.s-address != O/S_sender(packet)) then
+                     /* O/S report of sender not who claims to have sent it
+*/
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if ((packet.r-address is present) and
+                 (packet.r-address != local_host_address)) then
+                     /* was not sent to proper place */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (((packet.timestamp is present) and
+                  (not in_clock_skew(packet.timestamp,packet.usec))) or
+                 (packet.timestamp is not present and timestamp expected))
+then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+             if (repeated(packet.timestamp,packet.usec,packet.s-address))
+then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+
+             if (((packet.seq-number is present) and
+                  ((not in_sequence(packet.seq-number)))) or
+                 (packet.seq-number is not present and sequence expected))
+then
+                     error_out(KRB_AP_ERR_BADORDER);
+             endif
+             if (packet.timestamp not present and packet.seq-number not
+present) then
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+             save_identifier(packet.{timestamp,usec,s-address},
+                             sender_principal(packet));
+
+             return PACKET_IS_OK;
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     A.16. KRB_PRIV generation
+
+             collect user data in buffer;
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_PRIV */
+
+             packet.enc-part.etype := encryption type;
+
+             body.user-data := buffer;
+             if (using timestamp) then
+                     get system_time;
+                     body.timestamp, body.usec := system_time;
+             endif
+             if (using sequence numbers) then
+                     body.seq-number := sequence number;
+             endif
+             body.s-address := sender host addresses;
+             if (only one recipient) then
+                     body.r-address := recipient host address;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part.cipher;
+
+     A.17. KRB_PRIV verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_PRIV) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+
+             cleartext := decrypt(packet.enc-part) using negotiated key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+
+             if (safe_priv_common_checks_ok(cleartext)) then
+                     return(cleartext.DATA,
+PACKET_IS_GENUINE_AND_UNMODIFIED);
+             else
+                     return common_checks_error;
+             endif
+
+     A.18. KRB_CRED generation
+
+             invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_CRED */
+
+             for (tickets[n] in tickets to be forwarded) do
+                     packet.tickets[n] = tickets[n].ticket;
+             done
+
+             packet.enc-part.etype := encryption type;
+
+             for (ticket[n] in tickets to be forwarded) do
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     body.ticket-info[n].key = tickets[n].session;
+                     body.ticket-info[n].prealm = tickets[n].crealm;
+                     body.ticket-info[n].pname = tickets[n].cname;
+                     body.ticket-info[n].flags = tickets[n].flags;
+                     body.ticket-info[n].authtime = tickets[n].authtime;
+                     body.ticket-info[n].starttime = tickets[n].starttime;
+                     body.ticket-info[n].endtime = tickets[n].endtime;
+                     body.ticket-info[n].renew-till = tickets[n].renew-till;
+                     body.ticket-info[n].srealm = tickets[n].srealm;
+                     body.ticket-info[n].sname = tickets[n].sname;
+                     body.ticket-info[n].caddr = tickets[n].caddr;
+             done
+
+             get system_time;
+             body.timestamp, body.usec := system_time;
+
+             if (using nonce) then
+                     body.nonce := nonce;
+             endif
+
+             if (using s-address) then
+                     body.s-address := sender host addresses;
+             endif
+             if (limited recipients) then
+                     body.r-address := recipient host address;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part.cipher
+                    using negotiated encryption key;
+
+     A.19. KRB_CRED verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_CRED) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+
+             cleartext := decrypt(packet.enc-part) using negotiated key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if ((packet.r-address is present or required) and
+                (packet.s-address != O/S_sender(packet)) then
+                     /* O/S report of sender not who claims to have sent it
+*/
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if ((packet.r-address is present) and
+                 (packet.r-address != local_host_address)) then
+                     /* was not sent to proper place */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+             if (repeated(packet.timestamp,packet.usec,packet.s-address))
+then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+             if (packet.nonce is required or present) and
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                (packet.nonce != expected-nonce) then
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+             for (ticket[n] in tickets that were forwarded) do
+                     save_for_later(ticket[n],key[n],principal[n],
+                                    server[n],times[n],flags[n]);
+             return
+
+     A.20. KRB_ERROR generation
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_ERROR */
+
+             get system_time;
+             packet.stime, packet.susec := system_time;
+             packet.realm, packet.sname := server name;
+
+             if (client time available) then
+                     packet.ctime, packet.cusec := client_time;
+             endif
+             packet.error-code := error code;
+             if (client name available) then
+                     packet.cname, packet.crealm := client name;
+             endif
+             if (error text available) then
+                     packet.e-text := error text;
+             endif
+             if (error data available) then
+                     packet.e-data := error data;
+             endif
+
+     B. Definition of common authorization data elements
+
+     This appendix contains the definitions of common authorization data
+     elements. These common authorization data elements are recursivly
+     defined, meaning the ad-data for these types will itself contain a
+     sequence of authorization data whose interpretation is affected by the
+     encapsulating element. Depending on the meaning of the encapsulating
+     element, the encapsulated elements may be ignored, might be
+     interpreted as issued directly by the KDC, or they might be stored in
+     a separate plaintext part of the ticket. The types of the
+     encapsulating elements are specified as part of the Kerberos
+     specification because the behavior based on these values should be
+     understood across implementations whereas other elements need only be
+     understood by the applications which they affect.
+
+     In the definitions that follow, the value of the ad-type for the
+     element will be specified in the subsection number, and the value of
+     the ad-data will be as shown in the ASN.1 structure that follows the
+     subsection heading.
+
+     B.1. If relevant
+
+     AD-IF-RELEVANT   AuthorizationData
+
+     AD elements encapsulated within the if-relevant element are intended
+     for interpretation only by application servers that understand the
+     particular ad-type of the embedded element. Application servers that
+     do not understand the type of an element embedded within the
+     if-relevant element may ignore the uninterpretable element. This
+     element promotes interoperability across implementations which may
+     have local extensions for authorization.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     B.2. Intended for server
+
+     AD-INTENDED-FOR-SERVER   SEQUENCE {
+              intended-server[0]     SEQUENCE OF PrincipalName
+              elements[1]            AuthorizationData
+     }
+
+     AD elements encapsulated within the intended-for-server element may be
+     ignored if the application server is not in the list of principal
+     names of intended servers. Further, a KDC issuing a ticket for an
+     application server can remove this element if the application server
+     is not in the list of intended servers.
+
+     Application servers should check for their principal name in the
+     intended-server field of this element. If their principal name is not
+     found, this element should be ignored. If found, then the encapsulated
+     elements should be evaluated in the same manner as if they were
+     present in the top level authorization data field. Applications and
+     application servers that do not implement this element should reject
+     tickets that contain authorization data elements of this type.
+
+     B.3. Intended for application class
+
+     AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE {
+     intended-application-class[0] SEQUENCE OF GeneralString elements[1]
+     AuthorizationData } AD elements encapsulated within the
+     intended-for-application-class element may be ignored if the
+     application server is not in one of the named classes of application
+     servers. Examples of application server classes include "FILESYSTEM",
+     and other kinds of servers.
+
+     This element and the elements it encapulates may be safely ignored by
+     applications, application servers, and KDCs that do not implement this
+     element.
+
+     B.4. KDC Issued
+
+     AD-KDCIssued   SEQUENCE {
+                    ad-checksum[0]    Checksum,
+                     i-realm[1]       Realm OPTIONAL,
+                     i-sname[2]       PrincipalName OPTIONAL,
+                    elements[3]       AuthorizationData.
+     }
+
+     ad-checksum
+          A checksum over the elements field using a cryptographic checksum
+          method that is identical to the checksum used to protect the
+          ticket itself (i.e. using the same hash function and the same
+          encryption algorithm used to encrypt the ticket) and using a key
+          derived from the same key used to protect the ticket.
+     i-realm, i-sname
+          The name of the issuing principal if different from the KDC
+          itself. This field would be used when the KDC can verify the
+          authenticity of elements signed by the issuing principal and it
+          allows this KDC to notify the application server of the validity
+          of those elements.
+     elements
+          A sequence of authorization data elements issued by the KDC.
+     The KDC-issued ad-data field is intended to provide a means for
+     Kerberos principal credentials to embed within themselves privilege
+     attributes and other mechanisms for positive authorization, amplifying
+     the priveleges of the principal beyond what can be done using a
+     credentials without such an a-data element.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     This can not be provided without this element because the definition
+     of the authorization-data field allows elements to be added at will by
+     the bearer of a TGT at the time that they request service tickets and
+     elements may also be added to a delegated ticket by inclusion in the
+     authenticator.
+
+     For KDC-issued elements this is prevented because the elements are
+     signed by the KDC by including a checksum encrypted using the server's
+     key (the same key used to encrypt the ticket - or a key derived from
+     that key). Elements encapsulated with in the KDC-issued element will
+     be ignored by the application server if this "signature" is not
+     present. Further, elements encapsulated within this element from a
+     ticket granting ticket may be interpreted by the KDC, and used as a
+     basis according to policy for including new signed elements within
+     derivative tickets, but they will not be copied to a derivative ticket
+     directly. If they are copied directly to a derivative ticket by a KDC
+     that is not aware of this element, the signature will not be correct
+     for the application ticket elements, and the field will be ignored by
+     the application server.
+
+     This element and the elements it encapulates may be safely ignored by
+     applications, application servers, and KDCs that do not implement this
+     element.
+
+     B.5. And-Or
+
+     AD-AND-OR           SEQUENCE {
+                             condition-count[0]    INTEGER,
+                             elements[1]           AuthorizationData
+     }
+
+     When restrictive AD elements encapsulated within the and-or element
+     are encountered, only the number specified in condition-count of the
+     encapsulated conditions must be met in order to satisfy this element.
+     This element may be used to implement an "or" operation by setting the
+     condition-count field to 1, and it may specify an "and" operation by
+     setting the condition count to the number of embedded elements.
+     Application servers that do not implement this element must reject
+     tickets that contain authorization data elements of this type.
+
+     B.6. Mandatory ticket extensions
+
+     AD-Mandatory-Ticket-Extensions           SEQUENCE {
+                             te-type[0]       INTEGER,
+                             te-checksum[0]    Checksum
+     }
+
+     An authorization data element of type mandatory-ticket-extensions
+     specifies the type and a collision-proof checksum using the same hash
+     algorithm used to protect the integrity of the ticket itself. This
+     checksum will be calculated over an individual extension field of the
+     type indicated. If there are more than one extension, multiple
+     Mandatory-Ticket-Extensions authorization data elements may be
+     present, each with a checksum for a different extension field. This
+     restriction indicates that the ticket should not be accepted if a
+     ticket extension is not present in the ticket for which the type and
+     checksum do not match that checksum specified in the authorization
+     data element. Note that although the type is redundant for the
+     purposes of the comparison, it makes the comparison easier when
+     multiple extensions are present. Application servers that do not
+     implement this element must reject tickets that contain authorization
+     data elements of this type.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     B.7. Authorization Data in ticket extensions
+
+     AD-IN-Ticket-Extensions   Checksum
+
+     An authorization data element of type in-ticket-extensions specifies a
+     collision-proof checksum using the same hash algorithm used to protect
+     the integrity of the ticket itself. This checksum is calculated over a
+     separate external AuthorizationData field carried in the ticket
+     extensions. Application servers that do not implement this element
+     must reject tickets that contain authorization data elements of this
+     type. Application servers that do implement this element will search
+     the ticket extensions for authorization data fields, calculate the
+     specified checksum over each authorization data field and look for one
+     matching the checksum in this in-ticket-extensions element. If not
+     found, then the ticket must be rejected. If found, the corresponding
+     authorization data elements will be interpreted in the same manner as
+     if they were contained in the top level authorization data field.
+
+     Note that if multiple external authorization data fields are present
+     in a ticket, each will have a corresponding element of type
+     in-ticket-extensions in the top level authorization data field, and
+     the external entries will be linked to the corresponding element by
+     their checksums.
+
+     C. Definition of common ticket extensions
+
+     This appendix contains the definitions of common ticket extensions.
+     Support for these extensions is optional. However, certain extensions
+     have associated authorization data elements that may require rejection
+     of a ticket containing an extension by application servers that do not
+     implement the particular extension. Other extensions have been defined
+     beyond those described in this specification. Such extensions are
+     described elswhere and for some of those extensions the reserved
+     number may be found in the list of constants.
+
+     It is known that older versions of Kerberos did not support this
+     field, and that some clients will strip this field from a ticket when
+     they parse and then reassemble a ticket as it is passed to the
+     application servers. The presence of the extension will not break such
+     clients, but any functionaly dependent on the extensions will not work
+     when such tickets are handled by old clients. In such situations, some
+     implementation may use alternate methods to transmit the information
+     in the extensions field.
+
+     C.1. Null ticket extension
+
+     TE-NullExtension   OctetString -- The empty Octet String
+
+     The te-data field in the null ticket extension is an octet string of
+     lenght zero. This extension may be included in a ticket granting
+     ticket so that the KDC can determine on presentation of the ticket
+     granting ticket whether the client software will strip the extensions
+     field.
+
+     C.2. External Authorization Data
+
+     TE-ExternalAuthorizationData   AuthorizationData
+
+     The te-data field in the external authorization data ticket extension
+     is field of type AuthorizationData containing one or more
+     authorization data elements. If present, a corresponding authorization
+     data element will be present in the primary authorization data for the
+     ticket and that element will contain a checksum of the external
+     authorization data ticket extension.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     ----------------------------------------------------------------------
+     [TM] Project Athena, Athena, and Kerberos are trademarks of the
+     Massachusetts Institute of Technology (MIT). No commercial use of
+     these trademarks may be made without prior written permission of MIT.
+
+     [1] Note, however, that many applications use Kerberos' functions only
+     upon the initiation of a stream-based network connection. Unless an
+     application subsequently provides integrity protection for the data
+     stream, the identity verification applies only to the initiation of
+     the connection, and does not guarantee that subsequent messages on the
+     connection originate from the same principal.
+
+     [2] Secret and private are often used interchangeably in the
+     literature. In our usage, it takes two (or more) to share a secret,
+     thus a shared DES key is a secret key. Something is only private when
+     no one but its owner knows it. Thus, in public key cryptosystems, one
+     has a public and a private key.
+
+     [3] Of course, with appropriate permission the client could arrange
+     registration of a separately-named prin- cipal in a remote realm, and
+     engage in normal exchanges with that realm's services. However, for
+     even small numbers of clients this becomes cumbersome, and more
+     automatic methods as described here are necessary.
+
+     [4] Though it is permissible to request or issue tick- ets with no
+     network addresses specified.
+
+     [5] The password-changing request must not be honored unless the
+     requester can provide the old password (the user's current secret
+     key). Otherwise, it would be possible for someone to walk up to an
+     unattended ses- sion and change another user's password.
+
+     [6] To authenticate a user logging on to a local system, the
+     credentials obtained in the AS exchange may first be used in a TGS
+     exchange to obtain credentials for a local server. Those credentials
+     must then be verified by a local server through successful completion
+     of the Client/Server exchange.
+
+     [7] "Random" means that, among other things, it should be impossible
+     to guess the next session key based on knowledge of past session keys.
+     This can only be achieved in a pseudo-random number generator if it is
+     based on cryptographic principles. It is more desirable to use a truly
+     random number generator, such as one based on measurements of random
+     physical phenomena.
+
+     [8] Tickets contain both an encrypted and unencrypted portion, so
+     cleartext here refers to the entire unit, which can be copied from one
+     message and replayed in another without any cryptographic skill.
+
+     [9] Note that this can make applications based on unreliable
+     transports difficult to code correctly. If the transport might deliver
+     duplicated messages, either a new authenticator must be generated for
+     each retry, or the application server must match requests and replies
+     and replay the first reply in response to a detected duplicate.
+
+     [10] This is used for user-to-user authentication as described in [8].
+
+     [11] Note that the rejection here is restricted to authenticators from
+     the same principal to the same server. Other client principals
+     communicating with the same server principal should not be have their
+     authenticators rejected if the time and microsecond fields happen to
+     match some other client's authenticator.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     [12] In the Kerberos version 4 protocol, the timestamp in the reply
+     was the client's timestamp plus one. This is not necessary in version
+     5 because version 5 messages are formatted in such a way that it is
+     not possible to create the reply by judicious message surgery (even in
+     encrypted form) without knowledge of the appropriate encryption keys.
+
+     [13] Note that for encrypting the KRB_AP_REP message, the sub-session
+     key is not used, even if present in the Authenticator.
+
+     [14] Implementations of the protocol may wish to provide routines to
+     choose subkeys based on session keys and random numbers and to
+     generate a negotiated key to be returned in the KRB_AP_REP message.
+
+     [15]This can be accomplished in several ways. It might be known
+     beforehand (since the realm is part of the principal identifier), it
+     might be stored in a nameserver, or it might be obtained from a
+     configura- tion file. If the realm to be used is obtained from a
+     nameserver, there is a danger of being spoofed if the nameservice
+     providing the realm name is not authenti- cated. This might result in
+     the use of a realm which has been compromised, and would result in an
+     attacker's ability to compromise the authentication of the application
+     server to the client.
+
+     [16] If the client selects a sub-session key, care must be taken to
+     ensure the randomness of the selected sub- session key. One approach
+     would be to generate a random number and XOR it with the session key
+     from the ticket-granting ticket.
+
+     [17] This allows easy implementation of user-to-user authentication
+     [8], which uses ticket-granting ticket session keys in lieu of secret
+     server keys in situa- tions where such secret keys could be easily
+     comprom- ised.
+
+     [18] For the purpose of appending, the realm preceding the first
+     listed realm is considered to be the null realm ("").
+
+     [19] For the purpose of interpreting null subfields, the client's
+     realm is considered to precede those in the transited field, and the
+     server's realm is considered to follow them.
+
+     [20] This means that a client and server running on the same host and
+     communicating with one another using the KRB_SAFE messages should not
+     share a common replay cache to detect KRB_SAFE replays.
+
+     [21] The implementation of the Kerberos server need not combine the
+     database and the server on the same machine; it is feasible to store
+     the principal database in, say, a network name service, as long as the
+     entries stored therein are protected from disclosure to and
+     modification by unauthorized parties. However, we recommend against
+     such strategies, as they can make system management and threat
+     analysis quite complex.
+
+     [22] See the discussion of the padata field in section 5.4.2 for
+     details on why this can be useful.
+
+     [23] Warning for implementations that unpack and repack data
+     structures during the generation and verification of embedded
+     checksums: Because any checksums applied to data structures must be
+     checked against the original data the length of bit strings must be
+     preserved within a data structure between the time that a checksum is
+     generated through transmission to the time that the checksum is
+     verified.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     [24] It is NOT recommended that this time value be used to adjust the
+     workstation's clock since the workstation cannot reliably determine
+     that such a KRB_AS_REP actually came from the proper KDC in a timely
+     manner.
+
+     [25] Note, however, that if the time is used as the nonce, one must
+     make sure that the workstation time is monotonically increasing. If
+     the time is ever reset backwards, there is a small, but finite,
+     probability that a nonce will be reused.
+
+     [27] An application code in the encrypted part of a message provides
+     an additional check that the message was decrypted properly.
+
+     [29] An application code in the encrypted part of a message provides
+     an additional check that the message was decrypted properly.
+
+     [31] An application code in the encrypted part of a message provides
+     an additional check that the message was decrypted properly.
+
+     [32] If supported by the encryption method in use, an initialization
+     vector may be passed to the encryption procedure, in order to achieve
+     proper cipher chaining. The initialization vector might come from the
+     last block of the ciphertext from the previous KRB_PRIV message, but
+     it is the application's choice whether or not to use such an
+     initialization vector. If left out, the default initialization vector
+     for the encryption algorithm will be used.
+
+     [33] This prevents an attacker who generates an incorrect AS request
+     from obtaining verifiable plaintext for use in an off-line password
+     guessing attack.
+
+     [35] In the above specification, UNTAGGED OCTET STRING(length) is the
+     notation for an octet string with its tag and length removed. It is
+     not a valid ASN.1 type. The tag bits and length must be removed from
+     the confounder since the purpose of the confounder is so that the
+     message starts with random data, but the tag and its length are fixed.
+     For other fields, the length and tag would be redundant if they were
+     included because they are specified by the encryption type. [36] The
+     ordering of the fields in the CipherText is important. Additionally,
+     messages encoded in this format must include a length as part of the
+     msg-seq field. This allows the recipient to verify that the message
+     has not been truncated. Without a length, an attacker could use a
+     chosen plaintext attack to generate a message which could be
+     truncated, while leaving the checksum intact. Note that if the msg-seq
+     is an encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length
+     is part of that encoding.
+
+     [37] In some cases, it may be necessary to use a different "mix-in"
+     string for compatibility reasons; see the discussion of padata in
+     section 5.4.2.
+
+     [38] In some cases, it may be necessary to use a different "mix-in"
+     string for compatibility reasons; see the discussion of padata in
+     section 5.4.2.
+
+     [39] A variant of the key is used to limit the use of a key to a
+     particular function, separating the functions of generating a checksum
+     from other encryption performed using the session key. The constant
+     F0F0F0F0F0F0F0F0 was chosen because it maintains key parity. The
+     properties of DES precluded the use of the complement. The same
+     constant is used for similar purpose in the Message Integrity Check in
+     the Privacy Enhanced Mail standard.
+
+     [40] This error carries additional information in the e- data field.
+     The contents of the e-data field for this message is described in
+     section 5.9.1.
+
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt
new file mode 100644
index 0000000..6f7dae0d
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt
@@ -0,0 +1,325 @@
+
+INTERNET-DRAFT                                        Mike Swift 
+draft-ietf-cat-kerberos-set-passwd-02.txt             Microsoft
+March 2000                                            Jonathan Trostle
+                                                      Cisco Systems
+                                                      John Brezak
+                                                      Microsoft
+                                                      Bill Gossman
+                                                      Cybersafe
+
+              Kerberos Set/Change Password: Version 2
+
+
+0. Status Of This Memo
+
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026 [1]. 
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as 
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six
+   months and may be updated, replaced, or obsoleted by other
+   documents at any time.  It is inappropriate to use Internet-
+   Drafts as reference material or to cite them other than as
+   "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Comments and suggestions on this document are encouraged.  Comments 
+   on this document should be sent to the CAT working group discussion 
+   list:
+                       ietf-cat-wg@stanford.edu
+
+1. Abstract
+
+   The Kerberos (RFC 1510 [3]) change password protocol (Horowitz [4]), 
+   does not allow for an administrator to set a password for a new user. 
+   This functionality is useful in some environments, and this proposal 
+   extends [4] to allow password setting. The changes are: adding new 
+   fields to the request message to indicate the principal which is 
+   having its password set, not requiring the initial flag in the service 
+   ticket, using a new protocol version number, and adding three new 
+   result codes. We also extend the set/change protocol to allow a 
+   client to send a sequence of keys to the KDC instead of a cleartext 
+   password. If in the cleartext password case, the cleartext password 
+   fails to satisfy password policy, the server should use the result    
+   code KRB5_KPASSWD_POLICY_REJECT.
+
+2. Conventions used in this document 
+    
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
+
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
+   this document are to be interpreted as described in RFC-2119 [2]. 
+   
+3. The Protocol
+
+   The service must accept requests on UDP port 464 and TCP port 464 as 
+   well. The protocol consists of a single request message followed by 
+   a single reply message.  For UDP transport, each message must be fully 
+   contained in a single UDP packet.
+
+   For TCP transport, there is a 4 octet header in network byte order
+   precedes the message and specifies the length of the message. This
+   requirement is consistent with the TCP transport header in 1510bis.
+
+Request Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REQ length        |         AP-REQ data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                        KRB-PRIV message                       /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   All 16 bit fields are in network byte order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0x0002 (network
+   byte order).
+
+   AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REQ data: (see [3]) The AP-REQ message must be for the service 
+   principal kadmin/changepw@REALM, where REALM is the REALM of the user 
+   who wishes to change/set his password.  The ticket in the AP-REQ must 
+   must include a subkey in the Authenticator. To enable setting of 
+   passwords/keys, it is not required that the initial flag be set in the 
+   Kerberos service ticket. The initial flag is required for change requests,
+   but not for set password requests. We have the following definitions:
+
+                    old passwd   initial flag  target principal can be
+                    in request?  required?     distinct from 
+                                               authenticating principal?
+                                              
+   change password:  yes         yes           no
+
+   set password:     no          no            yes
+
+   set key:          no          policy        yes
+                                 determined
+
+   KRB-PRIV message (see [3]) This KRB-PRIV message must be generated 
+   using the subkey from the authenticator in the AP-REQ data. 
+
+   The user-data component of the message consists of the following ASN.1 
+   structure encoded as an OCTET STRING:
+
+   ChangePasswdData :: =  SEQUENCE {
+                       newpasswdorkeys[0]   NewPasswdOrKeys,
+                       targname[1]          PrincipalName OPTIONAL,
+                         -- only present in set password: the principal
+                         -- which will have its password set
+                       targrealm[2]         Realm OPTIONAL, 
+                         -- only present in set password: the realm for 
+                         -- the principal which will have its password set
+
+                       }
+
+   NewPasswdOrKeys :: = CHOICE {
+                       passwords[0]  PasswordSequence,       
+                       keyseq[1]     KeySequences
+   }
+                         
+   KeySequences :: = SEQUENCE OF KeySequence
+
+   KeySequence :: = SEQUENCE {
+                       key[0]        EncryptionKey,
+                       salt[1]       OCTET STRING OPTIONAL,
+                       salt-type[2]  INTEGER OPTIONAL
+   }
+
+   PasswordSequence :: = SEQUENCE {
+                       newpasswd[0]  OCTET STRING,
+                       oldpasswd[1]  OCTET STRING OPTIONAL
+                         -- oldpasswd always present for change password
+                         -- but not present for set password 
+   }
+
+   The server must verify the AP-REQ message, check whether the client 
+   principal in the ticket is authorized to set or change the password 
+   (either for that principal, or for the principal in the targname 
+   field if present), and decrypt the new password/keys. The server 
+   also checks whether the initial flag is required for this request, 
+   replying with status 0x0007 if it is not set and should be. An 
+   authorization failure is cause to respond with status 0x0005. For 
+   forward compatibility, the server should be prepared to ignore fields 
+   after targrealm in the structure that it does not understand. 
+
+   The newpasswdorkeys field contains either the new cleartext password 
+   (with the old cleartext password for a change password operation), 
+   or a sequence of encryption keys with their respective salts. 
+
+   In the cleartext password case, if the old password is sent in the
+   request, the request is defined to be a change password request. If
+   the old password is not present in the request, the request is a set
+   password request. The server should apply policy checks to the old 
+   and new password after verifying that the old password is valid. 
+   The server can check validity by obtaining a key from the old 
+   password with a keytype that is present in the KDC database for the 
+   user and comparing the keys for equality. The server then generates 
+   the appropriate keytypes from the password and stores them in the KDC 
+
+   database. If all goes well, status 0x0000 is returned to the client 
+   in the reply message (see below). For a change password operation,
+   the initial flag in the service ticket MUST be set. 
+
+   In the key sequence case, the sequence of keys is sent to the set
+   password service. For a principal that can act as a server, its 
+   preferred keytype should be sent as the first key in the sequence, 
+   but the KDC is not required to honor this preference. Application 
+   servers should use the key sequence option for changing/setting their 
+   keys. The set password service should check that all keys are in the
+   proper format, returning the KRB5_KPASSWD_MALFORMED error otherwise. 
+
+Reply Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REP length        |         AP-REP data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                          KRB-PRIV message                     /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+   All 16 bit fields are in network byte order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0x0002 (network
+   byte order). (The reply message has the same format as in [4]).
+
+   AP-REP length: length of AP-REP data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REP data: the AP-REP is the response to the AP-REQ in the request 
+   packet.
+   
+   KRB-PRIV from [4]: This KRB-PRIV message must be generated using the 
+   subkey in the authenticator in the AP-REQ data.
+
+   The server will respond with a KRB-PRIV message unless it cannot
+   validate the client AP-REQ or KRB-PRIV message, in which case it will
+   respond with a KRB-ERROR message. NOTE: Unlike change password version
+   1, the KRB-ERROR message will be sent back without any encapsulation. 
+
+   The user-data component of the KRB-PRIV message, or e-data component 
+   of the KRB-ERROR message, must consist of the following data.
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          result code          |        result string          /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                             edata                             /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+      result code (16 bits) (result codes 0-4 are from [4]):
+         The result code must have one of the following values (network
+         byte order):
+         KRB5_KPASSWD_SUCCESS      0 request succeeds (This value is not 
+                                     allowed in a KRB-ERROR message)
+         KRB5_KPASSWD_MALFORMED    1 request fails due to being malformed
+         KRB5_KPASSWD_HARDERROR    2 request fails due to "hard" error in
+                                     processing the request (for example, 
+                                     there is a resource or other problem 
+                                     causing the request to fail)
+         KRB5_KPASSWD_AUTHERROR    3 request fails due to an error in 
+                                     authentication processing
+         KRB5_KPASSWD_SOFTERROR    4 request fails due to a soft error 
+                                     in processing the request 
+         KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized
+         KRB5_KPASSWD_BAD_VERSION  6 protocol version unsupported
+         KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required
+         KRB5_KPASSWD_POLICY_REJECT 8 new cleartext password fails policy;
+         the result string should include a text message to be presented
+         to the user.
+         KRB5_KPASSWD_BAD_PRINCIPAL 9 target principal does not exist
+         (only in response to a set password request).
+         KRB5_KPASSWD_ETYPE_NOSUPP 10 the request contains a key sequence
+         containing at least one etype that is not supported by the KDC.
+         The response edata contains an ASN.1 encoded PKERB-ETYPE-INFO 
+         type that specifies the etypes that the KDC supports:
+         
+         KERB-ETYPE-INFO-ENTRY :: = SEQUENCE {
+                encryption-type[0]  INTEGER,
+                salt[1]             OCTET STRING OPTIONAL -- not sent
+         }
+
+         PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY
+
+         The client should retry the request using only etypes (keytypes)
+         that are contained within the PKERB-ETYPE-INFO structure in the
+         previous response. 
+         0xFFFF if the request fails for some other reason.
+         The client must interpret any non-zero result code as a failure.
+      result string - from [4]:
+         This field is a UTF-8 encoded string which should be displayed
+         to the user by the client. Specific reasons for a password 
+         set/change policy failure is one use for this string. 
+      edata: used to convey additional information as defined by the 
+         result code. 
+
+4. References
+
+   [1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
+       9, RFC 2026, October 1996. 
+    
+   [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 
+       Levels", BCP 14, RFC 2119, March 1997 
+ 
+   [3] J. Kohl, C. Neuman. The Kerberos Network Authentication
+       Service (V5), Request for Comments 1510.
+
+   [4] M. Horowitz. Kerberos Change Password Protocol,
+       ftp://ds.internic.net/internet-drafts/
+       draft-ietf-cat-kerb-chg-password-02.txt
+
+5. Expiration Date
+
+   This draft expires in September 2000.
+
+6. Authors' Addresses
+
+   Jonathan Trostle
+   Cisco Systems
+   170 W. Tasman Dr.
+   San Jose, CA 95134
+   Email: jtrostle@cisco.com
+
+   Mike Swift 
+   1 Microsoft Way
+   Redmond, WA 98052
+   Email: mikesw@microsoft.com
+
+   John Brezak
+   1 Microsoft Way
+   Redmond, WA 98052
+   Email: jbrezak@microsoft.com
+
+   Bill Gossman
+   Cybersafe Corporation
+   1605 NW Sammamish Rd.
+   Issaquah, WA 98027-5378
+   Email: bill.gossman@cybersafe.com
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt
new file mode 100644
index 0000000..0319f8b
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt
@@ -0,0 +1,345 @@
+
+INTERNET-DRAFT                                        Mike Swift 
+draft-ietf-cat-kerberos-set-passwd-03.txt             Microsoft
+April 2000                                            Jonathan Trostle
+                                                      Cisco Systems
+                                                      John Brezak
+                                                      Microsoft
+                                                      Bill Gossman
+                                                      Cybersafe
+
+              Kerberos Set/Change Password: Version 2
+
+
+0. Status Of This Memo
+
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026 [1]. 
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as 
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six
+   months and may be updated, replaced, or obsoleted by other
+   documents at any time.  It is inappropriate to use Internet-
+   Drafts as reference material or to cite them other than as
+   "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Comments and suggestions on this document are encouraged.  Comments 
+   on this document should be sent to the CAT working group discussion 
+   list:
+                       ietf-cat-wg@stanford.edu
+
+1. Abstract
+
+   The Kerberos (RFC 1510 [3]) change password protocol (Horowitz [4]), 
+   does not allow for an administrator to set a password for a new user. 
+   This functionality is useful in some environments, and this proposal 
+   extends [4] to allow password setting. The changes are: adding new 
+   fields to the request message to indicate the principal which is 
+   having its password set, not requiring the initial flag in the service 
+   ticket, using a new protocol version number, and adding three new 
+   result codes. We also extend the set/change protocol to allow a 
+   client to send a sequence of keys to the KDC instead of a cleartext 
+   password. If in the cleartext password case, the cleartext password 
+   fails to satisfy password policy, the server should use the result    
+   code KRB5_KPASSWD_POLICY_REJECT.
+
+2. Conventions used in this document 
+    
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
+
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
+   this document are to be interpreted as described in RFC-2119 [2]. 
+   
+3. The Protocol
+
+   The service must accept requests on UDP port 464 and TCP port 464 as 
+   well. The protocol consists of a single request message followed by 
+   a single reply message.  For UDP transport, each message must be fully 
+   contained in a single UDP packet.
+
+   For TCP transport, there is a 4 octet header in network byte order
+   precedes the message and specifies the length of the message. This
+   requirement is consistent with the TCP transport header in 1510bis.
+
+Request Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REQ length        |         AP-REQ data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                        KRB-PRIV message                       /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   All 16 bit fields are in network byte order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0x0002 (network
+   byte order).
+
+   AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REQ data: (see [3]) For a change password/key request, the AP-REQ 
+   message service ticket sname, srealm principal identifier is 
+   kadmin/changepw@REALM where REALM is the realm of the change password 
+   service. The same applies to a set password/key request except the 
+   principal identifier is kadmin/setpw@REALM. The ticket in the AP-REQ 
+   must include a subkey in the Authenticator. To enable setting of 
+   passwords/keys, it is not required that the initial flag be set in the 
+   Kerberos service ticket. The initial flag is required for change requests,
+   but not for set requests. We have the following definitions:
+
+                    old passwd   initial flag  target principal can be
+                    in request?  required?     distinct from 
+                                               authenticating principal?
+                                              
+   change password:  yes         yes           no
+
+   set password:     no          policy (*)    yes
+
+   set key:          no          policy (*)    yes
+                                 
+   change key:       no          yes           no
+
+   policy (*): implementations SHOULD allow administrators to set the
+   initial flag required for set requests policy to either yes or no.
+   Clients MUST be able to retry set requests that fail due to error 7
+   (initial flag required) with an initial ticket. Clients SHOULD NOT
+   cache service tickets targetted at kadmin/changepw.
+
+   KRB-PRIV message (see [3]) This KRB-PRIV message must be generated 
+   using the subkey from the authenticator in the AP-REQ data. 
+
+   The user-data component of the message consists of the following ASN.1 
+   structure encoded as an OCTET STRING:
+
+   ChangePasswdData :: =  SEQUENCE {
+                       newpasswdorkeys[0]   NewPasswdOrKeys,
+                       targname[1]          PrincipalName OPTIONAL,
+                         -- only present in set password/key: the principal
+                         -- which will have its password or keys set. Not
+                         -- present in a set request if the client principal
+                         -- from the ticket is the principal having its 
+                         -- passwords or keys set.
+                       targrealm[2]         Realm OPTIONAL, 
+                         -- only present in set password/key: the realm for 
+                         -- the principal which will have its password or
+                         -- keys set. Not present in a set request if the 
+                         -- client principal from the ticket is the principal 
+                         -- having its passwords or keys set.
+                       }
+
+   NewPasswdOrKeys :: = CHOICE {
+                       passwords[0]  PasswordSequence,  -- change/set passwd   
+                       keyseq[1]     KeySequences       -- change/set key
+   }
+                         
+   KeySequences :: = SEQUENCE OF KeySequence
+
+   KeySequence :: = SEQUENCE {
+                       key[0]        EncryptionKey,
+                       salt[1]       OCTET STRING OPTIONAL,
+                       salt-type[2]  INTEGER OPTIONAL
+   }
+
+   PasswordSequence :: = SEQUENCE {
+                       newpasswd[0]  OCTET STRING,
+                       oldpasswd[1]  OCTET STRING OPTIONAL
+                         -- oldpasswd always present for change password
+                         -- but not present for set password, set key, or
+                         -- change key
+   }
+
+   The server must verify the AP-REQ message, check whether the client 
+   principal in the ticket is authorized to set or change the password 
+   (either for that principal, or for the principal in the targname 
+   field if present), and decrypt the new password/keys. The server 
+   also checks whether the initial flag is required for this request, 
+   replying with status 0x0007 if it is not set and should be. An 
+   authorization failure is cause to respond with status 0x0005. For 
+   forward compatibility, the server should be prepared to ignore fields 
+   after targrealm in the structure that it does not understand. 
+
+   The newpasswdorkeys field contains either the new cleartext password 
+   (with the old cleartext password for a change password operation), 
+   or a sequence of encryption keys with their respective salts. 
+
+   In the cleartext password case, if the old password is sent in the
+   request, the request MUST be a change password request. If the old 
+   password is not present in the request, the request MUST be a set
+   password request. The server should apply policy checks to the old 
+   and new password after verifying that the old password is valid. 
+   The server can check validity by obtaining a key from the old 
+   password with a keytype that is present in the KDC database for the 
+   user and comparing the keys for equality. The server then generates 
+   the appropriate keytypes from the password and stores them in the KDC 
+   database. If all goes well, status 0x0000 is returned to the client 
+   in the reply message (see below). For a change password operation,
+   the initial flag in the service ticket MUST be set. 
+
+   In the key sequence case, the sequence of keys is sent to the change
+   or set password service (kadmin/changepw or kadmin/setpw respectively). 
+   For a principal that can act as a server, its preferred keytype should 
+   be sent as the first key in the sequence, but the KDC is not required 
+   to honor this preference. Application servers should use the key 
+   sequence option for changing/setting their keys. The change/set password 
+   services should check that all keys are in the proper format, returning 
+   the KRB5_KPASSWD_MALFORMED error otherwise. 
+
+Reply Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REP length        |         AP-REP data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                          KRB-PRIV message                     /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+   All 16 bit fields are in network byte order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0x0002 (network
+   byte order). (The reply message has the same format as in [4]).
+
+   AP-REP length: length of AP-REP data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REP data: the AP-REP is the response to the AP-REQ in the request 
+   packet.
+   
+   KRB-PRIV from [4]: This KRB-PRIV message must be generated using the 
+   subkey in the authenticator in the AP-REQ data.
+
+   The server will respond with a KRB-PRIV message unless it cannot
+   validate the client AP-REQ or KRB-PRIV message, in which case it will
+   respond with a KRB-ERROR message. NOTE: Unlike change password version
+   1, the KRB-ERROR message will be sent back without any encapsulation. 
+
+   The user-data component of the KRB-PRIV message, or e-data component 
+   of the KRB-ERROR message, must consist of the following data.
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          result code          |        result string          /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                             edata                             /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+      result code (16 bits) (result codes 0-4 are from [4]):
+         The result code must have one of the following values (network
+         byte order):
+         KRB5_KPASSWD_SUCCESS      0 request succeeds (This value is not 
+                                     allowed in a KRB-ERROR message)
+         KRB5_KPASSWD_MALFORMED    1 request fails due to being malformed
+         KRB5_KPASSWD_HARDERROR    2 request fails due to "hard" error in
+                                     processing the request (for example, 
+                                     there is a resource or other problem 
+                                     causing the request to fail)
+         KRB5_KPASSWD_AUTHERROR    3 request fails due to an error in 
+                                     authentication processing
+         KRB5_KPASSWD_SOFTERROR    4 request fails due to a soft error 
+                                     in processing the request 
+         KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized
+         KRB5_KPASSWD_BAD_VERSION  6 protocol version unsupported
+         KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required
+         KRB5_KPASSWD_POLICY_REJECT 8 new cleartext password fails policy;
+         the result string should include a text message to be presented
+         to the user.
+         KRB5_KPASSWD_BAD_PRINCIPAL 9 target principal does not exist
+         (only in response to a set password request).
+         KRB5_KPASSWD_ETYPE_NOSUPP 10 the request contains a key sequence
+         containing at least one etype that is not supported by the KDC.
+         The response edata contains an ASN.1 encoded PKERB-ETYPE-INFO 
+         type that specifies the etypes that the KDC supports:
+         
+         KERB-ETYPE-INFO-ENTRY :: = SEQUENCE {
+                encryption-type[0]  INTEGER,
+                salt[1]             OCTET STRING OPTIONAL -- not sent
+         }
+
+         PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY
+
+         The client should retry the request using only etypes (keytypes)
+         that are contained within the PKERB-ETYPE-INFO structure in the
+         previous response. 
+         0xFFFF if the request fails for some other reason.
+         The client must interpret any non-zero result code as a failure.
+      result string - from [4]:
+         This field is a UTF-8 encoded string which should be displayed
+         to the user by the client. Specific reasons for a password 
+
+         set/change policy failure is one use for this string. 
+      edata: used to convey additional information as defined by the 
+         result code. 
+
+4. Acknowledgements
+  
+   The authors thank Tony Andrea for his input to the document.
+
+5. References
+
+   [1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
+       9, RFC 2026, October 1996. 
+    
+   [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 
+       Levels", BCP 14, RFC 2119, March 1997 
+ 
+   [3] J. Kohl, C. Neuman. The Kerberos Network Authentication
+       Service (V5), Request for Comments 1510.
+
+   [4] M. Horowitz. Kerberos Change Password Protocol,
+       ftp://ds.internic.net/internet-drafts/
+       draft-ietf-cat-kerb-chg-password-02.txt
+
+6. Expiration Date
+
+   This draft expires in October 2000.
+
+7. Authors' Addresses
+
+   Jonathan Trostle
+   Cisco Systems
+   170 W. Tasman Dr.
+   San Jose, CA 95134
+   Email: jtrostle@cisco.com
+
+   Mike Swift 
+   1 Microsoft Way
+   Redmond, WA 98052
+   Email: mikesw@microsoft.com
+
+   John Brezak
+   1 Microsoft Way
+   Redmond, WA 98052
+   Email: jbrezak@microsoft.com
+
+   Bill Gossman
+   Cybersafe Corporation
+   1605 NW Sammamish Rd.
+   Issaquah, WA 98027-5378
+   Email: bill.gossman@cybersafe.com
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt
new file mode 100644
index 0000000..bd31750
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt
@@ -0,0 +1,339 @@
+
+
+
+
+
+
+INTERNET-DRAFT                                             Ken Hornstein
+<draft-ietf-cat-krb-dns-locate-02.txt>                               NRL
+March 10, 2000                                            Jeffrey Altman
+Expires: September 10, 2000                          Columbia University
+
+
+
+          Distributing Kerberos KDC and Realm Information with DNS
+
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Distribution of this memo is unlimited.  It is filed as <draft-ietf-
+   cat-krb-dns-locate-02.txt>, and expires on September 10, 2000.  Please
+   send comments to the authors.
+
+Abstract
+
+   Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto-
+   col [RFC????] describe any mechanism for clients to learn critical
+   configuration information necessary for proper operation of the pro-
+   tocol.  Such information includes the location of Kerberos key dis-
+   tribution centers or a mapping between DNS domains and Kerberos
+   realms.
+
+   Current Kerberos implementations generally store such configuration
+   information in a file on each client machine.  Experience has shown
+   this method of storing configuration information presents problems
+   with out-of-date information and scaling problems, especially when
+
+
+
+Hornstein, Altman                                               [Page 1]
+
+RFC DRAFT                                                 March 10, 2000
+
+
+   using cross-realm authentication.
+
+   This memo describes a method for using the Domain Name System
+   [RFC1035] for storing such configuration information.  Specifically,
+   methods for storing KDC location and hostname/domain name to realm
+   mapping information are discussed.
+
+DNS vs. Kerberos - Case Sensitivity of Realm Names
+
+   In Kerberos, realm names are case sensitive.  While it is strongly
+   encouraged that all realm names be all upper case this recommendation
+   has not been adopted by all sites.  Some sites use all lower case
+   names and other use mixed case.  DNS on the other hand is case insen-
+   sitive for queries but is case preserving for responses to TXT
+   queries.  Since "MYREALM", "myrealm", and "MyRealm" are all different
+   it is necessary that the DNS entries be distinguishable.
+
+   Since the recommend realm names are all upper case, we will not
+   require any quoting to be applied to upper case names.  If the realm
+   name contains lower case characters each character is to be quoted by
+   a '=' character.  So "MyRealm" would be represented as "M=yR=e=a=l=m"
+   and "myrealm" as "=m=y=r=e=a=l=m".  If the realm name contains the
+   '=' character it will be represented as "==".
+
+
+Overview - KDC location information
+
+   KDC location information is to be stored using the DNS SRV RR [RFC
+   2052].  The format of this RR is as follows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for Kerberos is always "_kerberos".
+
+   The Proto can be either "_udp" or "_tcp".  If these records are to be
+   used, a "_udp" record MUST be included.  If the Kerberos implementa-
+   tion supports TCP transport, a "_tcp" record SHOULD be included.
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
+   meaning as defined in RFC 2052.
+
+Example - KDC location information
+
+   These are DNS records for a Kerberos realm ASDF.COM.  It has two Ker-
+   beros servers, kdc1.asdf.com and kdc2.asdf.com.  Queries should be
+   directed to kdc1.asdf.com first as per the specified priority.
+
+
+
+Hornstein, Altman                                               [Page 2]
+
+RFC DRAFT                                                 March 10, 2000
+
+
+   Weights are not used in these records.
+
+   _kerberos._udp.ASDF.COM.        IN      SRV     0 0 88 kdc1.asdf.com.
+   _kerberos._udp.ASDF.COM.        IN      SRV     1 0 88 kdc2.asdf.com.
+
+Overview - Kerberos password changing server location information
+
+   Kerberos password changing server [KERB-CHG] location is to be stored
+   using the DNS SRV RR [RFC 2052].  The format of this RR is as fol-
+   lows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for the password server is always "_kpasswd".
+
+   The Proto MUST be "_udp".
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
+   meaning as defined in RFC 2052.
+
+Overview - Kerberos admin server location information
+
+   Kerberos admin location information is to be stored using the DNS SRV
+   RR [RFC 2052].  The format of this RR is as follows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for the admin server is always "_kerberos-adm".
+
+   The Proto can be either "_udp" or "_tcp".  If these records are to be
+   used, a "_tcp" record MUST be included.  If the Kerberos admin imple-
+   mentation supports UDP transport, a "_udp" record SHOULD be included.
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
+   meaning as defined in RFC 2052.
+
+   Note that there is no formal definition of a Kerberos admin protocol,
+   so the use of this record is optional and implementation-dependent.
+
+Example - Kerberos administrative server location information
+
+   These are DNS records for a Kerberos realm ASDF.COM.  It has one
+   administrative server, kdc1.asdf.com.
+
+
+
+
+Hornstein, Altman                                               [Page 3]
+
+RFC DRAFT                                                 March 10, 2000
+
+
+   _kerberos-adm._tcp.ASDF.COM.    IN      SRV     0 0 88 kdc1.asdf.com.
+
+Overview - Hostname/domain name to Kerberos realm mapping
+
+   Information on the mapping of DNS hostnames and domain names to Ker-
+   beros realms is stored using DNS TXT records [RFC 1035].  These
+   records have the following format.
+
+   Service.Name TTL Class TXT Realm
+
+   The Service field is always "_kerberos", and prefixes all entries of
+   this type.
+
+   The Name is a DNS hostname or domain name.  This is explained in
+   greater detail below.
+
+   TTL, Class, and TXT have the standard DNS meaning as defined in RFC
+   1035.
+
+   The Realm is the data for the TXT RR, and consists simply of the Ker-
+   beros realm that corresponds to the Name specified.
+
+   When a Kerberos client wishes to utilize a host-specific service, it
+   will perform a DNS TXT query, using the hostname in the Name field of
+   the DNS query.  If the record is not found, the first label of the
+   name is stripped and the query is retried.
+
+   Compliant implementations MUST query the full hostname and the most
+   specific domain name (the hostname with the first label removed).
+   Compliant implementations SHOULD try stripping all subsequent labels
+   until a match is found or the Name field is empty.
+
+Example - Hostname/domain name to Kerberos realm mapping
+
+   For the previously mentioned ASDF.COM realm and domain, some sample
+   records might be as follows:
+
+   _kerberos.asdf.com.             IN      TXT     "ASDF.COM"
+   _kerberos.mrkserver.asdf.com.   IN      TXT     "MARKETING.ASDF.COM"
+   _kerberos.salesserver.asdf.com. IN      TXT     "SALES.ASDF.COM"
+
+   Let us suppose that in this case, a Kerberos client wishes to use a
+   Kerberized service on the host foo.asdf.com.  It would first query:
+
+   _kerberos.foo.asdf.com. IN TXT
+
+   Finding no match, it would then query:
+
+
+
+
+Hornstein, Altman                                               [Page 4]
+
+RFC DRAFT                                                 March 10, 2000
+
+
+   _kerberos.asdf.com. IN TXT
+
+   And find an answer of ASDF.COM.  This would be the realm that
+   foo.asdf.com resides in.
+
+   If another Kerberos client wishes to use a Kerberized service on the
+   host salesserver.asdf.com, it would query:
+
+   _kerberos.salesserver.asdf.com IN TXT
+
+   And find an answer of SALES.ASDF.COM.
+
+Security considerations
+
+   As DNS is deployed today, it is an unsecure service.  Thus the infor-
+   mation returned by it cannot be trusted.
+
+   Current practice for REALM to KDC mapping is to use hostnames to
+   indicate KDC hosts (stored in some implementation-dependent location,
+   but generally a local config file).  These hostnames are vulnerable
+   to the standard set of DNS attacks (denial of service, spoofed
+   entries, etc).  The design of the Kerberos protocol limits attacks of
+   this sort to denial of service.  However, the use of SRV records does
+   not change this attack in any way.  They have the same vulnerabili-
+   ties that already exist in the common practice of using hostnames for
+   KDC locations.
+
+   Current practice for HOSTNAME to REALM mapping is to provide a local
+   configuration of mappings of hostname or domain name to realm which
+   are then mapped to KDCs.  But this again is vulnerable to spoofing
+   via CNAME records that point to hosts in other domains.  This has the
+   same effect as when a TXT record is spoofed.  In a realm with no
+   cross-realm trusts this is a DoS attack.  However, when cross-realm
+   trusts are used it is possible to redirect a client to use a comprom-
+   ised realm.
+
+   This is not an exploit of the Kerberos protocol but of the Kerberos
+   trust model.  The same can be done to any application that must
+   resolve the hostname in order to determine which domain a non-FQDN
+   belongs to.
+
+   Implementations SHOULD provide a way of specifying this information
+   locally without the use of DNS.  However, to make this feature
+   worthwhile a lack of any configuration information on a client should
+   be interpretted as permission to use DNS.
+
+
+
+
+
+
+Hornstein, Altman                                               [Page 5]
+
+RFC DRAFT                                                 March 10, 2000
+
+
+Expiration
+
+   This Internet-Draft expires on September 10, 2000.
+
+References
+
+
+   [RFC1510]
+        The Kerberos Network Authentication System; Kohl, Newman; Sep-
+        tember 1993.
+
+   [RFC1035]
+        Domain Names - Implementation and Specification; Mockapetris;
+        November 1987
+
+   [RFC2782]
+        A DNS RR for specifying the location of services (DNS SRV); Gul-
+        brandsen, Vixie; Feburary 2000
+
+   [KERB-CHG]
+        Kerberos Change Password Protocol; Horowitz;
+        ftp://ds.internic.net/internet-drafts/draft-ietf-cat-kerb-chg-
+        password-02.txt
+
+Authors' Addresses
+
+   Ken Hornstein
+   US Naval Research Laboratory
+   Bldg A-49, Room 2
+   4555 Overlook Avenue
+   Washington DC  20375 USA
+
+   Phone: +1 (202) 404-4765
+   EMail: kenh@cmf.nrl.navy.mil
+
+   Jeffrey Altman
+   The Kermit Project
+   Columbia University
+   612 West 115th Street #716
+   New York NY 10025-7799 USA
+
+   Phone: +1 (212) 854-1344
+   EMail: jaltman@columbia.edu
+
+
+
+
+
+
+
+
+Hornstein, Altman                                               [Page 6]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt
new file mode 100644
index 0000000..11e5dc9
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt
@@ -0,0 +1,1333 @@
+
+INTERNET-DRAFT                                                    Tom Yu
+Common Authentication Technology WG                                  MIT
+draft-ietf-cat-krb5gss-mech2-03.txt                        04 March 2000
+
+           The Kerberos Version 5 GSSAPI Mechanism, Version 2
+
+Status of This Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Comments on this document should be sent to
+   "ietf-cat-wg@lists.stanford.edu", the IETF Common Authentication
+   Technology WG discussion list.
+
+Abstract
+
+   This document defines protocols, procedures, and conventions to be
+   employed by peers implementing the Generic Security Service
+   Application Program Interface (as specified in RFC 2743) when using
+   Kerberos Version 5 technology (as specified in RFC 1510).  This
+   obsoletes RFC 1964.
+
+Acknowledgements
+
+   Much of the material in this specification is based on work done for
+   Cygnus Solutions by Marc Horowitz.
+
+Table of Contents
+
+   Status of This Memo ............................................    1
+   Abstract .......................................................    1
+   Acknowledgements ...............................................    1
+   Table of Contents ..............................................    1
+   1.  Introduction ...............................................    3
+   2.  Token Formats ..............................................    3
+      2.1.  Packet Notation .......................................    3
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 1]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+      2.2.  Mechanism OID .........................................    4
+      2.3.  Context Establishment .................................    4
+         2.3.1.  Option Format ....................................    4
+            2.3.1.1.  Delegated Credentials Option ................    5
+            2.3.1.2.  Null Option .................................    5
+         2.3.2.  Initial Token ....................................    6
+            2.3.2.1.  Data to be Checksummed in APREQ .............    8
+         2.3.3.  Response Token ...................................   10
+      2.4.  Per-message Tokens ....................................   12
+         2.4.1.  Sequence Number Usage ............................   12
+         2.4.2.  MIC Token ........................................   12
+            2.4.2.1.  Data to be Checksummed in MIC Token .........   13
+         2.4.3.  Wrap Token .......................................   14
+            2.4.3.1.  Wrap Token With Integrity Only ..............   14
+            2.4.3.2.  Wrap Token With Integrity and Encryption
+                      .............................................   15
+               2.4.3.2.1.  Data to be Encrypted in Wrap Token .....   16
+   3.  ASN.1 Encoding of Octet Strings ............................   17
+   4.  Name Types .................................................   18
+      4.1.  Mandatory Name Forms ..................................   18
+         4.1.1.  Kerberos Principal Name Form .....................   18
+         4.1.2.  Exported Name Object Form for Kerberos5
+                 Mechanism ........................................   19
+   5.  Credentials ................................................   20
+   6.  Parameter Definitions ......................................   20
+      6.1.  Minor Status Codes ....................................   20
+         6.1.1.  Non-Kerberos-specific codes ......................   21
+         6.1.2.  Kerberos-specific-codes ..........................   21
+   7.  Kerberos Protocol Dependencies .............................   22
+   8.  Security Considerations ....................................   22
+   9.  References .................................................   22
+   10.  Author's Address ..........................................   23
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 2]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+1.  Introduction
+
+   The original Kerberos 5 GSSAPI mechanism[RFC1964] has a number of
+   shortcomings.  This document attempts to remedy them by defining a
+   completely new Kerberos 5 GSSAPI mechanism.
+
+   The context establishment token format requires that the
+   authenticator of AP-REQ messages contain a cleartext data structure
+   in its checksum field, which is a needless and potentially confusing
+   overloading of that field.  This is implemented by a special checksum
+   algorithm whose purpose is to copy the input data directly into the
+   checksum field of the authenticator.
+
+   The number assignments for checksum algorithms and for encryption
+   types are inconsistent between the Kerberos protocol and the original
+   GSSAPI mechanism.  If new encryption or checksum algorithms are added
+   to the Kerberos protocol at some point, the GSSAPI mechanism will
+   need to be separately updated to use these new algorithms.
+
+   The original mechanism specifies a crude method of key derivation (by
+   using the XOR of the context key with a fixed constant), which is
+   incompatible with newer cryptosystems which specify key derivation
+   procedures themselves.  The original mechanism also assumes that both
+   checksums and cryptosystem blocksizes are eight bytes.
+
+   Defining all GSSAPI tokens for the new Kerberos 5 mechanism in terms
+   of the Kerberos protocol specification ensures that new encryption
+   types and checksum types may be automatically used as they are
+   defined for the Kerberos protocol.
+
+2.  Token Formats
+
+   All tokens, not just the initial token, are framed as the
+   InitialContextToken described in RFC 2743 section 3.1.  The
+   innerContextToken element of the token will not itself be encoded in
+   ASN.1, with the exception of caller-provided application data.
+
+   One rationale for avoiding the use of ASN.1 in the inner token is
+   that some implementors may wish to implement this mechanism in a
+   kernel or other similarly constrained application where handling of
+   full ASN.1 encoding may be cumbersome.  Also, due to the poor
+   availability of the relevant standards documents, ASN.1 encoders and
+   decoders are difficult to implement completely correctly, so keeping
+   ASN.1 usage to a minimum decreases the probability of bugs in the
+   implementation of the mechanism.  In particular, bit strings need to
+   be transferred at certain points in this mechanism.  There are many
+   conflicting common misunderstandings of how to encode and decode
+   ASN.1 bit strings, which have led difficulties in the implementaion
+   of the Kerberos protocol.
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 3]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+2.1.  Packet Notation
+
+   The order of transmission of this protocol is described at the octet
+   level.  Packet diagrams depict bits in the order of transmission,
+   assuming that individual octets are transmitted with the most
+   significant bit (MSB) first.  The diagrams read from left to right
+   and from top to bottom, as in printed English.  In each octet, bit
+   number 7 is the MSB and bit number 0 is the LSB.
+
+   Numbers prefixed by the characters "0x" are in hexadecimal notation,
+   as in the C programming language.  Even though packet diagrams are
+   drawn 16 bits wide, no padding should be used to align the ends of
+   variable-length fields to a 32-bit or 16-bit boundary.
+
+   All integer fields are in network byte order.  All other fields have
+   the size shown in the diagrams, with the exception of variable length
+   fields.
+
+2.2.  Mechanism OID
+
+   The Object Identifier (OID) of the new krb5 v2 mechanism is:
+
+   {iso(1) member-body(2) us(840) mit(113554) infosys(1) gssapi(2)
+   krb5v2(3)}
+
+
+2.3.  Context Establishment
+
+2.3.1.  Option Format
+
+   Context establishment tokens, i.e., the initial ones that the
+   GSS_Init_sec_context() and the GSS_Accept_sec_context() calls emit
+   while a security context is being set up, may contain options that
+   influence the subsequent behavior of the context.  This document
+   describes only a small set of options, but additional types may be
+   added by documents intended to supplement this one.  The generic
+   format is as follows:
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                          option type                          |
+     +-------------------------------+-------------------------------+
+  2  |                                                               |
+     +--                  option length (32 bits)                  --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+  6  |                               .                               |
+     /                 option data (variable length)                 /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 4]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   option type (16 bits)
+        The type identifier of the following option.
+
+   option length (32 bits)
+        The length in bytes of the following option.
+
+   option data (variable length)
+        The actual option data.
+
+   Any number of options may appear in an initator or acceptor token.
+   The final option in a token must be the null option, in order to mark
+   the end of the list.  Option type 0xffff is reserved.
+
+   The initiator and acceptor shall ignore any options that they do not
+   understand.
+
+2.3.1.1.  Delegated Credentials Option
+
+   Only the initiator may use this option.  The format of the delegated
+   credentials option is as follows:
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                     option type = 0x00001                     |
+     +-------------------------------+-------------------------------+
+  2  |                                                               |
+     +--                      KRB-CRED length                      --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+  6  |                               .                               |
+     /                        KRB-CRED message                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   option type (16 bits)
+        The option type for this option shall be 0x0001.
+
+   KRB-CRED length (32 bits)
+        The length in bytes of the following KRB-CRED message.
+
+   KRB-CRED message (variable length)
+        The option data for this option shall be the KRB-CRED message
+        that contains the credentials being delegated (forwarded) to the
+        context acceptor.  Only the initiator may use this option.
+
+2.3.1.2.  Null Option
+
+   The Null option terminates the option list, and must be used by both
+   the initiator and the acceptor.  Its format is as follows:
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 5]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                        option type = 0                        |
+     +-------------------------------+-------------------------------+
+  2  |                                                               |
+     +--                         length = 0                        --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+
+
+   option type (16 bits)
+        The option type of this option must be zero.
+
+   option length (32 bits)
+        The length of this option must be zero.
+
+2.3.2.  Initial Token
+
+   This is the initial token sent by the context initiator, generated by
+   GSS_Init_sec_context().
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                   initial token id = 0x0101                   |
+     +-------------------------------+-------------------------------+
+  2  |                                                               |
+     +--         reserved flag bits          +-----------------------+
+  4  |                                       | I | C | S | R | M | D |
+     +-------------------------------+-------------------------------+
+  6  |                      checksum type count                      |
+     +-------------------------------+-------------------------------+
+  8  |                               .                               |
+     /                       checksum type list                      /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  n  |                               .                               |
+     /                            options                            /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  m  |                                                               |
+     +--                       AP-REQ length                       --+
+ m+2 |                                                               |
+     +-------------------------------+-------------------------------+
+ m+4 |                               .                               |
+     /                          AP-REQ data                          /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   initial token ID (16 bits)
+        Contains the integer 0x0101, which identifies this as the
+        initial token in the context setup.
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 6]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   reserved flag bits (26 bits)
+        These bits are reserved for future expansion.  They must be set
+        to zero by the initiator and be ignored by the acceptor.
+
+   I flag (1 bit)
+        0x00000020 -- GSS_C_INTEG_FLAG
+
+   C flag (1 bit)
+        0x00000010 -- GSS_C_CONF_FLAG
+
+   S flag (1 bit)
+        0x00000008 -- GSS_C_SEQUENCE_FLAG
+
+   R flag (1 bit)
+        0x00000004 -- GSS_C_REPLAY_FLAG
+
+   M flag (1 bit)
+        0x00000002 -- GSS_C_MUTUAL_FLAG
+
+   D flag (1 bit)
+        0x00000001 -- GSS_C_DELEG_FLAG; This flag must be set if the
+        "delegated credentials" option is included.
+
+   checksum type count (16 bits)
+        The number of checksum types supported by the initiator.
+
+   checksum type list (variable length)
+        A list of Kerberos checksum types, as defined in RFC 1510
+        section 6.4. These checksum types must be collision-proof and
+        keyed with the context key; no checksum types that are
+        incompatible with the encryption key shall be used.  Each
+        checksum type number shall be 32 bits wide.  This list should
+        contain all the checksum types supported by the initiator.  If
+        mutual authentication is not used, then this list shall contain
+        only one checksum type.
+
+   options (variable length)
+        The context initiation options, described in section 2.3.1.
+
+   AP-REQ length (32 bits)
+        The length of the following KRB_AP_REQ message.
+
+   AP-REQ data (variable length)
+        The AP-REQ message as described in RFC 1510.  The checksum in
+        the authenticator will be computed over the items listed in the
+        next section.
+
+   The optional sequence number field shall be used in the AP-REQ.  The
+   initiator should generate a subkey in the authenticator, and the
+   acceptor should generate a subkey in the AP-REP.  The key used for
+   the per-message tokens will be the AP-REP subkey, or if that is not
+   present, the authenticator subkey, or if that is not present, the
+   session key.  When subkeys are generated, it is strongly recommended
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 7]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   that they be of the same type as the associated session key.
+
+   XXX The above is not secure.  There should be an algorithmic process
+   to arrive at a subsession key which both sides of the authentication
+   exchange can perform based on the ticket sessions key and data known
+   to both parties, and this should probably be part of the revised
+   Kerberos protocol rather than bound to the GSSAPI mechanism.
+
+2.3.2.1.  Data to be Checksummed in AP-REQ
+
+   The checksum in the AP-REQ message is calculated over the following
+   items.  Like in the actual tokens, no padding should be added to
+   force integer fields to align on 32 bit boundaries.  This particular
+   set of data should not be sent as a part of any token; it merely
+   specifies what is to be checksummed in the AP-REQ.  The items in this
+   encoding that precede the initial token ID correspond to the channel
+   bindings passed to GSS_Init_sec_context().
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 8]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                                                               |
+     +--                   initiator address type                  --+
+  2  |                                                               |
+     +-------------------------------+-------------------------------+
+  4  |                    initiator address length                   |
+     +-------------------------------+-------------------------------+
+  6  |                               .                               |
+     /                       initiator address                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  n  |                                                               |
+     +--                   acceptor address type                   --+
+     |                                                               |
+     +-------------------------------+-------------------------------+
+ n+4 |                    acceptor address length                    |
+     +-------------------------------+-------------------------------+
+ n+6 |                               .                               |
+     /                        acceptor address                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  m  |                               .                               |
+     /                        application data                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  k  |                   initial token id = 0x0101                   |
+     +-------------------------------+-------------------------------+
+ k+2 |                                                               |
+     +--                           flags                           --+
+ k+4 |                                                               |
+     +-------------------------------+-------------------------------+
+ k+6 |                      checksum type count                      |
+     +-------------------------------+-------------------------------+
+ k+8 |                               .                               |
+     /                       checksum type list                      /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  j  |                               .                               |
+     /                            options                            /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   initiator address type (32 bits)
+        The initiator address type, as defined in the Kerberos protocol
+        specification.  If no initiator address is provided, this must
+        be zero.
+
+   initiator address length (16 bits)
+        The length in bytes of the following initiator address.  If
+        there is no inititator address provided, this must be zero.
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 9]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   initiator address (variable length)
+        The actual initiator address, in network byte order.
+
+   acceptor address type (32 bits)
+        The acceptor address type, as defined in the Kerberos protocol
+        specification.  If no acceptor address is provided, this must be
+        zero.
+
+   acceptor address length (16 bits)
+        The length in bytes of the following acceptor address.  This
+        must be zero is there is no acceptor address provided.
+
+   initiator address (variable length)
+        The actual acceptor address, in network byte order.
+
+   applicatation data (variable length)
+        The application data, if provided, encoded as a ASN.1 octet
+        string using DER.  If no application data are passed as input
+        channel bindings, this shall be a zero-length ASN.1 octet
+        string.
+
+   initial token ID (16 bits)
+        The initial token ID from the initial token.
+
+   flags (32 bits)
+        The context establishment flags from the initial token.
+
+   checksum type count (16 bits)
+        The number of checksum types supported by the initiator.
+
+   checksum type list (variable length)
+        The same list of checksum types contained in the initial token.
+
+   options (variable length)
+        The options list from the initial token.
+
+2.3.3.  Response Token
+
+   This is the reponse token sent by the context acceptor, if mutual
+   authentication is enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 10]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                   response token id = 0x0202                  |
+     +-------------------------------+-------------------------------+
+  2  |                                                               |
+     +--                  reserved flag bits                 +-------+
+  4  |                                                       | D | E |
+     +-------------------------------+-------------------------------+
+  6  |                                                               |
+     +--                       checksum type                       --+
+  8  |                                                               |
+     +-------------------------------+-------------------------------+
+ 10  |                               .                               |
+     /                            options                            /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  n  |                                                               |
+     +--                 AP-REP or KRB-ERROR length                --+
+ n+2 |                                                               |
+     +-------------------------------+-------------------------------+
+ n+4 |                               .                               |
+     /                    AP-REP or KRB-ERROR data                   /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  m  |                               .                               |
+     /                            MIC data                           /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   response token id (16 bits)
+        Contains the integer 0x0202, which identifies this as the
+        response token in the context setup.
+
+   reserved flag bits (30 bits)
+        These bits are reserved for future expansion.  They must be set
+        to zero by the acceptor and be ignored by the initiator.
+
+   D flag -- delegated creds accepted (1 bit)
+        0x00000002 -- If this flag is set, the acceptor processed the
+        delegated credentials, and GSS_C_DELEG_FLAG should be returned
+        to the caller.
+
+   E flag -- error (1 bit)
+        0x00000001 -- If this flag is set, a KRB-ERROR message shall be
+        present, rather than an AP-REP message.  If this flag is not
+        set, an AP-REP message shall be present.
+
+   checksum type count (16 bits)
+        The number of checksum types supported by both the initiator and
+        the acceptor.
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 11]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   checksum type (32 bits)
+        A Kerberos checksum type, as defined in RFC 1510 section 6.4.
+        This checksum type must be among the types listed by the
+        initiator, and will be used in for subsequent checksums
+        generated during this security context.
+
+   options (variable length)
+        The option list, as described earlier.  At this time, no options
+        are defined for the acceptor, but an implementation might make
+        use of these options to acknowledge an option from the initial
+        token.  After all the options are specified, a null option must
+        be used to terminate the list.
+
+   AP-REP or KRB-ERROR length (32 bits)
+        Depending on the value of the error flag, length in bytes of the
+        AP-REP or KRB-ERROR message.
+
+   AP-REP or KRB-ERROR data (variable length)
+        Depending on the value of the error flag, the AP-REP or
+        KRB-ERROR message as described in RFC 1510.  If this field
+        contains an AP-REP message, the sequence number field in the
+        AP-REP shall be filled.  If this is a KRB-ERROR message, no
+        further fields will be in this message.
+
+   MIC data (variable length)
+        A MIC token, as described in section 2.4.2, computed over the
+        concatentation of the response token ID, flags, checksum length
+        and type fields, and all option fields.  This field and the
+        preceding length field must not be present if the error flag is
+        set.
+
+2.4.  Per-message Tokens
+
+2.4.1.  Sequence Number Usage
+
+   Sequence numbers for per-message tokens are 31 bit unsigned integers,
+   which are incremented by 1 after each token.  An overflow condition
+   should result in a wraparound of the sequence number to zero.  The
+   initiator and acceptor each keep their own sequence numbers per
+   connection.
+
+   The intial sequence number for tokens sent from the initiator to the
+   acceptor shall be the least significant 31 bits of sequence number in
+   the AP-REQ message.  The initial sequence number for tokens sent from
+   the acceptor to the initiator shall be the least significant 31 bits
+   of the sequence number in the AP-REP message if mutual authentication
+   is used; if mutual authentication is not used, the initial sequence
+   number from acceptor to initiator shall be the least significant 31
+   bits of the sequence number in the AP-REQ message.
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 12]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+2.4.2.  MIC Token
+
+   Use of the GSS_GetMIC() call yields a token, separate from the user
+   data being protected, which can be used to verify the integrity of
+   that data when it is received.  The MIC token has the following
+   format:
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                     MIC token id = 0x0303                     |
+     +-------------------------------+-------------------------------+
+  2  | D |                                                           |
+     +---+                     sequence number                     --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+  6  |                        checksum length                        |
+     +-------------------------------+-------------------------------+
+  8  |                               .                               |
+     /                         checksum data                         /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   MIC token id (16 bits)
+        Contains the integer 0x0303, which identifies this as a MIC
+        token.
+
+   D -- direction bit (1 bit)
+        This bit shall be zero if the message is sent from the context
+        initiator.  If the message is sent from the context acceptor,
+        this bit shall be one.
+
+   sequence number (31 bits)
+        The sequence number.
+
+   checksum length (16 bits)
+        The number of bytes in the following checksum data field.
+
+   checksum data (variable length)
+        The checksum itself, as defined in RFC 1510 section 6.4.  The
+        checksum is calculated over the encoding described in the
+        following section.  The key usage GSS_TOK_MIC -- 22 [XXX need to
+        register this] shall be used in cryptosystems that support key
+        derivation.
+
+   The mechanism implementation shall only use the checksum type
+   returned by the acceptor in the case of mutual authentication.  If
+   mutual authentication is not requested, then only the checksum type
+   in the initiator token shall be used.
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 13]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+2.4.2.1.  Data to be Checksummed in MIC Token
+
+   The checksum in the MIC token shall be calculated over the following
+   elements.  This set of data is not actually included in the token as
+   is; the description only appears for the purpose of specifying the
+   method of calculating the checksum.
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                     MIC token id = 0x0303                     |
+     +-------------------------------+-------------------------------+
+  2  | D |                                                           |
+     +---+                     sequence number                     --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+  6  |                               .                               |
+     /                        application data                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   MIC token ID (16 bits)
+        The MIC token ID from the MIC message.
+
+   D -- direction bit (1 bit)
+        This bit shall be zero if the message is sent from the context
+        initiator.  If the message is sent from the context acceptor,
+        this bit shall be one.
+
+   sequence number (31 bits)
+        The sequence number.
+
+   application data (variable length)
+        The application-supplied data, encoded as an ASN.1 octet string
+        using DER.
+
+2.4.3.  Wrap Token
+
+   Use of the GSS_Wrap() call yields a token which encapsulates the
+   input user data (optionally encrypted) along with associated
+   integrity check quantities.
+
+2.4.3.1.  Wrap Token With Integrity Only
+
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 14]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                integrity wrap token id = 0x0404               |
+     +-------------------------------+-------------------------------+
+  2  | D |                                                           |
+     +---+                     sequence number                     --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+  6  |                               .                               |
+     /                        application data                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  n  |                        checksum length                        |
+     +-------------------------------+-------------------------------+
+ n+2 |                               .                               |
+     /                         checksum data                         /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   integrity wrap token id (16 bits)
+        Contains the integer 0x0404, which identifies this as a Wrap
+        token with integrity only.
+
+   D -- direction bit (1 bit)
+        This bit shall be zero if the message is sent from the context
+        initiator.  If the message is sent from the context acceptor,
+        this bit shall be one.
+
+   sequence number (31 bits)
+        The sequence number.
+
+   application data (variable length)
+        The application-supplied data, encoded as an ASN.1 octet string
+        using DER.
+
+   checksum length (16 bits)
+        The number of bytes in the following checksum data field.
+
+   checksum data (variable length)
+        The checksum itself, as defined in RFC 1510 section 6.4,
+        computed over the concatenation of the token ID, sequence
+        number, direction field, application data length, and
+        application data, as in the MIC token checksum in the previous
+        section.  The key usage GSS_TOK_WRAP_INTEG -- 23 [XXX need to
+        register this] shall be used in cryptosystems that support key
+        derivation.
+
+   The mechanism implementation should only use checksum types which it
+   knows to be valid for both peers, as described for MIC tokens.
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 15]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+2.4.3.2.  Wrap Token With Integrity and Encryption
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+     |                encrypted wrap token id = 0x0505               |
+     +-------------------------------+-------------------------------+
+  2  |                               .                               |
+     /                         encrypted data                        /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   encrypted wrap token id (16 bits)
+        Contains the integer 0x0505, which identifies this as a Wrap
+        token with integrity and encryption.
+
+   encrypted data (variable length)
+        The encrypted data itself, as defined in RFC 1510 section 6.3,
+        encoded as an ASN.1 octet string using DER.  Note that this is
+        not the ASN.1 type EncryptedData as defined in RFC 1510
+        section 6.1, but rather the ciphertext without encryption type
+        or kvno information.  The encryption is performed using the
+        key/enctype exchanged during context setup.  The confounder and
+        checksum are as specified in the Kerberos protocol
+        specification.  The key usage GSS_TOK_WRAP_PRIV -- 24 [XXX need
+        to register this] shall be used in cryptosystems that support
+        key derivation.  The actual data to be encrypted are specified
+        below.
+
+2.4.3.2.1.  Data to be Encrypted in Wrap Token
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  | D |                                                           |
+     +---+                     sequence number                     --+
+  2  |                                                               |
+     +-------------------------------+-------------------------------+
+  4  |                               .                               |
+     /                        application data                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   D -- direction bit (1 bit)
+        This bit shall be zero if the message is sent from the context
+        initiator.  If the message is sent from the context acceptor,
+        this bit shall be one.
+
+   sequence number (31 bits)
+        The sequence number.
+
+   application data (variable length)
+        The application-supplied data, encoded as an ASN.1 octet string
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 16]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+        using DER.
+
+3.  ASN.1 Encoding of Octet Strings
+
+   In order to encode arbitirarly-sized application data, ASN.1 octet
+   string encoding is in this protocol.  The Distinguished Encoding
+   Rules (DER) shall always be used in such cases.  For reference
+   purposes, the DER encoding of an ASN.1 octet string, adapted from
+   ITU-T X.690, follows:
+
+   +--------+-------//-------+-------//-------+
+   |00000100| length octets  |contents octets |
+   +--------+-------//-------+-------//-------+
+    |
+    +-- identifier octet = 0x04 = [UNIVERSAL 4]
+
+
+   In this section only, the bits in each octet shall be numbered as in
+   the ASN.1 specification, from 8 to 1, with bit 8 being the MSB of the
+   octet, and with bit 1 being the LSB of the octet.
+
+   identifier octet (8 bits)
+        Contains the constant 0x04, the tag for primitive encoding of an
+        octet string with the default (UNIVERSAL 4) tag.
+
+   length octets (variable length)
+        Contains the length of the contents octets, in definite form
+        (since this encoding uses DER).
+
+   contents octets (variable length)
+        The contents of the octet string.
+
+   The length octets shall consist of either a short form (one byte
+   only), which is to be used only if the number of octets in the
+   contents octets is less than or equal to 127, or a long form, which
+   is to be used in all other cases.  The short form shall consist of a
+   single octet with bit 8 (the MSB) equal to zero, and the remaining
+   bits encoding the number of contents octets (which may be zero) as an
+   unsigned binary integer.
+
+   The long form shall consist of an initial octet and one or more
+   subsequent octets.  The first octet shall have bit 8 (the MSB) set to
+   one, and the remaining bits shall encode the number of subsequent
+   octets in the length encoding as an unsigned binary integer.  The
+   length must be encoded in the minimum number of octets.  An initial
+   octet of 0xFF is reserved by the ASN.1 specification.  Bits 8 to 1 of
+   the first subsequent octet, followed by bits 8 to 1 of each
+   subsequent octet in order, shall be the encoding of an unsigned
+   binary integer, with bit 8 of the first octet being the most
+   significant bit.  Thus, the length encoding within is in network byte
+   order.
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 17]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   An initial length octet of 0x80 shall not be used, as that is
+   reserved by the ASN.1 specification for indefinite lengths in
+   conjunction with constructed contents encodings, which are not to be
+   used with DER.
+
+4.  Name Types
+
+   This section discusses the name types which may be passed as input to
+   the Kerberos 5 GSSAPI mechanism's GSS_Import_name() call, and their
+   associated identifier values.  It defines interface elements in
+   support of portability, and assumes use of C language bindings per
+   RFC 2744.  In addition to specifying OID values for name type
+   identifiers, symbolic names are included and recommended to GSSAPI
+   implementors in the interests of convenience to callers.  It is
+   understood that not all implementations of the Kerberos 5 GSSAPI
+   mechanism need support all name types in this list, and that
+   additional name forms will likely be added to this list over time.
+   Further, the definitions of some or all name types may later migrate
+   to other, mechanism-independent, specifications.  The occurrence of a
+   name type in this specification is specifically not intended to
+   suggest that the type may be supported only by an implementation of
+   the Kerberos 5 mechanism.  In particular, the occurrence of the
+   string "_KRB5_" in the symbolic name strings constitutes a means to
+   unambiguously register the name strings, avoiding collision with
+   other documents; it is not meant to limit the name types' usage or
+   applicability.
+
+   For purposes of clarification to GSSAPI implementors, this section's
+   discussion of some name forms describes means through which those
+   forms can be supported with existing Kerberos technology.  These
+   discussions are not intended to preclude alternative implementation
+   strategies for support of the name forms within Kerberos mechanisms
+   or mechanisms based on other technologies.  To enhance application
+   portability, implementors of mechanisms are encouraged to support
+   name forms as defined in this section, even if their mechanisms are
+   independent of Kerberos 5.
+
+4.1.  Mandatory Name Forms
+
+   This section discusses name forms which are to be supported by all
+   conformant implementations of the Kerberos 5 GSSAPI mechanism.
+
+4.1.1.  Kerberos Principal Name Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) us(840) mit(113554) infosys(1) gssapi(2) krb5(2)
+   krb5_name(1)}.  The recommended symbolic name for this type is
+   "GSS_KRB5_NT_PRINCIPAL_NAME".
+
+   This name type corresponds to the single-string representation of a
+   Kerberos name.  (Within the MIT Kerberos 5 implementation, such names
+   are parseable with the krb5_parse_name() function.)  The elements
+   included within this name representation are as follows, proceeding
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 18]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   from the beginning of the string:
+
+        (1) One or more principal name components; if more than one
+        principal name component is included, the components are
+        separated by '/'.  Arbitrary octets may be included within
+        principal name components, with the following constraints and
+        special considerations:
+
+           (1a) Any occurrence of the characters '@' or '/' within a
+           name component must be immediately preceded by the '\'
+           quoting character, to prevent interpretation as a component
+           or realm separator.
+
+           (1b) The ASCII newline, tab, backspace, and null characters
+           may occur directly within the component or may be
+           represented, respectively, by '\n', '\t', '\b', or '\0'.
+
+           (1c) If the '\' quoting character occurs outside the contexts
+           described in (1a) and (1b) above, the following character is
+           interpreted literally.  As a special case, this allows the
+           doubled representation '\\' to represent a single occurrence
+           of the quoting character.
+
+           (1d) An occurrence of the '\' quoting character as the last
+           character of a component is illegal.
+
+        (2) Optionally, a '@' character, signifying that a realm name
+        immediately follows. If no realm name element is included, the
+        local realm name is assumed.  The '/' , ':', and null characters
+        may not occur within a realm name; the '@', newline, tab, and
+        backspace characters may be included using the quoting
+        conventions described in (1a), (1b), and (1c) above.
+
+4.1.2.  Exported Name Object Form for Kerberos 5 Mechanism
+
+   When generated by the Kerberos 5 mechanism, the Mechanism OID within
+   the exportable name shall be that of the original Kerberos 5
+   mechanism[RFC1964].  The Mechanism OID for the original Kerberos 5
+   mechanism is:
+
+   {iso(1) member-body(2) us(840) mit(113554) infosys(1) gssapi(2)
+   krb5(2)}
+
+   The name component within the exportable name shall be a contiguous
+   string with structure as defined for the Kerberos Principal Name
+   Form.
+
+   In order to achieve a distinguished encoding for comparison purposes,
+   the following additional constraints are imposed on the export
+   operation:
+
+        (1) all occurrences of the characters '@', '/', and '\' within
+        principal components or realm names shall be quoted with an
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 19]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+        immediately-preceding '\'.
+
+        (2) all occurrences of the null, backspace, tab, or newline
+        characters within principal components or realm names will be
+        represented, respectively, with '\0', '\b', '\t', or '\n'.
+
+        (3) the '\' quoting character shall not be emitted within an
+        exported name except to accomodate cases (1) and (2).
+
+5.  Credentials
+
+   The Kerberos 5 protocol uses different credentials (in the GSSAPI
+   sense) for initiating and accepting security contexts.  Normal
+   clients receive a ticket-granting ticket (TGT) and an associated
+   session key at "login" time; the pair of a TGT and its corresponding
+   session key forms a credential which is suitable for initiating
+   security contexts.  A ticket-granting ticket, its session key, and
+   any other (ticket, key) pairs obtained through use of the
+   ticket-granting-ticket, are typically stored in a Kerberos 5
+   credentials cache, sometimes known as a ticket file.
+
+   The encryption key used by the Kerberos server to seal tickets for a
+   particular application service forms the credentials suitable for
+   accepting security contexts.  These service keys are typically stored
+   in a Kerberos 5 key table (keytab), or srvtab file (the Kerberos 4
+   terminology).  In addition to their use as accepting credentials,
+   these service keys may also be used to obtain initiating credentials
+   for their service principal.
+
+   The Kerberos 5 mechanism's credential handle may contain references
+   to either or both types of credentials.  It is a local matter how the
+   Kerberos 5 mechanism implementation finds the appropriate Kerberos 5
+   credentials cache or key table.
+
+   However, when the Kerberos 5 mechanism attempts to obtain initiating
+   credentials for a service principal which are not available in a
+   credentials cache, and the key for that service principal is
+   available in a Kerberos 5 key table, the mechanism should use the
+   service key to obtain initiating credentials for that service.  This
+   should be accomplished by requesting a ticket-granting-ticket from
+   the Kerberos Key Distribution Center (KDC), and decrypting the KDC's
+   reply using the service key.
+
+6.  Parameter Definitions
+
+   This section defines parameter values used by the Kerberos V5 GSSAPI
+   mechanism.  It defines interface elements in support of portability,
+   and assumes use of C language bindings per RFC 2744.
+
+6.1.  Minor Status Codes
+
+   This section recommends common symbolic names for minor_status values
+   to be returned by the Kerberos 5 GSSAPI mechanism.  Use of these
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 20]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   definitions will enable independent implementors to enhance
+   application portability across different implementations of the
+   mechanism defined in this specification.  (In all cases,
+   implementations of GSS_Display_status() will enable callers to
+   convert minor_status indicators to text representations.)  Each
+   implementation should make available, through include files or other
+   means, a facility to translate these symbolic names into the concrete
+   values which a particular GSSAPI implementation uses to represent the
+   minor_status values specified in this section.
+
+   It is recognized that this list may grow over time, and that the need
+   for additional minor_status codes specific to particular
+   implementations may arise.  It is recommended, however, that
+   implementations should return a minor_status value as defined on a
+   mechanism-wide basis within this section when that code is accurately
+   representative of reportable status rather than using a separate,
+   implementation-defined code.
+
+6.1.1.  Non-Kerberos-specific codes
+
+   These symbols should likely be incorporated into the generic GSSAPI
+   C-bindings document, since they really are more general.
+
+GSS_KRB5_S_G_BAD_SERVICE_NAME
+        /* "No @ in SERVICE-NAME name string" */
+GSS_KRB5_S_G_BAD_STRING_UID
+        /* "STRING-UID-NAME contains nondigits" */
+GSS_KRB5_S_G_NOUSER
+        /* "UID does not resolve to username" */
+GSS_KRB5_S_G_VALIDATE_FAILED
+        /* "Validation error" */
+GSS_KRB5_S_G_BUFFER_ALLOC
+        /* "Couldn't allocate gss_buffer_t data" */
+GSS_KRB5_S_G_BAD_MSG_CTX
+        /* "Message context invalid" */
+GSS_KRB5_S_G_WRONG_SIZE
+        /* "Buffer is the wrong size" */
+GSS_KRB5_S_G_BAD_USAGE
+        /* "Credential usage type is unknown" */
+GSS_KRB5_S_G_UNKNOWN_QOP
+        /* "Unknown quality of protection specified" */
+
+
+6.1.2.  Kerberos-specific-codes
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 21]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+GSS_KRB5_S_KG_CCACHE_NOMATCH
+        /* "Principal in credential cache does not match desired name" */
+GSS_KRB5_S_KG_KEYTAB_NOMATCH
+        /* "No principal in keytab matches desired name" */
+GSS_KRB5_S_KG_TGT_MISSING
+        /* "Credential cache has no TGT" */
+GSS_KRB5_S_KG_NO_SUBKEY
+        /* "Authenticator has no subkey" */
+GSS_KRB5_S_KG_CONTEXT_ESTABLISHED
+        /* "Context is already fully established" */
+GSS_KRB5_S_KG_BAD_SIGN_TYPE
+        /* "Unknown signature type in token" */
+GSS_KRB5_S_KG_BAD_LENGTH
+        /* "Invalid field length in token" */
+GSS_KRB5_S_KG_CTX_INCOMPLETE
+        /* "Attempt to use incomplete security context" */
+
+
+7.  Kerberos Protocol Dependencies
+
+   This protocol makes several assumptions about the Kerberos protocol,
+   which may require changes to the successor of RFC 1510.
+
+   Sequence numbers, checksum types, and address types are assumed to be
+   no wider than 32 bits.  The Kerberos protocol specification might
+   need to be modified to accomodate this.  This obviously requires some
+   further discussion.
+
+   Key usages need to be registered within the Kerberos protocol for use
+   with GSSAPI per-message tokens.  The current specification of the
+   Kerberos protocol does not include descriptions of key derivations or
+   key usages, but planned revisions to the protocol will include them.
+
+   This protocol also makes the assumption that any cryptosystem used
+   with the session key will include integrity protection, i.e., it
+   assumes that no "raw" cryptosystems will be used.
+
+8.  Security Considerations
+
+   The GSSAPI is a security protocol; therefore, security considerations
+   are discussed throughout this document.  The original Kerberos 5
+   GSSAPI mechanism's constraints on possible cryptosystems and checksum
+   types do not permit it to be readily extended to accomodate more
+   secure cryptographic technologies with larger checksums or encryption
+   block sizes.  Sites are strongly encouraged to adopt the mechanism
+   specified in this document in the light of recent publicity about the
+   deficiencies of DES.
+
+9.  References
+
+   [X.680] ISO/IEC, "Information technology -- Abstract Syntax Notation
+   One (ASN.1): Specification of basic notation", ITU-T X.680 (1997) |
+   ISO/IEC 8824-1:1998
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 22]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   [X.690] ISO/IEC, "Information technology -- ASN.1 encoding rules:
+   Specification of Basic Encoding Rules (BER), Canonical Encoding Rules
+   (CER) and Distinguished Encoding Rules (DER)", ITU-T X.690 (1997) |
+   ISO/IEC 8825-1:1998.
+
+   [RFC1510] Kohl, J., Neumann, C., "The Kerberos Network Authentication
+   Service (V5)", RFC 1510.
+
+   [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
+   RFC 1964.
+
+   [RFC2743] Linn, J., "Generic Security Service Application Program
+   Interface, Version 2, Update 1", RFC 2743.
+
+   [RFC2744] Wray, J., "Generic Security Service API Version 2:
+   C-bindings", RFC 2744.
+
+10.  Author's Address
+
+   Tom Yu
+   Massachusetts Institute of Technology
+   Room E40-345
+   77 Massachusetts Avenue
+   Cambridge, MA 02139
+   USA
+
+   email: tlyu@mit.edu
+   phone: +1 617 253 1753
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 23]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt b/crypto/heimdal/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt
new file mode 100644
index 0000000..24325fd
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt
@@ -0,0 +1,281 @@
+CAT Working Group                                           K. Raeburn
+Internet-draft                                                     MIT
+Category:                                                July 14, 2000
+Updates: RFC 1964
+Document: draft-raeburn-cat-gssapi-krb5-3des-00.txt
+
+        Triple-DES Support for the Kerberos 5 GSSAPI Mechanism
+
+Status of this Memo
+ 
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts
+   are working documents of the Internet Engineering Task Force
+   (IETF), its areas, and its working groups. Note that other groups
+   may also distribute working documents as
+   Internet-Drafts. Internet-Drafts are draft documents valid for a
+   maximum of six months and may be updated, replaced, or obsoleted by
+   other documents at any time. It is inappropriate to use
+   Internet-Drafts as reference material or to cite them other than as
+   "work in progress."
+     
+   The list of current Internet-Drafts can be accessed at 
+   http://www.ietf.org/ietf/1id-abstracts.txt  
+
+   The list of Internet-Draft Shadow Directories can be accessed at 
+   http://www.ietf.org/shadow.html. 
+    
+1. Abstract 
+
+   The MIT Kerberos 5 release version 1.2 includes support for
+   triple-DES with key derivation [KrbRev].  Recent work by the EFF
+   [EFF] has demonstrated the vulnerability of single-DES mechanisms
+   to brute-force attacks by sufficiently motivated and well-funded
+   parties.
+
+   The GSSAPI Kerberos 5 mechanism definition [GSSAPI-KRB5]
+   specifically enumerates encryption and checksum types,
+   independently of how such schemes may be used in Kerberos.  In the
+   long run, a new Kerberos-based mechanism, which does not require
+   separately enumerating for the GSSAPI mechanism each of the
+   encryption types defined by Kerberos, appears to be a better
+   approach.  Efforts to produce such a specification are under way.
+
+   In the interest of providing increased security in the interim,
+   however, MIT is proposing adding support for triple-DES to the
+   existing mechanism, as described here.
+
+2. Conventions Used in this Document
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
+   this document are to be interpreted as described in RFC 2119.
+
+3. New Algorithm Identifiers
+
+   One new sealing algorithm is defined, for use in WRAP tokens:
+
+   02 00 - DES3-KD
+
+   This algorithm uses triple-DES with key derivation, with a usage
+   value KG_USAGE_SEAL.  Padding is still to 8-byte multiples, and the
+   IV for encrypting application data is zero.
+
+   One new signing algorithm is defined, for use in MIC, Wrap, and
+   Delete tokens:
+
+   04 00 - HMAC SHA1 DES3-KD
+
+   This algorithm generates an HMAC using SHA-1 and a derived DES3 key
+   with usage KG_USAGE_SIGN, as (ought to be described) in [KrbRev].
+
+   [XXX: The current [KrbRev] description refers to expired I-Ds from
+   Marc Horowitz.  The text in [KrbRev] may be inadequate to produce
+   an interoperable implementation.]
+
+   The checksum size for this algorithm is 20 octets.  See section 5.3
+   below for the use of checksum lengths of other than eight bytes.
+
+4. Key Derivation
+
+   For purposes of key derivation, we add three new usage values to the
+   list defined in [KrbRev]; one for signing messages, one for
+   sealing messages, and one for encrypting sequence numbers:
+
+   #define KG_USAGE_SEAL 22
+   #define KG_USAGE_SIGN 23
+   #define KG_USAGE_SEQ  24
+
+5. Adjustments to Previous Definitions
+
+5.1. Quality of Protection
+
+   The GSSAPI specification [GSSAPI] says that a zero QOP value
+   indicates the "default".  The original specification for the
+   Kerberos 5 mechanism says that a zero QOP value (or a QOP value
+   with the appropriate bits clear) means DES encryption.
+
+   Rather than continue to force the use of plain DES when the
+   application doesn't use mechanism-specific QOP values, the better
+   choice appears to be to redefine the DES QOP value as some non-zero
+   value, and define a triple-DES value as well.  Then a zero value
+   continues to imply the default, which would be triple-DES
+   protection when given a triple-DES session key.
+
+   Our values are:
+
+   GSS_KRB5_INTEG_C_QOP_HMAC_SHA1        0x0004
+            /* SHA-1 checksum encrypted with key derivation */
+
+   GSS_KRB5_CONF_C_QOP_DES               0x0100
+            /* plain DES encryption */
+   GSS_KRB5_CONF_C_QOP_DES3_KD           0x0200
+            /* triple-DES with key derivation */
+
+   Rather than open the question of whether to specify means for
+   deriving a key of one type given a key of another type, and the
+   security implications of whether to generate a long key from a
+   shorter one, our implementation will simply return an error if the
+   QOP value specified does not correspond to the session key type.
+
+   [Implementation note: MIT's code does not implement QoP, and
+   returns an error for any non-zero QoP value.]
+
+5.2. MIC Sequence Number Encryption
+
+   The sequence numbers are encrypted in the context key (as defined
+   in [GSSAPI-KRB5] -- this will be either the Kerberos session key or
+   asubkey provided by the context initiator), using whatever
+   encryption system is designated by the type of that context key.
+   The IV is formed from the first N bytes of the SGN_CKSUM field,
+   where N is the number of bytes needed for the IV.  (With all
+   algorithms described here and in [GSSAPI-KRB5], the checksum is at
+   least as large as the IV.)
+
+5.3. Message Layout
+
+   Both MIC and Wrap tokens, as defined in [GSSAPI-KRB5], contain an
+   checksum field SGN_CKSUM.  In [GSSAPI-KRB5], this field was
+   specified as being 8 bytes long.  We now change this size to be
+   "defined by the checksum algorithm", and retroactively amend the
+   descriptions of all the checksum algorithms described in
+   [GSSAPI-KRB5] to explicitly specify 8-byte output.  Application
+   data continues to immediately follow the checksum field in the Wrap
+   token.
+
+   The revised message descriptions are thus:
+
+   MIC:
+
+   Byte no          Name           Description
+    0..1           TOK_ID          Identification field.
+    2..3           SGN_ALG         Integrity algorithm indicator.
+    4..7           Filler          Contains ff ff ff ff
+    8..15          SND_SEQ         Sequence number field.
+    16..s+15       SGN_CKSUM       Checksum of "to-be-signed data",
+                                   calculated according to algorithm
+                                   specified in SGN_ALG field.
+
+   Wrap:
+
+   Byte no          Name           Description
+    0..1           TOK_ID          Identification field.
+                                   Tokens emitted by GSS_Wrap() contain
+                                   the hex value 02 01 in this field.
+    2..3           SGN_ALG         Checksum algorithm indicator.
+    4..5           SEAL_ALG        Sealing algorithm indicator.
+    6..7           Filler          Contains ff ff
+    8..15          SND_SEQ         Encrypted sequence number field.
+    16..s+15       SGN_CKSUM       Checksum of plaintext padded data,
+                                   calculated according to algorithm
+                                   specified in SGN_ALG field.
+    s+16..last     Data            encrypted or plaintext padded data
+
+   Where "s" indicates the size of the checksum.
+
+   As indicated above in section 2, we define the HMAC SHA1 DES3-KD
+   checksum algorithm to produce a 20-byte output, so encrypted data
+   begins at byte 36.
+
+6. Backwards Compatibility Considerations
+
+   The context initiator SHOULD request of the KDC credentials using
+   session-key cryptosystem types supported by that implementation; if
+   the only types returned by the KDC are not supported by the
+   mechanism implementation, it MUST indicate a failure.  This may
+   seem obvious, but early implementations of both Kerberos and the
+   GSSAPI Kerberos mechanism supported only DES keys, so the
+   cryptosystem compatibility question was easy to overlook.
+
+   Under the current mechanism, no negotiation of algorithm types
+   occurs, so server-side (acceptor) implementations cannot request
+   that clients not use algorithm types not understood by the server.
+   However, administration of the server's Kerberos data has to be
+   done in communication with the KDC, and it is from the KDC that the
+   client will request credentials.  The KDC could therefore be tasked
+   with limiting session keys for a given service to types actually
+   supported by the Kerberos and GSSAPI software on the server.
+
+   This does have a drawback for cases where a service principal name
+   is used both for GSSAPI-based and non-GSSAPI-based communication,
+   if the GSSAPI implementation does not understand triple-DES but the
+   Kerberos implementation does.  It means that triple-DES session
+   keys cannot be issued for that service principal, which keeps the
+   protection of non-GSSAPI services weaker than necessary.  However,
+   in the most recent MIT releases thus far, while triple-DES support
+   has been present, it has required additional work to enable, so it
+   is not likely to be in use for many services.
+
+   It would also be possible to have clients attempt to get single-DES
+   session keys before trying to get triple-DES session keys, and have
+   the KDC refuse to issue the single-DES keys only for the most
+   critical of services, for which single-DES protection is considered
+   inadequate.  However, that would eliminate the possibility of
+   connecting with the more secure cryptosystem to any service that
+   can be accessed with the weaker cryptosystem.
+
+   We have chosen to go with the former approach, putting the burden
+   on the KDC administration and gaining the best protection possible
+   for GSSAPI services, possibly at the cost of protection of
+   non-GSSAPI Kerberos services running earlier versions of the
+   software.
+
+6. Security Considerations
+
+   Various tradeoffs arise regarding the mixing of new and old
+   software, or GSSAPI-based and non-GSSAPI Kerberos authentication.
+   They are discussed in section 5.
+
+7. References
+
+   [EFF] Electronic Frontier Foundation, "Cracking DES: Secrets of
+   Encryption Research, Wiretap Politics, and Chip Design", O'Reilly &
+   Associates, Inc., May, 1998.
+
+   [GSSAPI] Linn, J., "Generic Security Service Application Program
+   Interface Version 2, Update 1", RFC 2743, January, 2000.
+
+   [GSSAPI-KRB5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
+   RFC 1964, June, 1996.
+
+   [KrbRev] Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network
+   Authentication Service (V5)",
+   draft-ietf-cat-kerberos-revisions-05.txt, March 10, 2000.
+
+   [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
+   3", RFC 2026, October, 1996.
+
+8. Author's Address
+
+   Kenneth Raeburn
+   Massachusetts Institute of Technology
+   77 Massachusetts Avenue
+   Cambridge, MA 02139
+
+9. Full Copyright Statement
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved. 
+    
+   This document and translations of it may be copied and furnished to 
+   others, and derivative works that comment on or otherwise explain it 
+   or assist in its implementation may be prepared, copied, published 
+   and distributed, in whole or in part, without restriction of any 
+   kind, provided that the above copyright notice and this paragraph 
+   are included on all such copies and derivative works.  However, this   
+   document itself may not be modified in any way, such as by removing   
+   the copyright notice or references to the Internet Society or other   
+   Internet organizations, except as needed for the purpose of 
+   developing Internet standards in which case the procedures for 
+   copyrights defined in the Internet Standards process must be 
+   followed, or as required to translate it into languages other than 
+   English. 
+    
+   The limited permissions granted above are perpetual and will not be 
+   revoked by the Internet Society or its successors or assigns. 
+    
+   This document and the information contained herein is provided on an 
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 
diff --git a/crypto/heimdal/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt b/crypto/heimdal/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt
new file mode 100644
index 0000000..64ca1ac
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Kerberos Working Group                                        K. Raeburn
+Category: Informational                                              MIT
+Document: draft-raeburn-krb-gssapi-krb5-3des-01.txt    November 24, 2000
+
+
+         Triple-DES Support for the Kerberos 5 GSSAPI Mechanism
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are
+   working documents of the Internet Engineering Task Force (IETF), its
+   areas, and its working groups. Note that other groups may also
+   distribute working documents as Internet-Drafts. Internet-Drafts are
+   draft documents valid for a maximum of six months and may be updated,
+   replaced, or obsoleted by other documents at any time. It is
+   inappropriate to use Internet-Drafts as reference material or to cite
+   them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+1. Abstract
+
+   The GSSAPI Kerberos 5 mechanism definition [GSSAPI-KRB5] specifically
+   enumerates encryption and checksum types, independently of how such
+   schemes may be used in Kerberos.  In the long run, a new Kerberos-
+   based mechanism, which does not require separately enumerating for
+   the GSSAPI mechanism each of the various encryption types defined by
+   Kerberos, is probably a better approach.  Various people have
+   expressed interest in designing one, but the work has not yet been
+   completed.
+
+   The MIT Kerberos 5 release version 1.2 includes support for triple-
+   DES with key derivation [KrbRev].  Recent work by the EFF [EFF] has
+   demonstrated the vulnerability of single-DES mechanisms to brute-
+   force attacks by sufficiently motivated and well-funded parties.  So,
+   in the interest of providing increased security in the near term, MIT
+   is adding support for triple-DES to the existing mechanism
+   implementation we ship, as an interim measure.
+
+
+
+
+
+
+
+
+Raeburn                                                         [Page 1]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+2. New Algorithm Identifiers
+
+   One new sealing algorithm is defined, for use in Wrap tokens.
+
+
+   +--------------------------------------------------------------------+
+   |          name                                octet values          |
+   +--------------------------------------------------------------------+
+   |         DES3-KD                                 02 00              |
+   +--------------------------------------------------------------------+
+
+   This algorithm uses triple-DES with key derivation, with a usage
+   value KG_USAGE_SEAL.  (Unlike the EncryptedData definition in
+   [KrbRev], no integrity protection is needed, so this is "raw" triple-
+   DES, with no checksum attached to the encrypted data.)  Padding is
+   still to 8-byte multiples, and the IV for encrypting application data
+   is zero.
+
+   One new signing algorithm is defined, for use in MIC, Wrap, and
+   Delete tokens.
+
+
+   +--------------------------------------------------------------------+
+   |             name                               octet values        |
+   +--------------------------------------------------------------------+
+   |       HMAC SHA1 DES3-KD                           04 00            |
+   +--------------------------------------------------------------------+
+
+   This algorithm generates an HMAC using SHA-1 and a derived DES3 key
+   with usage KG_USAGE_SIGN, as described in [KrbRev].
+
+   [N.B.: The current [KrbRev] description refers to expired I-Ds from
+   Marc Horowitz.  The text in [KrbRev] may be inadequate to produce an
+   interoperable implementation.]
+
+   The checksum size for this algorithm is 20 octets.  See section 4.3
+   below for the use of checksum lengths of other than eight bytes.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Raeburn                                                         [Page 2]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+3. Key Derivation
+
+   For purposes of key derivation, we add three new usage values to the
+   list defined in [KrbRev]; one for signing messages, one for sealing
+   messages, and one for encrypting sequence numbers:
+
+
+   +--------------------------------------------------------------------+
+   |             name                                    value          |
+   +--------------------------------------------------------------------+
+   |         KG_USAGE_SEAL                                22            |
+   |         KG_USAGE_SIGN                                23            |
+   |         KG_USAGE_SEQ                                 24            |
+   +--------------------------------------------------------------------+
+
+4. Adjustments to Previous Definitions
+
+4.1. Quality of Protection
+
+   The GSSAPI specification [GSSAPI] says that a zero QOP value
+   indicates the "default".  The original specification for the Kerberos
+   5 mechanism says that a zero QOP value (or a QOP value with the
+   appropriate bits clear) means DES encryption.
+
+   Rather than forcing the use of plain DES when the application doesn't
+   use mechanism-specific QOP values, we redefine the explicit DES QOP
+   value as a non-zero value, and define a triple-DES value as well.
+   Then a zero value continues to imply the default, which would be
+   triple-DES protection when given a triple-DES session key.
+
+   Our values are:
+
+   +--------------------------------------------------------------------+
+   |             name                  value      meaning               |
+   +--------------------------------------------------------------------+
+   | GSS_KRB5_INTEG_C_QOP_HMAC_SHA1    0x0004     SHA-1 HMAC, using     |
+   |                                              key derivation        |
+   |                                                                    |
+   |    GSS_KRB5_CONF_C_QOP_DES        0x0100     plain DES encryption  |
+   |                                                                    |
+   |  GSS_KRB5_CONF_C_QOP_DES3_KD      0x0200     triple-DES with key   |
+   |                                              derivation            |
+   +--------------------------------------------------------------------+
+
+   Rather than attempt to specify a generic mechanism for deriving a key
+   of one type given a key of another type, and evaluate the security
+   implications of using a short key to generate a longer key to satisfy
+   the requested quality of protection, our implementation will simply
+
+
+
+Raeburn                                                         [Page 3]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+   return an error if the nonzero QOP value specified does not
+   correspond to the session key type.
+
+4.2. MIC Sequence Number Encryption
+
+   The sequence numbers are encrypted in the context key (as defined in
+   [GSSAPI-KRB5] -- this will be either the Kerberos session key or
+   asubkey provided by the context initiator), using whatever encryption
+   system is designated by the type of that context key.  The IV is
+   formed from the first N bytes of the SGN_CKSUM field, where N is the
+   number of bytes needed for the IV.  (With all algorithms described
+   here and in [GSSAPI-KRB5], the checksum is at least as large as the
+   IV.)
+
+4.3. Message Layout
+
+   Both MIC and Wrap tokens, as defined in [GSSAPI-KRB5], contain an
+   checksum field SGN_CKSUM.  In [GSSAPI-KRB5], this field was specified
+   as being 8 bytes long.  We now change this size to be "defined by the
+   checksum algorithm", and retroactively amend the descriptions of all
+   the checksum algorithms described in [GSSAPI-KRB5] to explicitly
+   specify 8-byte output.  Application data continues to immediately
+   follow the checksum field in the Wrap token.
+
+   The revised message descriptions are thus:
+
+   MIC token:
+
+   Byte #             Name                Description
+   ----------------------------------------------------------------------
+    0..1              TOK_ID              Identification field.
+    2..3              SGN_ALG             Integrity algorithm indicator.
+    4..7              Filler              Contains ff ff ff ff
+    8..15             SND_SEQ             Sequence number field.
+   16..s+15           SGN_CKSUM           Checksum of "to-be-signed
+                                          data", calculated according to
+                                          algorithm specified in SGN_ALG
+                                          field.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Raeburn                                                         [Page 4]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+   Wrap token:
+
+   Byte #           Name             Description
+   ----------------------------------------------------------------------
+    0..1            TOK_ID           Identification field.  Tokens
+                                     emitted by GSS_Wrap() contain the
+                                     hex value 02 01 in this field.
+    2..3            SGN_ALG          Checksum algorithm indicator.
+    4..5            SEAL_ALG         Sealing algorithm indicator.
+    6..7            Filler           Contains ff ff
+    8..15           SND_SEQ          Encrypted sequence number field.
+   16..s+15         SGN_CKSUM        Checksum of plaintext padded data,
+                                     calculated according to algorithm
+                                     specified in SGN_ALG field.
+   s+16..last       Data             encrypted or plaintext padded data
+
+
+   Where "s" indicates the size of the checksum.
+
+   As indicated above in section 2, we define the HMAC SHA1 DES3-KD
+   checksum algorithm to produce a 20-byte output, so encrypted data
+   begins at byte 36.
+
+5. Backwards Compatibility Considerations
+
+   The context initiator should request of the KDC credentials using
+   session-key cryptosystem types supported by that implementation; if
+   the only types returned by the KDC are not supported by the mechanism
+   implementation, it should indicate a failure.  This may seem obvious,
+   but early implementations of both Kerberos and the GSSAPI Kerberos
+   mechanism supported only DES keys, so the cryptosystem compatibility
+   question was easy to overlook.
+
+   Under the current mechanism, no negotiation of algorithm types
+   occurs, so server-side (acceptor) implementations cannot request that
+   clients not use algorithm types not understood by the server.
+   However, administration of the server's Kerberos data (e.g., the
+   service key) has to be done in communication with the KDC, and it is
+   from the KDC that the client will request credentials.  The KDC could
+   therefore be tasked with limiting session keys for a given service to
+   types actually supported by the Kerberos and GSSAPI software on the
+   server.
+
+   This does have a drawback for cases where a service principal name is
+   used both for GSSAPI-based and non-GSSAPI-based communication (most
+   notably the "host" service key), if the GSSAPI implementation does
+   not understand triple-DES but the Kerberos implementation does.  It
+   means that triple-DES session keys cannot be issued for that service
+
+
+
+Raeburn                                                         [Page 5]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+   principal, which keeps the protection of non-GSSAPI services weaker
+   than necessary.
+
+   It would also be possible to have clients attempt to get single-DES
+   session keys before trying to get triple-DES session keys, and have
+   the KDC refuse to issue the single-DES keys only for the most
+   critical of services, for which single-DES protection is considered
+   inadequate.  However, that would eliminate the possibility of
+   connecting with the more secure cryptosystem to any service that can
+   be accessed with the weaker cryptosystem.
+
+   For MIT's 1.2 release, we chose to go with the former approach,
+   putting the burden on the KDC administration and gaining the best
+   protection possible for GSSAPI services, possibly at the cost of
+   weaker protection of non-GSSAPI Kerberos services running earlier
+   versions of the software.
+
+6. Security Considerations
+
+   Various tradeoffs arise regarding the mixing of new and old software,
+   or GSSAPI-based and non-GSSAPI Kerberos authentication.  They are
+   discussed in section 5.
+
+7. References
+
+   [EFF] Electronic Frontier Foundation, "Cracking DES: Secrets of
+   Encryption Research, Wiretap Politics, and Chip Design", O'Reilly &
+   Associates, Inc., May, 1998.
+
+   [GSSAPI] Linn, J., "Generic Security Service Application Program
+   Interface Version 2, Update 1", RFC 2743, January, 2000.
+
+   [GSSAPI-KRB5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
+   RFC 1964, June, 1996.
+
+   [KrbRev] Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network
+   Authentication Service (V5)", draft-ietf-cat-kerberos-
+   revisions-06.txt, July 4, 2000.
+
+8. Author's Address
+
+   Kenneth Raeburn Massachusetts Institute of Technology 77
+   Massachusetts Avenue Cambridge, MA 02139
+
+9. Full Copyright Statement
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+
+
+
+Raeburn                                                         [Page 6]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
+
+10. Document Change History
+
+>From -00 to -01:
+
+   Converted master to GNU troff and tbl, rewriting tables in the
+   process.
+
+   Specify informational category only.  Modify some text to emphasize
+   that this document intends to describe MIT's extensions.
+
+   Point out that while EncryptedData for 3des-kd includes a checksum,
+   DES3-KD GSS encryption does not.
+
+   Shorten backwards-compatibility descriptions a little.
+
+   Submit to Kerberos working group rather than CAT.
+
+
+
+
+
+
+
+
+
+
+
+Raeburn                                                         [Page 7]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt b/crypto/heimdal/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt
new file mode 100644
index 0000000..321c5ba
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt
@@ -0,0 +1,929 @@
+
+
+DHC Working Group                                          S. Medvinsky
+Internet Draft                                                 Motorola
+Document: <draft-smedvinsky-dhc-kerbauth-01.txt>
+Category: Standards Track                                    P.Lalwaney
+Expires: January 2001                                             Nokia
+
+                                                              July 2000
+
+
+        Kerberos V Authentication Mode for Uninitialized Clients
+
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that
+   other groups may also distribute working documents as Internet-
+   Drafts. Internet-Drafts are draft documents valid for a maximum of
+   six months and may be updated, replaced, or obsoleted by other
+   documents at any time. It is inappropriate to use Internet- Drafts
+   as reference material or to cite them other than as "work in
+   progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   The distribution of this memo is unlimited.  It is filed as <draft-
+   smedvinsky-dhc-kerbauth-01.txt>, and expires January 2001. Please
+   send comments to the authors.
+
+
+
+1. Abstract
+
+   The Dynamic Host Configuration Protocol (DHCP) [1] includes an
+   option that allows authentication of all DHCP messages, as specified
+   in [2].  This document specifies a DHCP authentication mode based on
+   Kerberos V tickets. This provides mutual authentication between a
+   DHCP client and server, as well as authentication of all DHCP
+   messages.
+
+   This document specifies Kerberos message exchanges between an
+   uninitialized client and the KDC (Key Distribution Center) using an
+   IAKERB proxy [7] so that the Kerberos key management phase is
+   decoupled from, and precedes the address allocation and network
+   configuration phase that uses the DHCP authentication option.  In
+   order to make use of the IAKERB proxy, this document specifies a
+   transport mechanism that works with an uninitialized client (i.e. a
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+   client without an assigned IP address). In addition, the document
+   specifies the format of the Kerberos authenticator to be used with
+   the DHCP authentication option.
+
+2. Conventions used in this document
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in
+   this document are to be interpreted as described in RFC-2119.
+
+3. Introduction
+
+   3.1 Terminology
+
+   o "DHCP client"
+
+   A DHCP client is an Internet host using DHCP to obtain configuration
+   parameters such as a network address.
+
+   o "DHCP server"
+
+   A DHCP server is an Internet host that returns configuration
+   parameters to DHCP clients.
+
+   O "Ticket"
+
+   A Kerberos term for a record that helps a client authenticate itself
+   to a server; it contains the client's identity, a session key, a
+   timestamp, and other information, all sealed using the server's
+   secret key. It only serves to authenticate a client when presented
+   along with a fresh Authenticator.
+
+   o "Key Distribution Center"
+
+   Key Distribution Center, a network service that supplies tickets and
+   temporary session keys; or an instance of that service or the host
+   on which it runs. The KDC services both initial ticket and Ticket-
+   Granting Ticket (TGT) requests. The initial ticket portion is
+   sometimes referred to as the Authentication Server (or service. The
+   Ticket-Granting Ticket portion is sometimes referred to as the
+   Ticket-Granting Server (or service).
+
+   o "Realm"
+
+   A Kerberos administrative domain that represents a group of
+   principals registered at a KDC.  A single KDC may be responsible for
+   one or more realms.  A fully qualified principal name includes a
+   realm name along with a principal name unique within that realm.
+
+3.2 Protocol Overview
+
+
+
+S. Medvinsky, P. Lalwaney                                          -2-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+   DHCP as defined in [1] defines the protocol exchanges for a client
+   to obtain its IP address and network configuration information from
+   a DHCP Server. Kerberos V5 as described in [6] defines the protocol
+   and message exchanges to mutually authenticate two parties. It is
+   our goal to provide authentication support for DHCP using Kerberos.
+   This implies that the Kerberos key management exchange has to take
+   place before a client gets its IP address from the DHCP Server.
+   Kerberos assumes that the client has a network address and can
+   contact the Key Distribution Center to obtain its credentials for
+   authenticated communication with an application server.
+
+   In this specification we utilize the key exchange using an IAKERB
+   proxy described in [7]. This does not require any changes to either
+   the IAKERB or the Kerberos V5 specification.  This document also
+   specifies a particular transport that allows an uninitialized client
+   to contact an IAKERB proxy.
+
+   The Kerberos ticket returned from the key management exchange
+   discussed in Section 5 of this document is passed to the DHCP Server
+   inside the DHCP authentication option with the new Kerberos
+   authenticator type. This is described in Section 6 of this draft.
+
+
+3.3 Related Work
+
+   A prior Internet Draft [3] outlined the use of Kerberos-based
+   authentication for DHCP. The proposal tightly coupled the Kerberos
+   client state machines and the DHCP client state machines. As a
+   result, the Kerberos key management messages were carried in DHCP
+   messages, along with the Kerberos authenticators. In addition, the
+   first DHCP message exchange (request, offer) is not authenticated.
+
+   We propose a protocol exchange where Kerberos key management is
+   decoupled from and precedes authenticated DHCP exchanges. This
+   implies that the Kerberos ticket returned in the initial key
+   management exchange could be used to authenticate servers assigning
+   addresses by non-DHCP address assignment mechanisms like RSIP [4]
+   and for service specific parameter provisioning mechanisms using SLP
+   [5].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                          -3-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+
+4. System Architecture
+
+
+     Client
+    --------                            --------
+   |        |   5.Authenticated DHCP   |        |
+   |  DHCP  |<------------------------>| DHCP   |
+   | client |                          | server |
+   |        |                          |        |
+   |        |                          |        |
+   |Kerberos|                          |        |
+   | Client |                          |        |
+    --------                            --------
+       ^
+       |
+       |
+       |
+       |                                -------
+        ------------------------------>|       |
+         Kerberos Key Mgmt             | Proxy |
+         messages:                     |       |
+          1. AS Request  / 2.AS Reply   -------
+          3. TGS Request / 4.TGS Reply     ^
+                                           | Kerberos
+                                           | Key Mgmt messages
+                                           v (1, 2, 3, 4)
+                                        --------
+                                       |        |
+                                       |  KDC   |
+                                       |        |
+                                        --------
+
+     Figure 1: System blocks and message interactions between them
+
+
+   In this architecture, the DHCP client obtains a Kerberos ticket from
+   the Key Distribution Center (KDC) using standard Kerberos messages,
+   as specified in [6].  The client, however, contacts the KDC via a
+   proxy server, according to the IAKERB mechanism, described in [7].
+   The are several reasons why a client has to go through this proxy in
+   order to contact the KDC:
+
+  a)The client may not know the host address of the KDC and may be
+     sending its first request message as a broadcast on a local
+     network.  The KDC may not be located on the local network, and
+     even if it were - it will be unable to communicate with a client
+     without an IP address.  This document describes a specific
+     mechanism that may be used by a client to communicate with the
+     Kerberos proxy.
+
+
+
+S. Medvinsky, P. Lalwaney                                          -4-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+  b)The client may not know its Kerberos realm name.  The proxy is
+     able to fill in the missing client realm name in an AS Request
+     message, as specified in IAKERB.  Note that in the case that
+     PKINIT pre-authenticator is used [8], the realm name in the AS
+     Request may be the KDC realm name and not the clientÆs realm name.
+
+  c) The client does not know the realm name of the DHCP server.
+
+     According to IAKERB, when the client sends a TGS Request with a
+     missing server realm name, the proxy will return to the client an
+     error message containing the missing realm name.
+
+     Note that in this case the proxy could return the client a wrong
+     realm name and the client could be fooled into obtaining a ticket
+     for the wrong DHCP server (on the same local network).  However,
+     the wrong DHCP server must still be a registered principal in a
+     KDC database.  In some circumstances this may be an acceptable
+     compromise.  Also, see the security considerations section.
+
+     IAKERB describes the proxy as part of an application server - the
+     DHCP server in this case.  However, in this document we are not
+     requiring the proxy to be integrated with the DHCP server.  The
+     same IAKERB mechanisms apply in the more general case, where the
+     proxy is an independent application.  This proxy, however, MUST be
+     reachable by a client via a local network broadcast.
+
+     After a client has obtained a Kerberos ticket for the DHCP server,
+     it will use it as part of an authentication option in the DHCP
+     messages.  The only extension to the DHCP protocol is the addition
+     of a new authenticator type based on Kerberos tickets.
+
+4.1 Cross-Realm Authentication
+
+   Figure 1 shows a client communicating with a single KDC via a proxy.
+   However, the DHCP clientÆs realm may be different from the DHCP
+   serverÆs realm.  In that case, the client may need to first contact
+   the KDC in its local realm to obtain a cross-realm TGT.  Then, the
+   client would use the cross-realm TGT to contact the KDC in the DHCP
+   serverÆs realm, as specified in [6].
+
+   In the following example a client doesnÆt know its realm or the DHCP
+   serverÆs realm, which happens to be different from the clientÆs
+   realm.  Here are the steps in obtaining the ticket for the DHCP
+   server (based on [6] and [7]):
+
+        1) The client sends AS Request with NULL realm to the proxy.
+        2) The proxy fills in the realm and forwards the AS Request to
+           the KDC in the clientÆs realm.
+        3) The KDC issues a TGT and sends back an AS Reply to the
+           proxy.
+        4) The proxy forwards AS Reply to the client.
+
+
+S. Medvinsky, P. Lalwaney                                          -5-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+        5) The client sends TGS Request for a principal name "dhcpsrvr"
+           with NULL realm to the proxy.
+        6) The proxy returns KRB_AP_ERR_REALM_REQUIRED error with the
+           DHCP serverÆs realm to the client.
+        7) The client sends another TGS Request for a cross-realm TGT
+           to the proxy.
+        8) The proxy forwards the TGS Request to the KDC in the
+           clientÆs realm.
+        9) The KDC issues a cross-realm TGT and sends back a TGS Reply
+           to the proxy.
+       10) The proxy forwards TGS Reply to the client.
+       11) The client sends a TGS Request to the proxy for a principal
+       "dhcpsrvr" with the realm name filled in, using a cross-realm
+       TGT.
+       12) The proxy forwards TGS Request to the KDC in the DHCP      
+       server's realm.
+       13) The KDC issues a ticket for the DHCP server and sends TGS
+       Reply back to the proxy.
+       14) The proxy forwards TGS Reply to the client.
+
+   In a most general case, the client may need to contact any number of
+   KDCs in different realms before it can get a ticket for the DHCP
+   server.  In each case, the client would contact a KDC via the proxy
+   server, as specified in Section 5 of this document.
+
+4.2 Public Key Authentication
+
+   This specification also allows clients to perform public key
+   authentication to the KDC, based on the PKINIT specification [8].
+   In this case, the size of an AS Request and AS Reply messages is
+   likely to exceed the size of typical link MTU's.
+
+   Here is an example, where PKINIT is used by a DHCP client that is
+   not a registered principal in the KDC principal database:
+
+        1) The client sends AS Request with a PKINIT Request pre-
+           authenticator to the proxy.  This includes the clientÆs
+           signature and X.509 certificate.  The KDC realm field is
+           left as NULL.
+        2) The proxy fills in the realm and forwards the AS Request to
+           the KDC in the filled in realm.  This is the realm of the
+           DHCP server.  Here, the clientÆs realm is the name of a
+           Certification Authority - not the same as the KDC realm.
+        3) The KDC issues a TGT and sends back an AS Reply with a
+           PKINIT Reply pre-authenticator to the proxy.
+        4) The proxy forwards the AS Reply to the client.
+        5) The client sends TGS Request for a principal name "dhcpsrvr"
+           with the realm found in the TGT to the proxy.
+        6) The proxy forwards TGS Request to the KDC in the DHCP
+           serverÆs realm.
+        7) The KDC issues a ticket for the DHCP server and sends TGS
+           Reply back to the proxy.
+
+S. Medvinsky, P. Lalwaney                                          -6-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+        8) The proxy forwards TGS Reply to the client.
+
+
+   5. Key Management Exchange that Precedes Network Address Allocation
+
+   An uninitialized host (e.g. on power-on and reset) does not have a
+   network address. It does have a link layer address or hardware
+   address. At this time, the client may not have any information on
+   its realm or the realm of the address allocation server (DHCP
+   Server).
+
+   In the Kerberos key management exchange, a client gets its ticket
+   granting ticket (TGT) by contacting the Authentication Server in the
+   KDC using the AS_Request / Reply messages (shown as messages 1 and 2
+   in Figure 1). The client then contacts the Ticket Granting Server in
+   the KDC to get the DHCP server ticket (to be used for mutual
+   authentication with the DHCP server) using the TGS_REQ / TGS_REP
+   messages (shown as messages 3 and 4 in the above figure).  It is
+   also possible for the client to obtain a DHCP server ticket directly
+   with the AS Request / Reply exchange, without the use of the TGT.
+
+   In the use of Kerberos for DHCP authentication, the client (a) does
+   not have an IP/network address (b) does not know he KDCÆs IP address
+   (c) the KDC may not be on the local network and (d) the client may
+   not know the DHCP ServerÆs IP address and realm.  We therefore
+   require a Kerberos proxy on the local network to accept broadcast
+   Kerberos request messages (AS_REQ and TGS_REQ) from uninitialized
+   clients and relay them to the appropriate KDC.
+
+   The uninitialized client formulates a broadcast AS_REQ or TGS_REQ as
+   follows:
+
+   The request payload contains the client hardware address in
+   addresses field with a negative value for the address type. Kerberos
+   v5 [6] allows for the usage of negative address types for "local"
+   use. Note that IAKERB [7] discourages the use of the addresses field
+   as network addresses may not be known or may change in situation
+   where proxies are used. In this draft we incorporate the negative
+   values permitted in the Kerberos transport in the address type field
+   of both the AS_REQ and TGS_REQ messages. The negative value SHOULD
+   be the negative number of the hardware address type "htype" value
+   (from assigned numbers RFC) used in RFC 2131. The address field of
+   the message contains the clients hardware address.
+
+   The request payload is UDP encapsulated and addressed to port 88 on
+   the server/proxy. The UDP source port is selected by the client. The
+   source and destination network addresses are the all-zeroÆs address
+   and the broadcast address, respectively. For IPv4, the source IP
+   address is set to 0.0.0.0 and the destination IP address is set to
+   255.255.255.255. The data link layer header source address
+   corresponds to the link layer/hardware address of the client. The
+
+
+S. Medvinsky, P. Lalwaney                                          -7-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+   destination link layer address is the broadcast address at the link
+   layer (e.g. for Ethernet the address is ffffffff).
+
+   In the case where AS_REQ message contains a PKINIT pre-authenticator
+   for public key-based client authentication (based on [8]), the
+   message will probably not fit into a single UDP packet given typical
+   link MTU's.
+
+   It is assumed that the proxy server on a network is configured with
+   a list of KDCÆs, their realms and their IP addresses. The proxy
+   server will act as a client to the KDC and forward standard Kerberos
+   messages to/from the KDC using unicast UDP or TCP transport
+   mechanisms, according to [6].
+
+   Upon receiving a broadcast request from a client, the proxy MUST
+   record the clientÆs hardware address that appears as the source
+   address on the frame as well as in the addresses field of the
+   request message. Based on the realm of the KDC specified in the
+   request, the proxy determines the KDC to which this message is
+   relayed as a unicast message from the proxy to the KDC.  In the case
+   that the client left the KDC realm name as NULL, it is up to the
+   proxy to first determine the correct realm name and fill it in the
+   request (according to [7]).
+
+   On receiving a request, the KDC formulates a response (AS_REP or
+   TGS_REP). It includes the clientÆs addresses field in the encrypted
+   part of the ticket (according to [6]). This response is unicast to
+   the proxy.
+
+   Upon receiving the reply, the proxy MUST first determine the
+   previously saved hardware address of the client.  The proxy
+   broadcasts the reply on its local network. This is a network layer
+   broadcast. At the link level, it uses the hardware address obtained
+   from the addresses field of the request.
+
+   The client on receiving the response (link layer destination address
+   as its hardware address, network layer address is the broadcast
+   address) must verify that the hardware address in the ticket
+   corresponds to its link layer address.
+
+   Upon receiving a TGS_REP (or an AS_REP with the application server
+   ticket) from the proxy, the client will have enough information to
+   securely communicate with the application server (the DHCP Server in
+   this case), as specified in the following section.
+
+
+
+
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                          -8-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+    6. Authenticated Message Exchange Between the DHCP Client and the
+   DHCP Server
+
+   The ticket returned in the TGS response is used by the DHCP client
+   in the construction of the Kerberos authenticator.  The Kerberos
+   ticket serves two purposes: to establish a shared session key with
+   the DHCP server, and is also included as part of a Kerberos
+   authenticator in the DHCP request.
+
+   If the size of the authenticator is greater than 255 bytes, the DHCP
+   authentication option is repeated multiple times.  When the values
+   of all the authentication options are concatenated together, they
+   will make up the complete authenticator.
+
+   Once the session key is established, the Kerberos structure
+   containing the ticket (AP REQ) can be omitted from the authenticator
+   for subsequent messages sent by both the DHCP client and the DHCP
+   server.
+
+   The Kerberos authenticator for a DHCP request message is specified
+   below:
+
+   0                   1                   2                   3
+   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |     Code      |    Length     |    Protocol   |   Algorithm   |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |                                                               |
+   +              Replay Detection (64 bits)                       +
+   |                                                               |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |                                                               |
+   +              Authentication token (n octets)           ...    +
+   |                                                               |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   The format of this authenticator is in accordance with [2]. The code
+   for the authentication option is TBD, and the length field contains
+   the length of the remainder of the option, starting with the
+   protocol field.
+
+   The value of the protocol field for this authenticator MUST be set
+   to 2.
+
+   The algorithm field MUST take one of the following values:
+        1 - HMAC-MD5
+        2 - HMAC-SHA-1
+
+   Replay protection field is a monotonically increasing counter field.
+   When the Kerberos AP REQ structure is present in the authenticator
+   the counter may be set to any value.  The AP REQ contains its own
+   replay protection mechanism in the form of a timestamp.
+
+S. Medvinsky, P. Lalwaney                                          -9-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+
+   Once the session key has been established and the AP REQ is not
+   included in the authenticator, this field MUST be monotonically
+   increasing in the messages sent by the client.
+
+   Kerberos authenticator token consists of type-length-value
+   attributes:
+
+   0                   1                   2                   3
+   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |     Type      |  Reserved     |       Payload Length          |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |                           attribute value...
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   The following attributes are included in the Kerberos authenticator
+   token:
+
+   Type         Attribute Name          Value
+   --------------------------------------------------------------------
+   0            Message Integrity Code  Depends on the value of the
+                                        algorithm field.  Its length is
+                                        16 bytes for HMAC-MD5 [9, 10]
+                                        and 20 bytes for HMAC-SHA-1
+                                        [11, 10].  The HMAC key must be
+                                        derived from Kerberos session
+                                        key found in the Kerberos
+                                        ticket according to the key
+                                        derivation rules in [6]:
+
+                                          HMAC Key = DK(sess key,
+                                                      key usage | 0x99)
+
+                                        Here, DK is defined in [12] and
+                                        the key usage value for DHCP is
+                                        TBD.
+
+                                        The HMAC is calculated over the
+                                        entire DHCP message. The
+                                        Message Integrity Code
+                                        attribute MUST be set to all 0s
+                                        for the computation of the
+                                        HMAC.  Because a DHCP relay
+                                        agent may alter the values of
+                                        the 'giaddr' and 'hops' fields
+                                        in the DHCP message, the
+                                        contents of those two fields
+                                        MUST also be set to zero for
+                                        the computation of the HMAC.
+                                        Rules specified in Section 3 of
+                                        [2] for the exclusion and
+
+S. Medvinsky, P. Lalwaney                                         -10-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+                                        processing of the relay agent
+                                        information are applicable here
+                                        too.
+
+                                        This field MUST always be
+                                        present in the Kerberos
+                                        authenticator.
+
+   1            AP_REQ                  ASN.1 encoding of a Kerberos
+                                        AP_REQ message, as specified
+                                        in [6]. This MUST be included
+                                        by the client when establishing
+                                        a new session key.  In all
+                                        other cases, this attribute
+                                        MUST be omitted.
+
+   AP_REQ contains the Kerberos ticket for the DHCP server and also
+   contains information needed by the DHCP server to authenticate the
+   client.  After verifying the AP_REQ and decrypting the Kerberos
+   ticket, the DHCP server is able to extract a session key which it
+   now shares with the DHCP client.
+
+   The Kerberos authenticator token contains its own replay protection
+   mechanism inside the AP_REQ structure.  The AP_REQ contains a
+   timestamp that must be within an agreed upon time window at the DHCP
+   server.  However, this does not require the DHCP clients to maintain
+   an accurate clock between reboots.  Kerberos allows clients to
+   synchronize their clock with the KDC with the help of Kerberos
+   KRB_AP_ERR_SKEW error message, as specified in [6].
+
+   The DHCP server MUST save both the session key and its associated
+   expiration time found in the Kerberos ticket.  Up until the
+   expiration time, the server must accept client requests with the
+   Kerberos authenticator that does not include the AP REQ, using the
+   saved session key in calculating HMAC values.
+
+   The Kerberos authenticator inside all DHCP server responses MUST NOT
+   contain the AP REQ and MUST use the saved Kerberos session key in
+   calculating HMAC values.
+
+   When the session key expires, it is the client's responsibility to
+   obtain a new ticket from the KDC and to include an AP REQ inside the
+   Kerberos authenticator for the next DHCP request message.
+
+
+
+
+
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                         -11-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+7. Detailed message flows for Kerberos and DHCP message Exchanges
+
+   The following flow depicts the Kerberos exchange in which a AS REQ
+   message is used to directly request the DHCP Server ticket. There
+   are no changes to transport mechanisms below when the additional
+   phase of using TGS requests/responses with TGTÆs is used.
+
+   Client                         IAKERB Proxy                 KDC
+
+   KB-client-------- AS_REQ ------>
+
+   AS REQ Address type = - (htype)
+   AS REQ Address= hw address
+
+   src UDP port = senders port
+   destination UDP port = 88
+
+   src IP = 0.0.0.0
+   destination IP = 255.255.255.255
+
+   src link layer address =
+   clientÆs HW/link address [e.g Ethernet address]
+
+   destination link layer address =
+   link broadcast address [e.g. ffffffff for Ethernet]
+
+
+                                         --------------------------->
+                                            (unicast to UDP port 88)
+
+
+
+                                          <--------------------------
+                                             (unicast AS REP)
+                                         Encrypted portion of ticket
+                                         Includes clients HW address
+
+
+      <---------------AS_REP -----------
+
+
+     Ticket includes clientÆs hardware address
+
+     src UDP port = 88
+     destination UDP port = copied from src port in AS_REQ
+
+     src IP = ProxyÆs IP address
+     destination IP = 255.255.255.255
+
+     src link layer address = ProxyÆs HW/link address
+     destination link layer address =
+         ClientÆs link layer address from AS_REQ
+
+
+S. Medvinsky, P. Lalwaney                                         -12-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+
+
+
+    The client uses the ticket received from the KDC in the DHCP
+Authentication option as described in Section 6.
+
+
+     Client
+     DHCP-client                                   DHCP Server
+
+             ------DHCPDISCOVER ---->
+             (Auth Protocol = 2, includes Kerberos
+              authenticator with AP REQ )
+                                   -----------------------------------
+                                   |  HMAC  |     AP   REQ           |
+                                    ----------------------------------
+                                            | Ticket| Client Authent |
+                                            --------------------------
+
+                                         1. Server decrypts ticket
+                                         (inside AP REQ) with service
+                                         key
+                                         2. Server decrypts client
+                                         authenticator (inside AP REQ)
+                                         and checks content and
+                                         checksum to validate the
+                                         client.
+                                         3. Recompute HMAC with session
+                                         key and compare.
+
+
+          <-------DHCPOFFER----------
+          (Auth Protocol = 2, no AP REQ )
+
+
+
+         ---------DHCPREQUEST------->
+         (Auth Protocol = 2, no AP REQ)
+
+
+          <--------DHCPACK-------------
+           (Auth Protocol = 2, no AP REQ )
+
+
+
+
+8. Security Considerations
+
+   DHCP clients that do not know the DHCP serverÆs realm name will get
+   it from the proxy, as specified in IAKERB [7].  Since the proxy is
+   not authenticated, a DHCP client can be fooled into obtaining a
+   ticket for the wrong DHCP server in the wrong realm.
+
+S. Medvinsky, P. Lalwaney                                         -13-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+
+   This could happen when the client leaves out the server realm name
+   in a TGS Request message to the proxy.  It is also possible,
+   however, for a client to directly request a DHCP server ticket with
+   an AS Request message.  In those cases, the same situation occurs
+   when the client leaves out the realm name in an AS Request.
+
+   This wrong DHCP server is still registered as a valid principal in a
+   database of a KDC that can be trusted by the client.  In some
+   circumstances a client may assume that a DHCP server that is a
+   Kerberos principal registered with a trusted KDC will not attempt to
+   deliberately misconfigure a client.
+
+   This specification provides a tradeoff between:
+
+        1) The DHCP clients knowing DHCP serverÆs realm ahead of time,
+           which provides for full 2-way authentication at the cost of
+           an additional configuration parameter.
+        2) The DHCP clients not requiring any additional configuration
+           information, besides a password or a key (and a public key
+           certificate if PKINIT is used).  This is at the cost of not
+           being able to fully authenticate the identity of the DHCP
+           server.
+
+
+
+9. References
+
+
+   [1]Droms, R., Arbaugh, W., "Dynamic Host Configuration Protocol",
+      RFC 2131, Bucknell University, March 1997.
+
+   [2]Droms, R., Arbaugh, W., "Authentication for DHCP Messages",
+      draft-ietf-dhc-authentication-13.txt, June 2000.
+
+   [3]Hornstein, K., Lemon, T., "DHCP Authentication Via Kerberos V",
+      draft-hornstein-dhc-kerbauth-02.txt, February 2000.
+
+   [4]Borella, M., Grabelsky, D., Lo, J., Tuniguchi, K., "Realm
+      Specific IP: Protocol Specification ", draft-ietf-nat-rsip-
+      protocol-06.txt, March 2000.
+
+   [5]Guttman, E., Perkins, C., Veizades, J., Day, M., "Service
+      Location Protocol, Version 2", RFC 2608, June 1999.
+
+   [6]Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network
+      Authentication Service (V5)", draft-ietf-cat-kerberos-revisions-
+      05.txt, March 2000.
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                         -14-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+
+   [7]Swift, M., Trostle, J., "Initial Authentication and Pass Through
+      Authentication Using Kerberos V5 and the GSS-API (IAKERB)",
+      draft-ietf-cat-iakerb-03.txt, September 1999.
+
+   [8]Tung, B., C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray,
+      J. Trostle, "Public Key Cryptography for Initial Authentication
+      in Kerberos", draft-ietf-cat-pk-init-11.txt, March 2000.
+
+   [9]Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
+      1992.
+
+   [10]Krawczyk H., M. Bellare and R. Canetti, "HMAC: Keyed-Hashing for
+      Message Authentication," RFC 2104, February 1997.
+
+   [11]NIST, FIPS PUB 180-1, "Secure Hash Standard", April 1995.
+
+   [12]Horowitz, M., "Key Derivation for Authentication, Integrity, and
+      Privacy", draft-horowitz-key-derivation-02.txt, August 1998.
+
+   [13]Bradner, S. "The Internet Standards Process -- Revision 3", RFC
+   2026.
+
+
+
+ 10. Author's Addresses
+
+   Sasha Medvinsky
+   Motorola
+   6450 Sequence Drive
+   San Diego, CA 92121
+   Email: smedvinsky@gi.com
+
+   Poornima Lalwaney
+   Nokia
+   12278 Scripps Summit Drive
+   San Diego, CA  92131
+   Email: poornima.lalwaney@nokia.com
+
+
+11. Expiration
+
+   This memo is filed as <draft-smedvinsky-dhc-kerbauth-01.txt>, and
+   expires January 1, 2001.
+
+
+
+12. Intellectual Property Notices
+
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                         -15-        
+
+Kerberos V Authentication Mode for Uninitialized Clients    March 2000
+
+
+      This section contains two notices as required by [13] for
+   standards track documents.  Per [13], section 10.4(A):
+
+     The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights. Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11. Copies of
+   claims of rights made available for publication and any assurances
+   of licenses to be made available, or the result of an attempt made
+   to obtain a general license or permission for the use of such
+   proprietary rights by implementers or users of this specification
+   can be obtained from the IETF Secretariat.
+
+      Per [13] section 10.4(D):
+
+      The IETF has been notified of intellectual property rights
+   claimed in regard to some or all of the specification contained in
+   this document.  For more information consult the online list of
+   claimed rights.
+
+   13. Full Copyright Statement
+
+   Copyright (C) The Internet Society (1999).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph
+   are included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.  The limited permissions granted above are perpetual and
+   will not be revoked by the Internet Society or its successors or
+   assigns. This document and the information contained herein is
+   provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
+   INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                         -16-
+
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt b/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt
new file mode 100644
index 0000000..85d7456
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on July 17, 2000.
diff --git a/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt b/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt
new file mode 100644
index 0000000..85d7456
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on July 17, 2000.
diff --git a/crypto/heimdal/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt b/crypto/heimdal/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt
new file mode 100644
index 0000000..68c170b
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt
@@ -0,0 +1,1140 @@
+
+
+
+
+
+
+INTERNET-DRAFT   Kerberized USM Keying    M. Thomas
+                                          Cisco Systems
+                                          K. McCloghrie
+                                          Cisco Systems
+                                          July 13, 2000
+
+
+
+
+
+
+                         Kerberized USM Keying
+
+                   draft-thomas-snmpv3-kerbusm-00.txt
+
+
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+Abstract
+
+   The KerbUSM MIB provides a means of leveraging a trusted third party
+   authentication and authorization mechanism using Kerberos for SNMP V3
+   USM users and their associated VACM views. The MIB encodes the normal
+   Kerberos AP-REQ and AP-REP means of both authenticating and creating
+   a shared secret between the SNMP V3 Manager and Agent.
+
+The SNMP Management Framework
+
+   The SNMP Management Framework presently consists of five major
+   components:  An overall architecture, described in RFC 2571
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 1]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+   [RFC2571].  Mechanisms for describing and naming objects and events
+   for the purpose of management.  The first version of this Structure
+   of Management Information (SMI) is called SMIv1 and described in STD
+   16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC 1215
+   [RFC1215].  The second version, called SMIv2, is described in STD 58,
+   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
+   [RFC2580].  Message protocols for transferring management
+   information.  The first version of the SNMP message protocol is
+   called SNMPv1 and described in STD 15, RFC 1157 [RFC1157].  A second
+   version of the SNMP message protocol, which is not an Internet
+   standards track protocol, is called SNMPv2c and described in RFC 1901
+   [RFC1901] and RFC 1906 [RFC1906].  The third version of the message
+   protocol is called SNMPv3 and described in RFC 1906 [RFC1906], RFC
+   2572 [RFC2572] and RFC 2574 [RFC2574].  Protocol operations for
+   accessing management information.  The first set of protocol
+   operations and associated PDU formats is described in STD 15, RFC
+   1157 [RFC1157].  A second set of protocol operations and associated
+   PDU formats is described in RFC 1905 [RFC1905].  A set of fundamental
+   applications described in RFC 2573 [RFC2573] and the view-based
+   access control mechanism described in RFC 2575 [RFC2575].
+
+   A more detailed introduction to the current SNMP Management Framework
+   can be found in RFC 2570 [RFC2570].
+
+   Managed objects are accessed via a virtual information store, termed
+   the Management Information Base or MIB.  Objects in the MIB are
+   defined using the mechanisms defined in the SMI.
+
+   This memo specifies a MIB module that is compliant to the SMIv2.  A
+   MIB conforming to the SMIv1 can be produced through the appropriate
+   translations.  The resulting translated MIB must be semantically
+   equivalent, except where objects or events are omitted because no
+   translation is possible (use of Counter64).  Some machine readable
+   information in SMIv2 will be converted into textual descriptions in
+   SMIv1 during the translation process.  However, this loss of machine
+   readable information is not considered to change the semantics of the
+   MIB.
+
+
+Introduction
+
+   The User based Security Model of SNMP V3 (USM) [2] provides a means
+   of associating different users with different access privileges of
+   the various MIB's that an agent supports. In conjunction with the
+   View based Access Control Model of SNMP V3 (VACM) [3], SNMP V3
+   provides a means of providing resistance from various threats both
+   from outside attacks such as spoofing, and inside attacks such as an
+   user having, say, SET access to MIB variable for which they are not
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 2]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+   authorized.
+
+   SNMP V3, unfortunately, does not specify a means of doing key
+   distribution between the managers and the agents. For small numbers
+   of agents and managers, the O(n*m) manual keying is a cumbersome, but
+   possibly tractable problem. For a large number of agents with
+   distribution of managers, the key distribution quickly goes from
+   cumbersome to unmanageable. Also: there is always the lingering
+   concern of the security precautions taken for keys on either local
+   management stations, or even directories.
+
+   Kerberos [1] provides a means of centralizing key management into an
+   authentication and authorization server known as a Key Distribution
+   Center (KDC).  At a minimum, Kerberos changes the key distribution
+   problem from a O(n*m) problem to a O(n) problem since keys are shared
+   between the KDC and the Kerberos principals rather directly between
+   each host pair. Kerberos also provides a means to use public key
+   based authentication which can be used to further scale down the
+   number of pre-shared secrets required. Furthermore, a KDC is intended
+   and explicitly expected to be a standalone server which is managed
+   with a much higher level of security concern than a management
+   station or even a central directory which may host many services and
+   thus be exposed to many more possible vectors of attack.
+
+   The MIB defined in this memo describes a means of using the desirable
+   properties of Kerberos within the context of SNMP V3. Kerberos
+   defines a standardized means of communicating with the KDC as well as
+   a standard format of Kerberos tickets which Kerberos principals
+   exchange in order to authenticate to one another. The actual means of
+   exchanging tickets, however, is left as application specific. This
+   MIB defines the SNMP MIB designed to transport Kerberos tickets and
+   by doing so set up SNMP V3 USM keys for authentication and privacy.
+
+   It should be noted that using Kerberos does introduce reliance on a
+   key network element, the KDC. This flies in the face of one of SNMP's
+   dictums of working when the network is misbehaving. While this is a
+   valid concern, the risk of reliance on the KDC can be significantly
+   diminished with a few common sense actions. Since Kerberos tickets
+   can have long life times (days, weeks) a manager of key network
+   elements can and should maintain Kerberos tickets well ahead ticket
+   expiration so that likelihood of not being able to rekey a session
+   while the network is misbehaving is minimized. For non-critical, but
+   high fanout elements such as user CPE, etc, requiring a pre-fetched
+   ticket may not be practical, which puts the KDC into the critical
+   path. However, if all KDC's are unreachable, the non-critical network
+   elements are probably the least of the worries.
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 3]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+Operation
+
+   The normal Kerberos application ticket exchange is accomplished by  a
+   client  first  fetching  a  service ticket from a KDC for the service
+   principal and then sending an AP-REQ  to  a  server  to  authenticate
+   itself  to  the  server. The server then sends a AP-REP to finish the
+   exchange. This MIB maps Kerberos' concept of client and  server  into
+   the  SNMP  V3  concept  of  Manager and Agent by designating that the
+   Kerberos Client is the SNMP V3 Agent. Although  it  could  be  argued
+   that an Agent is really a server, in practice there may be many, many
+   agents and relatively few managers. Also: Kerberos clients  may  make
+   use  of  public  key authentication as defined in [4], and it is very
+   advantageous to take advantage of that capability for  Agents  rather
+   than Managers.
+
+   The MIB is intended to be stateless and map USM users to Kerberos
+   principals. This mapping is explicitly done by putting a Kerberos
+   principal name into the usmUserSecurityName in the usmUser MIB and
+   instatiating the krbUsmMibEntry for the usmUserEntry. MIB variables
+   are accessed with INFORM's or TRAP PDU's and SET's to perform a
+   normal Kerberos AP-REQ/AP-REP exchange transaction which causes the
+   keys for a USM user to be derived and installed. The basic structure
+   of the MIB is a table which augements usmUserEntry's with a Kerberos
+   principal name as well as the transaction varbinds. In the normal
+   case, multiple varbinds should be sent in a single PDU which prevents
+   various race conditions, as well as increasing efficiency.
+
+   It should be noted that this MIB is silent on the subject of how the
+   Agent and Manager find the KDC. In practice, this may be either
+   statically provisioned or use either DNS SRV records (RFC 2782) or
+   Service Location (RFC 2608). This MIB is does not provide for a means
+   of doing cipher suite negotiation either. It is expected that the
+   choices for ciphers in the USM MIB will reflect site specific choices
+   for ciphers. This matches well with the general philosophy of
+   centralized keying.
+
+Keying Transactions
+
+   The following shows an error free transaction:
+
+   Note: optional steps or parameters are shown like [ ]
+
+
+
+
+
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 4]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+
+    Agent                       Manager                            KDC
+ +--                                                               --+
+ | 1) <-------------------------------                               |
+ |     SET (krbUsmPrinTable[usmUserName].krbUsmMibNonce = xxxx;      |
+ |          [ krbUsmPrinTable[usmUserName].krbUsmMibTgt =            |
+ |                                  TGT[usmUserSecurityName] ]);     |
+ |                                                                   |
+ | 2) ------------------------------->                               |
+ |    Response                                                       |
+ +--                     (optional)                                --+
+
+   3) --------------------------------------------------------------->
+        TGS-REQ (krbUsmPrinTable[usmUserName].krbUsmMibMgrPrinName
+                 [, krbUsmPrinTable[usmUserName].krbUsmMibTgt]);
+
+   4) <--------------------------------------------------------------
+        Tick[usmUserSecurityName] = TGS-REP ();
+
+   5)  ------------------------------>
+        INFORM (krbUsmPrinTable[usmUserName].krbUsmMibApReq =
+                   AP_REQ[Tick[usmUserSecurityName]];
+                   [ krbUsmPrinTable[usmUserName].krbUsmMibNonce = xxxx]);
+
+   6)  <------------------------------
+        SET (krbUsmPrinTable[usmUserName].krbUsmMibApRep = AP_REP[]);
+
+
+   7)  ------------------------------>
+       Response
+
+
+   The above flow translates to:
+
+
+   1)  This step is used when the Manager does not currently have a ses-
+       sion with the Agent but wishes to start one. The Manager MAY
+       place a ticket granting ticket into the krbUsmMibMgrTgt varbind
+       in the same PDU as the krbUsmMibNonce if it does not share a
+       secret with the KDC (as would be the case if the Manager used
+       PKinit to do initial authentication with the KDC).
+
+
+   2)  This step acknowledges the SET. There are no MIB specific errors
+       which can happen here.
+
+
+   3)  If the Agent is not already in possession of a service ticket for
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 5]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+       the Manager in its ticket cache, it MUST request a service ticket
+       from the Agent's KDC for the service principal given by
+       krbUsmMibMgrPrinName in the row that the krbUsmMibNonce was SET
+       in, optionally adding a krbUsmMibMgrTgt.  If the TGT is speci-
+       fied, the Manager's TGT must be placed in the additional-tickets
+       field with the ENC-TKT-IN-SKEY option set in the TGS-REQ to
+       obtain a service ticket (see section 3.3.3 of [1]).
+
+       Note:   a Kerberos TGS-REQ is but one way to obtain a service
+               ticket. An Agent may use any normal Kerberos means to
+               obtain the service ticket. This flow has also elided ini-
+               tial authentication (ie, AS-REQ) and any cross realm con-
+               siderations, though those may be necessary prerequisites
+               to obtaining the service ticket.
+
+   4)  If step 3 was performed, this step receives the ticket or an
+       error from the KDC.
+
+
+   5)  This step sends a krbUsmMibApReq to the Manager via an INFORM or
+       TRAP PDU.  If the message is the result of a request by the
+       Manager, krbUsmMibNonce received from the Manager MUST be sent in
+       the same PDU. If the Manager did not initiate the transaction,
+       the Agent MUST NOT send a krbUsmMibNonce varbind. The Agent also
+       MUST check krbUsmMibUnsolicitedNotify is not false, otherwise it
+       MUST abort the transaction.  All krbUsmMibApReq's MUST contain a
+       sequence nonce so that the resulting krbUsmMibApRep can provide a
+       proof of the freshness of the message to prevent replay attacks.
+
+       If the Agent encounters an error either generated by the KDC or
+       internally, the Agent MUST send an INFORM or TRAP PDU indicating
+       the error in the form of a KRB-ERROR placed in krbUsmMibApReq
+       with the same rules applied to krbUsmMibNonce and krbUsmMibUnsol-
+       icitedNotify above. If the Agent suspects that it is being
+       attacked by a purported Manager which is generating many failed
+       TGS-REQ's to the KDC, it SHOULD meter its TGS-REQ transactions
+       for that Manager to the KDC using an exponential backoff mechan-
+       ism truncated at 10 seconds.
+
+
+
+   6)  Upon recepit of an INFORM or TRAP PDU with a krbUsmMibApReq, a
+       Manager may accept the AP-REQ. If it is accompanied with a
+       krbUsmMibNonce it MUST correlate it with any outstanding transac-
+       tions using its stored nonce for the transaction. If it does not
+       correlate with a current nonce, the request MUST be rejected as
+       it may be a replay.
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 6]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+       If the Manager chooses to reject an unsolicited keying request,
+       it SHOULD send a WrongValue Error to the Agent with the krbUsmMi-
+       bApReq as the subject of the WrongValue. If an Agent receives a
+       WrongValue Error from a Manager it MUST cease retransmission of
+       the INFORM or TRAP PDU's so as to mitigate event avalanches by
+       Agents. There is a possible denial of service attack here, but it
+       must be weighed against the larger problem of network congestion,
+       flapping, etc. Therefore, if the Agent finds that it cannot can-
+       cel an unsolicited Notify (ie, it must be reliable), it MUST use
+       a truncated exponential backoff mechanism with the maximum trun-
+       cation interval set to 10 minutes.
+
+       Otherwise, the Manager MUST send a SET PDU to the Agent which
+       contains a krbUsmMibApRep.
+
+
+   7)  If the Agent detects an error (including detecting replays) in
+       the final AP-REP, it MUST send a WrongValue error with a pointer
+       to the krbUsmMibApRep varbind to indicate its inability to estab-
+       lish the security association. Otherwise, receipt of the positive
+       acknowledgement from the final SET indicates to the Manager that
+       the proper keys have been installed on the Agent in the USM MIB.
+
+Unsolicited Agent Keying Requests
+
+   An Agent may find that it needs to set up a security association for
+   a USM user in order to notify a Manager of some event. When the Agent
+   engine receives a request for a notify, it SHOULD check to see if
+   keying material has been established for the user and that the keying
+   material is valid. If the keying material is not valid and the USM
+   user has been tagged as being a Kerberos principal in a realm, the
+   Agent SHOULD first try to instantiate a security association by
+   obtaining a service ticket for the USM User and follow steps 3-7 of
+   the flow above. This insures that the USM User will have proper key-
+   ing material and providing a mechanism to allow for casual security
+   associations to be built up and torn down. This is especially useful
+   for Agents which may not normally need to be under constant Manager
+   supervision, such as the case with high fan out user residential CPE
+   and other SNMP managed "appliances". In all cases, the Agent MUST NOT
+   send an unsolicited Notify if krbUsmUnsolicitedNotify is set to
+   false.
+
+   How the Agent obtains the Manager's address, how it determines
+   whether a Manager, realm, and whether it can be keyed using this MIB
+   is outside of the scope of this memo.
+
+   Note:   Although the MIB allows for a Manager to set up a session
+           using User-User mode of Kerberos by sending a TGT along with
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 7]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+           the nonce, this, is limited to Manager initiated sessions
+           only since there is no easy way to store the Manager's ticket
+           in the MIB since it is publicly writable and as such would be
+           subject to denial of service attacks. Another method might be
+           to have the Agent send a krbUsmMibNonce to the Manager which
+           would tell it to instigate a session. Overall, it seems like
+           a marginal feature to allow a PKinit authenticated user be
+           the target of unsolicited informs and it would complicate the
+           transactions. For this reason, this scenario has been omitted
+           in favor of simplicity.
+
+Retransmissions
+
+   Since this MIB defines not only variables, but transactions, discus-
+   sion of the retransmission state machine is in order. There are two
+   similar but different state machines for the Manager Solicited and
+   Agent Unsolicited transactions.  There is one timer Timeout which
+   SHOULD take into consideration round trip considerations and MUST
+   implement a truncated exponential backoff mechanism. In addition, in
+   the case where an Agent makes an unsolicited Agent keying request,
+   the Agent SHOULD perform an initial random backoff if the keying
+   request to the Manager may result in a restart avalanche. A suitable
+   method is described in section 4.3.4 of [5].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 8]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+
+Manager Solicited Retransmission State Machine
+
+                Timeout
+                 +---+
+                 |   |
+                 |   V
+              +-----------+ Set-Ack (2) +----------+
+              |           |------------>|          |
+              | Set-Nonce |             |  Ap-Req  |
+              |   (1)     |<------------|   (5)    |
+              +-----------+   Timeout   +----------+
+                   ^                         |
+                   |                         | Set-Ap-Rep
+                   |      +----------+       |  (6)
+                   +------|          |<------+
+                  Timeout | Estab-wt |
+                          |   (7)    |
+                          +----------+
+                               |
+                               |  Set-Ap-Rep-Ack (7)
+                               V
+                          +----------+
+                          |          |
+                          |  Estab   |
+                          |          |
+
+                          +----------+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 9]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+
+Agent Unsolicited Retransmission State Machine
+
+                             Timeout
+                              +---+
+                              |   |
+                              |   V
+                          +----------+
+                          |          |
+                   +----> |  Ap-Req  |-------+
+                   |      |   (5)    |       |
+                   |      +----------+       |
+                   |                         |
+                   |                         | Set-Ap-Rep
+                   |      +----------+       |  (6)
+                   +------|          |<------+
+                  Timeout | Estab-wt |
+                          |   (7)    |
+                          +----------+
+                               |
+                               |  Set-Ap-Rep-Ack (7)
+                               V
+                          +----------+
+                          |          |
+                          |  Estab   |
+                          |          |
+                          +----------+
+
+Session Duration and Failures
+
+   The KerbUsmMib uses the ticket lifetime to determine the life of the
+   USM session. The Agent MUST keep track of whether the ticket which
+   instigated the session is valid whenever it forms PDU's for that par-
+   ticular user. If a session expires, or if it wasn't valid to begin
+   with (from the Agent's perspective), the Agent MUST reject the PDU by
+   sending a XXX Error [mat: help me here Keith... what does USM say
+   about this?].
+
+   Kerberos also inherently implies adding state to the Agent and
+   Manager since they share not only a key, but a lifetime associated
+   with that key. This is in some sense soft state because failure of an
+   Agent will cause it to reject PDU's for Managers with whom it does
+   not share a secret. The Manager can use the Error PDU's as an indica-
+   tion that it needs to reauthenticate with the Agent, taking care not
+   to loop. The Manager is even easier: when it reboots, it can either
+   check its credential cache to reconstruct state or cause the Agent to
+   reauthenticate to the Manager with its service ticket by initiating a
+   authentication transaction with the manager.
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 10]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+Manager Collisions
+
+   Managers may freely set up keys for different USM users using this
+   MIB without problem since they access different rows in the krbUsm-
+   PrinTable. However, multiple Managers trying to set up keys for the
+   same USM user is possible but discouraged. The requirement for the
+   Manager is that they MUST share the same service key with the KDC so
+   that they can all decrypt the same service ticket. There are two race
+   conditions, however, which are not well handled:
+
+
+
+1)  At the end of a ticket lifetime, one manager may request the agent
+    to refresh its service ticket causing a new session key to be
+    installed for the USM user leaving the other managers with stale
+    keys. The workaround here is that the Agent will reject the stale
+    manager's PDU's which should inform them to do their own rekeying
+    operations.
+
+
+2)  If multiple managers try to access the same row at the same time,
+    the Agent SHOULD try to keep the transactions separate based on the
+    nonce values. The Managers or the Agents SHOULD NOT break the
+    krbUsmMibNonce and any other additional varbinds into separate PDU's
+    as this may result in a meta stable state. Given normal MTU sizes,
+    this should not be an issue in practice, and this should  at worst
+    devolve into the case above.
+
+   In all cases, the krbUsmMibNonce MUST be the last value to be
+   transmitted, though its position within a PDU is unimportant.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 11]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+
+   KrbUSM MIB
+
+   KRB-USM-MIB DEFINITIONS ::= BEGIN
+   IMPORTS
+       MODULE-IDENTITY,
+       OBJECT-TYPE, OBJECT-IDENTITY,
+       snmpModules, Counter32, Unsigned32 FROM SNMPv2-SMI
+       TruthValue, DisplayString          FROM SNMPv2-TC
+       usmUserEntry                       FROM SNMP-USER-BASED-SM-MIB
+
+
+
+   krbUsmMib MODULE-IDENTITY
+           LAST-UPDATED "00071300Z"
+           ORGANIZATION "IETF SNMP V3 Working Group"
+           CONTACT-INFO
+             "Michael Thomas
+              Cisco Systems
+              375 E Tasman Drive
+              San Jose, Ca 95134
+              Phone: +1 408-525-5386
+              Fax: +1 801-382-5284
+              email: mat@cisco.com"
+           DESCRIPTION
+              "This MIB contains the MIB variables to
+               exchange Kerberos credentials and a session
+               key to be used to authenticate and set up
+               USM keys"
+
+           ::= { snmpModules nnn }   -- not sure what needs to be here.
+   krbUsmMibObjects OBJECT INDENTIFIER ::= { krbUsmMib 1 }
+
+   krbUsmMibAuthInAttemps
+               SYNTAX      Counter32
+               MAX-ACCESS  read-only
+               STATUS      current
+               DESCRIPTION
+                   "Counter of the number of Kerberos
+                    authorization attempts as defined by
+                    receipt of a PDU from a Manager with a
+                     krbUsmMibNonce set in the principal table."
+               ::= { krbUsmMibObjects 1 }
+
+   krbUsmMibAuthOutAttemps
+               SYNTAX      Counter32
+               MAX-ACCESS  read-only
+               STATUS      current
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 12]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+               DESCRIPTION
+                   "Counter of the number of unsolicited Kerberos
+                    authorization attempts as defined by
+                    an Agent sending an INFORM or TRAP PDU with a
+                    krbUsmMibApRep but without krbUsmApMibNonce
+                    varbind."
+               ::= { krbUsmMibObjects 2 }
+   krbUsmMibAuthInFail
+               SYNTAX      Counter32
+               MAX-ACCESS  read-only
+               STATUS      current
+               DESCRIPTION
+                   "Counter of the number of Kerberos
+                    authorization failures as defined by
+                    a Manager setting the krbUsmMibNonce
+                    in the principal table which results
+                    in some sort of failure to install keys
+                    in the requested USM user entry."
+               ::= { krbUsmMibObjects 3 }
+
+   krbUsmMibAuthOutFail
+               SYNTAX      Counter32
+               MAX-ACCESS  read-only
+               STATUS      current
+               DESCRIPTION
+                   "Counter of the number of unsolicited Kerberos
+                    authorization failures as defined by
+                    an Agent sending an INFORM or TRAP PDU with a
+                    krbUsmMibApRep but without a krbUsmMibNonce
+                    varbind which does not result in keys being
+                    installed for that USM user entry."
+               ::= { krbUsmMibObjects 4 }
+
+   krbUsmMibPrinTable OBJECT-TYPE
+               SYNTAX      SEQUENCE OF krbUsmMibEntry
+               MAX-ACCESS  not-accessible
+               STATUS      current
+               DESCRIPTION
+                   "Table which maps Kerberos principals with USM
+                    users as well as the per user variables to key
+                    up sessions"
+               ::= { krbUsmMibObjects 5 }
+
+   krbUsmMibPrinEntry OBJECT-TYPE
+               SYNTAX     KrbUsmMibPrinEntry
+               MAX-ACCESS  not-accessible
+               STATUS      current
+               DESCRIPTION
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 13]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+                   "an entry into the krbMibPrinTable which is a
+                    parallel table to UsmUserEntry table"
+               AUGMENTS { usmUserEntry }
+               ::= { krbUsmMibPrinTable 1 }
+
+   KrbUsmMibPrinEntry SEQUENCE
+    {
+                   krbUsmMibApReq                  OCTET STRING,
+                   krbUsmMibApRep                  OCTET STRING,
+                   krbUsmMibNonce                  OCTET STRING,
+                   krbUsmMibMgrTGT                 OCTET STRING,
+                   krbUsmMibUnsolicitedNotify      TruthValue,
+    }
+
+
+   krbUsmMibApReq OBJECT-TYPE
+               SYNTAX      OCTET STRING
+               MAX-ACCESS  accessible-for-notify
+               STATUS      current
+               DESCRIPTION
+                   "This variable contains a DER encoded Kerberos
+                    AP-REQ or KRB-ERROR for the USM user which is
+                    to be keyed. This is sent from the Agent to
+                    the Manager in an INFORM or TRAP request.
+                    KRB-ERROR MUST only be sent to the Manager
+                    if it is in response to a keying request from
+                    the Manager.
+                   "
+               ::= { krbUsmMibPrinEntry 1 }
+
+   krbUsmMibApRep OBJECT-TYPE
+               SYNTAX      OCTET STRING
+               MAX-ACCESS  read-write
+               STATUS      current
+               DESCRIPTION
+                   "This variable contains the DER encoded response
+                    to an AP-REQ. This variable is SET by the
+                    Manager to acknowledge receipt of an AP-REQ. If
+                    krbUsmMibApRep contains a Kerberos AP-REP, the
+                    Agent must derive keys from the session key
+                    of the Kerberos ticket in the AP-REQ and place
+                    them in the USM database in a manner specified
+                    by [RFC2574]. If the Manager detects an error,
+                    it will instead place a KRB-ERROR in this
+                    variable to inform the Agent of the error.
+
+                    This variable is in effect a write-only variable.
+                    attempts to read this variable will result in a
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 14]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+                    null octet string being returned"
+               ::= { krbUsmMibPrinEntry 2 }
+
+   krbUsmMibNonce OBJECT-TYPE
+               SYNTAX      OCTET STRING
+               MAX-ACCESS  read-write
+               STATUS      current
+               DESCRIPTION
+                   "SET'ing a krbUsmMibnonce allows a Manager to
+                    determine whether an INFORM or TRAP from an
+                    Agent is an outstanding keying request, or
+                    unsolicited from the Agent. The Manager
+                    initiates keying for a particular USM user
+                    by writing a nonce into the row for which
+                    desires to establish a security association.
+                    The nonce is an ASCII string of the form
+                    ``host:port?nonce'' where:
+
+                    host:  is either an FQDN, or valid ipv4 or ipv6
+                           numerical notation of the Manager which
+                           desires to initiate keying
+                    port:  is the destination port at which that the
+                           Manager may be contacted
+                    nonce: is a number generated by the Manager to
+                           correlate the transaction
+
+                    The same nonce MUST be sent to the Manager in a
+                    subsequent INFORM or TRAP with a krbUsmApReq.
+                    The Agent MUST use the host address and port
+                    supplied in the nonce as the destination of a
+                    subsequent INFORM or TRAP. Unsolicited keying
+                    requests MUST NOT contain a nonce, and should
+                    instead use the destination stored Notifies of
+                    this type.
+
+                    Nonces MUST be highly collision resistant either
+                    using a time based method or a suitable random
+                    number generator. Managers MUST never create
+                    nonces which are 0.
+
+                    This variable is in effect a write-only variable.
+                    Attempts to read this variable will result in a
+                    nonce of value 0 being returned"
+
+
+               ::= { krbUsmMibPrinEntry 3 }
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 15]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+   krbUsmMibMgrTgt OBJECT-TYPE
+               SYNTAX      OCTET STRING
+               MAX-ACCESS  read-write
+               STATUS      current
+               DESCRIPTION
+                   "If the Manager does not possess a symmetric
+                    key with the KDC as would be the case with
+                    a Manager using PKinit for authentication,
+                    the Manager MUST SET its DER encoded ticket
+                    granting ticket into KrbUsmMgrTgt along
+                    with krbUsmMibNonce.
+
+                    The agent will then attach the Manager's TGT
+                    into the additional tickets field of the
+                    TGS-REQ message to the KDC to get a User-User
+                    service ticket.
+
+                    This variable is in effect a write-only variable.
+                    Attempts to read this variable will result in a
+                    null octet string being returned"
+               ::= { krbUsmMibPrinEntry 4 }
+
+
+   krbUsmMibUnsolicitedNotify OBJECT-TYPE
+               SYNTAX      TruthValue
+               MAX-ACCESS  read-write
+               STATUS      current
+               DESCRIPTION
+                   "If this variable is false, the Agent MUST NOT
+                    send unsolicited INFORM or TRAP PDU's to the
+                    Manager.
+
+                    Attempts to SET this variable by the no-auth
+                    no-priv user MUST be rejected."
+               ::= { krbUsmMibPrinEntry 5 }
+
+   --
+   -- Conformance section... nothing optional.
+
+   krbUsmMibCompliences MODULE-COMPLIANCE
+               STATUS       current
+               DESCRIPTION "The compliance statement for SNMP
+                            engines whichimplement the KRB-USM-MIB
+                   "
+               MODULE       -- this module
+                       MANDATORY-GROUPS { krbUsmMib }
+       ::= { krbUsmMibCompliances 1 }
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 16]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+   END
+
+
+Key Derivation
+
+   The session key provides the basis for the keying material for the
+   USM user specified in the AP-REQ.  The actual keys for use for the
+   authentication and privacy are produced using the cryptographic hash-
+   ing function used to protect the ticket itself.  The keying material
+   is derived using this function, F(key, salt), using successive
+   interations of F over the salt string "SNMPV3RULZ%d", where %d is a
+   monotonic counter starting at zero. The bits are taken directly from
+   the successive interations to produce two keys of appropriate size
+   (as specified in the USM user row) for the authentication transform
+   first, and the privacy transform second. If the authentication
+   transform is null, the first bits of the derived key are used for the
+   privacy transform.
+
+Security Considerations
+
+   Various elements of this MIB must be readable and writable as the
+   no-auth, no-priv user. Unless specifically necessary for the key
+   negotiation, elements of this MIB SHOULD be protected by VACM views
+   which limit access. In particular, there is no reason anything in
+   this MIB should be visible to a no-auth, no-priv user with the excep-
+   tion of KrbUsmMibApReq, KrbUsmMibApRep, KrbUsmMibNonce, and
+   KrbUsmMibMgrTgt, and then only with the restrictions placed on them
+   in the MIB. As such, probing attacks are still possible, but should
+   not be profitable: all of the writable variables with interesting
+   information in them are defined in such a way as to be write only.
+
+   There are some interesting denial of service attacks which are possi-
+   ble by attackers spoofing managers and putting load on the KDC to
+   generate unnecessary tickets. For large numbers or agents this could
+   be problematic. This can probably be mitigated by the KDC prioritiz-
+   ing TGS-REQ's though.
+
+
+References
+
+[1]         The CAT Working Group,  J.  Kohl,  C.Neuman,  "The  Kerberos
+            Network  Authentication  Service  (V5)", RFC 1510, September
+            1993
+
+[2]         The SNMPV3 Working Group, U.  Blumenthal,  B.  Wijnen,  "The
+            User-based Security Model of SNMP V3", RFC 2574, April 1999
+
+[3]         The SNMPV3 Working Group, B. Wijnen, R. Presuhn,
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 17]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+            K.McCloghrie, "The View-based Access Control Model of SNMP
+            V3", RFC 2575, April 1999
+
+[4]         The CAT Working Group, Tung, et al, "Public Key Cryptography
+            for Initial Authentication in Kerberos", draft-ietf-cat-pk-
+            init-11, November 1999
+
+[5]         Arango, et al, "Media Gateway Control Protocl (MGCP)", RFC
+            2705, October 1999
+
+
+[RFC2571]   Harrington, D., Presuhn, R., and B. Wijnen, An Architecture
+            for Describing SNMP Management Frameworks, RFC 2571, April
+            1999.
+
+[RFC1155]   Rose, M., and K. McCloghrie, Structure and Identification of
+            Management Information for TCP/IP-based Internets, STD 16,
+            RFC 1155, May 1990.
+
+[RFC1212]   Rose, M., and K. McCloghrie, Concise MIB Definitions, STD
+            16, RFC 1212, March 1991.
+
+[RFC1215]   M. Rose, A Convention for Defining Traps for use with the
+            SNMP, RFC 1215, March 1991.
+
+[RFC2578]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
+            Rose, M., and S. Waldbusser, Structure of Management Infor-
+            mation Version 2 (SMIv2), STD 58, RFC 2578, April 1999.
+
+[RFC2579]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
+            Rose, M., and S. Waldbusser, Textual Conventions for SMIv2,
+            STD 58, RFC 2579, April 1999.
+
+[RFC2580]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
+            Rose, M., and S. Waldbusser, Conformance Statements for
+            SMIv2, STD 58, RFC 2580, April 1999.
+
+[RFC1157]   Case, J., Fedor, M., Schoffstall, M., and J. Davin, Simple
+            Network Management Protocol, STD 15, RFC 1157, May 1990.
+
+[RFC1901]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
+            Introduction to Community-based SNMPv2, RFC 1901, January
+            1996.
+
+[RFC1906]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, Tran-
+            sport Mappings for Version 2 of the Simple Network Manage-
+            ment Protocol (SNMPv2), RFC 1906, January 1996.
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 18]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+[RFC2572]   Case, J., Harrington D., Presuhn R., and B. Wijnen, Message
+            Processing and Dispatching for the Simple Network Management
+            Protocol (SNMP), RFC 2572, April 1999.
+
+[RFC2574]   Blumenthal, U., and B. Wijnen, User-based Security Model
+            (USM) for version 3 of the Simple Network Management Proto-
+            col (SNMPv3), RFC 2574, April 1999.
+
+[RFC1905]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, Pro-
+            tocol Operations for Version 2 of the Simple Network Manage-
+            ment Protocol (SNMPv2), RFC 1905, January 1996.
+
+[RFC2573]   Levi, D., Meyer, P., and B. Stewart, SNMPv3 Applications,
+            RFC 2573, April 1999.
+
+[RFC2575]   Wijnen, B., Presuhn, R., and K. McCloghrie, View-based
+            Access Control Model (VACM) for the Simple Network Manage-
+            ment Protocol (SNMP), RFC 2575, April 1999.
+
+[RFC2570]   Case, J., Mundy, R., Partain, D., and B. Stewart, Introduc-
+            tion to Version 3 of the Internet-standard Network Manage-
+            ment Framework, RFC 2570, April 1999.
+
+Author's Address
+
+          Michael Thomas
+          Cisco Systems
+          375 E Tasman Rd
+          San Jose, Ca, 95134, USA
+          Tel: +1 408-525-5386
+          email: mat@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 19]
+
+
diff --git a/crypto/heimdal/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt b/crypto/heimdal/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt
new file mode 100644
index 0000000..b89108a
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt
@@ -0,0 +1,227 @@
+
+CAT Working Group                                     Mike Swift 
+draft-trostle-win2k-cat-kerberos-set-passwd-00.txt    Microsoft               
+February 2000                                         Jonathan Trostle
+Category: Informational                               Cisco Systems
+                                                      John Brezak
+                                                      Microsoft
+
+         Extending Change Password for Setting Kerberos Passwords
+
+
+0. Status Of This Memo
+
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026. 
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as 
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six
+   months and may be updated, replaced, or obsoleted by other
+   documents at any time.  It is inappropriate to use Internet-
+   Drafts as reference material or to cite them other than as
+   "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Comments and suggestions on this document are encouraged.  Comments 
+   on this document should be sent to the CAT working group discussion 
+   list:
+                       ietf-cat-wg@stanford.edu
+
+1. Abstract
+
+   The Kerberos [1] change password protocol [2], does not allow for 
+   an administrator to set a password for a new user. This functionality
+   is useful in some environments, and this proposal extends [2] to
+   allow password setting. The changes are: adding new fields to the 
+   request message to indicate the principal which is having its 
+   password set, not requiring the initial flag in the service ticket, 
+   using a new protocol version number, and adding three new result 
+   codes. 
+   
+2. The Protocol
+
+   The service must accept requests on UDP port 464 and TCP port 464 as 
+   well. The protocol consists of a single request message followed by 
+   a single reply message.  For UDP transport, each message must be fully 
+   contained in a single UDP packet.
+
+   For TCP transport, there is a 4 octet header in network byte order
+   precedes the message and specifies the length of the message. This
+
+   requirement is consistent with the TCP transport header in 1510bis.
+
+Request Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REQ length        |         AP_REQ data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                        KRB-PRIV message                       /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   All 16 bit fields are in big-endian order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0xff80 (big-endian 
+   integer).
+
+   AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REQ data: (see [1]) The AP-REQ message must be for the service 
+   principal kadmin/changepw@REALM, where REALM is the REALM of the user 
+   who wishes to change/set his password. The ticket in the AP-REQ must 
+   must include a subkey in the Authenticator. To enable setting of 
+   passwords, it is not required that the initial flag be set in the 
+   Kerberos service ticket.
+
+   KRB-PRIV message (see [1]) This KRB-PRIV message must be generated 
+   using the subkey from the authenticator in the AP-REQ data. 
+
+   The user-data component of the message consists of the following ASN.1 
+   structure encoded as an OCTET STRING:
+
+   ChangePasswdData ::=  SEQUENCE {
+                       newpasswd[0]   OCTET STRING,
+                       targname[2]    PrincipalName OPTIONAL,
+                       targrealm[3]   Realm OPTIONAL
+                       }  
+
+   The server must verify the AP-REQ message, check whether the client 
+   principal in the ticket is authorized to set/change the password 
+   (either for that principal, or for the principal in the targname 
+   field if present), and decrypt the new password. The server also 
+   checks whether the initial flag is required for this request, 
+   replying with status 0x0007 if it is not set and should be. An 
+   authorization failure is cause to respond with status 0x0005. For 
+   forward compatibility, the server should be prepared to ignore fields 
+   after targrealm in the structure that it does not understand. 
+
+   The newpasswd field contains the cleartext password, and the server 
+   should apply any local policy checks including password policy checks. 
+   The server then generates the appropriate keytypes from the password
+
+   and stores them in the KDC database. If all goes well, status 0x0000 
+   is returned to the client in the reply message (see below).
+
+Reply Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REP length        |         AP-REP data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                         KRB-PRIV message                      /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+   All 16 bit fields are in big-endian order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0x0001 (big-endian 
+   integer). (The reply message has the same format as in [2]).
+
+   AP-REP length: length of AP-REP data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REP data: the AP-REP is the response to the AP-REQ in the request 
+   packet.
+   
+   KRB-PRIV from [2]: This KRB-PRIV message must be generated using the 
+   subkey in the authenticator in the AP-REQ data.
+
+   The server will respond with a KRB-PRIV message unless it cannot
+   decode the client AP-REQ or KRB-PRIV message, in which case it will
+   respond with a KRB-ERROR message. NOTE: Unlike change password version
+   1, the KRB-ERROR message will be sent back without any encapsulation.
+
+   The user-data component of the KRB-PRIV message, or e-data component 
+   of the KRB-ERROR message, must consist of the following data.
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          result code          |        result string          /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+      result code (16 bits) (result codes 0-4 are from [2]):
+         The result code must have one of the following values (big-
+         endian integer):
+         KRB5_KPASSWD_SUCCESS      0 request succeeds (This value is not 
+                                     allowed in a KRB-ERROR message)
+         KRB5_KPASSWD_MALFORMED    1 request fails due to being malformed
+         KRB5_KPASSWD_HARDERROR    2 request fails due to "hard" error in
+                                     processing the request (for example, 
+                                     there is a resource or other problem 
+                                     causing the request to fail)
+
+         KRB5_KPASSWD_AUTHERROR    3 request fails due to an error in 
+                                     authentication processing
+         KRB5_KPASSWD_SOFTERROR    4 request fails due to a "soft" error 
+                                     in processing the request 
+         KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized
+         KRB5_KPASSWD_BAD_VERSION  6 protocol version unsupported
+         KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required
+         0xFFFF if the request fails for some other reason.
+         Although only a few non-zero result codes are specified here,
+         the client should accept any non-zero result code as indicating
+         failure.
+      result string - from [2]:
+         This field should contain information which the server thinks
+         might be useful to the user, such as feedback about policy
+         failures.  The string must be encoded in UTF-8.  It may be
+         omitted if the server does not wish to include it.  If it is
+         present, the client should display the string to the user.
+         This field is analogous to the string which follows the numeric
+         code in SMTP, FTP, and similar protocols.
+
+3. References
+ 
+   [1] J. Kohl, C. Neuman. The Kerberos Network Authentication
+   Service (V5). Request for Comments 1510.
+
+   [2] M. Horowitz. Kerberos Change Password Protocol.
+   ftp://ds.internic.net/internet-drafts/
+   draft-ietf-cat-kerb-chg-password-02.txt
+
+4. Expiration Date
+
+   This draft expires in August 2000.   
+
+5. Authors' Addresses
+
+   Jonathan Trostle
+   Cisco Systems
+   170 W. Tasman Dr.
+   San Jose, CA 95134
+   Email: jtrostle@cisco.com
+
+   Mike Swift 
+   1 Microsoft Way
+   Redmond, WA 98052
+   mikesw@microsoft.com
+
+   John Brezak
+   1 Microsoft Way
+   Redmond, WA 98052
+   jbrezak@microsoft.com
diff --git a/crypto/heimdal/doc/standardisation/draft-tso-telnet-krb5-04.txt b/crypto/heimdal/doc/standardisation/draft-tso-telnet-krb5-04.txt
new file mode 100644
index 0000000..e9611e3
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-tso-telnet-krb5-04.txt
@@ -0,0 +1,327 @@
+Network Working Group                                    T. Ts'o, Editor
+Internet-Draft                     Massachusetts Institute of Technology
+draft-tso-telnet-krb5-04.txt                                  April 2000
+
+               Telnet Authentication: Kerberos Version 5
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference mate-
+   rial or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119.
+
+0. Abstract
+
+   This document describes how Kerberos Version 5 [1] is used with the
+   telnet protocol.   It describes an telnet authentication sub-option
+   to be used with the telnet authentication option [2].   This mecha-
+   nism can also used to provide keying material to provide data confi-
+   dentiality services in conjuction with the telnet encryption option
+   [3].
+
+1. Command Names and Codes
+
+   Authentication Types
+
+      KERBEROS_V5    2
+
+   Sub-option Commands
+
+                           Expires Sept 2000                    [Page 1]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+      AUTH               0
+      REJECT             1
+      ACCEPT             2
+      RESPONSE           3
+      FORWARD            4
+      FORWARD_ACCEPT     5
+      FORWARD_REJECT     6
+
+2.  Command Meanings
+
+   IAC SB AUTHENTICATION IS <authentication-type-pair> AUTH <Kerberos V5
+   KRB_AP_REQ message> IAC SE
+
+      This is used to pass the Kerberos V5 [1] KRB_AP_REQ message to the
+      remote side of the connection.  The first octet of the <authenti-
+      cation-type-pair> value is KERBEROS_V5, to indicate that Version 5
+      of Kerberos is being used.  The Kerberos V5 authenticator in the
+      KRB_AP_REQ message     must contain a Kerberos V5 checksum of the
+      two-byte authentication type pair.  This checksum must be verified
+      by the server to assure that the authentication type pair was cor-
+      rectly negotiated.  The Kerberos V5 authenticator must also in-
+      clude the optional subkey field, which shall be filled in with a
+      randomly chosen key.  This key shall be used for encryption pur-
+      poses if encryption is negotiated, and shall be used as the nego-
+      tiated session key (i.e., used as keyid 0) for the purposes of the
+      telnet encryption option; if the subkey is not filled in, then the
+      ticket session key will be used instead.
+
+      If data confidentiality services is desired the ENCRYPT_US-
+      ING_TELOPT flag must be set in the authentication-type-pair as
+      specified in [2].
+
+   IAC SB AUTHENTICATION REPLY <authentication-type-pair> ACCEPT IAC SE
+
+      This command indicates that the authentication was successful.
+
+      If the AUTH_HOW_MUTUAL bit is set in the second octet of the au-
+      thentication-type-pair, the RESPONSE command must be sent before
+      the ACCEPT command is sent.
+
+   IAC SB AUTHENTICATION REPLY <authentication-type-pair> REJECT <op-
+   tional reason for rejection> IAC SE
+
+      This command indicates that the authentication was not successful,
+      and if there is any more data in the sub-option, it is an ASCII
+      text message of the reason for the rejection.
+
+   IAC SB AUTHENTICATION REPLY <authentication-type-pair> RESPONSE
+   <KRB_AP_REP message> IAC SE
+
+                           Expires Sept 2000                    [Page 2]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+      This command is used to perform mutual authentication.  It is only
+      used when the AUTH_HOW_MUTUAL bit is set in the second octet of
+      the authentication-type-pair.  After an AUTH command is verified,
+      a RESPONSE command is sent which contains a Kerberos V5 KRB_AP_REP
+      message to perform the mutual authentication.
+
+   IAC SB AUTHENTICATION <authentication-type-pair> FORWARD <KRB_CRED
+   message> IAC SE
+
+      This command is used to forward kerberos credentials for use by
+      the remote session.  The credentials are passed as a Kerberos V5
+      KRB_CRED message which includes, among other things, the forwarded
+      Kerberos ticket and a session key associated with the ticket. Part
+      of the KRB_CRED message is encrypted in the key previously ex-
+      changed for the telnet session by the AUTH suboption.
+
+   IAC SB AUTHENTICATION <authentication-type-pair> FORWARD_ACCEPT IAC
+   SE
+
+      This command indicates that the credential forwarding was success-
+      ful.
+
+   IAC SB AUTHENTICATION <authentication-type-pair> FORWARD_REJECT <op-
+   tional reason for rejection> IAC SE
+
+      This command indicates that the credential forwarding was not suc-
+      cessful, and if there is any more data in the sub-option, it is an
+      ASCII text message of the reason for the rejection.
+
+3.  Implementation Rules
+
+   If the second octet of the authentication-type-pair has the AUTH_WHO
+   bit set to AUTH_CLIENT_TO_SERVER, then the client sends the initial
+   AUTH command, and the server responds with either ACCEPT or REJECT.
+   In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the serv-
+   er will send a RESPONSE before it sends the ACCEPT.
+
+   If the second octet of the authentication-type-pair has the AUTH_WHO
+   bit set to AUTH_SERVER_TO_CLIENT, then the server sends the initial
+   AUTH command, and the client responds with either ACCEPT or REJECT.
+   In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the
+   client will send a RESPONSE before it sends the ACCEPT.
+
+   The Kerberos principal used by the server will generally be of the
+   form "host/<hostname>@realm".  That is, the first component of the
+   Kerberos principal is "host"; the second component is the fully qual-
+   ified lower-case hostname of the server; and the realm is the Ker-
+   beros realm to which the server belongs.
+
+                           Expires Sept 2000                    [Page 3]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+   Any Telnet IAC characters that occur in the KRB_AP_REQ or KRB_AP_REP
+   messages, the KRB_CRED structure, or the optional rejection text
+   string must be doubled as specified in [4].  Otherwise the following
+   byte might be mis-interpreted as a Telnet command.
+
+4.  Examples
+
+   User "joe" may wish to log in as user "pete" on machine "foo".  If
+   "pete" has set things up on "foo" to allow "joe" access to his ac-
+   count, then the client would send IAC SB AUTHENTICATION NAME "pete"
+   IAC SE IAC SB AUTHENTICATION IS KERBEROS_V5 AUTH <KRB_AP_REQ_MESSAGE>
+   IAC SE
+
+   The server would then authenticate the user as "joe" from the
+   KRB_AP_REQ_MESSAGE, and if the KRB_AP_REQ_MESSAGE was accepted by
+   Kerberos, and if "pete" has allowed "joe" to use his account, the
+   server would then continue the authentication sequence by sending a
+   RESPONSE (to do mutual authentication, if it was requested) followed
+   by the ACCEPT.
+
+   If forwarding has been requested, the client then sends IAC SB AU-
+   THENTICATION IS KERBEROS_V5 CLIENT|MUTUAL FORWARD <KRB_CRED structure
+   with credentials to be forwarded> IAC SE.  If the server succeeds in
+   reading the forwarded credentials, the server sends FORWARD_ACCEPT
+   else, a FORWARD_REJECT is sent back.
+
+       Client                           Server
+                                        IAC DO AUTHENTICATION
+       IAC WILL AUTHENTICATION
+
+       [ The server is now free to request authentication information.
+         ]
+
+                                        IAC SB AUTHENTICATION SEND
+                                        KERBEROS_V5 CLIENT|MUTUAL
+                                        KERBEROS_V5 CLIENT|ONE_WAY IAC
+                                        SE
+
+       [ The server has requested mutual Version 5 Kerberos
+         authentication.  If mutual authentication is not supported,
+         then the server is willing to do one-way authentication.
+
+         The client will now respond with the name of the user that it
+         wants to log in as, and the Kerberos ticket.  ]
+
+       IAC SB AUTHENTICATION NAME
+       "pete" IAC SE
+       IAC SB AUTHENTICATION IS
+       KERBEROS_V5 CLIENT|MUTUAL AUTH
+       <KRB_AP_REQ message> IAC SE
+
+                           Expires Sept 2000                    [Page 4]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+       [ Since mutual authentication is desired, the server sends across
+         a RESPONSE to prove that it really is the right server.  ]
+
+                                        IAC SB AUTHENTICATION REPLY
+                                        KERBEROS_V5 CLIENT|MUTUAL
+                                        RESPONSE <KRB_AP_REP message>
+                                        IAC SE
+
+       [ The server responds with an ACCEPT command to state that the
+         authentication was successful.  ]
+
+                                        IAC SB AUTHENTICATION REPLY KER-
+                                        BEROS_V5 CLIENT|MUTUAL ACCEPT
+                                        IAC SE
+
+       [ If so requested, the client now sends the FORWARD command to
+         forward credentials to the remote site.  ]
+
+       IAC SB AUTHENTICATION IS KER-
+       BEROS_V5 CLIENT|MUTUAL
+       FORWARD <KRB_CRED message> IAC
+       SE
+
+       [ The server responds with a FORWARD_ACCEPT command to state that
+         the credential forwarding was successful.  ]
+
+                           Expires Sept 2000                    [Page 5]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+                                        IAC SB AUTHENTICATION REPLY KER-
+                                        BEROS_V5 CLIENT|MUTUAL FOR-
+                                        WARD_ACCEPT IAC SE
+
+5. Security Considerations
+
+   The selection of the random session key in the Kerberos V5 authenti-
+   cator is critical, since this key will be used for encrypting the
+   telnet data stream if encryption is enabled.  It is strongly advised
+   that the random key selection be done using cryptographic techniques
+   that involve the Kerberos ticket's session key.  For example, using
+   the current time, encrypting it with the ticket session key, and then
+   correcting for key parity is a strong way to generate a subsession
+   key, since the ticket session key is assumed to be never disclosed to
+   an attacker.
+
+   Care should be taken before forwarding a user's Kerberos credentials
+   to the remote server.  If the remote server is not trustworthy, this
+   could result in the user's credentials being compromised.  Hence, the
+   user interface should not forward credentials by default; it would be
+   far safer to either require the user to explicitly request creden-
+   tials forwarding for each connection, or to have a trusted list of
+   hosts for which credentials forwarding is enabled, but to not enable
+   credentials forwarding by default for all machines.
+
+6. IANA Considerations
+
+   The authentication type KERBEROS_V5 and its associated suboption values
+   are registered with IANA.  Any suboption values used to extend 
+   the protocol as described in this document must be registered
+   with IANA before use.  IANA is instructed not to issue new suboption
+   values without submission of documentation of their use.
+
+7. Acknowledgments
+
+   This document was originally written by Dave Borman of Cray Research,
+   Inc.  Theodore Ts'o of MIT revised it to reflect the latest implemen-
+   tation experience.  Cliff Neuman and Prasad Upasani of USC's Informa-
+   tion Sciences Institute developed the credential forwarding support.
+
+   In addition, the contributions of the Telnet Working Group are also
+   gratefully acknowledged.
+
+8. References
+
+   [1] Kohl, J. and B. Neuman, "The Kerberos Network Authentication Sys-
+       tem (V5)", RFC 1510, USC/Information Sciences Institute, Septem-
+       ber 1993.
+
+   [2] Internet Engineering Task Force, "Telnet Authentication", draft-
+       tso-telnet-auth-enc-04.txt, T. Ts'o, Editor, VA Linux Systems,
+           April 2000.
+
+   [3] Internet Engineering Task Force, "Telnet Data Encryption Option",
+       draft-tso-telnet-encryption-04.txt, T. Ts'o, Editor, VA Linux
+       Systems,     April 2000.
+
+   [4] Postel, J.B. and J. Reynolds, "Telnet Option Specifications", RFC
+
+                           Expires Sept 2000                    [Page 6]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+       855, STD 8, USC/Information Sciences Institute, May 1983.
+
+Editor's Address
+
+   Theodore Ts'o
+   Massachusetts Institute of Technology
+   MIT Room E40-343
+   77 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone: (617) 253-8091
+   EMail: tytso@mit.edu
+
+                           Expires Sept 2000                    [Page 7]
+
+
+    Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
+                 The Kermit Project * Columbia University
+              612 West 115th St #716 * New York, NY * 10025
+  http://www.kermit-project.org/k95.html * kermit-support@kermit-project.org
+
+
diff --git a/crypto/heimdal/doc/standardisation/rc4-hmac.txt b/crypto/heimdal/doc/standardisation/rc4-hmac.txt
new file mode 100644
index 0000000..202d44e
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rc4-hmac.txt
@@ -0,0 +1,587 @@
+CAT working group                                              M. Swift 
+Internet Draft                                                J. Brezak 
+Document: draft-brezak-win2k-krb-rc4-hmac-03.txt              Microsoft 
+Category: Informational                                       June 2000 
+ 
+ 
+           The Windows 2000 RC4-HMAC Kerberos encryption type 
+ 
+ 
+Status of this Memo 
+ 
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are 
+   working documents of the Internet Engineering Task Force (IETF), its 
+   areas, and its working groups. Note that other groups may also 
+   distribute working documents as Internet-Drafts. Internet-Drafts are 
+   draft documents valid for a maximum of six months and may be 
+   updated, replaced, or obsoleted by other documents at any time. It 
+   is inappropriate to use Internet- Drafts as reference material or to 
+   cite them other than as "work in progress." 
+     
+   The list of current Internet-Drafts can be accessed at 
+   http://www.ietf.org/ietf/1id-abstracts.txt  
+   The list of Internet-Draft Shadow Directories can be accessed at 
+   http://www.ietf.org/shadow.html. 
+    
+1. Abstract 
+    
+   The Windows 2000 implementation of Kerberos introduces a new 
+   encryption type based on the RC4 encryption algorithm and using an 
+   MD5 HMAC for checksum. This is offered as an alternative to using 
+   the existing DES based encryption types. 
+    
+   The RC4-HMAC encryption types are used to ease upgrade of existing 
+   Windows NT environments, provide strong crypto (128-bit key 
+   lengths), and provide exportable (meet United States government 
+   export restriction requirements) encryption. 
+    
+   The Windows 2000 implementation of Kerberos contains new encryption 
+   and checksum types for two reasons: for export reasons early in the 
+   development process, 56 bit DES encryption could not be exported, 
+   and because upon upgrade from Windows NT 4.0 to Windows 2000, 
+   accounts will not have the appropriate DES keying material to do the 
+   standard DES encryption. Furthermore, 3DES is not available for 
+   export, and there was a desire to use a single flavor of encryption 
+   in the product for both US and international products. 
+    
+   As a result, there are two new encryption types and one new checksum 
+   type introduced in Windows 2000. 
+    
+    
+2. Conventions used in this document 
+    
+
+  
+Swift                  Category - Informational                      1 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
+   this document are to be interpreted as described in RFC-2119 [2]. 
+    
+3. Key Generation 
+    
+   On upgrade from existing Windows NT domains, the user accounts would 
+   not have a DES based key available to enable the use of DES base 
+   encryption types specified in RFC 1510. The key used for RC4-HMAC is 
+   the same as the existing Windows NT key (NT Password Hash) for 
+   compatibility reasons. Once the account password is changed, the DES 
+   based keys are created and maintained. Once the DES keys are 
+   available DES based encryption types can be used with Kerberos.  
+    
+   The RC4-HMAC String to key function is defined as follow: 
+    
+   String2Key(password) 
+    
+        K = MD4(UNICODE(password)) 
+         
+   The RC4-HMAC keys are generated by using the Windows UNICODE version 
+   of the password. Each Windows UNICODE character is encoded in 
+   little-endian format of 2 octets each. Then performing an MD4 [6] 
+   hash operation on just the UNICODE characters of the password (not 
+   including the terminating zero octets). 
+    
+   For an account with a password of "foo", this String2Key("foo") will 
+   return: 
+    
+        0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe, 
+        0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc 
+    
+4. Basic Operations 
+    
+   The MD5 HMAC function is defined in [3]. It is used in this 
+   encryption type for checksum operations. Refer to [3] for details on 
+   its operation. In this document this function is referred to as 
+   HMAC(Key, Data) returning the checksum using the specified key on 
+   the data. 
+    
+   The basic MD5 hash operation is used in this encryption type and 
+   defined in [7]. In this document this function is referred to as 
+   MD5(Data) returning the checksum of the data. 
+    
+   RC4 is a stream cipher licensed by RSA Data Security [RSADSI]. A       
+   compatible cipher is described in [8]. In this document the function 
+   is referred to as RC4(Key, Data) returning the encrypted data using 
+   the specified key on the data. 
+    
+   These encryption types use key derivation as defined in [9] (RFC-
+   1510BIS) in Section titled "Key Derivation". With each message, the 
+   message type (T) is used as a component of the keying material. This 
+   summarizes the different key derivation values used in the various 
+  
+Swift                  Category - Informational                      2 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   operations. Note that these differ from the key derivations used in 
+   other Kerberos encryption types. 
+    
+        T = 1 for TS-ENC-TS in the AS-Request 
+        T = 8 for the AS-Reply  
+        T = 7 for the Authenticator in the TGS-Request 
+        T = 8 for the TGS-Reply  
+        T = 2 for the Server Ticket in the AP-Request 
+        T = 11 for the Authenticator in the AP-Request 
+        T = 12 for the Server returned AP-Reply 
+        T = 15 in the generation of checksum for the MIC token 
+        T = 0 in the generation of sequence number for the MIC token  
+        T = 13 in the generation of checksum for the WRAP token 
+        T = 0 in the generation of sequence number for the WRAP token  
+        T = 0 in the generation of encrypted data for the WRAPPED token 
+    
+   All strings in this document are ASCII unless otherwise specified. 
+   The lengths of ASCII encoded character strings include the trailing 
+   terminator character (0). 
+    
+   The concat(a,b,c,...) function will return the logical concatenation 
+   (left to right) of the values of the arguments. 
+    
+   The nonce(n) function returns a pseudo-random number of "n" octets. 
+    
+5. Checksum Types 
+    
+   There is one checksum type used in this encryption type. The 
+   Kerberos constant for this type is: 
+        #define KERB_CHECKSUM_HMAC_MD5 (-138) 
+    
+   The function is defined as follows: 
+    
+   K - is the Key 
+   T - the message type, encoded as a little-endian four byte integer 
+    
+   CHKSUM(K, T, data) 
+    
+        Ksign = HMAC(K, "signaturekey")  //includes zero octet at end 
+        tmp = MD5(concat(T, data)) 
+        CHKSUM = HMAC(Ksign, tmp) 
+    
+    
+6. Encryption Types 
+    
+   There are two encryption types used in these encryption types. The 
+   Kerberos constants for these types are: 
+        #define KERB_ETYPE_RC4_HMAC             23 
+        #define KERB_ETYPE_RC4_HMAC_EXP         24 
+    
+   The basic encryption function is defined as follow: 
+    
+   T = the message type, encoded as a little-endian four byte integer. 
+  
+Swift                  Category - Informational                      3 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+    
+        BYTE L40[14] = "fortybits"; 
+        BYTE SK = "signaturekey"; 
+         
+        ENCRYPT (K, fRC4_EXP, T, data, data_len, edata, edata_len) 
+        { 
+            if (fRC4_EXP){ 
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 10 + 4, K1); 
+            }else{ 
+                HMAC (K, &T, 4, K1); 
+            } 
+            memcpy (K2, K1, 16); 
+            if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
+            add_8_random_bytes(data, data_len, conf_plus_data); 
+            HMAC (K2, conf_plus_data, 8 + data_len, checksum); 
+            HMAC (K1, checksum, 16, K3); 
+            RC4(K3, conf_plus_data, 8 + data_len, edata + 16); 
+            memcpy (edata, checksum, 16); 
+            edata_len = 16 + 8 + data_len; 
+        }         
+         
+        DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) 
+        { 
+            if (fRC4_EXP){ 
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K1); 
+            }else{ 
+                HMAC (K, &T, 4, K1); 
+            } 
+            memcpy (K2, K1, 16); 
+            if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
+            HMAC (K1, edata, 16, K3); // checksum is at edata 
+            RC4(K3, edata + 16, edata_len - 16, edata + 16); 
+            data_len = edata_len - 16 - 8; 
+            memcpy (data, edata + 16 + 8, data_len); 
+             
+            // verify generated and received checksums 
+            HMAC (K2, edata + 16, edata_len - 16, checksum); 
+            if (memcmp(edata, checksum, 16) != 0)  
+                printf("CHECKSUM ERROR  !!!!!!\n"); 
+        } 
+    
+   The header field on the encrypted data in KDC messages is: 
+    
+        typedef struct _RC4_MDx_HEADER { 
+            UCHAR Checksum[16]; 
+            UCHAR Confounder[8]; 
+        } RC4_MDx_HEADER, *PRC4_MDx_HEADER; 
+         
+   The KDC message is encrypted using the ENCRYPT function not 
+   including the Checksum in the RC4_MDx_HEADER. 
+    
+  
+Swift                  Category - Informational                      4 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+7. Key Strength Negotiation 
+    
+   A Kerberos client and server can negotiate over key length if they 
+   are using mutual authentication. If the client is unable to perform 
+   full strength encryption, it may propose a key in the "subkey" field 
+   of the authenticator, using a weaker encryption type. The server 
+   must then either return the same key or suggest its own key in the 
+   subkey field of the AP reply message. The key used to encrypt data 
+   is derived from the key returned by the server. If the client is 
+   able to perform strong encryption but the server is not, it may 
+   propose a subkey in the AP reply without first being sent a subkey 
+   in the authenticator. 
+ 
+8. GSSAPI Kerberos V5 Mechanism Type  
+ 
+8.1 Mechanism Specific Changes 
+    
+   The GSSAPI per-message tokens also require new checksum and 
+   encryption types. The GSS-API per-message tokens must be changed to 
+   support these new encryption types (See [5] Section 1.2.2). The 
+   sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption 
+   is: 
+        Byte 4..5 SEAL_ALG      0x10 0x00 - RC4 
+    
+   The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: 
+        Byte 2..3 SGN ALG       0x11 0x00 - HMAC 
+    
+   The only support quality of protection is: 
+        #define GSS_KRB5_INTEG_C_QOP_DEFAULT    0x0 
+    
+   In addition, when using an RC4 based encryption type, the sequence 
+   number is sent in big-endian rather than little-endian order. 
+    
+   The Windows 2000 implementation also defines new GSSAPI flags in the 
+   initial token passed when initializing a security context. These 
+   flags are passed in the checksum field of the authenticator (See [5] 
+   Section 1.1.1). 
+    
+   GSS_C_DCE_STYLE - This flag was added for use with Microsoft’s 
+   implementation of DCE RPC, which initially expected three legs of 
+   authentication. Setting this flag causes an extra AP reply to be 
+   sent from the client back to the server after receiving the server’s 
+   AP reply. In addition, the context negotiation tokens do not have 
+   GSSAPI framing - they are raw AP message and do not include object 
+   identifiers. 
+        #define GSS_C_DCE_STYLE                 0x1000 
+    
+
+  
+Swift                  Category - Informational                      5 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the 
+   server that it should only allow the server application to identify 
+   the client by name and ID, but not to impersonate the client. 
+        #define GSS_C_IDENTIFY_FLAG             0x2000 
+         
+   GSS_C_EXTENDED_ERROR_FLAG - Setting this flag indicates that the 
+   client wants to be informed of extended error information. In 
+   particular, Windows 2000 status codes may be returned in the data 
+   field of a Kerberos error message. This allows the client to 
+   understand a server failure more precisely. In addition, the server 
+   may return errors to the client that are normally handled at the 
+   application layer in the server, in order to let the client try to 
+   recover. After receiving an error message, the client may attempt to 
+   resubmit an AP request. 
+        #define GSS_C_EXTENDED_ERROR_FLAG       0x4000 
+    
+   These flags are only used if a client is aware of these conventions 
+   when using the SSPI on the Windows platform, they are not generally 
+   used by default. 
+    
+   When NetBIOS addresses are used in the GSSAPI, they are identified 
+   by the GSS_C_AF_NETBIOS value. This value is defined as: 
+        #define GSS_C_AF_NETBIOS                0x14 
+   NetBios addresses are 16-octet addresses typically composed of 1 to 
                                                                 th
   15 characters, trailing blank (ascii char 20) filled, with a 16  
+   octet of 0x0. 
+    
+8.2 GSSAPI Checksum Type 
+    
+   The GSSAPI checksum type and algorithm is defined in Section 5. Only 
+   the first 8 octets of the checksum are used. The resulting checksum 
+   is stored in the SGN_CKSUM field (See [5] Section 1.2) for 
+   GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). 
+    
+        MIC (K, fRC4_EXP, seq_num, MIC_hdr, msg, msg_len, 
+             MIC_seq, MIC_checksum) 
+        { 
+            HMAC (K, SK, 13, K4); 
+            T = 15; 
+            memcpy (T_plus_hdr_plus_msg + 00, &T, 4); 
+            memcpy (T_plus_hdr_plus_msg + 04, MIC_hdr, 8);  
+                                                // 0101 1100 FFFFFFFF 
+            memcpy (T_plus_hdr_plus_msg + 12, msg, msg_len); 
+            MD5 (T_hdr_msg, 4 + 8 + msg_len, MD5_of_T_hdr_msg); 
+            HMAC (K4, MD5_of_T_hdr_msg, CHKSUM); 
+            memcpy (MIC_checksum, CHKSUM, 8); // use only first 8 bytes 
+          
+            T = 0; 
+            if (fRC4_EXP){  
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K5); 
+            }else{ 
+                HMAC (K, &T, 4, K5); 
+  
+Swift                  Category - Informational                      6 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+            } 
+            if (fRC4_EXP) memset(K5+7, 0xAB, 9); 
+            HMAC(K5, MIT_checksum, 8, K6); 
+            copy_seq_num_in_big_endian(seq_num, seq_plus_direction); 
+        //0x12345678 
+            copy_direction_flag (direction_flag, seq_plus_direction + 
+        4); //0x12345678FFFFFFFF 
+            RC4(K6, seq_plus_direction, 8, MIC_seq); 
+        } 
+    
+8.3 GSSAPI Encryption Types 
+    
+   There are two encryption types for GSSAPI message tokens, one that 
+   is 128 bits in strength, and one that is 56 bits in strength as 
+   defined in Section 6. 
+    
+   All padding is rounded up to 1 byte. One byte is needed to say that 
+   there is 1 byte of padding. The DES based mechanism type uses 8 byte 
+   padding. See [5] Section 1.2.2.3. 
+    
+   The encryption mechanism used for GSS wrap based messages is as 
+   follow: 
+    
+    
+        WRAP (K, fRC4_EXP, seq_num, WRAP_hdr, msg, msg_len, 
+              WRAP_seq, WRAP_checksum, edata, edata_len) 
+        { 
+            HMAC (K, SK, 13, K7); 
+            T = 13; 
+            PAD = 1; 
+            memcpy (T_hdr_conf_msg_pad + 00, &T, 4); 
+            memcpy (T_hdr_conf_msg_pad + 04, WRAP_hdr, 8); // 0101 1100 
+        FFFFFFFF 
+            memcpy (T_hdr_conf_msg_pad + 12, msg, msg_len); 
+            memcpy (T_hdr_conf_msg_pad + 12 + msg_len, &PAD, 1); 
+            MD5 (T_hdr_conf_msg_pad, 
+                 4 + 8 + 8 + msg_len + 1, 
+                 MD5_of_T_hdr_conf_msg_pad); 
+            HMAC (K7, MD5_of_T_hdr_conf_msg_pad, CHKSUM); 
+            memcpy (WRAP_checksum, CHKSUM, 8); // use only first 8 
+        bytes 
+          
+            T = 0; 
+            if (fRC4_EXP){  
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K8); 
+            }else{ 
+                HMAC (K, &T, 4, K8); 
+            } 
+            if (fRC4_EXP) memset(K8+7, 0xAB, 9); 
+            HMAC(K8, WRAP_checksum, 8, K9); 
+            copy_seq_num_in_big_endian(seq_num, seq_plus_direction); 
+        //0x12345678 
+  
+Swift                  Category - Informational                      7 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+            copy_direction_flag (direction_flag, seq_plus_direction + 
+        4); //0x12345678FFFFFFFF 
+            RC4(K9, seq_plus_direction, 8, WRAP_seq); 
+          
+            for (i = 0; i < 16; i++) K10 [i] ^= 0xF0; // XOR each byte 
+        of key with 0xF0 
+            T = 0; 
+            if (fRC4_EXP){ 
+                *(DWORD *)(L40+10) = T; 
+                HMAC(K10, L40, 14, K11); 
+                memset(K11+7, 0xAB, 9); 
+            }else{ 
+                HMAC(K10, &T, 4, K11);  
+            } 
+            HMAC(K11, seq_num, 4, K12); 
+            RC4(K12, T_hdr_conf_msg_pad + 4 + 8, 8 + msg_len + 1, 
+        edata); /* skip T & hdr */ 
+            edata_len = 8 + msg_len + 1; // conf + msg_len + pad 
+         } 
+          
+    
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+9. Security Considerations 
+ 
+   Care must be taken in implementing this encryption type because it 
+   uses a stream cipher. If a different IV isn’t used in each direction 
+   when using a session key, the encryption is weak. By using the 
+   sequence number as an IV, this is avoided. 
+    
+10. Acknowledgements 
+    
+   We would like to thank Salil Dangi for the valuable input in 
+   refining the descriptions of the functions and review input. 
+     
+11. References 
+ 
+   1  Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
+      9, RFC 2026, October 1996. 
+    
+   2  Bradner, S., "Key words for use in RFCs to Indicate Requirement 
+      Levels", BCP 14, RFC 2119, March 1997 
+    
+   3  Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for 
+      Message Authentication", RFC 2104, February 1997 
+    
+   4  Kohl, J., Neuman, C., "The Kerberos Network Authentication 
+      Service (V5)", RFC 1510, September 1993 
+ 
+ 
+  
+Swift                  Category - Informational                      8 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+ 
+   5  Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, 
+      June 1996 
+ 
+   6  R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April 
+      1992 
+ 
+   7  R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April 
+      1992 
+ 
+   8  Thayer, R. and K. Kaukonen, "A Stream Cipher Encryption             
+      Algorithm", Work in Progress. 
+ 
+   9  RC4 is a proprietary encryption algorithm available under license 
+      from RSA Data Security Inc.  For licensing information, contact: 
+       
+         RSA Data Security, Inc. 
+         100 Marine Parkway 
+         Redwood City, CA 94065-1031 
+ 
+   10 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network 
+      Authentication Service (V5)", draft-ietf-cat-kerberos-revisions-
+      04.txt, June 25, 1999 
+ 
+    
+12. Author's Addresses 
+    
+   Mike Swift 
+   Dept. of Computer Science 
+   Sieg Hall 
+   University of Washington 
+   Seattle, WA 98105 
+   Email: mikesw@cs.washington.edu  
+    
+   John Brezak 
+   Microsoft 
+   One Microsoft Way 
+   Redmond, Washington 
+   Email: jbrezak@microsoft.com 
+    
+    
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                      9 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+    
+13. Full Copyright Statement 
+ 
+   "Copyright (C) The Internet Society (2000). All Rights Reserved. 
+    
+   This document and translations of it may be copied and          
+   furnished to others, and derivative works that comment on or          
+   otherwise explain it or assist in its implementation may be          
+   prepared, copied, published and distributed, in whole or in          
+   part, without restriction of any kind, provided that the above          
+   copyright notice and this paragraph are included on all such          
+   copies and derivative works.  However, this document itself may          
+   not be modified in any way, such as by removing the copyright          
+   notice or references to the Internet Society or other Internet          
+   organizations, except as needed for the purpose of developing          
+   Internet standards in which case the procedures for copyrights          
+   defined in the Internet Standards process must be followed, or          
+   as required to translate it into languages other than English. 
+    
+   The limited permissions granted above are perpetual and will          
+   not be revoked by the Internet Society or its successors or          
+   assigns. 
+    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                     10 
+
diff --git a/crypto/heimdal/doc/whatis.texi b/crypto/heimdal/doc/whatis.texi
index 97d4da2..eff52d7 100644
--- a/crypto/heimdal/doc/whatis.texi
+++ b/crypto/heimdal/doc/whatis.texi
@@ -1,3 +1,5 @@
+@c $Id: whatis.texi,v 1.5 2001/01/28 22:11:23 assar Exp $
+
 @node What is Kerberos?, Building and Installing, Introduction, Top
 @chapter What is Kerberos?
 
diff --git a/crypto/heimdal/doc/win2k.texi b/crypto/heimdal/doc/win2k.texi
index 1a0e731..baa1b47 100644
--- a/crypto/heimdal/doc/win2k.texi
+++ b/crypto/heimdal/doc/win2k.texi
@@ -1,4 +1,6 @@
-@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top
+@c $Id: win2k.texi,v 1.12 2001/01/28 22:10:35 assar Exp $
+
+@node Windows 2000 compatability, Acknowledgments, Migration, Top
 @comment  node-name,  next,  previous,  up
 @chapter Windows 2000 compatability
 
@@ -7,37 +9,182 @@ Kerberos 5.  Their implementation, however, has some quirks,
 peculiarities, and bugs.  This chapter is a short summary of the things
 that we have found out while trying to test Heimdal against Windows
 2000.  Another big problem with the Kerberos implementation in Windows
-2000 is the almost complete lack of documentation.
+2000 is that the available documentation is more focused on getting
+things to work rather than how they work and not that useful in figuring
+out how things really work.
 
 This information should apply to Heimdal @value{VERSION} and Windows
-2000 RC1.  It's of course subject all the time and mostly consists of
+2000 Professional.  It's of course subject all the time and mostly consists of
 our not so inspired guesses.  Hopefully it's still somewhat useful.
 
 @menu
+* Configuring Windows 2000 to use a Heimdal KDC::  
+* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::  
+* Create account mappings::     
 * Encryption types::            
 * Authorization data::          
+* Quirks of Windows 2000 KDC::  
+* Useful links when reading about the Windows 2000::  
 @end menu
 
-@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability
+@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
+@comment node-name, next, precious, up
+@section Configuring Windows 2000 to use a Heimdal KDC
+
+You need the command line program called @code{ksetup.exe} which is available
+in the file @code{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
+CD-ROM. This program is used to configure the Kerberos settings on a
+Workstation.
+
+@code{Ksetup} store the domain information under the registry key:
+@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.
+
+Use the kadmin program in Heimdal to create a host principal in the
+Kerberos realm.
+
+@example
+unix% kadmin
+kadmin> ank -pw password host/datan.my.domain
+@end example
+
+You must configure the Workstation as a member of a workgroup, as opposed
+to a member in an NT domain, and specify the KDC server of the realm
+as follows:
+@example
+C:> ksetup /setdomain MY.REALM
+C:> ksetup /addkdc MY.REALM kdc.my.domain
+@end example
+
+Set the machine password, i.e. create the local keytab:
+@example
+C:> ksetup /setmachpassword password
+@end example
+
+The workstation must now be rebooted.
+
+A mapping between local NT users and Kerberos principals must be specified,
+you have two choices:
+
+@example
+C:> ksetup /mapuser user@@MY.REALM nt_user
+@end example
+
+This will map a user to a specific principal, this allows you to have
+other usernames in the realm than in your NT user database. (Don't ask
+me why on earth you would want that...)
+
+You can also say:
+@example
+C:> ksetup /mapuser * *
+@end example
+The Windows machine will now map any user to the corresponding principal,
+for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
+(This is most likely what you want.)
+
+@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
+@comment node-name, next, precious, up
+@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
+
+See also the Step-by-Step guide from Microsoft, referenced below.
+
+Install Windows 2000, and create a new controller (Active Directory
+Server) for the domain.
+
+By default the trust will be non-transitive. This means that only users
+directly from the trusted domain may authenticate. This can be changed
+to transitive by using the @code{netdom.exe} tool.
+
+You need to tell Windows 2000 on what hosts to find the KDCs for the
+non-Windows realm with @code{ksetup}, see @xref{Configuring Windows 2000
+to use a Heimdal KDC}.
+
+This need to be done on all computers that want enable cross-realm
+login with @code{Mapped Names}.
+
+Then you need to add the inter-realm keys on the Windows kdc. Start the
+Domain Tree Management tool. (Found in Programs, Administrative tools,
+Active Directory Domains and Trusts).
+
+Right click on Properties of your domain, select the Trust tab.  Press
+Add on the appropriate trust windows and enter domain name and
+password. When prompted if this is a non-Windows Kerberos realm, press
+OK.
+
+Do not forget to add trusts in both directions.
+
+You also need to add the inter-realm keys to the Heimdal KDC. There are
+some tweaks that you need to do to @file{krb5.conf} beforehand.
+
+@example
+[libdefaults]
+	default_etypes = des-cbc-crc
+	default_etypes_des = des-cbc-crc
+@end example
+
+since otherwise checksum types that are not understood by Windows 2000
+will be generated (@xref{Quirks of Windows 2000 KDC}.).
+
+Another issue is salting.  Since Windows 2000 does not seem to
+understand Kerberos 4 salted hashes you might need to turn off anything
+similar to the following if you have it, at least while adding the
+principals that are going to share keys with Windows 2000.
+
+@example
+	[kadmin]default_keys = des3:pw-salt des:pw-salt des:pw-salt:
+@end example
+
+You must also set:
+
+Once that is also done, you can add the required inter-realm keys:
+
+@example
+kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
+kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM
+@end example
+
+Use the same passwords for both keys.
+
+Do not forget to reboot before trying the new realm-trust (after running
+@code{ksetup}). It looks like it might work, but packets are never sent to the
+non-Windows KDC.
+
+@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
+@comment node-name, next, precious, up
+@section Create account mappings
+
+Start the @code{Active Directory Users and Computers} tool. Select the
+View menu, that is in the left corner just below the real menu (or press
+Alt-V), and select Advanced Features. Right click on the user that you
+are going to do a name mapping for and choose Name mapping.
+
+Click on the Kerberos Names tab and add a new principal from the
+non-Windows domain.
+
+@node Encryption types, Authorization data, Create account mappings, Windows 2000 compatability
 @comment  node-name,  next,  previous,  up
 @section Encryption types
 
 Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
-des-cbc-md5) and its own proprietary encryption that is based on md4 and
-rc4 and which is supposed to be described in
-draft-brezak-win2k-krb-rc4-hmac-01.txt.  To enable a given principal to
-use DES, it needs to have DES keys in the database.  To do this, you
-need to enable DES keys for the particular principal with the user
-administration tool and then change the password.
-
-@node Authorization data,  , Encryption types, Windows 2000 compatability
+des-cbc-md5) and its own proprietary encryption that is based on MD4 and
+rc4 that is documented in and is supposed to be described in
+@file{draft-brezak-win2k-krb-rc4-hmac-03.txt}.  New users will get both
+MD4 and DES keys.  Users that are converted from a NT4 database, will
+only have MD4 passwords and will need a password change to get a DES
+key.
+
+Heimdal implements both of these encryption types, but since DES is the
+standard and the hmac-code is somewhat newer, it is likely to work better.
+
+@node Authorization data, Quirks of Windows 2000 KDC, Encryption types, Windows 2000 compatability
 @comment  node-name,  next,  previous,  up
 @section Authorization data
 
 The Windows 2000 KDC also adds extra authorization data in tickets.
 It is at this point unclear what triggers it to do this.  The format of
-this data is unknown and according to Microsoft, subject to change.  A
-simple way of getting hold of the data to be able to understand it
+this data is only available under a ``secret'' license from Microsoft,
+which prohibits you implementing it.
+
+A simple way of getting hold of the data to be able to understand it
 better is described here.
 
 @enumerate
@@ -56,3 +203,82 @@ the file.
 analyzing the data.
 @end enumerate
 
+@node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorization data, Windows 2000 compatability
+@comment  node-name,  next,  previous,  up
+@section Quirks of Windows 2000 KDC
+
+There are some issues with salts and Windows 2000.  Using an empty salt,
+which is the only one that Kerberos 4 supported and is therefore known
+as a Kerberos 4 compatible salt does not work, as far as we can tell
+from out experiments and users reports.  Therefore, you have to make
+sure you keep around keys with all the different types of salts that are
+required.
+
+Microsoft seems also to have forgotten to implement the checksum
+algorithms @samp{rsa-md4-des} and @samp{rsa-md5-des}. This can make Name
+mapping (@pxref{Create account mappings}) fail if a @code{des-cbc-md5} key
+is used. To make the KDC return only @code{des-cbc-crc} you must delete
+the @code{des-cbc-md5} key from the kdc using the @code{kadmin
+del_enctype} command.
+
+@example
+kadmin del_enctype lha des-cbc-md5
+@end example
+
+You should also add the following entries to the @file{krb5.conf} file:
+
+@example
+[libdefaults]
+	default_etypes = des-cbc-crc
+	default_etypes_des = des-cbc-crc
+@end example
+
+These configuration options will make sure that no checksums of the
+unsupported types are generated.
+
+@node Useful links when reading about the Windows 2000,  , Quirks of Windows 2000 KDC, Windows 2000 compatability
+@comment  node-name,  next,  previous,  up
+@section Useful links when reading about the Windows 2000
+
+There are lots of text about Kerberos on Microsoft's web site, here is a
+short list of the interesting documents that we have managed to find.
+
+@itemize @bullet
+
+@item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability -
+@url{http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp}
+Kerberos GSS-API (in Windows-ize SSPI), Windows as a client in a
+non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, and
+adding cross-realm trust (@xref{Inter-Realm keys (trust) between Windows 2000
+and a Heimdal KDC}.).
+
+@item Windows 2000 Kerberos Authentication - 
+@url{http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp}
+White paper that describes how Kerberos is used in Windows 2000.
+
+@item Overview of kerberos -
+@url{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP}
+Links to useful other links.
+
+@item Klist for windows - 
+@url{http://msdn.microsoft.com/library/periodic/period00/security0500.htm}
+Describes where to get a klist for Windows 2000.
+
+@item Event logging for kerberos -
+@url{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}.
+Basicly it say that you can add a registry key
+@code{HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel}
+with value DWORD equal to 1, and then you'll get logging in the Event
+Logger.
+
+@item Access to the active directory through LDAP
+@url{http://msdn.microsoft.com/library/techart/kerberossamp.htm}
+
+@end itemize
+
+Other useful programs include these:
+
+@itemize @bullet
+@item pwdump2
+@url{http://www.webspan.net/~tas/pwdump2/}
+@end itemize
diff --git a/crypto/heimdal/etc/services.append b/crypto/heimdal/etc/services.append
index e3a31f9..0d4559a 100644
--- a/crypto/heimdal/etc/services.append
+++ b/crypto/heimdal/etc/services.append
@@ -1,5 +1,5 @@
 #
-# $Id: services.append,v 1.4 1999/07/23 21:36:03 assar Exp $
+# $Id: services.append,v 1.5 2000/06/07 02:52:51 assar Exp $
 #
 # Kerberos services
 #
@@ -25,3 +25,5 @@ kf		2110/tcp			# forward credentials
 kx		2111/tcp			# X over kerberos
 kip		2112/tcp			# IP over kerberos
 kauth		2120/tcp			# Remote kauth
+iprop		2121/tcp			# incremental propagation
+krb524		4444/udp			# MIT 5->4
diff --git a/crypto/heimdal/include/Makefile.am b/crypto/heimdal/include/Makefile.am
index f9d240b..8ca0f75 100644
--- a/crypto/heimdal/include/Makefile.am
+++ b/crypto/heimdal/include/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.30 1999/12/21 17:03:11 assar Exp $
+# $Id: Makefile.am,v 1.31 2000/07/02 16:08:29 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -39,6 +39,7 @@ CLEANFILES =		\
 	krb5_err.h	\
 	md4.h		\
 	md5.h		\
+	rc4.h		\
 	otp.h		\
 	parse_time.h	\
 	parse_units.h	\
diff --git a/crypto/heimdal/include/Makefile.in b/crypto/heimdal/include/Makefile.in
index dd23443..705f743 100644
--- a/crypto/heimdal/include/Makefile.in
+++ b/crypto/heimdal/include/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.30 1999/12/21 17:03:11 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,22 +95,32 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.31 2000/07/02 16:08:29 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
@@ -117,6 +130,8 @@ INCLUDES = -DHOST=\"$(CANONICAL_HOST)\"
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,24 +170,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 CHECK_LOCAL = 
 
 SUBDIRS = kadm5
@@ -178,8 +192,43 @@ noinst_PROGRAMS = bits
 
 include_HEADERS = krb5-types.h
 
-CLEANFILES =  	asn1.h			asn1_err.h		base64.h		com_err.h		com_right.h		der.h			des.h			editline.h		err.h			getarg.h		glob.h			gssapi.h		hdb.h			hdb_asn1.h		hdb_err.h		heim_err.h		kafs.h			krb5-protos.h		krb5-private.h		krb5-types.h		krb5.h			krb5_err.h		md4.h			md5.h			otp.h			parse_time.h		parse_units.h		resolve.h		roken-common.h		roken.h			sha.h			sl.h			xdbm.h
+CLEANFILES = \
+	asn1.h		\
+	asn1_err.h	\
+	base64.h	\
+	com_err.h	\
+	com_right.h	\
+	der.h		\
+	des.h		\
+	editline.h	\
+	err.h		\
+	getarg.h	\
+	glob.h		\
+	gssapi.h	\
+	hdb.h		\
+	hdb_asn1.h	\
+	hdb_err.h	\
+	heim_err.h	\
+	kafs.h		\
+	krb5-protos.h	\
+	krb5-private.h	\
+	krb5-types.h	\
+	krb5.h		\
+	krb5_err.h	\
+	md4.h		\
+	md5.h		\
+	rc4.h		\
+	otp.h		\
+	parse_time.h	\
+	parse_units.h	\
+	resolve.h	\
+	roken-common.h	\
+	roken.h		\
+	sha.h		\
+	sl.h		\
+	xdbm.h
 
+subdir = include
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = config.h
 CONFIG_CLEAN_FILES = 
@@ -190,7 +239,6 @@ PROGRAMS =  $(noinst_PROGRAMS)
 DEFS = @DEFS@ -I. -I$(srcdir) -I.
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
@@ -200,26 +248,28 @@ bits_OBJECTS =  bits.$(OBJEXT)
 bits_LDADD = $(LDADD)
 bits_DEPENDENCIES = 
 bits_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  bits.c
 HEADERS =  $(include_HEADERS)
 
-DIST_COMMON =  ./stamp-h.in Makefile.am Makefile.in config.h.in
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) ./stamp-h.in Makefile.am Makefile.in \
+config.h.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = bits.c
 OBJECTS = bits.$(OBJEXT)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign include/Makefile
 
@@ -234,18 +284,22 @@ config.h: stamp-h
 		$(MAKE) stamp-h; \
 	else :; fi
 stamp-h: $(srcdir)/config.h.in $(top_builddir)/config.status
+	@rm -f stamp-h stamp-hT
+	@echo timestamp > stamp-hT 2> /dev/null
 	cd $(top_builddir) \
 	  && CONFIG_FILES= CONFIG_HEADERS=include/config.h \
 	     $(SHELL) ./config.status
-	@echo timestamp > stamp-h 2> /dev/null
-$(srcdir)/config.h.in: $(srcdir)/stamp-h.in
+	@mv stamp-hT stamp-h
+$(srcdir)/config.h.in: $(srcdir)/./stamp-h.in
 	@if test ! -f $@; then \
-		rm -f $(srcdir)/stamp-h.in; \
-		$(MAKE) $(srcdir)/stamp-h.in; \
+		rm -f $(srcdir)/./stamp-h.in; \
+		$(MAKE) $(srcdir)/./stamp-h.in; \
 	else :; fi
-$(srcdir)/stamp-h.in: $(top_srcdir)/configure.in $(ACLOCAL_M4) 
+$(srcdir)/./stamp-h.in: $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/acconfig.h
+	@rm -f $(srcdir)/./stamp-h.in $(srcdir)/./stamp-h.inT
+	@echo timestamp > $(srcdir)/./stamp-h.inT 2> /dev/null
 	cd $(top_srcdir) && $(AUTOHEADER)
-	@echo timestamp > $(srcdir)/stamp-h.in 2> /dev/null
+	@mv $(srcdir)/./stamp-h.inT $(srcdir)/./stamp-h.in
 
 mostlyclean-hdr:
 
@@ -265,20 +319,6 @@ distclean-noinstPROGRAMS:
 
 maintainer-clean-noinstPROGRAMS:
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -290,15 +330,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -312,20 +343,29 @@ maintainer-clean-libtool:
 bits$(EXEEXT): $(bits_OBJECTS) $(bits_DEPENDENCIES)
 	@rm -f bits$(EXEEXT)
 	$(LINK) $(bits_LDFLAGS) $(bits_OBJECTS) $(bits_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-includeHEADERS: $(include_HEADERS)
 	@$(NORMAL_INSTALL)
 	$(mkinstalldirs) $(DESTDIR)$(includedir)
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
-	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
-	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
 	done
 
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	list='$(include_HEADERS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
 	done
 
 # This directory's subdirectories are mostly independent; you can cd
@@ -335,8 +375,6 @@ uninstall-includeHEADERS:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 
-@SET_MAKE@
-
 all-recursive install-data-recursive install-exec-recursive \
 installdirs-recursive install-recursive uninstall-recursive  \
 check-recursive installcheck-recursive info-recursive dvi-recursive:
@@ -364,7 +402,7 @@ maintainer-clean-recursive:
 	dot_seen=no; \
 	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
 	  rev="$$subdir $$rev"; \
-	  test "$$subdir" = "." && dot_seen=yes; \
+	  if test "$$subdir" = "."; then dot_seen=yes; else :; fi; \
 	done; \
 	test "$$dot_seen" = "no" && rev=". $$rev"; \
 	target=`echo $@ | sed s/-recursive//`; \
@@ -385,15 +423,17 @@ tags-recursive:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) $(LISP)
+TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -401,12 +441,14 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) $(LI
 	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
    fi; \
 	done; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)config.h.in$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags config.h.in $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags config.h.in $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -419,17 +461,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = include
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	for subdir in $(SUBDIRS); do \
@@ -437,7 +478,6 @@ distdir: $(DISTFILES)
 	    test -d $(distdir)/$$subdir \
 	    || mkdir $(distdir)/$$subdir \
 	    || exit 1; \
-	    chmod 777 $(distdir)/$$subdir; \
 	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
 	      || exit 1; \
 	  fi; \
@@ -471,7 +511,7 @@ uninstall: uninstall-recursive
 all-am: Makefile $(PROGRAMS) $(HEADERS) config.h all-local
 all-redirect: all-recursive-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs: installdirs-recursive
 installdirs-am:
 	$(mkinstalldirs)  $(DESTDIR)$(includedir)
@@ -487,6 +527,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-hdr mostlyclean-noinstPROGRAMS \
 		mostlyclean-compile mostlyclean-libtool \
 		mostlyclean-tags mostlyclean-generic
@@ -521,18 +562,18 @@ clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
 mostlyclean-compile distclean-compile clean-compile \
 maintainer-clean-compile mostlyclean-libtool distclean-libtool \
 clean-libtool maintainer-clean-libtool uninstall-includeHEADERS \
-install-includeHEADERS install-data-recursive uninstall-data-recursive \
-install-exec-recursive uninstall-exec-recursive installdirs-recursive \
-uninstalldirs-recursive all-recursive check-recursive \
-installcheck-recursive info-recursive dvi-recursive \
-mostlyclean-recursive distclean-recursive clean-recursive \
+install-includeHEADERS install-recursive uninstall-recursive \
+install-data-recursive uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
 maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
 distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 all-recursive-am install-exec-am install-exec install-data-local \
 install-data-am install-data install-am install uninstall-am uninstall \
-all-local all-redirect all-am all installdirs-am installdirs \
-mostlyclean-generic distclean-generic clean-generic \
+all-local all-redirect all-am all install-strip installdirs-am \
+installdirs mostlyclean-generic distclean-generic clean-generic \
 maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
@@ -541,7 +582,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -553,8 +597,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -623,87 +667,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/include/bits.c b/crypto/heimdal/include/bits.c
index 5eb9bd0..0c8fcdd 100644
--- a/crypto/heimdal/include/bits.c
+++ b/crypto/heimdal/include/bits.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,36 +33,22 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: bits.c,v 1.16 1999/12/02 17:04:57 joda Exp $");
+RCSID("$Id: bits.c,v 1.18 2000/08/27 05:42:46 assar Exp $");
 #endif
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
 #include <ctype.h>
 
-static void
-my_strupr(char *s)
-{
-    char *p = s;
-
-    while(*p){
-	if(islower((unsigned char)*p))
-	    *p = toupper((unsigned char)*p);
-	p++;
-    }	
-}
-
-
 #define BITSIZE(TYPE)						\
 {								\
-    int b = 0; TYPE x = 1, zero = 0; char *pre = "u_";		\
+    int b = 0; TYPE x = 1, zero = 0; char *pre = "u";		\
     char tmp[128], tmp2[128];					\
     while(x){ x <<= 1; b++; if(x < zero) pre=""; }		\
     if(b >= len){						\
         int tabs;						\
 	sprintf(tmp, "%sint%d_t" , pre, len);			\
 	sprintf(tmp2, "typedef %s %s;", #TYPE, tmp);		\
-	my_strupr(tmp);						\
 	tabs = 5 - strlen(tmp2) / 8;				\
         fprintf(f, "%s", tmp2);					\
 	while(tabs-- > 0) fprintf(f, "\t");			\
@@ -71,6 +57,19 @@ my_strupr(char *s)
     }								\
 }
 
+#ifndef HAVE___ATTRIBUTE__
+#define __attribute__(x)
+#endif
+
+static void
+try_signed(FILE *f, int len)  __attribute__ ((unused));
+
+static void
+try_unsigned(FILE *f, int len) __attribute__ ((unused));
+
+static int
+print_bt(FILE *f, int flag) __attribute__ ((unused));
+
 static void
 try_signed(FILE *f, int len)
 {
@@ -132,7 +131,7 @@ int main(int argc, char **argv)
     }
     fprintf(f, "/* %s -- this file was generated for %s by\n", fn, HOST);
     fprintf(f, "   %*s    %s */\n\n", (int)strlen(fn), "", 
-	    "$Id: bits.c,v 1.16 1999/12/02 17:04:57 joda Exp $");
+	    "$Id: bits.c,v 1.18 2000/08/27 05:42:46 assar Exp $");
     fprintf(f, "#ifndef %s\n", hb);
     fprintf(f, "#define %s\n", hb);
     fprintf(f, "\n");
@@ -173,22 +172,42 @@ int main(int argc, char **argv)
 #endif /* HAVE_INT64_T */
 #endif
 
-#ifndef HAVE_U_INT8_T
+#ifndef HAVE_UINT8_T
     flag = print_bt(f, flag);
     try_unsigned (f, 8);
-#endif /* HAVE_INT8_T */
-#ifndef HAVE_U_INT16_T
+#endif /* HAVE_UINT8_T */
+#ifndef HAVE_UINT16_T
     flag = print_bt(f, flag);
     try_unsigned (f, 16);
+#endif /* HAVE_UINT16_T */
+#ifndef HAVE_UINT32_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 32);
+#endif /* HAVE_UINT32_T */
+#if 0
+#ifndef HAVE_UINT64_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 64);
+#endif /* HAVE_UINT64_T */
+#endif
+
+#define X(S) fprintf(f, "typedef uint" #S "_t u_int" #S "_t;\n")
+#ifndef HAVE_U_INT8_T
+    flag = print_bt(f, flag);
+    X(8);
+#endif /* HAVE_U_INT8_T */
+#ifndef HAVE_U_INT16_T
+    flag = print_bt(f, flag);
+    X(16);
 #endif /* HAVE_U_INT16_T */
 #ifndef HAVE_U_INT32_T
     flag = print_bt(f, flag);
-    try_unsigned (f, 32);
+    X(32);
 #endif /* HAVE_U_INT32_T */
 #if 0
 #ifndef HAVE_U_INT64_T
     flag = print_bt(f, flag);
-    try_unsigned (f, 64);
+    X(64);
 #endif /* HAVE_U_INT64_T */
 #endif
 
diff --git a/crypto/heimdal/include/config.h.in b/crypto/heimdal/include/config.h.in
index 9707f56..069bc3f 100644
--- a/crypto/heimdal/include/config.h.in
+++ b/crypto/heimdal/include/config.h.in
@@ -1,1102 +1,1201 @@
 /* include/config.h.in.  Generated automatically from configure.in by autoheader.  */
 
-/* Define to empty if the keyword does not work.  */
-#undef const
-
-/* Define to `int' if <sys/types.h> doesn't define.  */
-#undef gid_t
+#ifndef RCSID
+#define RCSID(msg) static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+#endif
 
-/* Define as __inline if that's what the C compiler calls it.  */
-#undef inline
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
 
-/* Define to `long' if <sys/types.h> doesn't define.  */
-#undef off_t
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
 
-/* Define to `int' if <sys/types.h> doesn't define.  */
-#undef pid_t
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
 
-/* Define as the return type of signal handlers (int or void).  */
-#undef RETSIGTYPE
 
-/* Define to `unsigned' if <sys/types.h> doesn't define.  */
-#undef size_t
 
-/* Define if you have the ANSI C header files.  */
-#undef STDC_HEADERS
-
-/* Define if you can safely include both <sys/time.h> and <time.h>.  */
-#undef TIME_WITH_SYS_TIME
+/* Define if you want authentication support in telnet. */
+#undef AUTHENTICATION
 
-/* Define if your <sys/time.h> declares struct tm.  */
-#undef TM_IN_SYS_TIME
+/* Define if realloc(NULL) doesn't work. */
+#undef BROKEN_REALLOC
 
-/* Define to `int' if <sys/types.h> doesn't define.  */
-#undef uid_t
+/* Define if you want support for DCE/DFS PAG's. */
+#undef DCE
 
-/* Define if the X Window System is missing or not being used.  */
-#undef X_DISPLAY_MISSING
+/* Define if you want to use DES encryption in telnet. */
+#undef DES_ENCRYPTION
 
-/* Define if lex declares yytext as a char * by default, not a char[].  */
-#undef YYTEXT_POINTER
+/* Define this to enable diagnostics in telnet. */
+#undef DIAGNOSTICS
 
-/* Define if you have the MD4Init function.  */
-#undef HAVE_MD4INIT
+/* Define if you want encryption support in telnet. */
+#undef ENCRYPTION
 
-/* Define if you have the MD4_Init function.  */
-#undef HAVE_MD4_INIT
+/* define if sys/param.h defines the endiness */
+#undef ENDIANESS_IN_SYS_PARAM_H
 
-/* Define if you have the MD5Init function.  */
-#undef HAVE_MD5INIT
+/* Define this if you want support for broken ENV_{VAR,VAL} telnets. */
+#undef ENV_HACK
 
-/* Define if you have the MD5_Init function.  */
-#undef HAVE_MD5_INIT
+/* define if prototype of gethostbyaddr is compatible with struct hostent
+   *gethostbyaddr(const void *, size_t, int) */
+#undef GETHOSTBYADDR_PROTO_COMPATIBLE
 
-/* Define if you have the SHA1Init function.  */
-#undef HAVE_SHA1INIT
+/* define if prototype of gethostbyname is compatible with struct hostent
+   *gethostbyname(const char *) */
+#undef GETHOSTBYNAME_PROTO_COMPATIBLE
 
-/* Define if you have the SHA1_Init function.  */
-#undef HAVE_SHA1_INIT
+/* define if prototype of getservbyname is compatible with struct servent
+   *getservbyname(const char *, const char *) */
+#undef GETSERVBYNAME_PROTO_COMPATIBLE
 
-/* Define if you have the XauFileName function.  */
-#undef HAVE_XAUFILENAME
+/* define if prototype of getsockname is compatible with int getsockname(int,
+   struct sockaddr*, socklen_t*) */
+#undef GETSOCKNAME_PROTO_COMPATIBLE
 
-/* Define if you have the XauReadAuth function.  */
-#undef HAVE_XAUREADAUTH
+/* Define if you have the <arpa/ftp.h> header file. */
+#undef HAVE_ARPA_FTP_H
 
-/* Define if you have the XauWriteAuth function.  */
-#undef HAVE_XAUWRITEAUTH
+/* Define if you have the <arpa/inet.h> header file. */
+#undef HAVE_ARPA_INET_H
 
-/* Define if you have the _getpty function.  */
-#undef HAVE__GETPTY
+/* Define if you have the <arpa/nameser.h> header file. */
+#undef HAVE_ARPA_NAMESER_H
 
-/* Define if you have the _scrsize function.  */
-#undef HAVE__SCRSIZE
+/* Define if you have the <arpa/telnet.h> header file. */
+#undef HAVE_ARPA_TELNET_H
 
-/* Define if you have the asnprintf function.  */
+/* Define if you have the `asnprintf' function. */
 #undef HAVE_ASNPRINTF
 
-/* Define if you have the asprintf function.  */
+/* Define if you have the `asprintf' function. */
 #undef HAVE_ASPRINTF
 
-/* Define if you have the cap_set_proc function.  */
+/* Define if you have the <bind/bitypes.h> header file. */
+#undef HAVE_BIND_BITYPES_H
+
+/* Define if you have the <bsdsetjmp.h> header file. */
+#undef HAVE_BSDSETJMP_H
+
+/* Define if you have the <capability.h> header file. */
+#undef HAVE_CAPABILITY_H
+
+/* Define if you have the `cap_set_proc' function. */
 #undef HAVE_CAP_SET_PROC
 
-/* Define if you have the cgetent function.  */
+/* Define if you have the `cgetent' function. */
 #undef HAVE_CGETENT
 
-/* Define if you have the chown function.  */
+/* Define if you have the `chown' function. */
 #undef HAVE_CHOWN
 
-/* Define if you have the copyhostent function.  */
+/* Define if you have the <config.h> header file. */
+#undef HAVE_CONFIG_H
+
+/* Define if you have the `copyhostent' function. */
 #undef HAVE_COPYHOSTENT
 
-/* Define if you have the crypt function.  */
+/* Define if you have the `crypt' function. */
 #undef HAVE_CRYPT
 
-/* Define if you have the daemon function.  */
+/* Define if you have the <crypt.h> header file. */
+#undef HAVE_CRYPT_H
+
+/* Define if you have the <curses.h> header file. */
+#undef HAVE_CURSES_H
+
+/* Define if you have the `daemon' function. */
 #undef HAVE_DAEMON
 
-/* Define if you have the dbm_firstkey function.  */
+/* Define if you have the `dbm_firstkey' function. */
 #undef HAVE_DBM_FIRSTKEY
 
-/* Define if you have the dbopen function.  */
+/* Define if you have the <dbm.h> header file. */
+#undef HAVE_DBM_H
+
+/* Define if you have the `dbopen' function. */
 #undef HAVE_DBOPEN
 
-/* Define if you have the des_cbc_encrypt function.  */
+/* Define if you have the <db_185.h> header file. */
+#undef HAVE_DB_185_H
+
+/* Define if you have the `db_create' function. */
+#undef HAVE_DB_CREATE
+
+/* Define if you have the <db.h> header file. */
+#undef HAVE_DB_H
+
+/* Define if you have the `des_cbc_encrypt' function. */
 #undef HAVE_DES_CBC_ENCRYPT
 
-/* Define if you have the dlopen function.  */
+/* Define if you have the <dirent.h> header file. */
+#undef HAVE_DIRENT_H
+
+/* Define if you have the <dlfcn.h> header file. */
+#undef HAVE_DLFCN_H
+
+/* Define if you have the `dlopen' function. */
 #undef HAVE_DLOPEN
 
-/* Define if you have the dn_expand function.  */
+/* Define if you have the `dn_expand' function. */
 #undef HAVE_DN_EXPAND
 
-/* Define if you have the el_init function.  */
+/* Define if you have the `el_init' function. */
 #undef HAVE_EL_INIT
 
-/* Define if you have the err function.  */
+/* define if your system declares environ */
+#undef HAVE_ENVIRON_DECLARATION
+
+/* Define if you have the `err' function. */
 #undef HAVE_ERR
 
-/* Define if you have the errx function.  */
+/* Define if you have the <errno.h> header file. */
+#undef HAVE_ERRNO_H
+
+/* Define if you have the `errx' function. */
 #undef HAVE_ERRX
 
-/* Define if you have the fchown function.  */
+/* Define if you have the <err.h> header file. */
+#undef HAVE_ERR_H
+
+/* Define if you have the `fchown' function. */
 #undef HAVE_FCHOWN
 
-/* Define if you have the fcntl function.  */
+/* Define if you have the `fcntl' function. */
 #undef HAVE_FCNTL
 
-/* Define if you have the flock function.  */
+/* Define if you have the <fcntl.h> header file. */
+#undef HAVE_FCNTL_H
+
+/* Define if you have the `flock' function. */
 #undef HAVE_FLOCK
 
-/* Define if you have the fnmatch function.  */
+/* Define if you have the `fnmatch' function. */
 #undef HAVE_FNMATCH
 
-/* Define if you have the freeaddrinfo function.  */
+/* Define if you have the <fnmatch.h> header file. */
+#undef HAVE_FNMATCH_H
+
+/* Define if el_init takes four arguments. */
+#undef HAVE_FOUR_VALUED_EL_INIT
+
+/* define if krb_put_int takes four arguments. */
+#undef HAVE_FOUR_VALUED_KRB_PUT_INT
+
+/* Define if you have the `freeaddrinfo' function. */
 #undef HAVE_FREEADDRINFO
 
-/* Define if you have the freehostent function.  */
+/* Define if you have the `freehostent' function. */
 #undef HAVE_FREEHOSTENT
 
-/* Define if you have the gai_strerror function.  */
+/* Define if you have the `gai_strerror' function. */
 #undef HAVE_GAI_STRERROR
 
-/* Define if you have the getaddrinfo function.  */
+/* Define if you have the <gdbm/ndbm.h> header file. */
+#undef HAVE_GDBM_NDBM_H
+
+/* Define if you have the `getaddrinfo' function. */
 #undef HAVE_GETADDRINFO
 
-/* Define if you have the getcwd function.  */
+/* Define if you have the `getconfattr' function. */
+#undef HAVE_GETCONFATTR
+
+/* Define if you have the `getcwd' function. */
 #undef HAVE_GETCWD
 
-/* Define if you have the getdtablesize function.  */
+/* Define if you have the `getdtablesize' function. */
 #undef HAVE_GETDTABLESIZE
 
-/* Define if you have the getegid function.  */
+/* Define if you have the `getegid' function. */
 #undef HAVE_GETEGID
 
-/* Define if you have the geteuid function.  */
+/* Define if you have the `geteuid' function. */
 #undef HAVE_GETEUID
 
-/* Define if you have the getgid function.  */
+/* Define if you have the `getgid' function. */
 #undef HAVE_GETGID
 
-/* Define if you have the gethostbyname function.  */
+/* Define if you have the `gethostbyname' function. */
 #undef HAVE_GETHOSTBYNAME
 
-/* Define if you have the gethostbyname2 function.  */
+/* Define if you have the `gethostbyname2' function. */
 #undef HAVE_GETHOSTBYNAME2
 
-/* Define if you have the gethostname function.  */
+/* Define if you have the `gethostname' function. */
 #undef HAVE_GETHOSTNAME
 
-/* Define if you have the getipnodebyaddr function.  */
+/* Define if you have the `getifaddrs' function. */
+#undef HAVE_GETIFADDRS
+
+/* Define if you have the `getipnodebyaddr' function. */
 #undef HAVE_GETIPNODEBYADDR
 
-/* Define if you have the getipnodebyname function.  */
+/* Define if you have the `getipnodebyname' function. */
 #undef HAVE_GETIPNODEBYNAME
 
-/* Define if you have the getlogin function.  */
+/* Define if you have the `getlogin' function. */
 #undef HAVE_GETLOGIN
 
-/* Define if you have the getmsg function.  */
+/* Define if you have a working getmsg. */
 #undef HAVE_GETMSG
 
-/* Define if you have the getnameinfo function.  */
+/* Define if you have the `getnameinfo' function. */
 #undef HAVE_GETNAMEINFO
 
-/* Define if you have the getopt function.  */
+/* Define if you have the `getopt' function. */
 #undef HAVE_GETOPT
 
-/* Define if you have the getpwnam_r function.  */
+/* Define if you have the `getpwnam_r' function. */
 #undef HAVE_GETPWNAM_R
 
-/* Define if you have the getrlimit function.  */
+/* Define if you have the `getrlimit' function. */
 #undef HAVE_GETRLIMIT
 
-/* Define if you have the getsockopt function.  */
+/* Define if you have the `getsockopt' function. */
 #undef HAVE_GETSOCKOPT
 
-/* Define if you have the getspnam function.  */
+/* Define if you have the `getspnam' function. */
 #undef HAVE_GETSPNAM
 
-/* Define if you have the gettimeofday function.  */
+/* Define if you have the `gettimeofday' function. */
 #undef HAVE_GETTIMEOFDAY
 
-/* Define if you have the getudbnam function.  */
+/* Define if you have the `getudbnam' function. */
 #undef HAVE_GETUDBNAM
 
-/* Define if you have the getuid function.  */
+/* Define if you have the `getuid' function. */
 #undef HAVE_GETUID
 
-/* Define if you have the getusershell function.  */
+/* Define if you have the `getusershell' function. */
 #undef HAVE_GETUSERSHELL
 
-/* Define if you have the grantpt function.  */
+/* define if you have a glob() that groks GLOB_BRACE, GLOB_NOCHECK,
+   GLOB_QUOTE, and GLOB_TILDE */
+#undef HAVE_GLOB
+
+/* Define if you have the `grantpt' function. */
 #undef HAVE_GRANTPT
 
-/* Define if you have the hstrerror function.  */
+/* Define if you have the <grp.h> header file. */
+#undef HAVE_GRP_H
+
+/* Define if you have the `hstrerror' function. */
 #undef HAVE_HSTRERROR
 
-/* Define if you have the inet_aton function.  */
+/* Define if you have the `h_errlist' variable. */
+#undef HAVE_H_ERRLIST
+
+/* define if your system declares h_errlist */
+#undef HAVE_H_ERRLIST_DECLARATION
+
+/* Define if you have the `h_errno' variable. */
+#undef HAVE_H_ERRNO
+
+/* define if your system declares h_errno */
+#undef HAVE_H_ERRNO_DECLARATION
+
+/* Define if you have the `h_nerr' variable. */
+#undef HAVE_H_NERR
+
+/* define if your system declares h_nerr */
+#undef HAVE_H_NERR_DECLARATION
+
+/* Define if you have the <ifaddrs.h> header file. */
+#undef HAVE_IFADDRS_H
+
+/* Define if you have the `inet_aton' function. */
 #undef HAVE_INET_ATON
 
-/* Define if you have the inet_ntop function.  */
+/* Define if you have the `inet_ntop' function. */
 #undef HAVE_INET_NTOP
 
-/* Define if you have the inet_pton function.  */
+/* Define if you have the `inet_pton' function. */
 #undef HAVE_INET_PTON
 
-/* Define if you have the initgroups function.  */
+/* Define if you have the `initgroups' function. */
 #undef HAVE_INITGROUPS
 
-/* Define if you have the innetgr function.  */
+/* Define if you have the `innetgr' function. */
 #undef HAVE_INNETGR
 
-/* Define if you have the iruserok function.  */
+/* Define if you have the <inttypes.h> header file. */
+#undef HAVE_INTTYPES_H
+
+/* Define if you have the <io.h> header file. */
+#undef HAVE_IO_H
+
+/* Define if you have IPv6. */
+#undef HAVE_IPV6
+
+/* Define if you have the `iruserok' function. */
 #undef HAVE_IRUSEROK
 
-/* Define if you have the krb_disable_debug function.  */
+/* Define if you have the `krb_disable_debug' function. */
 #undef HAVE_KRB_DISABLE_DEBUG
 
-/* Define if you have the krb_enable_debug function.  */
+/* Define if you have the `krb_enable_debug' function. */
 #undef HAVE_KRB_ENABLE_DEBUG
 
-/* Define if you have the krb_get_our_ip_for_realm function.  */
+/* Define if you have the `krb_get_our_ip_for_realm' function. */
 #undef HAVE_KRB_GET_OUR_IP_FOR_REALM
 
-/* Define if you have the logwtmp function.  */
+/* Define if you have the <limits.h> header file. */
+#undef HAVE_LIMITS_H
+
+/* Define if you have the `logwtmp' function. */
 #undef HAVE_LOGWTMP
 
-/* Define if you have the long_long function.  */
+/* Define if the system has the type `long long'. */
 #undef HAVE_LONG_LONG
 
-/* Define if you have the lstat function.  */
+/* Define if you have the `lstat' function. */
 #undef HAVE_LSTAT
 
-/* Define if you have the memmove function.  */
+/* Define if you have the <maillock.h> header file. */
+#undef HAVE_MAILLOCK_H
+
+/* Define if you have the `MD4_Init' function. */
+#undef HAVE_MD4_INIT
+
+/* Define if you have the `MD5_Init' function. */
+#undef HAVE_MD5_INIT
+
+/* Define if you have the `memmove' function. */
 #undef HAVE_MEMMOVE
 
-/* Define if you have the mkstemp function.  */
+/* Define if you have the <memory.h> header file. */
+#undef HAVE_MEMORY_H
+
+/* Define if you have the `mkstemp' function. */
 #undef HAVE_MKSTEMP
 
-/* Define if you have the mktime function.  */
+/* Define if you have the `mktime' function. */
 #undef HAVE_MKTIME
 
-/* Define if you have the ptsname function.  */
-#undef HAVE_PTSNAME
-
-/* Define if you have the putenv function.  */
-#undef HAVE_PUTENV
+/* Define if you have the <ndbm.h> header file. */
+#undef HAVE_NDBM_H
 
-/* Define if you have the rand function.  */
-#undef HAVE_RAND
+/* Define if you have the <netdb.h> header file. */
+#undef HAVE_NETDB_H
 
-/* Define if you have the random function.  */
-#undef HAVE_RANDOM
+/* Define if you have the <netinet6/in6.h> header file. */
+#undef HAVE_NETINET6_IN6_H
 
-/* Define if you have the rcmd function.  */
-#undef HAVE_RCMD
+/* Define if you have the <netinet6/in6_var.h> header file. */
+#undef HAVE_NETINET6_IN6_VAR_H
 
-/* Define if you have the readv function.  */
-#undef HAVE_READV
+/* Define if you have the <netinet/in6.h> header file. */
+#undef HAVE_NETINET_IN6_H
 
-/* Define if you have the recvmsg function.  */
-#undef HAVE_RECVMSG
+/* Define if you have the <netinet/in6_machtypes.h> header file. */
+#undef HAVE_NETINET_IN6_MACHTYPES_H
 
-/* Define if you have the res_search function.  */
-#undef HAVE_RES_SEARCH
+/* Define if you have the <netinet/in6_var.h> header file. */
+#undef HAVE_NETINET_IN6_VAR_H
 
-/* Define if you have the revoke function.  */
-#undef HAVE_REVOKE
+/* Define if you have the <netinet/in.h> header file. */
+#undef HAVE_NETINET_IN_H
 
-/* Define if you have the sa_family_t function.  */
-#undef HAVE_SA_FAMILY_T
+/* Define if you have the <netinet/in_systm.h> header file. */
+#undef HAVE_NETINET_IN_SYSTM_H
 
-/* Define if you have the select function.  */
-#undef HAVE_SELECT
+/* Define if you have the <netinet/ip.h> header file. */
+#undef HAVE_NETINET_IP_H
 
-/* Define if you have the sendmsg function.  */
-#undef HAVE_SENDMSG
+/* Define if you have the <netinet/tcp.h> header file. */
+#undef HAVE_NETINET_TCP_H
 
-/* Define if you have the setegid function.  */
-#undef HAVE_SETEGID
+/* Define if you want to use Netinfo instead of krb5.conf. */
+#undef HAVE_NETINFO
 
-/* Define if you have the setenv function.  */
-#undef HAVE_SETENV
+/* Define if you have the <netinfo/ni.h> header file. */
+#undef HAVE_NETINFO_NI_H
 
-/* Define if you have the seteuid function.  */
-#undef HAVE_SETEUID
+/* Define if you have the <net/if.h> header file. */
+#undef HAVE_NET_IF_H
 
-/* Define if you have the setitimer function.  */
-#undef HAVE_SETITIMER
+/* Define if you have the <openssl/des.h> header file. */
+#undef HAVE_OPENSSL_DES_H
 
-/* Define if you have the setlim function.  */
-#undef HAVE_SETLIM
+/* Define if you have the <openssl/md4.h> header file. */
+#undef HAVE_OPENSSL_MD4_H
 
-/* Define if you have the setlogin function.  */
-#undef HAVE_SETLOGIN
+/* Define if you have the <openssl/md5.h> header file. */
+#undef HAVE_OPENSSL_MD5_H
 
-/* Define if you have the setpcred function.  */
-#undef HAVE_SETPCRED
+/* Define if you have the <openssl/rc4.h> header file. */
+#undef HAVE_OPENSSL_RC4_H
 
-/* Define if you have the setpgid function.  */
-#undef HAVE_SETPGID
+/* Define if you have the <openssl/sha.h> header file. */
+#undef HAVE_OPENSSL_SHA_H
 
-/* Define if you have the setproctitle function.  */
-#undef HAVE_SETPROCTITLE
+/* define if your system declares optarg */
+#undef HAVE_OPTARG_DECLARATION
 
-/* Define if you have the setregid function.  */
-#undef HAVE_SETREGID
+/* define if your system declares opterr */
+#undef HAVE_OPTERR_DECLARATION
 
-/* Define if you have the setresgid function.  */
-#undef HAVE_SETRESGID
+/* define if your system declares optind */
+#undef HAVE_OPTIND_DECLARATION
 
-/* Define if you have the setresuid function.  */
-#undef HAVE_SETRESUID
+/* define if your system declares optopt */
+#undef HAVE_OPTOPT_DECLARATION
 
-/* Define if you have the setreuid function.  */
-#undef HAVE_SETREUID
+/* Define to enable basic OSF C2 support. */
+#undef HAVE_OSFC2
 
-/* Define if you have the setsid function.  */
-#undef HAVE_SETSID
+/* Define if you have the <paths.h> header file. */
+#undef HAVE_PATHS_H
 
-/* Define if you have the setsockopt function.  */
-#undef HAVE_SETSOCKOPT
+/* Define if you have the `pidfile' function. */
+#undef HAVE_PIDFILE
 
-/* Define if you have the setutent function.  */
-#undef HAVE_SETUTENT
+/* Define if you have the <pthread.h> header file. */
+#undef HAVE_PTHREAD_H
 
-/* Define if you have the sgi_getcapabilitybyname function.  */
-#undef HAVE_SGI_GETCAPABILITYBYNAME
+/* Define if you have the `ptsname' function. */
+#undef HAVE_PTSNAME
 
-/* Define if you have the sigaction function.  */
-#undef HAVE_SIGACTION
+/* Define if you have the <pty.h> header file. */
+#undef HAVE_PTY_H
 
-/* Define if you have the socket function.  */
-#undef HAVE_SOCKET
+/* Define if you have the `putenv' function. */
+#undef HAVE_PUTENV
 
-/* Define if you have the socklen_t function.  */
-#undef HAVE_SOCKLEN_T
+/* Define if you have the <pwd.h> header file. */
+#undef HAVE_PWD_H
 
-/* Define if you have the strcasecmp function.  */
-#undef HAVE_STRCASECMP
+/* Define if you have the `rand' function. */
+#undef HAVE_RAND
 
-/* Define if you have the strdup function.  */
-#undef HAVE_STRDUP
+/* Define if you have the `random' function. */
+#undef HAVE_RANDOM
 
-/* Define if you have the strerror function.  */
-#undef HAVE_STRERROR
+/* Define if you have the `RC4' function. */
+#undef HAVE_RC4
 
-/* Define if you have the strftime function.  */
-#undef HAVE_STRFTIME
+/* Define if you have the `rcmd' function. */
+#undef HAVE_RCMD
 
-/* Define if you have the strlcat function.  */
-#undef HAVE_STRLCAT
+/* Define if you have a readline compatible library. */
+#undef HAVE_READLINE
 
-/* Define if you have the strlcpy function.  */
-#undef HAVE_STRLCPY
+/* Define if you have the `readv' function. */
+#undef HAVE_READV
 
-/* Define if you have the strlwr function.  */
-#undef HAVE_STRLWR
+/* Define if you have the `recvmsg' function. */
+#undef HAVE_RECVMSG
 
-/* Define if you have the strncasecmp function.  */
-#undef HAVE_STRNCASECMP
+/* Define if you have the <resolv.h> header file. */
+#undef HAVE_RESOLV_H
 
-/* Define if you have the strndup function.  */
-#undef HAVE_STRNDUP
+/* Define if you have the `res_search' function. */
+#undef HAVE_RES_SEARCH
 
-/* Define if you have the strnlen function.  */
-#undef HAVE_STRNLEN
+/* Define if you have the `revoke' function. */
+#undef HAVE_REVOKE
 
-/* Define if you have the strptime function.  */
-#undef HAVE_STRPTIME
+/* Define if you have the <rpcsvc/dbm.h> header file. */
+#undef HAVE_RPCSVC_DBM_H
 
-/* Define if you have the strsep function.  */
-#undef HAVE_STRSEP
+/* Define if you have the <rpcsvc/ypclnt.h> header file. */
+#undef HAVE_RPCSVC_YPCLNT_H
 
-/* Define if you have the strstr function.  */
-#undef HAVE_STRSTR
+/* Define if you have the <sac.h> header file. */
+#undef HAVE_SAC_H
 
-/* Define if you have the strtok_r function.  */
-#undef HAVE_STRTOK_R
+/* Define if the system has the type `sa_family_t'. */
+#undef HAVE_SA_FAMILY_T
 
-/* Define if you have the struct_addrinfo function.  */
-#undef HAVE_STRUCT_ADDRINFO
+/* Define if you have the <security/pam_modules.h> header file. */
+#undef HAVE_SECURITY_PAM_MODULES_H
 
-/* Define if you have the struct_sockaddr function.  */
-#undef HAVE_STRUCT_SOCKADDR
+/* Define if you have the `select' function. */
+#undef HAVE_SELECT
 
-/* Define if you have the struct_sockaddr_storage function.  */
-#undef HAVE_STRUCT_SOCKADDR_STORAGE
+/* Define if you have the `sendmsg' function. */
+#undef HAVE_SENDMSG
 
-/* Define if you have the strupr function.  */
-#undef HAVE_STRUPR
+/* Define if you have the `setegid' function. */
+#undef HAVE_SETEGID
 
-/* Define if you have the swab function.  */
-#undef HAVE_SWAB
+/* Define if you have the `setenv' function. */
+#undef HAVE_SETENV
 
-/* Define if you have the sysconf function.  */
-#undef HAVE_SYSCONF
+/* Define if you have the `seteuid' function. */
+#undef HAVE_SETEUID
 
-/* Define if you have the sysctl function.  */
-#undef HAVE_SYSCTL
+/* Define if you have the `setitimer' function. */
+#undef HAVE_SETITIMER
 
-/* Define if you have the syslog function.  */
-#undef HAVE_SYSLOG
+/* Define if you have the `setlim' function. */
+#undef HAVE_SETLIM
 
-/* Define if you have the tgetent function.  */
-#undef HAVE_TGETENT
+/* Define if you have the `setlogin' function. */
+#undef HAVE_SETLOGIN
 
-/* Define if you have the timegm function.  */
-#undef HAVE_TIMEGM
+/* Define if you have the `setpcred' function. */
+#undef HAVE_SETPCRED
 
-/* Define if you have the ttyname function.  */
-#undef HAVE_TTYNAME
+/* Define if you have the `setpgid' function. */
+#undef HAVE_SETPGID
 
-/* Define if you have the ttyslot function.  */
-#undef HAVE_TTYSLOT
+/* Define if you have the `setproctitle' function. */
+#undef HAVE_SETPROCTITLE
 
-/* Define if you have the umask function.  */
-#undef HAVE_UMASK
+/* Define if you have the `setregid' function. */
+#undef HAVE_SETREGID
 
-/* Define if you have the uname function.  */
-#undef HAVE_UNAME
+/* Define if you have the `setresgid' function. */
+#undef HAVE_SETRESGID
 
-/* Define if you have the unlockpt function.  */
-#undef HAVE_UNLOCKPT
+/* Define if you have the `setresuid' function. */
+#undef HAVE_SETRESUID
 
-/* Define if you have the unsetenv function.  */
-#undef HAVE_UNSETENV
+/* Define if you have the `setreuid' function. */
+#undef HAVE_SETREUID
 
-/* Define if you have the vasnprintf function.  */
-#undef HAVE_VASNPRINTF
+/* Define if you have the `setsid' function. */
+#undef HAVE_SETSID
 
-/* Define if you have the vasprintf function.  */
-#undef HAVE_VASPRINTF
+/* Define if you have the `setsockopt' function. */
+#undef HAVE_SETSOCKOPT
 
-/* Define if you have the verr function.  */
-#undef HAVE_VERR
+/* Define if you have the `setutent' function. */
+#undef HAVE_SETUTENT
 
-/* Define if you have the verrx function.  */
-#undef HAVE_VERRX
+/* Define if you have the `sgi_getcapabilitybyname' function. */
+#undef HAVE_SGI_GETCAPABILITYBYNAME
 
-/* Define if you have the vhangup function.  */
-#undef HAVE_VHANGUP
+/* Define if you have the <sgtty.h> header file. */
+#undef HAVE_SGTTY_H
 
-/* Define if you have the vsyslog function.  */
-#undef HAVE_VSYSLOG
+/* Define if you have the `SHA1_Init' function. */
+#undef HAVE_SHA1_INIT
 
-/* Define if you have the vwarn function.  */
-#undef HAVE_VWARN
+/* Define if you have the <shadow.h> header file. */
+#undef HAVE_SHADOW_H
 
-/* Define if you have the vwarnx function.  */
-#undef HAVE_VWARNX
+/* Define if you have the <siad.h> header file. */
+#undef HAVE_SIAD_H
 
-/* Define if you have the warn function.  */
-#undef HAVE_WARN
+/* Define if you have the `sigaction' function. */
+#undef HAVE_SIGACTION
 
-/* Define if you have the warnx function.  */
-#undef HAVE_WARNX
+/* Define if you have the <signal.h> header file. */
+#undef HAVE_SIGNAL_H
 
-/* Define if you have the writev function.  */
-#undef HAVE_WRITEV
+/* define if you have a working snprintf */
+#undef HAVE_SNPRINTF
 
-/* Define if you have the yp_get_default_domain function.  */
-#undef HAVE_YP_GET_DEFAULT_DOMAIN
+/* Define if you have the `socket' function. */
+#undef HAVE_SOCKET
 
-/* Define if you have the <arpa/ftp.h> header file.  */
-#undef HAVE_ARPA_FTP_H
+/* Define if the system has the type `socklen_t'. */
+#undef HAVE_SOCKLEN_T
 
-/* Define if you have the <arpa/inet.h> header file.  */
-#undef HAVE_ARPA_INET_H
+/* Define if you have the <standards.h> header file. */
+#undef HAVE_STANDARDS_H
 
-/* Define if you have the <arpa/nameser.h> header file.  */
-#undef HAVE_ARPA_NAMESER_H
+/* Define if you have the <stdlib.h> header file. */
+#undef HAVE_STDLIB_H
 
-/* Define if you have the <arpa/telnet.h> header file.  */
-#undef HAVE_ARPA_TELNET_H
+/* Define if you have the `strcasecmp' function. */
+#undef HAVE_STRCASECMP
 
-/* Define if you have the <bind/bitypes.h> header file.  */
-#undef HAVE_BIND_BITYPES_H
+/* Define if you have the `strdup' function. */
+#undef HAVE_STRDUP
 
-/* Define if you have the <bsdsetjmp.h> header file.  */
-#undef HAVE_BSDSETJMP_H
+/* Define if you have the `strerror' function. */
+#undef HAVE_STRERROR
 
-/* Define if you have the <capability.h> header file.  */
-#undef HAVE_CAPABILITY_H
+/* Define if you have the `strftime' function. */
+#undef HAVE_STRFTIME
 
-/* Define if you have the <crypt.h> header file.  */
-#undef HAVE_CRYPT_H
+/* Define if you have the <strings.h> header file. */
+#undef HAVE_STRINGS_H
 
-/* Define if you have the <curses.h> header file.  */
-#undef HAVE_CURSES_H
+/* Define if you have the <string.h> header file. */
+#undef HAVE_STRING_H
 
-/* Define if you have the <db.h> header file.  */
-#undef HAVE_DB_H
+/* Define if you have the `strlcat' function. */
+#undef HAVE_STRLCAT
 
-/* Define if you have the <db_185.h> header file.  */
-#undef HAVE_DB_185_H
+/* Define if you have the `strlcpy' function. */
+#undef HAVE_STRLCPY
 
-/* Define if you have the <dbm.h> header file.  */
-#undef HAVE_DBM_H
+/* Define if you have the `strlwr' function. */
+#undef HAVE_STRLWR
 
-/* Define if you have the <dirent.h> header file.  */
-#undef HAVE_DIRENT_H
+/* Define if you have the `strncasecmp' function. */
+#undef HAVE_STRNCASECMP
 
-/* Define if you have the <dlfcn.h> header file.  */
-#undef HAVE_DLFCN_H
+/* Define if you have the `strndup' function. */
+#undef HAVE_STRNDUP
 
-/* Define if you have the <err.h> header file.  */
-#undef HAVE_ERR_H
+/* Define if you have the `strnlen' function. */
+#undef HAVE_STRNLEN
 
-/* Define if you have the <errno.h> header file.  */
-#undef HAVE_ERRNO_H
+/* Define if you have the <stropts.h> header file. */
+#undef HAVE_STROPTS_H
 
-/* Define if you have the <fcntl.h> header file.  */
-#undef HAVE_FCNTL_H
+/* Define if you have the `strptime' function. */
+#undef HAVE_STRPTIME
 
-/* Define if you have the <fnmatch.h> header file.  */
-#undef HAVE_FNMATCH_H
+/* Define if you have the `strsep' function. */
+#undef HAVE_STRSEP
 
-/* Define if you have the <grp.h> header file.  */
-#undef HAVE_GRP_H
+/* Define if you have the `strsep_copy' function. */
+#undef HAVE_STRSEP_COPY
 
-/* Define if you have the <inttypes.h> header file.  */
-#undef HAVE_INTTYPES_H
+/* Define if you have the `strstr' function. */
+#undef HAVE_STRSTR
 
-/* Define if you have the <io.h> header file.  */
-#undef HAVE_IO_H
+/* Define if you have the `strsvis' function. */
+#undef HAVE_STRSVIS
 
-/* Define if you have the <limits.h> header file.  */
-#undef HAVE_LIMITS_H
+/* Define if you have the `strtok_r' function. */
+#undef HAVE_STRTOK_R
 
-/* Define if you have the <maillock.h> header file.  */
-#undef HAVE_MAILLOCK_H
+/* Define if the system has the type `struct addrinfo'. */
+#undef HAVE_STRUCT_ADDRINFO
 
-/* Define if you have the <ndbm.h> header file.  */
-#undef HAVE_NDBM_H
+/* Define if the system has the type `struct ifaddrs'. */
+#undef HAVE_STRUCT_IFADDRS
 
-/* Define if you have the <net/if.h> header file.  */
-#undef HAVE_NET_IF_H
+/* Define if the system has the type `struct sockaddr'. */
+#undef HAVE_STRUCT_SOCKADDR
 
-/* Define if you have the <netdb.h> header file.  */
-#undef HAVE_NETDB_H
+/* Define if struct sockaddr has field sa_len. */
+#undef HAVE_STRUCT_SOCKADDR_SA_LEN
 
-/* Define if you have the <netinet/in.h> header file.  */
-#undef HAVE_NETINET_IN_H
+/* Define if the system has the type `struct sockaddr_storage'. */
+#undef HAVE_STRUCT_SOCKADDR_STORAGE
 
-/* Define if you have the <netinet/in6.h> header file.  */
-#undef HAVE_NETINET_IN6_H
+/* define if you have struct spwd */
+#undef HAVE_STRUCT_SPWD
 
-/* Define if you have the <netinet/in6_machtypes.h> header file.  */
-#undef HAVE_NETINET_IN6_MACHTYPES_H
+/* Define if struct tm has field tm_gmtoff. */
+#undef HAVE_STRUCT_TM_TM_GMTOFF
 
-/* Define if you have the <netinet/in6_var.h> header file.  */
-#undef HAVE_NETINET_IN6_VAR_H
+/* Define if struct tm has field tm_zone. */
+#undef HAVE_STRUCT_TM_TM_ZONE
 
-/* Define if you have the <netinet/in_systm.h> header file.  */
-#undef HAVE_NETINET_IN_SYSTM_H
+/* Define if struct utmpx has field ut_exit. */
+#undef HAVE_STRUCT_UTMPX_UT_EXIT
 
-/* Define if you have the <netinet/ip.h> header file.  */
-#undef HAVE_NETINET_IP_H
+/* Define if struct utmpx has field ut_syslen. */
+#undef HAVE_STRUCT_UTMPX_UT_SYSLEN
 
-/* Define if you have the <netinet/tcp.h> header file.  */
-#undef HAVE_NETINET_TCP_H
+/* Define if struct utmp has field ut_addr. */
+#undef HAVE_STRUCT_UTMP_UT_ADDR
 
-/* Define if you have the <netinet6/in6.h> header file.  */
-#undef HAVE_NETINET6_IN6_H
+/* Define if struct utmp has field ut_host. */
+#undef HAVE_STRUCT_UTMP_UT_HOST
 
-/* Define if you have the <netinfo/ni.h> header file.  */
-#undef HAVE_NETINFO_NI_H
+/* Define if struct utmp has field ut_id. */
+#undef HAVE_STRUCT_UTMP_UT_ID
 
-/* Define if you have the <paths.h> header file.  */
-#undef HAVE_PATHS_H
+/* Define if struct utmp has field ut_pid. */
+#undef HAVE_STRUCT_UTMP_UT_PID
 
-/* Define if you have the <pthread.h> header file.  */
-#undef HAVE_PTHREAD_H
+/* Define if struct utmp has field ut_type. */
+#undef HAVE_STRUCT_UTMP_UT_TYPE
 
-/* Define if you have the <pty.h> header file.  */
-#undef HAVE_PTY_H
+/* Define if struct utmp has field ut_user. */
+#undef HAVE_STRUCT_UTMP_UT_USER
 
-/* Define if you have the <pwd.h> header file.  */
-#undef HAVE_PWD_H
+/* define if struct winsize is declared in sys/termios.h */
+#undef HAVE_STRUCT_WINSIZE
 
-/* Define if you have the <resolv.h> header file.  */
-#undef HAVE_RESOLV_H
+/* Define if you have the `strunvis' function. */
+#undef HAVE_STRUNVIS
 
-/* Define if you have the <rpcsvc/dbm.h> header file.  */
-#undef HAVE_RPCSVC_DBM_H
+/* Define if you have the `strupr' function. */
+#undef HAVE_STRUPR
 
-/* Define if you have the <sac.h> header file.  */
-#undef HAVE_SAC_H
+/* Define if you have the `strvis' function. */
+#undef HAVE_STRVIS
 
-/* Define if you have the <security/pam_modules.h> header file.  */
-#undef HAVE_SECURITY_PAM_MODULES_H
+/* Define if you have the `strvisx' function. */
+#undef HAVE_STRVISX
 
-/* Define if you have the <sgtty.h> header file.  */
-#undef HAVE_SGTTY_H
+/* Define if you have the `svis' function. */
+#undef HAVE_SVIS
 
-/* Define if you have the <shadow.h> header file.  */
-#undef HAVE_SHADOW_H
+/* Define if you have the `swab' function. */
+#undef HAVE_SWAB
 
-/* Define if you have the <siad.h> header file.  */
-#undef HAVE_SIAD_H
+/* Define if you have the `sysconf' function. */
+#undef HAVE_SYSCONF
 
-/* Define if you have the <signal.h> header file.  */
-#undef HAVE_SIGNAL_H
+/* Define if you have the `sysctl' function. */
+#undef HAVE_SYSCTL
 
-/* Define if you have the <standards.h> header file.  */
-#undef HAVE_STANDARDS_H
+/* Define if you have the `syslog' function. */
+#undef HAVE_SYSLOG
 
-/* Define if you have the <stropts.h> header file.  */
-#undef HAVE_STROPTS_H
+/* Define if you have the <syslog.h> header file. */
+#undef HAVE_SYSLOG_H
 
-/* Define if you have the <sys/bitypes.h> header file.  */
+/* Define if you have the <sys/bitypes.h> header file. */
 #undef HAVE_SYS_BITYPES_H
 
-/* Define if you have the <sys/capability.h> header file.  */
+/* Define if you have the <sys/capability.h> header file. */
 #undef HAVE_SYS_CAPABILITY_H
 
-/* Define if you have the <sys/category.h> header file.  */
+/* Define if you have the <sys/category.h> header file. */
 #undef HAVE_SYS_CATEGORY_H
 
-/* Define if you have the <sys/file.h> header file.  */
+/* Define if you have the <sys/file.h> header file. */
 #undef HAVE_SYS_FILE_H
 
-/* Define if you have the <sys/filio.h> header file.  */
+/* Define if you have the <sys/filio.h> header file. */
 #undef HAVE_SYS_FILIO_H
 
-/* Define if you have the <sys/ioccom.h> header file.  */
+/* Define if you have the <sys/ioccom.h> header file. */
 #undef HAVE_SYS_IOCCOM_H
 
-/* Define if you have the <sys/ioctl.h> header file.  */
+/* Define if you have the <sys/ioctl.h> header file. */
 #undef HAVE_SYS_IOCTL_H
 
-/* Define if you have the <sys/param.h> header file.  */
+/* Define if you have the <sys/param.h> header file. */
 #undef HAVE_SYS_PARAM_H
 
-/* Define if you have the <sys/proc.h> header file.  */
+/* Define if you have the <sys/proc.h> header file. */
 #undef HAVE_SYS_PROC_H
 
-/* Define if you have the <sys/pty.h> header file.  */
-#undef HAVE_SYS_PTY_H
-
-/* Define if you have the <sys/ptyio.h> header file.  */
+/* Define if you have the <sys/ptyio.h> header file. */
 #undef HAVE_SYS_PTYIO_H
 
-/* Define if you have the <sys/ptyvar.h> header file.  */
+/* Define if you have the <sys/ptyvar.h> header file. */
 #undef HAVE_SYS_PTYVAR_H
 
-/* Define if you have the <sys/resource.h> header file.  */
+/* Define if you have the <sys/pty.h> header file. */
+#undef HAVE_SYS_PTY_H
+
+/* Define if you have the <sys/resource.h> header file. */
 #undef HAVE_SYS_RESOURCE_H
 
-/* Define if you have the <sys/select.h> header file.  */
+/* Define if you have the <sys/select.h> header file. */
 #undef HAVE_SYS_SELECT_H
 
-/* Define if you have the <sys/socket.h> header file.  */
+/* Define if you have the <sys/socket.h> header file. */
 #undef HAVE_SYS_SOCKET_H
 
-/* Define if you have the <sys/sockio.h> header file.  */
+/* Define if you have the <sys/sockio.h> header file. */
 #undef HAVE_SYS_SOCKIO_H
 
-/* Define if you have the <sys/stat.h> header file.  */
+/* Define if you have the <sys/stat.h> header file. */
 #undef HAVE_SYS_STAT_H
 
-/* Define if you have the <sys/str_tty.h> header file.  */
-#undef HAVE_SYS_STR_TTY_H
-
-/* Define if you have the <sys/stream.h> header file.  */
+/* Define if you have the <sys/stream.h> header file. */
 #undef HAVE_SYS_STREAM_H
 
-/* Define if you have the <sys/stropts.h> header file.  */
+/* Define if you have the <sys/stropts.h> header file. */
 #undef HAVE_SYS_STROPTS_H
 
-/* Define if you have the <sys/strtty.h> header file.  */
+/* Define if you have the <sys/strtty.h> header file. */
 #undef HAVE_SYS_STRTTY_H
 
-/* Define if you have the <sys/syscall.h> header file.  */
+/* Define if you have the <sys/str_tty.h> header file. */
+#undef HAVE_SYS_STR_TTY_H
+
+/* Define if you have the <sys/syscall.h> header file. */
 #undef HAVE_SYS_SYSCALL_H
 
-/* Define if you have the <sys/sysctl.h> header file.  */
+/* Define if you have the <sys/sysctl.h> header file. */
 #undef HAVE_SYS_SYSCTL_H
 
-/* Define if you have the <sys/termio.h> header file.  */
+/* Define if you have the <sys/termio.h> header file. */
 #undef HAVE_SYS_TERMIO_H
 
-/* Define if you have the <sys/time.h> header file.  */
-#undef HAVE_SYS_TIME_H
-
-/* Define if you have the <sys/timeb.h> header file.  */
+/* Define if you have the <sys/timeb.h> header file. */
 #undef HAVE_SYS_TIMEB_H
 
-/* Define if you have the <sys/times.h> header file.  */
+/* Define if you have the <sys/times.h> header file. */
 #undef HAVE_SYS_TIMES_H
 
-/* Define if you have the <sys/tty.h> header file.  */
+/* Define if you have the <sys/time.h> header file. */
+#undef HAVE_SYS_TIME_H
+
+/* Define if you have the <sys/tty.h> header file. */
 #undef HAVE_SYS_TTY_H
 
-/* Define if you have the <sys/types.h> header file.  */
+/* Define if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 
-/* Define if you have the <sys/uio.h> header file.  */
+/* Define if you have the <sys/uio.h> header file. */
 #undef HAVE_SYS_UIO_H
 
-/* Define if you have the <sys/un.h> header file.  */
+/* Define if you have the <sys/un.h> header file. */
 #undef HAVE_SYS_UN_H
 
-/* Define if you have the <sys/utsname.h> header file.  */
+/* Define if you have the <sys/utsname.h> header file. */
 #undef HAVE_SYS_UTSNAME_H
 
-/* Define if you have the <sys/wait.h> header file.  */
+/* Define if you have the <sys/wait.h> header file. */
 #undef HAVE_SYS_WAIT_H
 
-/* Define if you have the <syslog.h> header file.  */
-#undef HAVE_SYSLOG_H
+/* Define if you have the <termios.h> header file. */
+#undef HAVE_TERMIOS_H
+
+/* Define if you have the <termio.h> header file. */
+#undef HAVE_TERMIO_H
 
-/* Define if you have the <term.h> header file.  */
+/* Define if you have the <term.h> header file. */
 #undef HAVE_TERM_H
 
-/* Define if you have the <termio.h> header file.  */
-#undef HAVE_TERMIO_H
+/* Define if you have the `tgetent' function. */
+#undef HAVE_TGETENT
 
-/* Define if you have the <termios.h> header file.  */
-#undef HAVE_TERMIOS_H
+/* Define if you have the `timegm' function. */
+#undef HAVE_TIMEGM
+
+/* Define if you have the `timezone' variable. */
+#undef HAVE_TIMEZONE
+
+/* define if your system declares timezone */
+#undef HAVE_TIMEZONE_DECLARATION
 
-/* Define if you have the <time.h> header file.  */
+/* Define if you have the <time.h> header file. */
 #undef HAVE_TIME_H
 
-/* Define if you have the <tmpdir.h> header file.  */
+/* Define if you have the <tmpdir.h> header file. */
 #undef HAVE_TMPDIR_H
 
-/* Define if you have the <udb.h> header file.  */
-#undef HAVE_UDB_H
+/* Define if you have the `ttyname' function. */
+#undef HAVE_TTYNAME
 
-/* Define if you have the <unistd.h> header file.  */
-#undef HAVE_UNISTD_H
+/* Define if you have the `ttyslot' function. */
+#undef HAVE_TTYSLOT
 
-/* Define if you have the <util.h> header file.  */
-#undef HAVE_UTIL_H
+/* Define if you have the <udb.h> header file. */
+#undef HAVE_UDB_H
 
-/* Define if you have the <utmp.h> header file.  */
-#undef HAVE_UTMP_H
+/* Define if you have the `umask' function. */
+#undef HAVE_UMASK
 
-/* Define if you have the <utmpx.h> header file.  */
-#undef HAVE_UTMPX_H
+/* Define if you have the `uname' function. */
+#undef HAVE_UNAME
 
-/* Define if you have the X11 library (-lX11).  */
-#undef HAVE_LIBX11
+/* Define if you have the <unistd.h> header file. */
+#undef HAVE_UNISTD_H
 
-/* Define if you have the Xau library (-lXau).  */
-#undef HAVE_LIBXAU
+/* Define if you have the `unlockpt' function. */
+#undef HAVE_UNLOCKPT
 
-/* Define if you have the c_r library (-lc_r).  */
-#undef HAVE_LIBC_R
+/* Define if you have the `unsetenv' function. */
+#undef HAVE_UNSETENV
 
-/* Define if you have the crypt library (-lcrypt).  */
-#undef HAVE_LIBCRYPT
+/* Define if you have the `unvis' function. */
+#undef HAVE_UNVIS
 
-/* Define if you have the crypto library (-lcrypto).  */
-#undef HAVE_LIBCRYPTO
+/* Define if you have the <userconf.h> header file. */
+#undef HAVE_USERCONF_H
 
-/* Define if you have the curses library (-lcurses).  */
-#undef HAVE_LIBCURSES
+/* Define if you have the <usersec.h> header file. */
+#undef HAVE_USERSEC_H
 
-/* Define if you have the des library (-ldes).  */
-#undef HAVE_LIBDES
+/* Define if you have the <util.h> header file. */
+#undef HAVE_UTIL_H
 
-/* Define if you have the dl library (-ldl).  */
-#undef HAVE_LIBDL
+/* Define if you have the <utmpx.h> header file. */
+#undef HAVE_UTMPX_H
 
-/* Define if you have the edit library (-ledit).  */
-#undef HAVE_LIBEDIT
+/* Define if you have the <utmp.h> header file. */
+#undef HAVE_UTMP_H
 
-/* Define if you have the gdbm library (-lgdbm).  */
-#undef HAVE_LIBGDBM
+/* Define if you have the `vasnprintf' function. */
+#undef HAVE_VASNPRINTF
 
-/* Define if you have the inet6 library (-linet6).  */
-#undef HAVE_LIBINET6
+/* Define if you have the `vasprintf' function. */
+#undef HAVE_VASPRINTF
 
-/* Define if you have the ip6 library (-lip6).  */
-#undef HAVE_LIBIP6
+/* Define if you have the `verr' function. */
+#undef HAVE_VERR
 
-/* Define if you have the ncurses library (-lncurses).  */
-#undef HAVE_LIBNCURSES
+/* Define if you have the `verrx' function. */
+#undef HAVE_VERRX
 
-/* Define if you have the ndbm library (-lndbm).  */
-#undef HAVE_LIBNDBM
+/* Define if you have the `vhangup' function. */
+#undef HAVE_VHANGUP
 
-/* Define if you have the nsl library (-lnsl).  */
-#undef HAVE_LIBNSL
+/* Define if you have the `vis' function. */
+#undef HAVE_VIS
 
-/* Define if you have the resolv library (-lresolv).  */
-#undef HAVE_LIBRESOLV
+/* Define if you have the <vis.h> header file. */
+#undef HAVE_VIS_H
 
-/* Define if you have the socket library (-lsocket).  */
-#undef HAVE_LIBSOCKET
+/* define if you have a working vsnprintf */
+#undef HAVE_VSNPRINTF
 
-/* Define if you have the syslog library (-lsyslog).  */
-#undef HAVE_LIBSYSLOG
+/* Define if you have the `vsyslog' function. */
+#undef HAVE_VSYSLOG
 
-/* Define if you have the termcap library (-ltermcap).  */
-#undef HAVE_LIBTERMCAP
+/* Define if you have the `vwarn' function. */
+#undef HAVE_VWARN
 
-/* Define if you have the util library (-lutil).  */
-#undef HAVE_LIBUTIL
+/* Define if you have the `vwarnx' function. */
+#undef HAVE_VWARNX
 
-/* Name of package */
-#undef PACKAGE
+/* Define if you have the `warn' function. */
+#undef HAVE_WARN
 
-/* Version number of package */
-#undef VERSION
+/* Define if you have the `warnx' function. */
+#undef HAVE_WARNX
 
-/* Define to what version of SunOS you are running. */
-#undef SunOS
+/* Define if you have the <winsock.h> header file. */
+#undef HAVE_WINSOCK_H
 
-/* define if your compiler has __attribute__ */
-#undef HAVE___ATTRIBUTE__
+/* Define if you have the `writev' function. */
+#undef HAVE_WRITEV
 
-/* Define if you have the krb4 package. */
-#undef KRB4
+/* define if struct winsize has ws_xpixel */
+#undef HAVE_WS_XPIXEL
 
-/* define if krb_put_int takes four arguments. */
-#undef HAVE_FOUR_VALUED_KRB_PUT_INT
+/* define if struct winsize has ws_ypixel */
+#undef HAVE_WS_YPIXEL
 
-/* Define to one if your krb.h doesn't */
-#undef KRB_VERIFY_SECURE
+/* Define if you have the `XauFileName' function. */
+#undef HAVE_XAUFILENAME
 
-/* Define to two if your krb.h doesn't */
-#undef KRB_VERIFY_SECURE_FAIL
+/* Define if you have the `XauReadAuth' function. */
+#undef HAVE_XAUREADAUTH
 
-/* Define to zero if your krb.h doesn't */
-#undef KRB_VERIFY_NOT_SECURE
+/* Define if you have the `XauWriteAuth' function. */
+#undef HAVE_XAUWRITEAUTH
 
-/* Enable Kerberos 5 support in applications. */
-#undef KRB5
+/* Define if you have the `yp_get_default_domain' function. */
+#undef HAVE_YP_GET_DEFAULT_DOMAIN
 
-/* Define if you want to use the KDC as a kaserver. */
-#undef KASERVER
+/* Define if you have the `_getpty' function. */
+#undef HAVE__GETPTY
 
-/* Define if you want support in hprop for reading kaserver databases */
-#undef KASERVER_DB
+/* Define if you have the `_scrsize' function. */
+#undef HAVE__SCRSIZE
 
-/* Define if you want OTP support in applications. */
-#undef OTP
+/* define if your compiler has __attribute__ */
+#undef HAVE___ATTRIBUTE__
 
-/* Define to enable basic OSF C2 support. */
-#undef HAVE_OSFC2
+/* Define if you have the `__progname' variable. */
+#undef HAVE___PROGNAME
 
-/* Define if you have the readline package. */
-#undef READLINE
+/* define if your system declares __progname */
+#undef HAVE___PROGNAME_DECLARATION
 
 /* Define if you have the hesiod package. */
 #undef HESIOD
 
-/* define if target is big endian */
-#undef WORDS_BIGENDIAN
-
-/* define if sys/param.h defines the endiness */
-#undef ENDIANESS_IN_SYS_PARAM_H
-
-/* Define this to what the type ssize_t should be. */
-#undef ssize_t
-
-/* Define this to what the type mode_t should be. */
-#undef mode_t
-
-/* Define this to what the type sig_atomic_t should be. */
-#undef sig_atomic_t
-
-/* Define if you want to use Netinfo instead of krb5.conf. */
-#undef HAVE_NETINFO
-
-/* Define if you have IPv6. */
-#undef HAVE_IPV6
-
-/* define if you have a working snprintf */
-#undef HAVE_SNPRINTF
-
-/* define if the system is missing a prototype for snprintf() */
-#undef NEED_SNPRINTF_PROTO
-
-/* define if you have a working vsnprintf */
-#undef HAVE_VSNPRINTF
-
-/* define if the system is missing a prototype for vsnprintf() */
-#undef NEED_VSNPRINTF_PROTO
-
-/* define if you have a glob() that groks 
-	GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, and GLOB_TILDE */
-#undef HAVE_GLOB
+/* Define if you want to use the KDC as a kaserver. */
+#undef KASERVER
 
-/* define if the system is missing a prototype for glob() */
-#undef NEED_GLOB_PROTO
+/* Define if you want support in hprop for reading kaserver databases */
+#undef KASERVER_DB
 
-/* Define if getlogin has POSIX flavour (and not BSD). */
-#undef POSIX_GETLOGIN
+/* Define if you have the krb4 package. */
+#undef KRB4
 
-/* Define if getpwnam_r has POSIX flavour. */
-#undef POSIX_GETPWNAM_R
+/* Enable Kerberos 5 support in applications. */
+#undef KRB5
 
-/* Define if signal handlers return void. */
-#undef VOID_RETSIGTYPE
+/* Define if krb_mk_req takes cons char * */
+#undef KRB_MK_REQ_CONST
 
-/* define if the system is missing a prototype for hstrerror() */
-#undef NEED_HSTRERROR_PROTO
+/* Define to zero if your krb.h doesn't */
+#undef KRB_VERIFY_NOT_SECURE
 
-/* define if the system is missing a prototype for asprintf() */
-#undef NEED_ASPRINTF_PROTO
+/* Define to one if your krb.h doesn't */
+#undef KRB_VERIFY_SECURE
 
-/* define if the system is missing a prototype for vasprintf() */
-#undef NEED_VASPRINTF_PROTO
+/* Define to two if your krb.h doesn't */
+#undef KRB_VERIFY_SECURE_FAIL
 
 /* define if the system is missing a prototype for asnprintf() */
 #undef NEED_ASNPRINTF_PROTO
 
-/* define if the system is missing a prototype for vasnprintf() */
-#undef NEED_VASNPRINTF_PROTO
-
-/* define if the system is missing a prototype for setenv() */
-#undef NEED_SETENV_PROTO
+/* define if the system is missing a prototype for asprintf() */
+#undef NEED_ASPRINTF_PROTO
 
-/* define if the system is missing a prototype for unsetenv() */
-#undef NEED_UNSETENV_PROTO
+/* define if the system is missing a prototype for crypt() */
+#undef NEED_CRYPT_PROTO
 
 /* define if the system is missing a prototype for gethostname() */
 #undef NEED_GETHOSTNAME_PROTO
 
-/* define if the system is missing a prototype for mkstemp() */
-#undef NEED_MKSTEMP_PROTO
-
 /* define if the system is missing a prototype for getusershell() */
 #undef NEED_GETUSERSHELL_PROTO
 
-/* define if the system is missing a prototype for inet_aton() */
-#undef NEED_INET_ATON_PROTO
+/* define if the system is missing a prototype for glob() */
+#undef NEED_GLOB_PROTO
 
-/* Define if realloc(NULL) doesn't work. */
-#undef BROKEN_REALLOC
+/* define if the system is missing a prototype for hstrerror() */
+#undef NEED_HSTRERROR_PROTO
 
-/* define if prototype of gethostbyname is compatible with
-	struct hostent *gethostbyname(const char *) */
-#undef GETHOSTBYNAME_PROTO_COMPATIBLE
+/* define if the system is missing a prototype for inet_aton() */
+#undef NEED_INET_ATON_PROTO
 
-/* define if prototype of gethostbyaddr is compatible with
-	struct hostent *gethostbyaddr(const void *, size_t, int) */
-#undef GETHOSTBYADDR_PROTO_COMPATIBLE
+/* define if the system is missing a prototype for mkstemp() */
+#undef NEED_MKSTEMP_PROTO
 
-/* define if prototype of getservbyname is compatible with
-	struct servent *getservbyname(const char *, const char *) */
-#undef GETSERVBYNAME_PROTO_COMPATIBLE
+/* define if the system is missing a prototype for setenv() */
+#undef NEED_SETENV_PROTO
 
-/* define if prototype of openlog is compatible with
-	void openlog(const char *, int, int) */
-#undef OPENLOG_PROTO_COMPATIBLE
+/* define if the system is missing a prototype for snprintf() */
+#undef NEED_SNPRINTF_PROTO
 
-/* define if the system is missing a prototype for crypt() */
-#undef NEED_CRYPT_PROTO
+/* define if the system is missing a prototype for strsep() */
+#undef NEED_STRSEP_PROTO
 
 /* define if the system is missing a prototype for strtok_r() */
 #undef NEED_STRTOK_R_PROTO
 
-/* define if the system is missing a prototype for strsep() */
-#undef NEED_STRSEP_PROTO
-
-/* define if you have h_errno */
-#undef HAVE_H_ERRNO
+/* define if the system is missing a prototype for unsetenv() */
+#undef NEED_UNSETENV_PROTO
 
-/* define if your system declares h_errno */
-#undef HAVE_H_ERRNO_DECLARATION
+/* define if the system is missing a prototype for vasnprintf() */
+#undef NEED_VASNPRINTF_PROTO
 
-/* define if you have h_errlist */
-#undef HAVE_H_ERRLIST
+/* define if the system is missing a prototype for vasprintf() */
+#undef NEED_VASPRINTF_PROTO
 
-/* define if your system declares h_errlist */
-#undef HAVE_H_ERRLIST_DECLARATION
+/* define if the system is missing a prototype for vsnprintf() */
+#undef NEED_VSNPRINTF_PROTO
 
-/* define if you have h_nerr */
-#undef HAVE_H_NERR
+/* Define this to enable old environment option in telnet. */
+#undef OLD_ENVIRON
 
-/* define if your system declares h_nerr */
-#undef HAVE_H_NERR_DECLARATION
+/* Define if you have the openldap package. */
+#undef OPENLDAP
 
-/* define if you have __progname */
-#undef HAVE___PROGNAME
+/* define if prototype of openlog is compatible with void openlog(const char
+   *, int, int) */
+#undef OPENLOG_PROTO_COMPATIBLE
 
-/* define if your system declares __progname */
-#undef HAVE___PROGNAME_DECLARATION
+/* Define if you want OTP support in applications. */
+#undef OTP
 
-/* define if your system declares optarg */
-#undef HAVE_OPTARG_DECLARATION
+/* Name of package */
+#undef PACKAGE
 
-/* define if your system declares optind */
-#undef HAVE_OPTIND_DECLARATION
+/* Define if getlogin has POSIX flavour (and not BSD). */
+#undef POSIX_GETLOGIN
 
-/* define if your system declares opterr */
-#undef HAVE_OPTERR_DECLARATION
+/* Define if getpwnam_r has POSIX flavour. */
+#undef POSIX_GETPWNAM_R
 
-/* define if your system declares optopt */
-#undef HAVE_OPTOPT_DECLARATION
+/* Define if you have the readline package. */
+#undef READLINE
 
-/* define if your system declares environ */
-#undef HAVE_ENVIRON_DECLARATION
+/* Define as the return type of signal handlers (`int' or `void'). */
+#undef RETSIGTYPE
 
-/* Define if struct utmp has field ut_addr. */
-#undef HAVE_STRUCT_UTMP_UT_ADDR
+/* Define if you have the ANSI C header files. */
+#undef STDC_HEADERS
 
-/* Define if struct utmp has field ut_host. */
-#undef HAVE_STRUCT_UTMP_UT_HOST
+/* Define if you have streams ptys. */
+#undef STREAMSPTY
 
-/* Define if struct utmp has field ut_id. */
-#undef HAVE_STRUCT_UTMP_UT_ID
+/* Define to what version of SunOS you are running. */
+#undef SunOS
 
-/* Define if struct utmp has field ut_pid. */
-#undef HAVE_STRUCT_UTMP_UT_PID
+/* Define if you can safely include both <sys/time.h> and <time.h>. */
+#undef TIME_WITH_SYS_TIME
 
-/* Define if struct utmp has field ut_type. */
-#undef HAVE_STRUCT_UTMP_UT_TYPE
+/* Define if your <sys/time.h> declares `struct tm'. */
+#undef TM_IN_SYS_TIME
 
-/* Define if struct utmp has field ut_user. */
-#undef HAVE_STRUCT_UTMP_UT_USER
+/* Version number of package */
+#undef VERSION
 
-/* Define if struct utmpx has field ut_exit. */
-#undef HAVE_STRUCT_UTMPX_UT_EXIT
+/* Define if signal handlers return void. */
+#undef VOID_RETSIGTYPE
 
-/* Define if struct utmpx has field ut_syslen. */
-#undef HAVE_STRUCT_UTMPX_UT_SYSLEN
+/* define if target is big endian */
+#undef WORDS_BIGENDIAN
 
-/* Define if struct tm has field tm_gmtoff. */
-#undef HAVE_STRUCT_TM_TM_GMTOFF
+/* Define if the X Window System is missing or not being used. */
+#undef X_DISPLAY_MISSING
 
-/* Define if struct tm has field tm_zone. */
-#undef HAVE_STRUCT_TM_TM_ZONE
+/* Define if `lex' declares `yytext' as a `char *' by default, not a `char[]'.
+   */
+#undef YYTEXT_POINTER
 
-/* define if you have timezone */
-#undef HAVE_TIMEZONE
+/* Define to empty if `const' does not conform to ANSI C. */
+#undef const
 
-/* define if your system declares timezone */
-#undef HAVE_TIMEZONE_DECLARATION
+/* Define to `int' if <sys/types.h> doesn't define. */
+#undef gid_t
 
-/* define if struct winsize is declared in sys/termios.h */
-#undef HAVE_STRUCT_WINSIZE
+/* Define as `__inline' if that's what the C compiler calls it, or to nothing
+   if it is not supported. */
+#undef inline
 
-/* define if struct winsize has ws_xpixel */
-#undef HAVE_WS_XPIXEL
+/* Define this to what the type mode_t should be. */
+#undef mode_t
 
-/* define if struct winsize has ws_ypixel */
-#undef HAVE_WS_YPIXEL
+/* Define to `long' if <sys/types.h> does not define. */
+#undef off_t
 
-/* define if you have struct spwd */
-#undef HAVE_STRUCT_SPWD
+/* Define to `int' if <sys/types.h> does not define. */
+#undef pid_t
 
-/* Define if struct sockaddr has field sa_len. */
-#undef HAVE_STRUCT_SOCKADDR_SA_LEN
+/* Define this to what the type sig_atomic_t should be. */
+#undef sig_atomic_t
 
-/* Define if el_init takes four arguments. */
-#undef HAVE_FOUR_VALUED_EL_INIT
+/* Define to `unsigned' if <sys/types.h> does not define. */
+#undef size_t
 
-/* Define if you have a readline compatible library. */
-#undef HAVE_READLINE
+/* Define this to what the type ssize_t should be. */
+#undef ssize_t
 
-/* Define if you want authentication support in telnet. */
-#undef AUTHENTICATION
+/* Define to `int' if <sys/types.h> doesn't define. */
+#undef uid_t
 
-/* Define if you want encryption support in telnet. */
-#undef ENCRYPTION
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
 
-/* Define if you want to use DES encryption in telnet. */
-#undef DES_ENCRYPTION
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
 
-/* Define this to enable diagnostics in telnet. */
-#undef DIAGNOSTICS
+#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
+#else
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S))
+#endif
 
-/* Define this to enable old environment option in telnet. */
-#undef OLD_ENVIRON
 
-/* Define this if you want support for broken ENV_{VAR,VAL} telnets. */
-#undef ENV_HACK
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
 
-/* Define if you have streams ptys. */
-#undef STREAMSPTY
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
 
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
 
 #undef BINDIR 
 #undef LIBDIR
@@ -1111,6 +1210,10 @@
 #undef HAVE_U_INT16_T
 #undef HAVE_U_INT32_T
 #undef HAVE_U_INT64_T
+#undef HAVE_UINT8_T
+#undef HAVE_UINT16_T
+#undef HAVE_UINT32_T
+#undef HAVE_UINT64_T
 
 #if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
 #define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
diff --git a/crypto/heimdal/include/kadm5/Makefile.in b/crypto/heimdal/include/kadm5/Makefile.in
index 895c9f5..02f8027 100644
--- a/crypto/heimdal/include/kadm5/Makefile.in
+++ b/crypto/heimdal/include/kadm5/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.6 1999/03/20 13:58:17 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:17 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,28 +170,25 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 CLEANFILES = admin.h kadm5_err.h private.h
+subdir = include/kadm5
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -181,13 +196,14 @@ CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 all: all-redirect
 .SUFFIXES:
@@ -205,17 +221,16 @@ TAGS:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = include/kadm5
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -244,7 +259,7 @@ uninstall: uninstall-am
 all-am: Makefile all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 
 
@@ -258,6 +273,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-generic
 
 mostlyclean: mostlyclean-am
@@ -280,8 +296,8 @@ maintainer-clean: maintainer-clean-am
 .PHONY: tags distdir info-am info dvi-am dvi check-local check check-am \
 installcheck-am installcheck install-exec-am install-exec \
 install-data-local install-data-am install-data install-am install \
-uninstall-am uninstall all-local all-redirect all-am all installdirs \
-mostlyclean-generic distclean-generic clean-generic \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
 maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
@@ -290,7 +306,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -302,8 +321,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -372,87 +391,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/kadmin/ChangeLog b/crypto/heimdal/kadmin/ChangeLog
index 05ee0d4..f28577c 100644
--- a/crypto/heimdal/kadmin/ChangeLog
+++ b/crypto/heimdal/kadmin/ChangeLog
@@ -1,3 +1,236 @@
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* kadm_conn.c (spawn_child): close the newly created socket in the
+	packet, it's not used.  from <shadow@dementia.org>
+	* version4.c (decode_packet): check success of
+	krb5_425_conv_principal.  from <shadow@dementia.org>
+
+2001-01-12  Assar Westerlund  <assar@sics.se>
+
+	* util.c (parse_attributes): make empty string mean no attributes,
+	specifying the empty string at the command line should give you no
+	attributes, but just pressing return at the prompt gives you
+	default attributes
+	(edit_entry): only pick up values from the default principal if they
+	aren't set in the principal being edited
+
+2001-01-04  Assar Westerlund  <assar@sics.se>
+
+	* load.c (doit): print an error and bail out if storing an entry
+	in the database fails.  The most likely reason for it failing is
+	out-of-space.
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* kadmind.c (main): handle krb5_init_context failure consistently
+	* kadmin.c (main): handle krb5_init_context failure consistently
+	* add-random-users.c (add_user): handle krb5_init_context failure
+	consistently
+
+	* kadm_conn.c (spawn_child): use a struct sockaddr_storage
+
+2000-12-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* get.c: avoid asprintf'ing NULL strings
+
+2000-12-14  Johan Danielsson  <joda@pdc.kth.se>
+
+	* load.c: fix option parsing
+
+2000-11-16  Assar Westerlund  <assar@sics.se>
+
+	* kadm_conn.c (wait_for_connection): check for fd's being too
+	large to select on
+
+2000-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* get.c: don't try to print modifier name if it isn't set (from
+	Jacques A. Vidrine" <n@nectar.com>)
+
+2000-09-19  Assar Westerlund  <assar@sics.se>
+
+	* server.c (kadmind_loop): send in keytab to v4 handling function
+	* version4.c: allow the specification of what keytab to use
+
+	* get.c (print_entry_long): actually print the actual saltvalue
+	used if it's not the default
+
+2000-09-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadmin.c: add option parsing, and add `privs' as an alias for
+	`privileges'
+
+	* init.c: complain if there's no realm name specified
+
+	* rename.c: add option parsing
+
+	* load.c: add option parsing
+
+	* get.c: make `get' and `list' aliases to each other, but with
+	different defaults
+
+	* del_enctype.c: add option parsing
+
+	* del.c: add option parsing
+
+	* ank.c: calling the command `add' make more sense from an english
+	pov
+
+	* Makefile.am: add kadmin manpage
+
+	* kadmin.8: short manpage
+
+	* kadmin.c: `quit' should be a alias for `exit', not `help'
+
+2000-08-27  Assar Westerlund  <assar@sics.se>
+
+	* server.c (handle_v5): do not try to perform stupid stunts when
+	printing errors
+
+2000-08-19  Assar Westerlund  <assar@sics.se>
+
+	* util.c (str2time_t): add alias for `now'.
+
+2000-08-18  Assar Westerlund  <assar@sics.se>
+
+	* server.c (handle_v5): accept any kadmin/admin@* principal as the
+	server
+	* kadmind.c: remove extra prototype of kadmind_loop
+	* kadmin_locl.h (kadmind_loop): add prototype
+	
+	* init.c (usage): print init-usage and not add-dito
+	
+2000-08-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadmind.c: use roken_getsockname
+
+2000-08-07  Assar Westerlund  <assar@sics.se>
+
+	* kadmind.c, kadm_conn.c: use socklen_t instead of int where
+	appropriate.  From <thorpej@netbsd.org>
+
+2000-08-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: link with pidfile library
+
+	* kadmind.c: write a pid file, and setup password quality
+	functions
+
+	* kadmin_locl.h: util.h
+
+2000-07-27  Assar Westerlund  <assar@sics.se>
+
+	* version4.c (decode_packet): be totally consistent with the
+	prototype of des_cbc_cksum
+	* kadmind.c: use sa_size instead of sa_len, some systems define
+	this to emulate anonymous unions
+	* kadm_conn.c: use sa_size instead of sa_len, some systems define
+	this to emulate anonymous unions
+
+2000-07-24  Assar Westerlund  <assar@sics.se>
+
+	* kadmin.c (commands): add quit
+	* load.c (doit): truncate the log since there's no way of knowing
+	what changes are going to be added
+
+2000-07-23  Assar Westerlund  <assar@sics.se>
+
+	* util.c (str2time_t): be more careful with strptime that might
+	zero out the `struct tm'
+
+2000-07-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadm_conn.c: make the parent process wait for children and
+	terminate after receiving a signal, also terminate on SIGINT
+
+2000-07-22  Assar Westerlund  <assar@sics.se>
+
+	* version4.c: map both princ_expire_time and pw_expiration to v4
+	principal expiration
+
+2000-07-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* version4.c (handle_v4): check for termination
+
+	* server.c (v5_loop): check for termination
+
+	* kadm_conn.c (wait_term): if we're doing something, set just set
+	a flag otherwise exit rightaway
+
+	* server.c: use krb5_read_priv_message; (v5_loop): check for EOF
+
+2000-07-21  Assar Westerlund  <assar@sics.se>
+
+	* kadm_conn.c: remove sys/select.h.  make signal handlers
+	type-correct and static
+
+	* kadmin_locl.h: add limits.h and sys/select.h
+
+2000-07-20  Assar Westerlund  <assar@sics.se>
+
+	* init.c (init): also create `kadmin/hprop'
+	* kadmind.c: ports is a string argument
+	* kadm_conn.c (start_server): fix printf format
+
+	* kadmin_locl.h: add <sys/select.h>
+	* kadm_conn.c: remove sys/select.h.  make signal handlers
+	type-correct and static
+
+	* kadmin_locl.h: add limits.h and sys/select.h
+
+2000-07-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadm_conn.c: put all processes in a new process group
+
+	* server.c (v5_loop): use krb5_{read,write}_priv_message
+
+2000-07-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* version4.c: change log strings to match the v5 counterparts
+
+	* mod.c: allow setting kvno
+
+	* kadmind.c: if stdin is not a socket create and listen to sockets
+
+	* kadm_conn.c: socket creation functions
+
+	* util.c (deltat2str): treat 0 and INT_MAX as never
+
+2000-07-08  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (INCLUDES): add ../lib/krb5
+	* kadmin_locl.h: add krb5_locl.h (since we just use some stuff
+	from there)
+
+2000-06-07  Assar Westerlund  <assar@sics.se>
+
+	* add-random-users.c: new testing program that adds a number of
+	randomly generated users
+
+2000-04-12  Assar Westerlund  <assar@sics.se>
+
+	* cpw.c (do_cpw_entry): call set_password if no argument is given,
+	it will prompt for the password.
+	* kadmin.c: make help only print the commands that are actually
+	available.
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* del_enctype.c (del_enctype): set ignore correctly
+
+2000-04-02  Assar Westerlund  <assar@sics.se>
+
+	* kadmin.c (main): make parse errors a fatal error
+	* init.c (init): create changepw/kerberos with disallow-tgt and
+	pwchange attributes
+
+2000-03-23  Assar Westerlund  <assar@sics.se>
+
+	* util.c (hex2n, parse_des_key): add
+	* server.c (kadmind_dispatch): add kadm_chpass_with_key
+	* cpw.c: add --key
+	* ank.c: add --key
+
 2000-02-16  Assar Westerlund  <assar@sics.se>
 
 	* load.c (doit): check return value from parse_hdbflags2int
diff --git a/crypto/heimdal/kadmin/Makefile.am b/crypto/heimdal/kadmin/Makefile.am
index 2bafb55..5852198 100644
--- a/crypto/heimdal/kadmin/Makefile.am
+++ b/crypto/heimdal/kadmin/Makefile.am
@@ -1,13 +1,17 @@
-# $Id: Makefile.am,v 1.25 2000/01/06 08:04:13 assar Exp $
+# $Id: Makefile.am,v 1.32 2000/11/15 22:51:12 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_readline) $(INCLUDE_krb4)
+INCLUDES += $(INCLUDE_readline) $(INCLUDE_krb4) -I$(srcdir)/../lib/krb5
 
 sbin_PROGRAMS = kadmin
 
 libexec_PROGRAMS = kadmind
 
+man_MANS = kadmin.8 kadmind.8
+
+noinst_PROGRAMS = add_random_users
+
 kadmin_SOURCES =				\
 	ank.c					\
 	cpw.c					\
@@ -30,20 +34,29 @@ KRB4LIB = $(LIB_krb4)
 version4_c = version4.c
 endif
 
-kadmind_SOURCES = kadmind.c server.c kadmin_locl.h $(version4_c)
+kadmind_SOURCES =				\
+	kadmind.c				\
+	server.c				\
+	kadmin_locl.h				\
+	$(version4_c)				\
+	kadm_conn.c
 
 EXTRA_kadmind_SOURCES = version4.c
 
+add_random_users_SOURCES = add-random-users.c
+
 COMMON_LDADD = \
 	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB)
 
 kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \
 	$(COMMON_LDADD) \
+	$(LIB_pidfile) \
 	$(LIB_dlopen)
 
 kadmin_LDADD = \
@@ -53,3 +66,9 @@ kadmin_LDADD = \
 	$(LIB_readline) \
 	$(COMMON_LDADD) \
 	$(LIB_dlopen)
+
+add_random_users_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(COMMON_LDADD) \
+	$(LIB_dlopen)
diff --git a/crypto/heimdal/kadmin/Makefile.in b/crypto/heimdal/kadmin/Makefile.in
index b7fa775..1e84e56 100644
--- a/crypto/heimdal/kadmin/Makefile.in
+++ b/crypto/heimdal/kadmin/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.25 2000/01/06 08:04:13 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.32 2000/11/15 22:51:12 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_readline) $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_readline) $(INCLUDE_krb4) -I$(srcdir)/../lib/krb5
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,24 +170,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
@@ -177,84 +191,147 @@ sbin_PROGRAMS = kadmin
 
 libexec_PROGRAMS = kadmind
 
-kadmin_SOURCES =  	ank.c						cpw.c						del.c						del_enctype.c					dump.c						ext.c						get.c						init.c						kadmin.c					load.c						mod.c						rename.c					util.c						random_password.c				kadmin_locl.h
+man_MANS = kadmin.8 kadmind.8
+
+noinst_PROGRAMS = add_random_users
 
+kadmin_SOURCES = \
+	ank.c					\
+	cpw.c					\
+	del.c					\
+	del_enctype.c				\
+	dump.c					\
+	ext.c					\
+	get.c					\
+	init.c					\
+	kadmin.c				\
+	load.c					\
+	mod.c					\
+	rename.c				\
+	util.c					\
+	random_password.c			\
+	kadmin_locl.h
 
-@KRB4_TRUE@KRB4LIB = $(LIB_krb4)
-@KRB4_TRUE@version4_c = version4.c
 
-kadmind_SOURCES = kadmind.c server.c kadmin_locl.h $(version4_c)
+@KRB4_TRUE@KRB4LIB = @KRB4_TRUE@$(LIB_krb4)
+@KRB4_TRUE@version4_c = @KRB4_TRUE@version4.c
+
+kadmind_SOURCES = \
+	kadmind.c				\
+	server.c				\
+	kadmin_locl.h				\
+	$(version4_c)				\
+	kadm_conn.c
+
 
 EXTRA_kadmind_SOURCES = version4.c
 
-COMMON_LDADD =  	$(top_builddir)/lib/hdb/libhdb.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken) 	$(DBLIB)
+add_random_users_SOURCES = add-random-users.c
+
+COMMON_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB)
+
 
+kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(COMMON_LDADD) \
+	$(LIB_pidfile) \
+	$(LIB_dlopen)
 
-kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la 	$(COMMON_LDADD) 	$(LIB_dlopen)
 
+kadmin_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_readline) \
+	$(COMMON_LDADD) \
+	$(LIB_dlopen)
 
-kadmin_LDADD =  	$(top_builddir)/lib/kadm5/libkadm5clnt.la 	$(top_builddir)/lib/kadm5/libkadm5srv.la 	$(top_builddir)/lib/sl/libsl.la 	$(LIB_readline) 	$(COMMON_LDADD) 	$(LIB_dlopen)
 
+add_random_users_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(COMMON_LDADD) \
+	$(LIB_dlopen)
+
+subdir = kadmin
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../include/config.h
 CONFIG_CLEAN_FILES = 
 libexec_PROGRAMS =  kadmind$(EXEEXT)
+noinst_PROGRAMS =  add_random_users$(EXEEXT)
 sbin_PROGRAMS =  kadmin$(EXEEXT)
-PROGRAMS =  $(libexec_PROGRAMS) $(sbin_PROGRAMS)
+PROGRAMS =  $(libexec_PROGRAMS) $(noinst_PROGRAMS) $(sbin_PROGRAMS)
 
 
 DEFS = @DEFS@ -I. -I$(srcdir) -I../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-@KRB4_TRUE@kadmind_OBJECTS =  kadmind.$(OBJEXT) server.$(OBJEXT) \
-@KRB4_TRUE@version4.$(OBJEXT)
-@KRB4_FALSE@kadmind_OBJECTS =  kadmind.$(OBJEXT) server.$(OBJEXT)
-@KRB4_TRUE@kadmind_DEPENDENCIES =  \
-@KRB4_TRUE@$(top_builddir)/lib/kadm5/libkadm5srv.la \
-@KRB4_TRUE@$(top_builddir)/lib/hdb/libhdb.la \
-@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_FALSE@kadmind_DEPENDENCIES =  \
-@KRB4_FALSE@$(top_builddir)/lib/kadm5/libkadm5srv.la \
-@KRB4_FALSE@$(top_builddir)/lib/hdb/libhdb.la \
-@KRB4_FALSE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
-kadmind_LDFLAGS = 
-kadmin_OBJECTS =  ank.$(OBJEXT) cpw.$(OBJEXT) del.$(OBJEXT) \
+am_add_random_users_OBJECTS =  add-random-users.$(OBJEXT)
+add_random_users_OBJECTS =  $(am_add_random_users_OBJECTS)
+add_random_users_DEPENDENCIES =  \
+$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+$(top_builddir)/lib/kadm5/libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+add_random_users_LDFLAGS = 
+am_kadmin_OBJECTS =  ank.$(OBJEXT) cpw.$(OBJEXT) del.$(OBJEXT) \
 del_enctype.$(OBJEXT) dump.$(OBJEXT) ext.$(OBJEXT) get.$(OBJEXT) \
 init.$(OBJEXT) kadmin.$(OBJEXT) load.$(OBJEXT) mod.$(OBJEXT) \
 rename.$(OBJEXT) util.$(OBJEXT) random_password.$(OBJEXT)
+kadmin_OBJECTS =  $(am_kadmin_OBJECTS)
 kadmin_DEPENDENCIES =  $(top_builddir)/lib/kadm5/libkadm5clnt.la \
 $(top_builddir)/lib/kadm5/libkadm5srv.la \
 $(top_builddir)/lib/sl/libsl.la $(top_builddir)/lib/hdb/libhdb.la \
-$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
-$(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
 kadmin_LDFLAGS = 
-CFLAGS = @CFLAGS@
+@KRB4_FALSE@am_kadmind_OBJECTS =  kadmind.$(OBJEXT) server.$(OBJEXT) \
+@KRB4_FALSE@kadm_conn.$(OBJEXT)
+@KRB4_TRUE@am_kadmind_OBJECTS =  kadmind.$(OBJEXT) server.$(OBJEXT) \
+@KRB4_TRUE@version4.$(OBJEXT) kadm_conn.$(OBJEXT)
+kadmind_OBJECTS =  $(am_kadmind_OBJECTS)
+@KRB4_FALSE@kadmind_DEPENDENCIES =  \
+@KRB4_FALSE@$(top_builddir)/lib/kadm5/libkadm5srv.la \
+@KRB4_FALSE@$(top_builddir)/lib/hdb/libhdb.la \
+@KRB4_FALSE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@kadmind_DEPENDENCIES =  \
+@KRB4_TRUE@$(top_builddir)/lib/kadm5/libkadm5srv.la \
+@KRB4_TRUE@$(top_builddir)/lib/hdb/libhdb.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+kadmind_LDFLAGS = 
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(add_random_users_SOURCES) $(kadmin_SOURCES) \
+$(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES)
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
 DIST_COMMON =  ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
-SOURCES = $(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES) $(kadmin_SOURCES)
-OBJECTS = $(kadmind_OBJECTS) $(kadmin_OBJECTS)
+SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) $(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES)
+OBJECTS = $(am_add_random_users_OBJECTS) $(am_kadmin_OBJECTS) $(am_kadmind_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign kadmin/Makefile
 
@@ -277,17 +354,29 @@ install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-libexecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
 	done
 
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
 mostlyclean-sbinPROGRAMS:
 
 clean-sbinPROGRAMS:
@@ -302,31 +391,20 @@ install-sbinPROGRAMS: $(sbin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(sbindir)
 	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-sbinPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(sbin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \
+	  rm -f $(DESTDIR)$(sbindir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -338,15 +416,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -357,33 +426,88 @@ distclean-libtool:
 
 maintainer-clean-libtool:
 
-kadmind$(EXEEXT): $(kadmind_OBJECTS) $(kadmind_DEPENDENCIES)
-	@rm -f kadmind$(EXEEXT)
-	$(LINK) $(kadmind_LDFLAGS) $(kadmind_OBJECTS) $(kadmind_LDADD) $(LIBS)
+add_random_users$(EXEEXT): $(add_random_users_OBJECTS) $(add_random_users_DEPENDENCIES)
+	@rm -f add_random_users$(EXEEXT)
+	$(LINK) $(add_random_users_LDFLAGS) $(add_random_users_OBJECTS) $(add_random_users_LDADD) $(LIBS)
 
 kadmin$(EXEEXT): $(kadmin_OBJECTS) $(kadmin_DEPENDENCIES)
 	@rm -f kadmin$(EXEEXT)
 	$(LINK) $(kadmin_LDFLAGS) $(kadmin_OBJECTS) $(kadmin_LDADD) $(LIBS)
 
+kadmind$(EXEEXT): $(kadmind_OBJECTS) $(kadmind_DEPENDENCIES)
+	@rm -f kadmind$(EXEEXT)
+	$(LINK) $(kadmind_LDFLAGS) $(kadmind_OBJECTS) $(kadmind_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man8
+
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -396,17 +520,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = kadmin
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -424,20 +547,22 @@ install-exec-am: install-libexecPROGRAMS install-sbinPROGRAMS
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 install-exec: install-exec-am
 
-install-data-am: install-data-local
+install-data-am: install-man install-data-local
 install-data: install-data-am
 
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 install: install-am
-uninstall-am: uninstall-libexecPROGRAMS uninstall-sbinPROGRAMS
+uninstall-am: uninstall-libexecPROGRAMS uninstall-sbinPROGRAMS \
+		uninstall-man
 uninstall: uninstall-am
-all-am: Makefile $(PROGRAMS) all-local
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
-	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(sbindir)
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(sbindir) \
+		$(DESTDIR)$(mandir)/man8
 
 
 mostlyclean-generic:
@@ -449,25 +574,30 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
-mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-sbinPROGRAMS \
-		mostlyclean-compile mostlyclean-libtool \
-		mostlyclean-tags mostlyclean-generic
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-noinstPROGRAMS \
+		mostlyclean-sbinPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
 
 mostlyclean: mostlyclean-am
 
-clean-am:  clean-libexecPROGRAMS clean-sbinPROGRAMS clean-compile \
-		clean-libtool clean-tags clean-generic mostlyclean-am
+clean-am:  clean-libexecPROGRAMS clean-noinstPROGRAMS clean-sbinPROGRAMS \
+		clean-compile clean-libtool clean-tags clean-generic \
+		mostlyclean-am
 
 clean: clean-am
 
-distclean-am:  distclean-libexecPROGRAMS distclean-sbinPROGRAMS \
-		distclean-compile distclean-libtool distclean-tags \
-		distclean-generic clean-am
+distclean-am:  distclean-libexecPROGRAMS distclean-noinstPROGRAMS \
+		distclean-sbinPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
 	-rm -f libtool
 
 distclean: distclean-am
 
 maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-noinstPROGRAMS \
 		maintainer-clean-sbinPROGRAMS maintainer-clean-compile \
 		maintainer-clean-libtool maintainer-clean-tags \
 		maintainer-clean-generic distclean-am
@@ -479,18 +609,21 @@ maintainer-clean: maintainer-clean-am
 .PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
 clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
 uninstall-libexecPROGRAMS install-libexecPROGRAMS \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
 mostlyclean-sbinPROGRAMS distclean-sbinPROGRAMS clean-sbinPROGRAMS \
 maintainer-clean-sbinPROGRAMS uninstall-sbinPROGRAMS \
 install-sbinPROGRAMS mostlyclean-compile distclean-compile \
 clean-compile maintainer-clean-compile mostlyclean-libtool \
-distclean-libtool clean-libtool maintainer-clean-libtool tags \
-mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
-distdir info-am info dvi-am dvi check-local check check-am \
-installcheck-am installcheck install-exec-am install-exec \
-install-data-local install-data-am install-data install-am install \
-uninstall-am uninstall all-local all-redirect all-am all installdirs \
-mostlyclean-generic distclean-generic clean-generic \
-maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+distclean-libtool clean-libtool maintainer-clean-libtool install-man8 \
+uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
 
 
 install-suid-programs:
@@ -498,7 +631,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -510,8 +646,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -580,87 +716,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/kadmin/add-random-users.c b/crypto/heimdal/kadmin/add-random-users.c
new file mode 100644
index 0000000..24cde70
--- /dev/null
+++ b/crypto/heimdal/kadmin/add-random-users.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: add-random-users.c,v 1.2 2000/12/31 07:43:39 assar Exp $");
+
+#define WORDS_FILENAME "/usr/share/dict/words"
+
+#define NUSERS 1000
+
+static unsigned
+read_words (const char *filename, char ***ret_w)
+{
+    unsigned n, alloc;
+    FILE *f;
+    char buf[256];
+    char **w = NULL;
+
+    f = fopen (filename, "r");
+    if (f == NULL)
+	err (1, "cannot open %s", filename);
+    alloc = n = 0;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if (buf[strlen (buf) - 1] == '\n')
+	    buf[strlen (buf) - 1] = '\0';
+	if (n >= alloc) {
+	    alloc += 16;
+	    w = erealloc (w, alloc * sizeof(char **));
+	}
+	w[n++] = estrdup (buf);
+    }
+    *ret_w = w;
+    return n;
+}
+
+static void
+add_user (krb5_context context, void *kadm_handle,
+	  unsigned nwords, char **words)
+{
+    kadm5_principal_ent_rec princ;
+    char name[64];
+    int r1, r2;
+    krb5_error_code ret;
+    int mask;
+
+    r1 = rand();
+    r2 = rand();
+
+    snprintf (name, sizeof(name), "%s%d", words[r1 % nwords], r2 % 1000);
+
+    mask = KADM5_PRINCIPAL;
+
+    memset(&princ, 0, sizeof(princ));
+    ret = krb5_parse_name(context, name, &princ.principal);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = kadm5_create_principal (kadm_handle, &princ, mask, name);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_create_principal");
+    kadm5_free_principal_ent(kadm_handle, &princ);
+    printf ("%s\n", name);
+}
+
+static void
+add_users (unsigned n)
+{
+    krb5_error_code ret;
+    int i;
+    void *kadm_handle;
+    krb5_context context;
+    unsigned nwords;
+    char **words;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+    ret = kadm5_s_init_with_password_ctx(context, 
+					 KADM5_ADMIN_SERVICE,
+					 NULL,
+					 KADM5_ADMIN_SERVICE,
+					 NULL, 0, 0, 
+					 &kadm_handle);
+    if(ret)
+	krb5_err(context, 1, ret, "kadm5_init_with_password");
+
+    nwords = read_words (WORDS_FILENAME, &words);
+    
+    for (i = 0; i < n; ++i)
+	add_user (context, kadm_handle, nwords, words);
+    kadm5_destroy(kadm_handle);
+    krb5_free_context(context);
+}
+
+static int version_flag	= 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    NULL);
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+
+    set_progname(argv[0]);
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    if (help_flag)
+	usage (0);
+    srand (0);
+    add_users (NUSERS);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/ank.c b/crypto/heimdal/kadmin/ank.c
index 7068912..129ee66 100644
--- a/crypto/heimdal/kadmin/ank.c
+++ b/crypto/heimdal/kadmin/ank.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadmin_locl.h"
 
-RCSID("$Id: ank.c,v 1.19 1999/12/02 17:04:57 joda Exp $");
+RCSID("$Id: ank.c,v 1.21 2000/09/10 19:16:39 joda Exp $");
 
 /*
  * fetch the default principal corresponding to `princ'
@@ -68,6 +68,7 @@ add_one_principal (const char *name,
 		   int rand_key,
 		   int rand_password,
 		   char *password,
+		   krb5_key_data *key_data,
 		   const char *max_ticket_life,
 		   const char *max_renewable_life,
 		   const char *attributes,
@@ -108,7 +109,7 @@ add_one_principal (const char *name,
     }
 
     edit_entry(&princ, &mask, default_ent, default_mask);
-    if(rand_key) {
+    if(rand_key || key_data) {
 	princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
 	mask |= KADM5_ATTRIBUTES;
 	strlcpy (pwbuf, "hemlig", sizeof(pwbuf));
@@ -152,6 +153,17 @@ add_one_principal (const char *name,
 	kadm5_modify_principal(kadm_handle, &princ, 
 			       KADM5_ATTRIBUTES | KADM5_KVNO);
 	kadm5_free_principal_ent(kadm_handle, &princ);
+    } else if (key_data) {
+	ret = kadm5_chpass_principal_with_key (kadm_handle, princ_ent,
+					       3, key_data);
+	if (ret) {
+	    krb5_warn(context, ret, "kadm5_chpass_principal_with_key");
+	}
+	kadm5_get_principal(kadm_handle, princ_ent, &princ, 
+			    KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
+	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
+	kadm5_modify_principal(kadm_handle, &princ, KADM5_ATTRIBUTES);
+	kadm5_free_principal_ent(kadm_handle, &princ);
     } else if (rand_password) {
 	char *princ_name;
 
@@ -170,6 +182,10 @@ out:
 }
 
 /*
+ * parse the string `key_string' into `key', returning 0 iff succesful.
+ */
+
+/*
  * the ank command
  */
 
@@ -177,6 +193,7 @@ static struct getargs args[] = {
     { "random-key",	'r',	arg_flag,	NULL, "set random key" },
     { "random-password", 0,	arg_flag,	NULL, "set random password" },
     { "password",	'p',	arg_string,	NULL, "princial's password" },
+    { "key",		0,	arg_string,	NULL, "DES-key in hex" },
     { "max-ticket-life",  0,	arg_string,	NULL, "max ticket lifetime",
       "lifetime"},
     { "max-renewable-life",  0,	arg_string,	NULL,
@@ -194,7 +211,7 @@ static int num_args = sizeof(args) / sizeof(args[0]);
 static void
 usage(void)
 {
-    arg_printusage (args, num_args, "ank", "principal");
+    arg_printusage (args, num_args, "add", "principal...");
 }
 
 /*
@@ -205,6 +222,7 @@ int
 add_new_key(int argc, char **argv)
 {
     char *password = NULL;
+    char *key = NULL;
     int random_key = 0;
     int random_password = 0;
     int optind = 0;
@@ -216,15 +234,18 @@ add_new_key(int argc, char **argv)
     char *pw_expiration		= NULL;
     int i;
     int num;
+    krb5_key_data key_data[3];
+    krb5_key_data *kdp = NULL;
 
     args[0].value = &random_key;
     args[1].value = &random_password;
     args[2].value = &password;
-    args[3].value = &max_ticket_life;
-    args[4].value = &max_renewable_life;
-    args[5].value = &attributes;
-    args[6].value = &expiration;
-    args[7].value = &pw_expiration;
+    args[3].value = &key;
+    args[4].value = &max_ticket_life;
+    args[5].value = &max_renewable_life;
+    args[6].value = &attributes;
+    args[7].value = &expiration;
+    args[8].value = &pw_expiration;
     
     if(getarg(args, num_args, argc, argv, &optind)) {
 	usage ();
@@ -242,16 +263,29 @@ add_new_key(int argc, char **argv)
 	++num;
     if (password)
 	++num;
+    if (key)
+	++num;
 
     if (num > 1) {
 	printf ("give only one of "
-		"--random-key, --random-password, --password\n");
+		"--random-key, --random-password, --password, --key\n");
 	return 0;
     }
 
+    if (key) {
+	const char *error;
+
+	if (parse_des_key (key, key_data, &error)) {
+	    printf ("failed parsing key `%s': %s\n", key, error);
+	    return 0;
+	}
+	kdp = key_data;
+    }
+
     for (i = optind; i < argc; ++i) {
 	ret = add_one_principal (argv[i], random_key, random_password,
 				 password,
+				 kdp,
 				 max_ticket_life,
 				 max_renewable_life,
 				 attributes,
@@ -262,5 +296,9 @@ add_new_key(int argc, char **argv)
 	    break;
 	}
     }
+    if (kdp) {
+	int16_t dummy = 3;
+	kadm5_free_key_data (kadm_handle, &dummy, key_data);
+    }
     return 0;
 }
diff --git a/crypto/heimdal/kadmin/cpw.c b/crypto/heimdal/kadmin/cpw.c
index 2bd71a7..3abc1d1 100644
--- a/crypto/heimdal/kadmin/cpw.c
+++ b/crypto/heimdal/kadmin/cpw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,18 +33,20 @@
 
 #include "kadmin_locl.h"
 
-RCSID("$Id: cpw.c,v 1.9 1999/12/02 17:04:57 joda Exp $");
+RCSID("$Id: cpw.c,v 1.11 2000/04/12 10:45:54 assar Exp $");
 
 struct cpw_entry_data {
     int random_key;
     int random_password;
     char *password;
+    krb5_key_data *key_data;
 };
 
 static struct getargs args[] = {
     { "random-key",	'r',	arg_flag,	NULL, "set random key" },
     { "random-password", 0,	arg_flag,	NULL, "set random password" },
     { "password",	'p',	arg_string,	NULL, "princial's password" },
+    { "key",		 0,	arg_string,	NULL, "DES key in hex" }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
@@ -119,6 +121,16 @@ set_password (krb5_principal principal, char *password)
 }
 
 static int
+set_key_data (krb5_principal principal, krb5_key_data *key_data)
+{
+    krb5_error_code ret;
+
+    ret = kadm5_chpass_principal_with_key (kadm_handle, principal,
+					   3, key_data);
+    return ret;
+}
+
+static int
 do_cpw_entry(krb5_principal principal, void *data)
 {
     struct cpw_entry_data *e = data;
@@ -127,6 +139,8 @@ do_cpw_entry(krb5_principal principal, void *data)
 	return set_random_key (principal);
     else if (e->random_password)
 	return set_random_password (principal);
+    else if (e->key_data)
+	return set_key_data (principal, e->key_data);
     else
 	return set_password (principal, e->password);
 }
@@ -139,14 +153,20 @@ cpw_entry(int argc, char **argv)
     int optind = 0;
     struct cpw_entry_data data;
     int num;
+    char *key_string;
+    krb5_key_data key_data[3];
 
     data.random_key      = 0;
     data.random_password = 0;
     data.password        = NULL;
+    data.key_data	 = NULL;
+
+    key_string = NULL;
 
     args[0].value = &data.random_key;
     args[1].value = &data.random_password;
     args[2].value = &data.password;
+    args[3].value = &key_string;
     if(getarg(args, num_args, argc, argv, &optind)){
 	usage();
 	return 0;
@@ -159,19 +179,35 @@ cpw_entry(int argc, char **argv)
 	++num;
     if (data.password)
 	++num;
+    if (key_string)
+	++num;
 
     if (num > 1) {
 	printf ("give only one of "
-		"--random-key, --random-password, --password\n");
+		"--random-key, --random-password, --password, --key\n");
 	return 0;
     }
 	
+    if (key_string) {
+	const char *error;
+
+	if (parse_des_key (key_string, key_data, &error)) {
+	    printf ("failed parsing key `%s': %s\n", key_string, error);
+	    return 0;
+	}
+	data.key_data = key_data;
+    }
+
     argc -= optind;
     argv += optind;
 
     for(i = 0; i < argc; i++)
 	ret = foreach_principal(argv[i], do_cpw_entry, &data);
 
+    if (data.key_data) {
+	int16_t dummy;
+	kadm5_free_key_data (kadm_handle, &dummy, key_data);
+    }
+
     return 0;
 }
-
diff --git a/crypto/heimdal/kadmin/del.c b/crypto/heimdal/kadmin/del.c
index 39ee24e..9d7e91b 100644
--- a/crypto/heimdal/kadmin/del.c
+++ b/crypto/heimdal/kadmin/del.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997, 1998, 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadmin_locl.h"
 
-RCSID("$Id: del.c,v 1.4 1999/12/02 17:04:58 joda Exp $");
+RCSID("$Id: del.c,v 1.5 2000/09/10 19:17:00 joda Exp $");
 
 static int
 do_del_entry(krb5_principal principal, void *data)
@@ -41,12 +41,39 @@ do_del_entry(krb5_principal principal, void *data)
     return kadm5_delete_principal(kadm_handle, principal);
 }
 
+static struct getargs args[] = {
+    { "help", 'h', arg_flag, NULL }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage (args, num_args, "delete", "principal...");
+}
+
+
 int
 del_entry(int argc, char **argv)
 {
+    int optind = 0;
+    int help_flag = 0;
+
     int i;
     krb5_error_code ret;
 
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ();
+	return 0;
+    }
+    if(optind == argc || help_flag) {
+	usage ();
+	return 0;
+    }
+
     for(i = 1; i < argc; i++)
 	ret = foreach_principal(argv[i], do_del_entry, NULL);
     return 0;
diff --git a/crypto/heimdal/kadmin/del_enctype.c b/crypto/heimdal/kadmin/del_enctype.c
index d772b65..1333a4d 100644
--- a/crypto/heimdal/kadmin/del_enctype.c
+++ b/crypto/heimdal/kadmin/del_enctype.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,21 +33,31 @@
 
 #include "kadmin_locl.h"
 
-RCSID("$Id: del_enctype.c,v 1.4 1999/12/14 02:37:49 assar Exp $");
+RCSID("$Id: del_enctype.c,v 1.6 2000/09/10 19:17:23 joda Exp $");
+
+/*
+ * del_enctype principal enctypes...
+ */
+
+static struct getargs args[] = {
+    { "help", 'h', arg_flag, NULL }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
 
 static void
 usage(void)
 {
-    fprintf (stderr, "Usage: del_enctype principal enctypes...\n");
+    arg_printusage (args, num_args, "del_enctype", "principal enctypes...");
 }
 
-/*
- * del_enctype principal enctypes...
- */
 
 int
 del_enctype(int argc, char **argv)
 {
+    int optind = 0;
+    int help_flag = 0;
+
     kadm5_principal_ent_rec princ;
     krb5_principal princ_ent = NULL;
     krb5_error_code ret;
@@ -57,7 +67,13 @@ del_enctype(int argc, char **argv)
     int n_etypes;
     krb5_enctype *etypes;
 
-    if (argc < 3) {
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ();
+	return 0;
+    }
+    if(argc - optind < 3 || help_flag) {
 	usage ();
 	return 0;
     }
@@ -110,7 +126,7 @@ del_enctype(int argc, char **argv)
 	if (docopy) {
 	    new_key_data[j++] = *key;
 	} else {
-	    int16_t ignore;
+	    int16_t ignore = 1;
 
 	    kadm5_free_key_data (kadm_handle, &ignore, key);
 	}
diff --git a/crypto/heimdal/kadmin/get.c b/crypto/heimdal/kadmin/get.c
index 1492ca9..7ecea7c 100644
--- a/crypto/heimdal/kadmin/get.c
+++ b/crypto/heimdal/kadmin/get.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "kadmin_locl.h"
 #include <parse_units.h>
 
-RCSID("$Id: get.c,v 1.8 1999/12/02 17:04:58 joda Exp $");
+RCSID("$Id: get.c,v 1.12 2000/12/15 14:24:24 joda Exp $");
 
 struct get_entry_data {
     void (*header)(void);
@@ -102,11 +102,27 @@ print_entry_short(kadm5_principal_ent_t princ)
     printf("\n");
 }
 
+/*
+ * return 0 iff `salt' actually is the same as the current salt in `k'
+ */
+
+static int
+cmp_salt (const krb5_salt *salt, const krb5_key_data *k)
+{
+    if (salt->salttype != k->key_data_type[1])
+	return 1;
+    if (salt->saltvalue.length != k->key_data_length[1])
+	return 1;
+    return memcmp (salt->saltvalue.data, k->key_data_contents[1],
+		   salt->saltvalue.length);
+}
+
 static void
 print_entry_long(kadm5_principal_ent_t princ)
 {
     char buf[1024];
     int i;
+    krb5_salt def_salt;
     
     krb5_unparse_name_fixed(context, princ->principal, buf, sizeof(buf));
     printf("%24s: %s\n", "Principal", buf);
@@ -134,17 +150,21 @@ print_entry_long(kadm5_principal_ent_t princ)
     printf("%24s: %d\n", "Failed login count", princ->fail_auth_count);
     time_t2str(princ->mod_date, buf, sizeof(buf), 1);
     printf("%24s: %s\n", "Last modified", buf);
-    krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf));
-    printf("%24s: %s\n", "Modifier", buf);
+    if(princ->mod_name != NULL) {
+	krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf));
+	printf("%24s: %s\n", "Modifier", buf);
+    }
     attributes2str (princ->attributes, buf, sizeof(buf));
     printf("%24s: %s\n", "Attributes", buf);
 
-    printf("%24s: ", "Keytypes(salts)");
+    printf("%24s: ", "Keytypes(salttype[(salt-value)])");
+
+    krb5_get_pw_salt (context, princ->principal, &def_salt);
 
     for (i = 0; i < princ->n_key_data; ++i) {
 	krb5_key_data *k = &princ->key_data[i];
 	krb5_error_code ret;
-	char *e_string, *s_string;
+	char *e_string, *s_string, *salt;
 
 	ret = krb5_enctype_to_string (context,
 				      k->key_data_type[0],
@@ -159,10 +179,21 @@ print_entry_long(kadm5_principal_ent_t princ)
 	if (ret)
 	    asprintf (&s_string, "unknown(%d)", k->key_data_type[1]);
 
-	printf ("%s%s(%s)", (i != 0) ? ", " : "", e_string, s_string);
+	if (cmp_salt(&def_salt, k) == 0)
+	    salt = strdup("");
+	else if(k->key_data_length[1] == 0)
+	    salt = strdup("()");
+	else
+	    asprintf (&salt, "(%.*s)", k->key_data_length[1],
+		      (char *)k->key_data_contents[1]);
+
+
+	printf ("%s%s(%s%s)", (i != 0) ? ", " : "", e_string, s_string, salt);
 	free (e_string);
 	free (s_string);
+	free (salt);
     }
+    krb5_free_salt (context, def_salt);
     printf("\n\n");
 }
 
@@ -190,37 +221,49 @@ do_get_entry(krb5_principal principal, void *data)
     return 0;
 }
 
-int
-get_entry(int argc, char **argv)
+static int
+getit(const char *name, int terse_flag, int argc, char **argv)
 {
     int i;
     krb5_error_code ret;
     struct get_entry_data data;
     struct getargs args[] = {
 	{ "long",	'l',	arg_flag,	NULL, "long format" },
+	{ "short",	's',	arg_flag,	NULL, "short format" },
 	{ "terse",	't',	arg_flag,	NULL, "terse format" },
     };
     int num_args = sizeof(args) / sizeof(args[0]);
     int optind = 0;
-    int long_flag = 0;
-    int terse_flag = 0;
+    int long_flag = -1;
+    int short_flag = -1;
     
     args[0].value = &long_flag;
-    args[1].value = &terse_flag;
+    args[1].value = &short_flag;
+    args[2].value = &terse_flag;
+
     if(getarg(args, num_args, argc, argv, &optind))
 	goto usage;
     if(optind == argc)
 	goto usage;
 
+    if(long_flag == -1 && (short_flag == 1 || terse_flag == 1))
+	long_flag = 0;
+    if(short_flag == -1 && (long_flag == 1 || terse_flag == 1))
+	short_flag = 0;
+    if(terse_flag == -1 && (long_flag == 1 || short_flag == 1))
+	terse_flag = 0;
+    if(long_flag == 0 && short_flag == 0 && terse_flag == 0)
+	short_flag = 1;
+
     if(long_flag) {
 	data.format = print_entry_long;
 	data.header = NULL;
+    } else if(short_flag){
+	data.format = print_entry_short;
+	data.header = print_header_short;
     } else if(terse_flag) {
 	data.format = print_entry_terse;
 	data.header = NULL;
-    } else {
-	data.format = print_entry_short;
-	data.header = print_header_short;
     }
 
     argc -= optind;
@@ -230,21 +273,18 @@ get_entry(int argc, char **argv)
 	ret = foreach_principal(argv[i], do_get_entry, &data);
     return 0;
 usage:
-    arg_printusage (args, num_args, "get", "principal...");
+    arg_printusage (args, num_args, name, "principal...");
     return 0;
 }
 
 int
-list_princs(int argc, char **argv)
+get_entry(int argc, char **argv)
 {
-    int i;
-    krb5_error_code ret;
-    struct get_entry_data data;
+    return getit("get", 0, argc, argv);
+}
 
-    data.format = print_entry_terse;
-    data.header = NULL;
-    
-    for(i = 1; i < argc; i++)
-	ret = foreach_principal(argv[i], do_get_entry, &data);
-    return 0;
+int
+list_princs(int argc, char **argv)
+{
+    return getit("list", 1, argc, argv);
 }
diff --git a/crypto/heimdal/kadmin/init.c b/crypto/heimdal/kadmin/init.c
index b889131..2391a08 100644
--- a/crypto/heimdal/kadmin/init.c
+++ b/crypto/heimdal/kadmin/init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "kadmin_locl.h"
 #include <kadm5/private.h>
 
-RCSID("$Id: init.c,v 1.23 1999/12/02 17:04:58 joda Exp $");
+RCSID("$Id: init.c,v 1.27 2000/09/10 19:20:16 joda Exp $");
 
 static kadm5_ret_t
 create_random_entry(krb5_principal princ,
@@ -97,7 +97,7 @@ static int num_args = sizeof(args) / sizeof(args[0]);
 static void
 usage(void)
 {
-    arg_printusage (args, num_args, "ank", "principal");
+    arg_printusage (args, num_args, "init", "realm...");
 }
 
 int
@@ -119,6 +119,11 @@ init(int argc, char **argv)
 	return 0;
     }
 
+    if(argc - optind < 1) {
+	usage();
+	return 0;
+    }
+
     if (realm_max_life) {
 	if (str2deltat (realm_max_life, &max_life) != 0) {
 	    krb5_warnx (context, "unable to parse `%s'", realm_max_life);
@@ -145,7 +150,8 @@ init(int argc, char **argv)
 	const char *realm = argv[i];
 
 	/* Create `krbtgt/REALM' */
-	krb5_make_principal(context, &princ, realm, "krbtgt", realm, NULL);
+	krb5_make_principal(context, &princ, realm,
+			    KRB5_TGS_NAME, realm, NULL);
 	if (realm_max_life == NULL) {
 	    max_life = 0;
 	    edit_deltat ("Realm max ticket life", &max_life, NULL, 0);
@@ -180,7 +186,18 @@ init(int argc, char **argv)
 	/* Create `changepw/kerberos' (for v4 compat) */
 	krb5_make_principal(context, &princ, realm,
 			    "changepw", "kerberos", NULL);
-	create_random_entry(princ, 60*60, 60*60, 0);
+	create_random_entry(princ, 60*60, 60*60,
+			    KRB5_KDB_DISALLOW_TGT_BASED|
+			    KRB5_KDB_PWCHANGE_SERVICE);
+
+	krb5_free_principal(context, princ);
+
+	/* Create `kadmin/hprop' for database propagation */
+	krb5_make_principal(context, &princ, realm,
+			    "kadmin", "hprop", NULL);
+	create_random_entry(princ, 60*60, 60*60,
+			    KRB5_KDB_REQUIRES_PRE_AUTH|
+			    KRB5_KDB_DISALLOW_TGT_BASED);
 	krb5_free_principal(context, princ);
 
 	/* Create `default' */
diff --git a/crypto/heimdal/kadmin/kadm_conn.c b/crypto/heimdal/kadmin/kadm_conn.c
new file mode 100644
index 0000000..28bf177
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadm_conn.c
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+RCSID("$Id: kadm_conn.c,v 1.11 2001/01/29 08:43:01 assar Exp $");
+
+struct kadm_port {
+    char *port;
+    unsigned short def_port;
+    struct kadm_port *next;
+} *kadm_ports;
+
+static void
+add_kadm_port(krb5_context context, const char *service, unsigned int port)
+{
+    struct kadm_port *p;
+    p = malloc(sizeof(*p));
+    if(p == NULL) {
+	krb5_warnx(context, "failed to allocate %lu bytes\n", 
+		   (unsigned long)sizeof(*p));
+	return;
+    }
+    
+    p->port = strdup(service);
+    p->def_port = port;
+
+    p->next = kadm_ports;
+    kadm_ports = p;
+}
+
+static void
+add_standard_ports (krb5_context context)
+{
+    add_kadm_port(context, "kerberos-adm", 749);
+#ifdef KRB4
+    add_kadm_port(context, "kerberos-master", 751);
+#endif
+}
+
+/*
+ * parse the set of space-delimited ports in `str' and add them.
+ * "+" => all the standard ones
+ * otherwise it's port|service[/protocol]
+ */
+
+void
+parse_ports(krb5_context context, const char *str)
+{
+    char p[128];
+
+    while(strsep_copy(&str, " \t", p, sizeof(p)) != -1) {
+	if(strcmp(p, "+") == 0)
+	    add_standard_ports(context);
+	else
+	    add_kadm_port(context, p, 0);
+    }
+}
+
+static pid_t pgrp;
+sig_atomic_t term_flag, doing_useful_work;
+
+static RETSIGTYPE
+sigchld(int sig)
+{
+    int status;
+    waitpid(-1, &status, 0);
+    SIGRETURN(0);
+}
+
+static RETSIGTYPE
+terminate(int sig)
+{
+    if(getpid() == pgrp) {
+	/* parent */
+	term_flag = 1;
+	signal(sig, SIG_IGN);
+	killpg(pgrp, sig);
+    } else {
+	/* child */
+	if(doing_useful_work)
+	    term_flag = 1;
+	else
+	    exit(0);
+    }
+    SIGRETURN(0);
+}
+
+static int
+spawn_child(krb5_context context, int *socks, int num_socks, int this_sock)
+{
+    int e, i;
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa = (struct sockaddr *)&__ss;
+    socklen_t sa_size = sizeof(__ss);
+    int s;
+    pid_t pid;
+    krb5_address addr;
+    char buf[128];
+    size_t buf_len;
+
+    s = accept(socks[this_sock], sa, &sa_size);
+    if(s < 0) {
+	krb5_warn(context, errno, "accept");
+	return 1;
+    }
+    e = krb5_sockaddr2address(sa, &addr);
+    if(e)
+	krb5_warn(context, e, "krb5_sockaddr2address");
+    else {
+	e = krb5_print_address (&addr, buf, sizeof(buf), 
+				&buf_len);
+	if(e) 
+	    krb5_warn(context, e, "krb5_sockaddr2address");
+	else
+	    krb5_warnx(context, "connection from %s", buf);
+	krb5_free_address(context, &addr);
+    }
+    
+    pid = fork();
+    if(pid == 0) {
+	for(i = 0; i < num_socks; i++)
+	    close(socks[i]);
+	dup2(s, STDIN_FILENO);
+	dup2(s, STDOUT_FILENO);
+	if(s != STDIN_FILENO && s != STDOUT_FILENO)
+	    close(s);
+	return 0;
+    } else {
+	close(s);
+    }
+    return 1;
+}
+
+static int
+wait_for_connection(krb5_context context,
+		    int *socks, int num_socks)
+{
+    int i, e;
+    fd_set orig_read_set, read_set;
+    int max_fd = -1;
+    
+    FD_ZERO(&orig_read_set);
+    
+    for(i = 0; i < num_socks; i++) {
+	if (socks[i] >= FD_SETSIZE)
+	    errx (1, "fd too large");
+	FD_SET(socks[i], &orig_read_set);
+	max_fd = max(max_fd, socks[i]);
+    }
+    
+    pgrp = getpid();
+
+    if(setpgid(0, pgrp) < 0)
+	err(1, "setpgid");
+
+    signal(SIGTERM, terminate);
+    signal(SIGINT, terminate);
+    signal(SIGCHLD, sigchld);
+
+    while (term_flag == 0) {
+	read_set = orig_read_set;
+	e = select(max_fd + 1, &read_set, NULL, NULL, NULL);
+	if(e < 0) {
+	    if(errno != EINTR)
+		krb5_warn(context, errno, "select");
+	} else if(e == 0)
+	    krb5_warnx(context, "select returned 0");
+	else {
+	    for(i = 0; i < num_socks; i++) {
+		if(FD_ISSET(socks[i], &read_set))
+		    if(spawn_child(context, socks, num_socks, i) == 0)
+			return 0;
+	    }
+	}
+    }
+    signal(SIGCHLD, SIG_IGN);
+    while(1) {
+	int status;
+	pid_t pid;
+	pid = waitpid(-1, &status, 0);
+	if(pid == -1 && errno == ECHILD)
+	    break;
+    }
+    exit(0);
+}
+
+
+int
+start_server(krb5_context context)
+{
+    int e;
+    struct kadm_port *p;
+
+    int *socks = NULL, *tmp;
+    int num_socks = 0;
+    int i;
+
+    for(p = kadm_ports; p; p = p->next) {
+	struct addrinfo hints, *ai, *ap;
+	char portstr[32];
+	memset (&hints, 0, sizeof(hints));
+	hints.ai_flags    = AI_PASSIVE;
+	hints.ai_socktype = SOCK_STREAM;
+
+	e = getaddrinfo(NULL, p->port, &hints, &ai);
+	if(e) {
+	    snprintf(portstr, sizeof(portstr), "%u", p->def_port);
+	    e = getaddrinfo(NULL, portstr, &hints, &ai);
+	}
+
+	if(e) {
+	    krb5_warn(context, krb5_eai_to_heim_errno(e), "%s", portstr);
+	    continue;
+	}
+	i = 0;
+	for(ap = ai; ap; ap = ap->ai_next) 
+	    i++;
+	tmp = realloc(socks, (num_socks + i) * sizeof(*socks));
+	if(tmp == NULL) {
+	    krb5_warnx(context, "failed to reallocate %lu bytes", 
+		       (unsigned long)(num_socks + i) * sizeof(*socks));
+	    continue;
+	}
+	socks = tmp;
+	for(ap = ai; ap; ap = ap->ai_next) {
+	    int one = 1;
+	    int s = socket(ap->ai_family, ap->ai_socktype, ap->ai_protocol);
+	    if(s < 0) {
+		krb5_warn(context, errno, "socket");
+		continue;
+	    }
+#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT)
+	    if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&one,
+			  sizeof(one)) < 0)
+		krb5_warn(context, errno, "setsockopt");
+#endif
+	    if (bind (s, ap->ai_addr, ap->ai_addrlen) < 0) {
+		krb5_warn(context, errno, "bind");
+		close(s);
+		continue;
+	    }
+	    if (listen (s, SOMAXCONN) < 0) {
+		krb5_warn(context, errno, "listen");
+		close(s);
+		continue;
+	    }
+	    socks[num_socks++] = s;
+	}
+	freeaddrinfo (ai);
+    }
+    if(num_socks == 0)
+	krb5_errx(context, 1, "no sockets to listen to - exiting");
+    return wait_for_connection(context, socks, num_socks);
+}
diff --git a/crypto/heimdal/kadmin/kadmin.8 b/crypto/heimdal/kadmin/kadmin.8
new file mode 100644
index 0000000..bfb4cfc
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmin.8
@@ -0,0 +1,239 @@
+.\" $Id: kadmin.8,v 1.2 2000/09/19 12:29:48 assar Exp $
+.\"
+.Dd September 10, 2000
+.Dt KADMIN 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kadmin
+.Nd
+Kerberos administration utility
+.Sh SYNOPSIS
+.Nm
+.Oo Fl p Ar string \*(Ba Xo
+.Fl -principal= Ns Ar string Oc
+.Xc
+.Oo Fl c Ar file \*(Ba Xo
+.Fl -config-file= Ns Ar file Oc
+.Xc
+.Oo Fl k Ar file \*(Ba Xo
+.Fl -key-file= Ns Ar file Oc
+.Xc
+.Oo Fl r Ar realm \*(Ba Xo
+.Fl -realm= Ns Ar realm Oc
+.Xc
+.Oo Fl a Ar host \*(Ba Xo
+.Fl -admin-server= Ns Ar host Oc
+.Xc
+.Oo Fl s Ar port number \*(Ba Xo
+.Fl -server-port= Ns Ar port number Oc
+.Xc
+.Op Fl l | Fl -local
+.Op Fl h | Fl -help
+.Op Fl v | Fl -version
+.Op Ar command
+.Sh DESCRIPTION
+The
+.Nm
+program is used to make modification to the Kerberos database, either remotely via the 
+.Xr kadmind 8
+daemon, or locally (with the 
+.Fl l 
+option).
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl p Ar string Ns ,
+.Fl -principal= Ns Ar string
+.Xc
+principal to authenticate as
+.It Xo
+.Fl c Ar file Ns ,
+.Fl -config-file= Ns Ar file
+.Xc
+location of config file
+.It Xo
+.Fl k Ar file Ns ,
+.Fl -key-file= Ns Ar file
+.Xc
+location of master key file
+.It Xo
+.Fl r Ar realm Ns ,
+.Fl -realm= Ns Ar realm
+.Xc
+realm to use
+.It Xo
+.Fl a Ar host Ns ,
+.Fl -admin-server= Ns Ar host
+.Xc
+server to contact
+.It Xo
+.Fl s Ar port number Ns ,
+.Fl -server-port= Ns Ar port number
+.Xc
+port to use
+.It Xo
+.Fl l Ns ,
+.Fl -local
+.Xc
+local admin mode
+.El
+.Pp
+If no 
+.Ar command
+is given on the command line,
+.Nm 
+will prompt for commands to process. Commands include:
+.\" not using a list here, since groff apparently gets confused 
+.\" with nested Xo/Xc
+.Bd -ragged -offset indent
+.Nm add
+.Op Fl r | Fl -random-key
+.Op Fl -random-password
+.Oo Fl p Ar string \*(Ba Xo
+.Fl -password= Ns Ar string Oc
+.Xc
+.Op Fl -key= Ns Ar string
+.Op Fl -max-ticket-life= Ns Ar lifetime
+.Op Fl -max-renewable-life= Ns Ar lifetime
+.Op Fl -attributes= Ns Ar attributes
+.Op Fl -expiration-time= Ns Ar time
+.Op Fl -pw-expiration-time= Ns Ar time
+.Ar principal...
+.Pp
+.Bd -filled -offset indent
+creates a new principal
+.Ed
+.Pp
+.Nm passwd
+.Op Fl r | Fl -random-key
+.Op Fl -random-password
+.Oo Fl p Ar string \*(Ba Xo
+.Fl -password= Ns Ar string Oc
+.Xc
+.Op Fl -key= Ns Ar string
+.Ar principal...
+.Pp
+.Bd -filled -offset indent
+changes the password of an existing principal
+.Ed
+.Pp
+.Nm delete
+.Ar principal...
+.Pp
+.Bd -filled -offset indent
+removes a principal
+.Ed
+.Pp
+.Nm del_enctype
+.Ar principal enctypes...
+.Pp
+.Bd -filled -offset indent
+removes some enctypes from a principal, this can be useful the service
+belonging to the principal is known to not handle certain enctypes
+.Ed
+.Pp
+.Nm ext_keytab
+.Oo Fl k Ar string \*(Ba Xo
+.Fl -keytab= Ns Ar string Oc
+.Xc
+.Ar principal...
+.Pp
+.Bd -filled -offset indent
+creates a keytab with the keys of the specified principals
+.Ed
+.Pp
+.Nm get
+.Op Fl l | Fl -long
+.Op Fl s | Fl -short
+.Op Fl t | Fl -terse
+.Ar expression...
+.Pp
+.Bd -filled -offset indent
+lists the principals that match the expressions (which are shell glob
+like), long format gives more information, and terse just prints the
+names
+.Ed
+.Pp
+.Nm rename
+.Ar from to
+.Pp
+.Bd -filled -offset indent
+renames a principal
+.Ed
+.Pp
+.Nm modify
+.Oo Fl a Ar attributes \*(Ba Xo
+.Fl -attributes= Ns Ar attributes Oc
+.Xc
+.Op Fl -max-ticket-life= Ns Ar lifetime
+.Op Fl -max-renewable-life= Ns Ar lifetime
+.Op Fl -expiration-time= Ns Ar time
+.Op Fl -pw-expiration-time= Ns Ar time
+.Op Fl -kvno= Ns Ar number
+.Ar principal
+.Pp
+.Bd -filled -offset indent
+modifies certain attributes of a principal
+.Ed
+.Pp
+.Nm privileges
+.Pp
+.Bd -filled -offset indent
+lists the operations you are allowd to perform
+.Ed
+.Pp
+.Ed
+
+When running in local mode, the following commands can also be used.
+
+.Bd -ragged -offset indent
+.Nm dump
+.Op Fl d | Fl -decrypt
+.Op Ar dump-file
+.Pp
+.Bd -filled -offset indent
+writes the database in
+.Dq human readable
+form to the specified file, or standard out
+.Ed
+.Pp
+.Nm init
+.Op Fl -realm-max-ticket-life= Ns Ar string
+.Op Fl -realm-max-renewable-life= Ns Ar string
+.Ar realm
+.Pp
+.Bd -filled -offset indent
+initialises the Kerberos database with entries for a new realm, it's
+possible to have more than one realm served by one server
+.Ed
+.Pp
+.Nm load
+.Ar file
+.Pp
+.Bd -filled -offset indent
+reads a previously dumped database, and re-creates that database from scratch
+.Ed
+.Pp
+.Nm merge
+.Ar file
+.Pp
+.Bd -filled -offset indent
+similar to 
+.Nm list
+but just modifies the database with the entries in the dump file
+.Ed
+.Pp
+.Ed
+
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kadmind 8 ,
+.Xr kdc 8
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/kadmin/kadmin.c b/crypto/heimdal/kadmin/kadmin.c
index 6d29d63..5a21ffb 100644
--- a/crypto/heimdal/kadmin/kadmin.c
+++ b/crypto/heimdal/kadmin/kadmin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "kadmin_locl.h"
 #include <sl.h>
 
-RCSID("$Id: kadmin.c,v 1.27 2000/01/31 23:51:52 assar Exp $");
+RCSID("$Id: kadmin.c,v 1.34 2001/01/26 22:20:52 joda Exp $");
 
 static char *config_file;
 static char *keyfile;
@@ -141,6 +141,7 @@ static SL_cmd commands[] = {
 	"privileges",	get_privs,	"privileges",
 	"Shows which kinds of operations you are allowed to perform."
     },
+    { "privs" },
     { 
 	"list",		list_princs,	"list expression...", 
 	"Lists principals in a terse format. The same as `get -t'." 
@@ -148,16 +149,19 @@ static SL_cmd commands[] = {
     { "help",		help, "help"},
     { "?"},
     { "exit",		exit_kadmin, "exit"},
+    { "quit" },
     { NULL}
 };
 
 krb5_context context;
 void *kadm_handle;
 
+static SL_cmd *actual_cmds;
+
 int
 help(int argc, char **argv)
 {
-    sl_help(commands, argc, argv);
+    sl_help(actual_cmds, argc, argv);
     return 0;
 }
 
@@ -181,6 +185,24 @@ get_privs(int argc, char **argv)
     char str[128];
     kadm5_ret_t ret;
     
+    int help_flag = 0;
+    struct getargs args[] = {
+	{ "help",	'h',	arg_flag,	NULL }
+    };
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int optind = 0;
+
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage (args, num_args, "privileges", NULL);
+	return 0;
+    }
+    if(help_flag) {
+	arg_printusage (args, num_args, "privileges", NULL);
+	return 0;
+    }
+
     ret = kadm5_get_privs(kadm_handle, &privs);
     if(ret)
 	krb5_warn(context, ret, "kadm5_get_privs");
@@ -199,14 +221,15 @@ main(int argc, char **argv)
     kadm5_config_params conf;
     int optind = 0;
     int e;
-    SL_cmd *cmd;
 
     set_progname(argv[0]);
 
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
 
     while((e = getarg(args, num_args, argc, argv, &optind)))
-	warnx("error at argument `%s'", argv[optind]);
+	errx(1, "error at argument `%s'", argv[optind]);
 
     if (help_flag)
 	usage (0);
@@ -254,7 +277,7 @@ main(int argc, char **argv)
 					     KADM5_ADMIN_SERVICE,
 					     &conf, 0, 0, 
 					     &kadm_handle);
-	cmd = commands;
+	actual_cmds = commands;
     } else {
 	ret = kadm5_c_init_with_password_ctx(context, 
 					     client_name,
@@ -262,17 +285,23 @@ main(int argc, char **argv)
 					     KADM5_ADMIN_SERVICE,
 					     &conf, 0, 0, 
 					     &kadm_handle);
-	cmd = commands + 4; /* XXX */
+	actual_cmds = commands + 4; /* XXX */
     }
     
     if(ret)
 	krb5_err(context, 1, ret, "kadm5_init_with_password");
+
+    signal(SIGINT, SIG_IGN); /* ignore signals for now, the sl command
+                                parser will handle SIGINT its own way;
+                                we should really take care of this in
+                                each function, f.i `get' might be
+                                interruptable, but not `create' */
     if (argc != 0) {
-	ret = sl_command (cmd, argc, argv);
+	ret = sl_command (actual_cmds, argc, argv);
 	if(ret == -1)
 	    krb5_warnx (context, "unrecognized command: %s", argv[0]);
     } else
-	ret = sl_loop (cmd, "kadmin> ") != 0;
+	ret = sl_loop (actual_cmds, "kadmin> ") != 0;
 
     kadm5_destroy(kadm_handle);
     krb5_config_file_free (context, cf);
diff --git a/crypto/heimdal/kadmin/kadmind.8 b/crypto/heimdal/kadmin/kadmind.8
new file mode 100644
index 0000000..67d5c9b
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmind.8
@@ -0,0 +1,133 @@
+.Dd June  7, 2000
+.Dt KADMIND 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kadmind
+.Nd
+server for administrative access to kerberos database
+.Sh SYNOPSIS
+.Nm
+.Oo Fl c Ar file \*(Ba Xo
+.Fl -config-file= Ns Ar file Oc
+.Xc
+.Oo Fl k Ar file \*(Ba Xo
+.Fl -key-file= Ns Ar file Oc
+.Xc
+.Op Fl -keytab= Ns Ar keytab
+.Oo Fl r Ar realm \*(Ba Xo
+.Fl -realm= Ns Ar realm Oc
+.Xc
+.Op Fl d | Fl -debug
+.Oo Fl p Ar port \*(Ba Xo
+.Fl -ports= Ns Ar port Oc
+.Xc
+.Sh DESCRIPTION
+.Nm
+listens for requests for changes to the Kerberos database and performs
+these, subject to permissions.  When starting, if stdin is a socket it assumes that it has been started by 
+.Xr inetd 8 ,
+otherwise it behaves as a daemon, forking processes for each new
+connection. The 
+.Fl -debug
+option causes 
+.Nm
+to accept exactly one connection, which is useful for debugging. 
+
+If built with krb4 support, it implements both the Heimdal Kerberos 5
+administrative protocol and the Kerberos 4 protocol. Password changes
+via the Kerberos 4 protocol are also performed by
+.Nm kadmind ,
+but the
+.Xr kpasswdd 8 
+daemon is responsible for the Kerberos 5 password changing protocol
+(used by
+.Xr kpasswd 1 ).
+.Pp
+This daemon should only be run on ther master server, and not on any
+slaves.
+.Pp
+Principals are always allowed to change their own password and list
+their own principals.  Apart from that, doing any operation requires
+permission explicitly added in the ACL file
+.Pa /var/heimdal/kadmind.acl .
+The format of this file is:
+.Bd -ragged
+.Va principal
+.Va rights
+.Op Va principal-pattern
+.Ed
+.Pp
+Where rights is any combination of:
+.Bl -bullet
+.It
+change-password | cpw
+.It
+list
+.It
+delete
+.It
+modify
+.It
+add
+.It
+get
+.It
+all
+.El
+.Pp
+And the optional
+.Ar principal-pattern
+restricts the rights to principals that match the glob-style pattern.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar file Ns ,
+.Fl -config-file= Ns Ar file
+.Xc
+location of config file
+.It Xo
+.Fl k Ar file Ns ,
+.Fl -key-file= Ns Ar file
+.Xc
+location of master key file
+.It Xo
+.Fl -keytab= Ns Ar keytab
+.Xc
+what keytab to use
+.It Xo
+.Fl r Ar realm Ns ,
+.Fl -realm= Ns Ar realm
+.Xc
+realm to use
+.It Xo
+.Fl d Ns ,
+.Fl -debug
+.Xc
+enable debugging
+.It Xo
+.Fl p Ar port Ns ,
+.Fl -ports= Ns Ar port
+.Xc
+ports to listen to. By default, if run as a daemon, it listen to ports
+749, and 751 (if built with Kerberos 4 support), but you can add any
+number of ports with this option. The port string is a whitespace
+separated list of port specifications, with the special string 
+.Dq +
+representing the default set of ports.
+.El
+.\".Sh ENVIRONMENT
+.Sh FILES
+.Pa /var/heimdal/kadmind.acl
+.Sh EXAMPLES
+This will cause kadmind to listen to port 4711 in addition to any
+compiled in defaults:
+.Bd -literal -offset indent
+# kadmind --ports="+ 4711" &
+.Ed
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kdc 8 ,
+.Xr kadmin 1 ,
+.Xr kpasswdd 8 ,
+.Xr kpasswd 1
diff --git a/crypto/heimdal/kadmin/kadmind.c b/crypto/heimdal/kadmin/kadmind.c
index 4b4fb0d..7c1696b 100644
--- a/crypto/heimdal/kadmin/kadmind.c
+++ b/crypto/heimdal/kadmin/kadmind.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,15 +33,17 @@
 
 #include "kadmin_locl.h"
 
-RCSID("$Id: kadmind.c,v 1.16 1999/12/02 17:04:58 joda Exp $");
+RCSID("$Id: kadmind.c,v 1.24 2000/12/31 07:45:23 assar Exp $");
 
+static char *check_library  = NULL;
+static char *check_function = NULL;
 static char *config_file;
 static char *keyfile;
 static char *keytab_str = "HDB:";
 static int help_flag;
 static int version_flag;
 static int debug_flag;
-static int debug_port;
+static char *port_str;
 char *realm;
 
 static struct getargs args[] = {
@@ -60,11 +62,17 @@ static struct getargs args[] = {
     {	"realm",	'r',	arg_string,   &realm, 
 	"realm to use", "realm" 
     },
+#ifdef HAVE_DLOPEN
+    { "check-library", 0, arg_string, &check_library, 
+      "library to load password check function from", "library" },
+    { "check-function", 0, arg_string, &check_function,
+      "password check function to load", "function" },
+#endif
     {	"debug",	'd',	arg_flag,   &debug_flag, 
 	"enable debugging" 
     },
-    {	"debug-port",	'p',	arg_integer,&debug_port, 
-	"port to use with debug", "port" },
+    {	"ports",	'p',	arg_string, &port_str, 
+	"ports to listen to", "port" },
     {	"help",		'h',	arg_flag,   &help_flag },
     {	"version",	'v',	arg_flag,   &version_flag }
 };
@@ -80,9 +88,6 @@ usage(int ret)
     exit (ret);
 }
 
-krb5_error_code
-kadmind_loop (krb5_context, krb5_auth_context, krb5_keytab, int);
-
 int
 main(int argc, char **argv)
 {
@@ -95,7 +100,9 @@ main(int argc, char **argv)
 
     set_progname(argv[0]);
 
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
 
     ret = krb5_openlog(context, "kadmind", &logf);
     ret = krb5_set_warn_dest(context, logf);
@@ -132,16 +139,27 @@ main(int argc, char **argv)
     if(ret)
 	krb5_err(context, 1, ret, "krb5_kt_resolve");
 
+    kadm5_setup_passwd_quality_check (context, check_library, check_function);
+
     {
 	int fd = 0;
+	struct sockaddr sa;
+	socklen_t sa_size;
 	krb5_auth_context ac = NULL;
-	if(debug_flag){
-	    if(debug_port == 0)
+	int debug_port;
+	sa_size = sizeof(sa);
+	if(debug_flag) {
+	    if(port_str == NULL)
 		debug_port = krb5_getportbyname (context, "kerberos-adm", 
 						 "tcp", 749);
 	    else
-		debug_port = htons(debug_port);
+		debug_port = htons(atoi(port_str));
 	    mini_inetd(debug_port);
+	} else if(roken_getsockname(STDIN_FILENO, &sa, &sa_size) < 0 && 
+		   errno == ENOTSOCK) {
+	    parse_ports(context, port_str ? port_str : "+");
+	    pidfile(NULL);
+	    start_server(context);
 	}
 	if(realm)
 	    krb5_set_default_realm(context, realm); /* XXX */
diff --git a/crypto/heimdal/kadmin/load.c b/crypto/heimdal/kadmin/load.c
index 6a95887..c53a7ad 100644
--- a/crypto/heimdal/kadmin/load.c
+++ b/crypto/heimdal/kadmin/load.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "kadmin_locl.h"
 #include <kadm5/private.h>
 
-RCSID("$Id: load.c,v 1.36 2000/02/16 16:05:28 assar Exp $");
+RCSID("$Id: load.c,v 1.40 2001/01/04 15:59:26 assar Exp $");
 
 struct entry {
     char *principal;
@@ -324,6 +324,13 @@ doit(const char *filename, int merge)
 	krb5_warn(context, errno, "fopen(%s)", filename);
 	return 1;
     }
+    ret = kadm5_log_truncate (kadm_handle);
+    if (ret) {
+	fclose (f);
+	krb5_warn(context, ret, "kadm5_log_truncate");
+	return 1;
+    }
+
     if(!merge)
 	flags |= O_CREAT | O_TRUNC;
     ret = db->open(context, db, flags, 0600);
@@ -333,7 +340,9 @@ doit(const char *filename, int merge)
 	return 1;
     }
     line = 0;
-    while(fgets(s, sizeof(s), f)){
+    ret = 0;
+    while(fgets(s, sizeof(s), f) != NULL) {
+	ret = 0;
 	line++;
 	e.principal = s;
 	for(p = s; *p; p++){
@@ -454,32 +463,71 @@ doit(const char *filename, int merge)
 	}
 #endif
 
-	db->store(context, db, HDB_F_REPLACE, &ent);
+	ret = db->store(context, db, HDB_F_REPLACE, &ent);
 	hdb_free_entry (context, &ent);
+	if (ret) {
+	    krb5_warn(context, ret, "db_store");
+	    break;
+	}
     }
     db->close(context, db);
     fclose(f);
-    return 0;
+    return ret != 0;
+}
+
+
+static struct getargs args[] = {
+    { "help", 'h', arg_flag, NULL }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(const char *name)
+{
+    arg_printusage (args, num_args, name, "file");
 }
 
+
+
 int
 load(int argc, char **argv)
 {
-    if(argc < 2){
-	krb5_warnx(context, "Usage: load filename");
+    int optind = 0;
+    int help_flag = 0;
+
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ("load");
+	return 0;
+    }
+    if(argc - optind != 1 || help_flag) {
+	usage ("load");
 	return 0;
     }
-    doit(argv[1], 0);
+
+    doit(argv[optind], 0);
     return 0;
 }
 
 int
 merge(int argc, char **argv)
 {
-    if(argc < 2){
-	krb5_warnx(context, "Usage: merge filename");
+    int optind = 0;
+    int help_flag = 0;
+
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ("merge");
 	return 0;
     }
-    doit(argv[1], 1);
+    if(argc - optind != 1 || help_flag) {
+	usage ("merge");
+	return 0;
+    }
+
+    doit(argv[optind], 1);
     return 0;
 }
diff --git a/crypto/heimdal/kadmin/mod.c b/crypto/heimdal/kadmin/mod.c
index 48d00a6..1ea9c86 100644
--- a/crypto/heimdal/kadmin/mod.c
+++ b/crypto/heimdal/kadmin/mod.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadmin_locl.h"
 
-RCSID("$Id: mod.c,v 1.7 1999/12/02 17:04:58 joda Exp $");
+RCSID("$Id: mod.c,v 1.10 2000/07/11 14:34:56 joda Exp $");
 
 static int parse_args (krb5_context context, kadm5_principal_ent_t ent,
 		       int argc, char **argv, int *optind, char *name,
@@ -49,6 +49,7 @@ parse_args(krb5_context context, kadm5_principal_ent_t ent,
     char *max_rlife_str = NULL;
     char *expiration_str = NULL;
     char *pw_expiration_str = NULL;
+    int new_kvno = -1;
     int ret, i;
 
     struct getargs args[] = {
@@ -62,6 +63,8 @@ parse_args(krb5_context context, kadm5_principal_ent_t ent,
 	 NULL, "Expiration time", "time"},
 	{"pw-expiration-time",  0,	arg_string, 
 	 NULL, "Password expiration time", "time"},
+	{"kvno",  0,	arg_integer, 
+	 NULL, "Key version number", "number"},
     };
 
     i = 0;
@@ -70,6 +73,7 @@ parse_args(krb5_context context, kadm5_principal_ent_t ent,
     args[i++].value = &max_rlife_str;
     args[i++].value = &expiration_str;
     args[i++].value = &pw_expiration_str;
+    args[i++].value = &new_kvno;
 
     *optind = 0; /* XXX */
 
@@ -86,6 +90,11 @@ parse_args(krb5_context context, kadm5_principal_ent_t ent,
 		    expiration_str, pw_expiration_str, attr_str);
     if (ret)
 	return ret;
+
+    if(new_kvno != -1) {
+	ent->kvno = new_kvno;
+	*mask |= KADM5_KVNO;
+    }
     return 0;
 }
 
@@ -122,13 +131,12 @@ mod_entry(int argc, char **argv)
 				  KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
 				  KADM5_PRINC_EXPIRE_TIME |
 				  KADM5_PW_EXPIRATION);
+	krb5_free_principal (context, princ_ent);
 	if (ret) {
 	    printf ("no such principal: %s\n", argv[0]);
-	    krb5_free_principal (context, princ_ent);
 	    return 0;
 	}
 	edit_entry(&princ, &mask, NULL, 0);
-
     } else {
 	princ.principal = princ_ent;
     }
@@ -136,8 +144,6 @@ mod_entry(int argc, char **argv)
     ret = kadm5_modify_principal(kadm_handle, &princ, mask);
     if(ret)
 	krb5_warn(context, ret, "kadm5_modify_principal");
-    if(princ_ent)
-	krb5_free_principal(context, princ_ent);
     kadm5_free_principal_ent(kadm_handle, &princ);
     return 0;
 }
diff --git a/crypto/heimdal/kadmin/rename.c b/crypto/heimdal/kadmin/rename.c
index 4d8a48e..0ba2a58 100644
--- a/crypto/heimdal/kadmin/rename.c
+++ b/crypto/heimdal/kadmin/rename.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,18 +33,40 @@
 
 #include "kadmin_locl.h"
 
-RCSID("$Id: rename.c,v 1.2 1999/12/02 17:04:58 joda Exp $");
+RCSID("$Id: rename.c,v 1.3 2000/09/10 19:19:20 joda Exp $");
+
+static struct getargs args[] = {
+    { "help", 'h', arg_flag, NULL }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage (args, num_args, "rename", "from to");
+}
 
 int
 rename_entry(int argc, char **argv)
 {
+    int optind = 0;
+    int help_flag = 0;
+
     krb5_error_code ret;
     krb5_principal princ1, princ2;
 
-    if(argc != 3){
-	krb5_warnx(context, "rename source target");
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ();
 	return 0;
     }
+    if(argc - optind < 3 || help_flag) {
+	usage ();
+	return 0;
+    }
+
     ret = krb5_parse_name(context, argv[1], &princ1);
     if(ret){
 	krb5_warn(context, ret, "krb5_parse_name(%s)", argv[1]);
diff --git a/crypto/heimdal/kadmin/server.c b/crypto/heimdal/kadmin/server.c
index d491e46..add1dde 100644
--- a/crypto/heimdal/kadmin/server.c
+++ b/crypto/heimdal/kadmin/server.c
@@ -34,7 +34,7 @@
 #include "kadmin_locl.h"
 #include <krb5-private.h>
 
-RCSID("$Id: server.c,v 1.24 2000/01/02 03:58:45 assar Exp $");
+RCSID("$Id: server.c,v 1.32 2000/09/19 12:46:01 assar Exp $");
 
 static kadm5_ret_t
 kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
@@ -73,7 +73,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	}
 	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET, princ);
 	if(ret){
 	    krb5_free_principal(context->context, princ);
 	    goto fail;
@@ -96,7 +96,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    goto fail;
 	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE, princ);
 	if(ret){
 	    krb5_free_principal(context->context, princ);
 	    goto fail;
@@ -126,7 +126,8 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	krb5_unparse_name_fixed(context->context, ent.principal, 
 				name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD,
+					  ent.principal);
 	if(ret){
 	    kadm5_free_principal_ent(context->context, &ent);
 	    memset(password, 0, strlen(password));
@@ -156,7 +157,8 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	krb5_unparse_name_fixed(context->context, ent.principal, 
 				name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_MODIFY);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_MODIFY,
+					  ent.principal);
 	if(ret){
 	    kadm5_free_principal_ent(context, &ent);
 	    goto fail;
@@ -183,7 +185,11 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	krb5_warnx(context->context, "%s: %s %s -> %s", 
 		   client, op, name, name2);
 	ret = _kadm5_acl_check_permission(context, 
-					  KADM5_PRIV_ADD|KADM5_PRIV_DELETE);
+					  KADM5_PRIV_ADD,
+					  princ2)
+	    || _kadm5_acl_check_permission(context, 
+					   KADM5_PRIV_DELETE,
+					   princ);
 	if(ret){
 	    krb5_free_principal(context->context, princ);
 	    goto fail;
@@ -220,7 +226,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 				       princ))
 	    ret = 0;
 	else
-	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
 
 	if(ret) {
 	    krb5_free_principal(context->context, princ);
@@ -235,6 +241,77 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	krb5_store_int32(sp, ret);
 	break;
     }
+    case kadm_chpass_with_key:{
+	int i;
+	krb5_key_data *key_data;
+	int n_key_data;
+
+	op = "CHPASS_WITH_KEY";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_int32(sp, &n_key_data);
+	if (ret) {
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+
+	key_data = malloc (n_key_data * sizeof(*key_data));
+	if (key_data == NULL) {
+	    ret = ENOMEM;
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+
+	for (i = 0; i < n_key_data; ++i) {
+	    ret = kadm5_ret_key_data (sp, &key_data[i]);
+	    if (ret) {
+		int16_t dummy = i;
+
+		kadm5_free_key_data (context, &dummy, key_data);
+		free (key_data);
+		krb5_free_principal(context->context, princ);
+		goto fail;
+	    }
+	}
+
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+
+	/*
+	 * The change is allowed if at least one of:
+	 * a) it's for the principal him/herself and this was an initial ticket
+	 * b) the user is on the CPW ACL.
+	 */
+
+	if (initial
+	    && krb5_principal_compare (context->context, context->caller,
+				       princ))
+	    ret = 0;
+	else
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
+
+	if(ret) {
+	    int16_t dummy = n_key_data;
+
+	    kadm5_free_key_data (context, &dummy, key_data);
+	    free (key_data);
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_chpass_principal_with_key(kadm_handle, princ,
+					      n_key_data, key_data);
+	{
+	    int16_t dummy = n_key_data;
+	    kadm5_free_key_data (context, &dummy, key_data);
+	}
+	free (key_data);
+	krb5_free_principal(context->context, princ);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
     case kadm_randkey:{
 	op = "RANDKEY";
 	ret = krb5_ret_principal(sp, &princ);
@@ -253,7 +330,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 				       princ))
 	    ret = 0;
 	else
-	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
 
 	if(ret) {
 	    krb5_free_principal(context->context, princ);
@@ -296,7 +373,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	}else
 	    exp = NULL;
 	krb5_warnx(context->context, "%s: %s %s", client, op, exp ? exp : "*");
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_LIST);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_LIST, NULL);
 	if(ret){
 	    free(exp);
 	    goto fail;
@@ -342,52 +419,23 @@ v5_loop (krb5_context context,
 	 int fd)
 {
     krb5_error_code ret;
-    ssize_t n;
-    unsigned long len;
-    u_char tmp[4];
-    struct iovec iov[2];
-    krb5_data in, out, msg, reply;
+    krb5_data in, out;
 
     for (;;) {
-	n = krb5_net_read(context, &fd, tmp, 4);
-	if (n < 0)
-	    krb5_err (context, 1, errno, "krb5_net_read");
-	if (n == 0)
-	    exit (0);
-	_krb5_get_int (tmp, &len, 4);
-
-	ret = krb5_data_alloc(&in, len);
-	if (ret)
-	    krb5_err (context, 1, ret, "krb5_data_alloc");
-
-	n = krb5_net_read(context, &fd, in.data, in.length);
-	if (n == 0)
-	    exit (0);
-	if(n < 0)
-	    krb5_errx(context, 1, "read error: %d", errno);
-	ret = krb5_rd_priv(context, ac, &in, &out, NULL);
-	if (ret)
-	    krb5_err(context, 1, ret, "krb5_rd_priv");
+	doing_useful_work = 0;
+	if(term_flag)
+	    exit(0);
+	ret = krb5_read_priv_message(context, ac, &fd, &in);
+	if(ret == HEIM_ERR_EOF)
+	    exit(0);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_read_priv_message");
+	doing_useful_work = 1;
+	kadmind_dispatch(kadm_handle, initial, &in, &out);
 	krb5_data_free(&in);
-	kadmind_dispatch(kadm_handle, initial, &out, &msg);
-	krb5_data_free(&out);
-	ret = krb5_mk_priv(context, ac, &msg, &reply, NULL);
-	krb5_data_free(&msg);
-	if(ret) 
-	    krb5_err(context, 1, ret, "krb5_mk_priv");
-
-	_krb5_put_int(tmp, reply.length, 4);
-
-	iov[0].iov_base = tmp;
-	iov[0].iov_len  = 4;
-	iov[1].iov_base = reply.data;
-	iov[1].iov_len  = reply.length;
-	n = writev(fd, iov, 2);
-	krb5_data_free(&reply);
-	if(n < 0)
-	    krb5_err(context, 1, errno, "writev");
-	if(n < iov[0].iov_len + iov[1].iov_len)
-	    krb5_errx(context, 1, "short write");
+	ret = krb5_write_priv_message(context, ac, &fd, &out);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_write_priv_message");
     }
 }
 
@@ -411,7 +459,7 @@ handle_v5(krb5_context context,
     krb5_error_code ret;
     u_char version[sizeof(KRB5_SENDAUTH_VERSION)];
     krb5_ticket *ticket;
-    krb5_principal server;
+    char *server_name;
     char *client;
     void *kadm_handle;
     ssize_t n;
@@ -430,32 +478,33 @@ handle_v5(krb5_context context,
     if(memcmp(version, KRB5_SENDAUTH_VERSION, len) != 0)
 	krb5_errx(context, 1, "bad sendauth version %.8s", version);
 	
-    ret = krb5_parse_name(context, KADM5_ADMIN_SERVICE, &server);
-    if (ret)
-	krb5_err (context, 1, ret, "krb5_parse_name %s", KADM5_ADMIN_SERVICE);
     ret = krb5_recvauth_match_version(context, &ac, &fd, 
 				      match_appl_version, &kadm_version,
-				      server, KRB5_RECVAUTH_IGNORE_VERSION, 
+				      NULL, KRB5_RECVAUTH_IGNORE_VERSION, 
 				      keytab, &ticket);
-    if(ret == KRB5_KT_NOTFOUND) {
-	char *name;
-	krb5_unparse_name(context, server, &name);
-	krb5_errx(context, 1, "krb5_recvauth: %s (%s)", 
-		  krb5_get_err_text(context, ret),
-		  name);
-    }
-    krb5_free_principal(context, server);
-	    
+    if(ret == KRB5_KT_NOTFOUND)
+	krb5_errx(context, 1, "krb5_recvauth: key no found");
     if(ret)
 	krb5_err(context, 1, ret, "krb5_recvauth");
 
+    ret = krb5_unparse_name (context, ticket->server, &server_name);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_unparse_name");
+
+    if (strncmp (server_name, KADM5_ADMIN_SERVICE,
+		 strlen(KADM5_ADMIN_SERVICE)) != 0)
+	krb5_errx (context, 1, "ticket for strange principal (%s)",
+		   server_name);
+
+    free (server_name);
+
     memset(&realm_params, 0, sizeof(realm_params));
 
     if(kadm_version == 1) {
-	krb5_data enc_data, params;
-	ret = krb5_read_message(context, &fd, &enc_data);
-	ret = krb5_rd_priv(context, ac, &enc_data, &params, NULL);
-	krb5_data_free(&enc_data);
+	krb5_data params;
+	ret = krb5_read_priv_message(context, ac, &fd, &params);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_read_priv_message");
 	_kadm5_unmarshal_params(context, &params, &realm_params);
     }
 
@@ -490,12 +539,12 @@ kadmind_loop(krb5_context context,
     if(n == 0)
 	exit(0);
     if(n < 0)
-	krb5_errx(context, 1, "read error: %d", errno);
+	krb5_err(context, 1, errno, "read");
     _krb5_get_int(tmp, &len, 4);
     if(len > 0xffff && (len & 0xffff) == ('K' << 8) + 'A') {
 	len >>= 16;
 #ifdef KRB4
-	handle_v4(context, len, fd);
+	handle_v4(context, keytab, len, fd);
 #else
 	krb5_errx(context, 1, "packet appears to be version 4");
 #endif
diff --git a/crypto/heimdal/kadmin/util.c b/crypto/heimdal/kadmin/util.c
index f30c8c5..8d7abc3 100644
--- a/crypto/heimdal/kadmin/util.c
+++ b/crypto/heimdal/kadmin/util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "kadmin_locl.h"
 #include <parse_units.h>
 
-RCSID("$Id: util.c,v 1.23 1999/12/02 17:04:58 joda Exp $");
+RCSID("$Id: util.c,v 1.30 2001/01/11 23:07:29 assar Exp $");
 
 /*
  * util.c - functions for parsing, unparsing, and editing different
@@ -103,9 +103,7 @@ parse_attributes (const char *resp, krb5_flags *attr, int *mask, int bit)
 {
     krb5_flags tmp = *attr;
 
-    if (resp[0] == '\0')
-	return 0;
-    else if (str2attributes(resp, &tmp) == 0) {
+    if (str2attributes(resp, &tmp) == 0) {
 	*attr = tmp;
 	if (mask)
 	    *mask |= bit;
@@ -133,6 +131,8 @@ edit_attributes (const char *prompt, krb5_flags *attr, int *mask, int bit)
     attributes2str(*attr, buf, sizeof(buf));
     for (;;) {
 	get_response("Attributes", buf, resp, sizeof(resp));
+	if (resp[0] == '\0')
+	    break;
 	if (parse_attributes (resp, attr, mask, bit) == 0)
 	    break;
     }
@@ -168,15 +168,20 @@ time_t2str(time_t t, char *str, size_t len, int include_time)
  */
 
 int
-str2time_t (const char *str, time_t *time)
+str2time_t (const char *str, time_t *t)
 {
     const char *p;
-    struct tm tm;
+    struct tm tm, tm2;
 
     memset (&tm, 0, sizeof (tm));
 
     if(strcasecmp(str, "never") == 0) {
-	*time = 0;
+	*t = 0;
+	return 0;
+    }
+
+    if(strcasecmp(str, "now") == 0) {
+	*t = time(NULL);
 	return 0;
     }
 
@@ -186,13 +191,17 @@ str2time_t (const char *str, time_t *time)
 	return -1;
 
     /* Do it on the end of the day */
-    tm.tm_hour = 23;
-    tm.tm_min  = 59;
-    tm.tm_sec  = 59;
-
-    strptime (p, "%H:%M:%S", &tm);
+    tm2.tm_hour = 23;
+    tm2.tm_min  = 59;
+    tm2.tm_sec  = 59;
+
+    if(strptime (p, "%H:%M:%S", &tm2) != NULL) {
+	tm.tm_hour = tm2.tm_hour;
+	tm.tm_min  = tm2.tm_min;
+	tm.tm_sec  = tm2.tm_sec;
+    }
 
-    *time = tm2time (tm, 0);
+    *t = tm2time (tm, 0);
     return 0;
 }
 
@@ -252,10 +261,10 @@ edit_timet (const char *prompt, krb5_timestamp *value, int *mask, int bit)
 void
 deltat2str(unsigned t, char *str, size_t len)
 {
-    if(t)
-	unparse_time(t, str, len);
-    else
+    if(t == 0 || t == INT_MAX)
 	snprintf(str, len, "unlimited");
+    else
+	unparse_time(t, str, len);
 }
 
 /*
@@ -333,27 +342,37 @@ int
 edit_entry(kadm5_principal_ent_t ent, int *mask,
 	   kadm5_principal_ent_t default_ent, int default_mask)
 {
-    if (default_ent && (default_mask & KADM5_MAX_LIFE))
+    if (default_ent
+	&& (default_mask & KADM5_MAX_LIFE)
+	&& !(*mask & KADM5_MAX_LIFE))
 	ent->max_life = default_ent->max_life;
     edit_deltat ("Max ticket life", &ent->max_life, mask,
 		 KADM5_MAX_LIFE);
 
-    if (default_ent && (default_mask & KADM5_MAX_RLIFE))
+    if (default_ent
+	&& (default_mask & KADM5_MAX_RLIFE)
+	&& !(*mask & KADM5_MAX_RLIFE))
 	ent->max_renewable_life = default_ent->max_renewable_life;
     edit_deltat ("Max renewable life", &ent->max_renewable_life, mask,
 		 KADM5_MAX_RLIFE);
 
-    if (default_ent && (default_mask & KADM5_PRINC_EXPIRE_TIME))
+    if (default_ent
+	&& (default_mask & KADM5_PRINC_EXPIRE_TIME)
+	&& !(*mask & KADM5_PRINC_EXPIRE_TIME))
 	ent->princ_expire_time = default_ent->princ_expire_time;
     edit_timet ("Principal expiration time", &ent->princ_expire_time, mask,
 	       KADM5_PRINC_EXPIRE_TIME);
 
-    if (default_ent && (default_mask & KADM5_PW_EXPIRATION))
+    if (default_ent
+	&& (default_mask & KADM5_PW_EXPIRATION)
+	&& !(*mask & KADM5_PW_EXPIRATION))
 	ent->pw_expiration = default_ent->pw_expiration;
     edit_timet ("Password expiration time", &ent->pw_expiration, mask,
 	       KADM5_PW_EXPIRATION);
 
-    if (default_ent && (default_mask & KADM5_ATTRIBUTES))
+    if (default_ent
+	&& (default_mask & KADM5_ATTRIBUTES)
+	&& !(*mask & KADM5_ATTRIBUTES))
 	ent->attributes = default_ent->attributes & ~KRB5_KDB_DISALLOW_ALL_TIX;
     edit_attributes ("Attributes", &ent->attributes, mask,
 		     KADM5_ATTRIBUTES);
@@ -518,3 +537,66 @@ get_response(const char *prompt, const char *def, char *buf, size_t len)
 	strncpy(buf, def, len);
     buf[len-1] = 0;
 }
+
+/*
+ * return [0, 16) or -1
+ */
+
+static int
+hex2n (char c)
+{
+    static char hexdigits[] = "0123456789abcdef";
+    const char *p;
+
+    p = strchr (hexdigits, tolower((int)c));
+    if (p == NULL)
+	return -1;
+    else
+	return p - hexdigits;
+}
+
+/*
+ * convert a key in a readable format into a keyblock.
+ * return 0 iff succesful, otherwise `err' should point to an error message
+ */
+
+int
+parse_des_key (const char *key_string, krb5_key_data *key_data,
+	       const char **err)
+{
+    const char *p = key_string;
+    unsigned char bits[8];
+    int i;
+
+    if (strlen (key_string) != 16) {
+	*err = "bad length, should be 16 for DES key";
+	return 1;
+    }
+    for (i = 0; i < 8; ++i) {
+	int d1, d2;
+
+	d1 = hex2n(p[2 * i]);
+	d2 = hex2n(p[2 * i + 1]);
+	if (d1 < 0 || d2 < 0) {
+	    *err = "non-hex character";
+	    return 1;
+	}
+	bits[i] = (d1 << 4) | d2;
+    }
+    for (i = 0; i < 3; ++i) {
+	key_data[i].key_data_ver  = 2;
+	key_data[i].key_data_kvno = 0;
+	/* key */
+	key_data[i].key_data_type[0]     = ETYPE_DES_CBC_CRC;
+	key_data[i].key_data_length[0]   = 8;
+	key_data[i].key_data_contents[0] = malloc(8);
+	memcpy (key_data[i].key_data_contents[0], bits, 8);
+	/* salt */
+	key_data[i].key_data_type[1]     = KRB5_PW_SALT;
+	key_data[i].key_data_length[1]   = 0;
+	key_data[i].key_data_contents[1] = NULL;
+    }
+    key_data[0].key_data_type[0] = ETYPE_DES_CBC_MD5;
+    key_data[1].key_data_type[0] = ETYPE_DES_CBC_MD4;
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/version4.c b/crypto/heimdal/kadmin/version4.c
index 77ac029..e4ebce7 100644
--- a/crypto/heimdal/kadmin/version4.c
+++ b/crypto/heimdal/kadmin/version4.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -41,7 +41,7 @@
 #include <krb_err.h>
 #include <kadm_err.h>
 
-RCSID("$Id: version4.c,v 1.16 1999/11/25 22:32:47 assar Exp $");
+RCSID("$Id: version4.c,v 1.24 2001/01/29 08:40:45 assar Exp $");
 
 #define KADM_NO_OPCODE -1
 #define KADM_NO_ENCRYPT -2
@@ -196,7 +196,7 @@ flags_4_to_5(char *flags)
 	    case KADM_INST:
 		mask |= KADM5_PRINCIPAL;
 	    case KADM_EXPDATE:
-		mask |= KADM5_PW_EXPIRATION;
+		mask |= KADM5_PRINC_EXPIRE_TIME;
 	    case KADM_MAXLIFE:
 		mask |= KADM5_MAX_LIFE;
 #ifdef EXTENDED_KADM
@@ -221,6 +221,7 @@ ent_to_values(krb5_context context,
 {
     krb5_error_code ret;
     char realm[REALM_SZ];
+    time_t exp = 0;
 
     memset(vals, 0, sizeof(*vals));
     if(mask & KADM5_PRINCIPAL) {
@@ -229,16 +230,17 @@ ent_to_values(krb5_context context,
 	SET_FIELD(KADM_NAME, vals->fields);
 	SET_FIELD(KADM_INST, vals->fields);
     }
-    if(mask & KADM5_PW_EXPIRATION) {
-	time_t exp = 0;
+    if(mask & KADM5_PRINC_EXPIRE_TIME) {
 	if(ent->princ_expire_time != 0)
 	    exp = ent->princ_expire_time;
+    }
+    if(mask & KADM5_PW_EXPIRATION) {
 	if(ent->pw_expiration != 0 && (exp == 0 || exp > ent->pw_expiration))
 	    exp = ent->pw_expiration;
-	if(exp) {
-	    vals->exp_date = exp;
-	    SET_FIELD(KADM_EXPDATE, vals->fields);
-	}
+    }
+    if(exp) {
+	vals->exp_date = exp;
+	SET_FIELD(KADM_EXPDATE, vals->fields);
     }
     if(mask & KADM5_MAX_LIFE) {
 	if(ent->max_life == 0)
@@ -298,8 +300,8 @@ values_to_ent(krb5_context context,
 	*mask |= KADM5_PRINCIPAL;
     }
     if(IS_FIELD(KADM_EXPDATE, vals->fields)) {
-	ent->pw_expiration = vals->exp_date;
-	*mask |= KADM5_PW_EXPIRATION;
+	ent->princ_expire_time = vals->exp_date;
+	*mask |= KADM5_PRINC_EXPIRE_TIME;
     }
     if(IS_FIELD(KADM_MAXLIFE, vals->fields)) {
 	ent->max_life = krb_life_to_time(0, vals->max_life);
@@ -465,7 +467,7 @@ kadm_ser_cpw(krb5_context context,
     char *password = NULL;
     krb5_error_code ret;
     
-    krb5_warnx(context, "v4-compat %s: cpw %s",
+    krb5_warnx(context, "v4-compat %s: CHPASS %s",
 	       principal_string, principal_string); 
 
     ret = message->fetch(message, key + 4, 4);
@@ -515,7 +517,7 @@ kadm_ser_cpw(krb5_context context,
     }
     return 0;
 fail:
-    krb5_warn(context, ret, "v4-compat cpw");
+    krb5_warn(context, ret, "v4-compat CHPASS");
     return error_code(ret);
 }
 
@@ -540,10 +542,11 @@ kadm_ser_add(krb5_context context,
 	goto fail;
 
     krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
-    krb5_warnx(context, "v4-compat %s: add %s",
+    krb5_warnx(context, "v4-compat %s: ADD %s",
 	       principal_string, name);
 
-    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_ADD);
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_ADD,
+				       ent.principal);
     if (ret)
 	goto fail;
 
@@ -553,7 +556,7 @@ kadm_ser_add(krb5_context context,
 	goto fail;
     }
 
-    mask = KADM5_PRINCIPAL | KADM5_PW_EXPIRATION | KADM5_MAX_LIFE |
+    mask = KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_MAX_LIFE |
 	KADM5_KEY_DATA | KADM5_MOD_TIME | KADM5_MOD_NAME;
     
     kadm5_get_principal(kadm_handle, ent.principal, &out, mask);
@@ -563,7 +566,7 @@ kadm_ser_add(krb5_context context,
     store_vals(reply, &values);
     return 0;
 fail:
-    krb5_warn(context, ret, "v4-compat add");
+    krb5_warn(context, ret, "v4-compat ADD");
     return error_code(ret);
 }
 
@@ -594,10 +597,11 @@ kadm_ser_get(krb5_context context,
 	goto fail;
 
     krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
-    krb5_warnx(context, "v4-compat %s: get %s",
+    krb5_warnx(context, "v4-compat %s: GET %s",
 	       principal_string, name);
 
-    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_GET);
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_GET,
+				       ent.principal);
     if (ret)
 	goto fail;
 
@@ -616,7 +620,7 @@ kadm_ser_get(krb5_context context,
     store_vals(reply, &values);
     return 0;
 fail:
-    krb5_warn(context, ret, "v4-compat get");
+    krb5_warn(context, ret, "v4-compat GET");
     return error_code(ret);
 }
 
@@ -644,10 +648,11 @@ kadm_ser_mod(krb5_context context,
 	goto fail;
 
     krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
-    krb5_warnx(context, "v4-compat %s: mod %s",
+    krb5_warnx(context, "v4-compat %s: MOD %s",
 	       principal_string, name);
 
-    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_MODIFY);
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_MODIFY,
+				       ent.principal);
     if (ret)
 	goto fail;
 
@@ -673,7 +678,7 @@ kadm_ser_mod(krb5_context context,
     store_vals(reply, &values1);
     return 0;
 fail:
-    krb5_warn(context, ret, "v4-compat mod");
+    krb5_warn(context, ret, "v4-compat MOD");
     return error_code(ret);
 }
 
@@ -698,10 +703,11 @@ kadm_ser_del(krb5_context context,
 	goto fail;
     
     krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
-    krb5_warnx(context, "v4-compat %s: del %s",
+    krb5_warnx(context, "v4-compat %s: DEL %s",
 	       principal_string, name);
 
-    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_DELETE);
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_DELETE,
+				       ent.principal);
     if (ret)
 	goto fail;
 
@@ -714,7 +720,7 @@ kadm_ser_del(krb5_context context,
 
     return 0;
 fail:
-    krb5_warn(context, ret, "v4-compat add");
+    krb5_warn(context, ret, "v4-compat ADD");
     return error_code(ret);
 }
 
@@ -785,6 +791,7 @@ dispatch(krb5_context context,
 
 static void
 decode_packet(krb5_context context,
+	      krb5_keytab keytab,
 	      struct sockaddr_in *admin_addr,
 	      struct sockaddr_in *client_addr,
 	      krb5_data message,
@@ -803,6 +810,7 @@ decode_packet(krb5_context context,
     void *kadm_handle;
     krb5_principal client;
     char *client_str;
+    krb5_keytab_entry entry;
     
     if(message.length < KADM_VERSIZE
        || strncmp(msg, KADM_VERSTR, KADM_VERSIZE) != 0) {
@@ -828,13 +836,16 @@ decode_packet(krb5_context context,
 	    make_you_loose_packet (KADM_NOMEM, reply);
 	    return;
 	}
-	ret = krb5_kt_read_service_key(context, 
-				       "HDB:",
-				       principal,
-				       0,
-/*				       ETYPE_DES_CBC_CRC,*/
-				       ETYPE_DES_CBC_MD5,
-				       &key);
+	ret = krb5_kt_get_entry (context, keytab, principal, 0,
+				 ETYPE_DES_CBC_MD5, &entry);
+	krb5_kt_close (context, keytab);
+	if (ret) {
+	    krb5_free_principal(context, principal);
+	    make_you_loose_packet (KADM_NO_AUTH, reply);
+	    return;
+	}
+	ret = krb5_copy_keyblock (context, &entry.keyblock,& key);
+	krb5_kt_free_entry(context, &entry);
 	krb5_free_principal(context, principal);
 	if(ret) {
 	    if(ret == KRB5_KT_NOTFOUND)
@@ -862,8 +873,14 @@ decode_packet(krb5_context context,
 	return;
     }
 
-    krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm,
-			    &client);
+    ret = krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm,
+				  &client);
+    if (ret) {
+	krb5_warnx (context, "krb5_425_conv_principal: %d", ret);
+	make_you_loose_packet (KADM_NOMEM, reply);
+	return;
+    }
+
     krb5_unparse_name(context, client, &client_str);
 
     ret = kadm5_init_with_password_ctx(context, 
@@ -878,8 +895,7 @@ decode_packet(krb5_context context,
 	goto out;
     }
     
-    checksum = des_quad_cksum((des_cblock*)(msg + off), NULL, rlen, 
-			      0, &ad.session);
+    checksum = des_quad_cksum((void *)(msg + off), NULL, rlen, 0, &ad.session);
     if(checksum != ad.checksum) {
 	krb5_warnx(context, "decode_packet: bad checksum");
 	make_you_loose_packet (KADM_BAD_CHK, reply);
@@ -919,12 +935,13 @@ out:
 
 void
 handle_v4(krb5_context context,
+	  krb5_keytab keytab,
 	  int len,
 	  int fd)
 {
     int first = 1;
     struct sockaddr_in admin_addr, client_addr;
-    int addr_len;
+    socklen_t addr_len;
     krb5_data message, reply;
     ssize_t n;
 
@@ -936,6 +953,9 @@ handle_v4(krb5_context context,
 	krb5_errx (context, 1, "getpeername");
 
     while(1) {
+	doing_useful_work = 0;
+	if(term_flag)
+	    exit(0);
 	if(first) {
 	    /* first time around, we have already read len, and two
                bytes of the version string */
@@ -966,7 +986,8 @@ handle_v4(krb5_context context,
 	    if (n < 0)
 		krb5_err (context, 1, errno, "krb5_net_read");
 	}
-	decode_packet(context, &admin_addr, &client_addr, 
+	doing_useful_work = 1;
+	decode_packet(context, keytab, &admin_addr, &client_addr, 
 		      message, &reply);
 	krb5_data_free(&message);
 	{
diff --git a/crypto/heimdal/kdc/524.c b/crypto/heimdal/kdc/524.c
index fb188de..df70988 100644
--- a/crypto/heimdal/kdc/524.c
+++ b/crypto/heimdal/kdc/524.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,17 +33,158 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: 524.c,v 1.10 1999/12/02 17:04:58 joda Exp $");
+RCSID("$Id: 524.c,v 1.19 2001/01/30 01:44:07 assar Exp $");
 
 #ifdef KRB4
 
+/*
+ * fetch the server from `t', returning the name in malloced memory in
+ * `spn' and the entry itself in `server'
+ */
+
+static krb5_error_code
+fetch_server (const Ticket *t,
+	      char **spn,
+	      hdb_entry **server,
+	      const char *from)
+{
+    krb5_error_code ret;
+    krb5_principal sprinc;
+
+    ret = principalname2krb5_principal(&sprinc, t->sname, t->realm);
+    if (ret) {
+	kdc_log(0, "principalname2krb5_principal: %s",
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
+    ret = krb5_unparse_name(context, sprinc, spn);
+    if (ret) {
+	krb5_free_principal(context, sprinc);
+	kdc_log(0, "krb5_unparse_name: %s", krb5_get_err_text(context, ret));
+	return ret;
+    }
+    ret = db_fetch(sprinc, server);
+    krb5_free_principal(context, sprinc);
+    if (ret) {
+	kdc_log(0,
+	"Request to convert ticket from %s for unknown principal %s: %s",
+		from, *spn, krb5_get_err_text(context, ret));
+	if (ret == ENOENT)
+	    ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+	return ret;
+    }
+    return 0;
+}
+
+static krb5_error_code
+log_524 (const EncTicketPart *et,
+	 const char *from,
+	 const char *spn)
+{
+    krb5_principal client;
+    char *cpn;
+    krb5_error_code ret;
+
+    ret = principalname2krb5_principal(&client, et->cname, et->crealm);
+    if (ret) {
+	kdc_log(0, "principalname2krb5_principal: %s",
+		krb5_get_err_text (context, ret));
+	return ret;
+    }
+    ret = krb5_unparse_name(context, client, &cpn);
+    if (ret) {
+	krb5_free_principal(context, client);
+	kdc_log(0, "krb5_unparse_name: %s",
+		krb5_get_err_text (context, ret));
+	return ret;
+    }
+    kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn);
+    free(cpn);
+    krb5_free_principal(context, client);
+    return 0;
+}
+
+static krb5_error_code
+verify_flags (const EncTicketPart *et,
+	      const char *spn)
+{
+    if(et->endtime < kdc_time){
+	kdc_log(0, "Ticket expired (%s)", spn);
+	return KRB5KRB_AP_ERR_TKT_EXPIRED;
+    }
+    if(et->flags.invalid){
+	kdc_log(0, "Ticket not valid (%s)", spn);
+	return KRB5KRB_AP_ERR_TKT_NYV;
+    }
+    return 0;
+}
+
+/*
+ * set the `et->caddr' to the most appropriate address to use, where
+ * `addr' is the address the request was received from.
+ */
+
+static krb5_error_code
+set_address (EncTicketPart *et,
+	     struct sockaddr *addr,
+	     const char *from)
+{
+    krb5_error_code ret;
+    krb5_address *v4_addr;
+
+    v4_addr = malloc (sizeof(*v4_addr));
+    if (v4_addr == NULL)
+	return ENOMEM;
+
+    ret = krb5_sockaddr2address(addr, v4_addr);
+    if(ret) {
+	free (v4_addr);
+	kdc_log(0, "Failed to convert address (%s)", from);
+	return ret;
+    }
+	    
+    if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) {
+	kdc_log(0, "Incorrect network address (%s)", from);
+	krb5_free_address(context, v4_addr);
+	free (v4_addr);
+	return KRB5KRB_AP_ERR_BADADDR;
+    }
+    if(v4_addr->addr_type == KRB5_ADDRESS_INET) {
+	/* we need to collapse the addresses in the ticket to a
+	   single address; best guess is to use the address the
+	   connection came from */
+	
+	if (et->caddr != NULL) {
+	    free_HostAddresses(et->caddr);
+	} else {
+	    et->caddr = malloc (sizeof (*et->caddr));
+	    if (et->caddr == NULL) {
+		krb5_free_address(context, v4_addr);
+		free(v4_addr);
+		return ENOMEM;
+	    }
+	}
+	et->caddr->val = v4_addr;
+	et->caddr->len = 1;
+    } else {
+	krb5_free_address(context, v4_addr);
+	free(v4_addr);
+    }
+    return 0;
+}
+
+/*
+ * process a 5->4 request, based on `t', and received `from, addr',
+ * returning the reply in `reply'
+ */
+
 krb5_error_code
-do_524(Ticket *t, krb5_data *reply, const char *from, struct sockaddr *addr)
+do_524(const Ticket *t, krb5_data *reply,
+       const char *from, struct sockaddr *addr)
 {
     krb5_error_code ret = 0;
-    krb5_principal sprinc = NULL;
     krb5_crypto crypto;
-    hdb_entry *server;
+    hdb_entry *server = NULL;
     Key *skey;
     krb5_data et_data;
     EncTicketPart et;
@@ -53,21 +194,28 @@ do_524(Ticket *t, krb5_data *reply, const char *from, struct sockaddr *addr)
     unsigned char buf[MAX_KTXT_LEN + 4 * 4];
     size_t len;
     
-    principalname2krb5_principal(&sprinc, t->sname, t->realm);
-    krb5_unparse_name(context, sprinc, &spn);
-    server = db_fetch(sprinc);
-    if(server == NULL){
-	kdc_log(0, "Request to convert ticket from %s for unknown principal %s",
-		from, spn);
+    if(!enable_524) {
+	ret = KRB5KDC_ERR_POLICY;
+	kdc_log(0, "Rejected ticket conversion request from %s", from);
 	goto out;
     }
+
+    ret = fetch_server (t, &spn, &server, from);
+    if (ret) {
+	goto out;
+    }
+
     ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey);
     if(ret){
-	kdc_log(0, "No suitable key found for server (%s) "
-		"when converting ticket from ", spn, from);
+	kdc_log(0, "No suitable key found for server (%s) from %s", spn, from);
+	goto out;
+    }
+    ret = krb5_crypto_init(context, &skey->key, 0, &crypto);
+    if (ret) {
+	kdc_log(0, "krb5_crypto_init failed: %s",
+		krb5_get_err_text(context, ret));
 	goto out;
     }
-    krb5_crypto_init(context, &skey->key, 0, &crypto);
     ret = krb5_decrypt_EncryptedData (context,
 				      crypto,
 				      KRB5_KU_TICKET,
@@ -85,66 +233,32 @@ do_524(Ticket *t, krb5_data *reply, const char *from, struct sockaddr *addr)
 	kdc_log(0, "Failed to decode ticket from %s for %s", from, spn);
 	goto out;
     }
-    {
-	krb5_principal client;
-	char *cpn;
-	principalname2krb5_principal(&client, et.cname, et.crealm);
-	krb5_unparse_name(context, client, &cpn);
-	kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn);
-	free(cpn);
-	krb5_free_principal(context, client);
-    }
 
-    if(et.endtime < kdc_time){
-	kdc_log(0, "Ticket expired (%s)", spn);
+    ret = log_524 (&et, from, spn);
+    if (ret) {
 	free_EncTicketPart(&et);
-	ret = KRB5KRB_AP_ERR_TKT_EXPIRED;
 	goto out;
     }
-    if(et.flags.invalid){
-	kdc_log(0, "Ticket not valid (%s)", spn);
+
+    ret = verify_flags (&et, spn);
+    if (ret) {
 	free_EncTicketPart(&et);
-	ret = KRB5KRB_AP_ERR_TKT_NYV;
 	goto out;
     }
-    {
-	krb5_addresses *save_caddr, new_addr;
-	krb5_address v4_addr;
 
-	ret = krb5_sockaddr2address(addr, &v4_addr);
-	if(ret) {
-	    kdc_log(0, "Failed to convert address (%s)", spn);
-	    free_EncTicketPart(&et);
-	    goto out;
-	}
-	    
-	if (et.caddr && !krb5_address_search (context, &v4_addr, et.caddr)) {
-	    kdc_log(0, "Incorrect network address (%s)", spn);
-	    free_EncTicketPart(&et);
-	    krb5_free_address(context, &v4_addr);
-	    ret = KRB5KRB_AP_ERR_BADADDR;
-	    goto out;
-	}
-	if(v4_addr.addr_type == KRB5_ADDRESS_INET) {
-	    /* we need to collapse the addresses in the ticket to a
-	       single address; best guess is to use the address the
-	       connection came from */
-	    save_caddr = et.caddr;
-	    new_addr.len = 1;
-	    new_addr.val = &v4_addr;
-	    et.caddr = &new_addr;
-	}
-	ret  = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
-				&et, &t->sname, &len);
-	if(v4_addr.addr_type == KRB5_ADDRESS_INET)
-	    et.caddr = save_caddr;
+    ret = set_address (&et, addr, from);
+    if (ret) {
+	free_EncTicketPart(&et);
+	goto out;
     }
+    ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
+			   &et, &t->sname, &len);
     free_EncTicketPart(&et);
     if(ret){
 	kdc_log(0, "Failed to encode v4 ticket (%s)", spn);
 	goto out;
     }
-    ret = get_des_key(server, &skey);
+    ret = get_des_key(server, FALSE, &skey);
     if(ret){
 	kdc_log(0, "No DES key for server (%s)", spn);
 	goto out;
@@ -173,11 +287,9 @@ out:
     
     if(spn)
 	free(spn);
-    if(sprinc)
-	krb5_free_principal(context, sprinc);
-    hdb_free_entry(context, server);
-    free(server);
+    if(server)
+	free_ent (server);
     return ret;
 }
 
-#endif
+#endif /* KRB4 */
diff --git a/crypto/heimdal/kdc/Makefile.am b/crypto/heimdal/kdc/Makefile.am
index 3e3df20..674ec4d 100644
--- a/crypto/heimdal/kdc/Makefile.am
+++ b/crypto/heimdal/kdc/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.33 1999/05/13 23:32:35 assar Exp $
+# $Id: Makefile.am,v 1.41 2000/11/15 22:51:12 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4)
+INCLUDES += $(INCLUDE_krb4) -I$(srcdir)/../lib/krb5
 
 bin_PROGRAMS = string2key
 
@@ -10,10 +10,10 @@ sbin_PROGRAMS = kstash
 
 libexec_PROGRAMS = hprop hpropd kdc
 
-man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8
+man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8
 
-hprop_SOURCES = hprop.c hprop-common.c hprop.h kadb.h 
-hpropd_SOURCES = hpropd.c hprop-common.c hprop.h
+hprop_SOURCES = hprop.c mit_dump.c v4_dump.c hprop.h kadb.h 
+hpropd_SOURCES = hpropd.c hprop.h
 
 kstash_SOURCES = kstash.c headers.h
 
@@ -36,27 +36,32 @@ kdc_SOURCES = \
 
 hprop_LDADD = \
 	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_kdb) $(LIB_krb4) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB) 
 
 hpropd_LDADD = \
 	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_kdb) $(LIB_krb4) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB) 
 
 LDADD = $(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_krb4) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB)
 
+kdc_LDADD = $(LDADD) $(LIB_pidfile)
+
diff --git a/crypto/heimdal/kdc/Makefile.in b/crypto/heimdal/kdc/Makefile.in
index 6ba90e1..d5c394d 100644
--- a/crypto/heimdal/kdc/Makefile.in
+++ b/crypto/heimdal/kdc/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.33 1999/05/13 23:32:35 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.41 2000/11/15 22:51:12 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -I$(srcdir)/../lib/krb5
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,24 +170,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
@@ -179,26 +193,64 @@ sbin_PROGRAMS = kstash
 
 libexec_PROGRAMS = hprop hpropd kdc
 
-man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8
+man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8
 
-hprop_SOURCES = hprop.c hprop-common.c hprop.h kadb.h 
-hpropd_SOURCES = hpropd.c hprop-common.c hprop.h
+hprop_SOURCES = hprop.c mit_dump.c v4_dump.c hprop.h kadb.h 
+hpropd_SOURCES = hpropd.c hprop.h
 
 kstash_SOURCES = kstash.c headers.h
 
 string2key_SOURCES = string2key.c headers.h
 
-kdc_SOURCES =  	524.c			config.c		connect.c		kaserver.c		kdc_locl.h		kerberos4.c		kerberos4.h		kerberos5.c		log.c			main.c			misc.c			rx.h
-
-
-hprop_LDADD =  	$(top_builddir)/lib/hdb/libhdb.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_kdb) $(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken) 	$(DBLIB) 
-
-
-hpropd_LDADD =  	$(top_builddir)/lib/hdb/libhdb.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_kdb) $(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken) 	$(DBLIB) 
-
-
-LDADD = $(top_builddir)/lib/hdb/libhdb.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken) 	$(DBLIB)
-
+kdc_SOURCES = \
+	524.c		\
+	config.c	\
+	connect.c	\
+	kaserver.c	\
+	kdc_locl.h	\
+	kerberos4.c	\
+	kerberos4.h	\
+	kerberos5.c	\
+	log.c		\
+	main.c		\
+	misc.c		\
+	rx.h
+
+
+hprop_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_kdb) $(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB) 
+
+
+hpropd_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_kdb) $(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB) 
+
+
+LDADD = $(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB)
+
+
+kdc_LDADD = $(LDADD) $(LIB_pidfile)
+subdir = kdc
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -211,61 +263,61 @@ PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS) $(sbin_PROGRAMS)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-string2key_OBJECTS =  string2key.$(OBJEXT)
-string2key_LDADD = $(LDADD)
-string2key_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
-$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
-$(top_builddir)/lib/asn1/libasn1.la
-string2key_LDFLAGS = 
-hprop_OBJECTS =  hprop.$(OBJEXT) hprop-common.$(OBJEXT)
+am_hprop_OBJECTS =  hprop.$(OBJEXT) mit_dump.$(OBJEXT) v4_dump.$(OBJEXT)
+hprop_OBJECTS =  $(am_hprop_OBJECTS)
 hprop_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
-$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
-$(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
 hprop_LDFLAGS = 
-hpropd_OBJECTS =  hpropd.$(OBJEXT) hprop-common.$(OBJEXT)
+am_hpropd_OBJECTS =  hpropd.$(OBJEXT)
+hpropd_OBJECTS =  $(am_hpropd_OBJECTS)
 hpropd_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
-$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
-$(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
 hpropd_LDFLAGS = 
-kdc_OBJECTS =  524.$(OBJEXT) config.$(OBJEXT) connect.$(OBJEXT) \
+am_kdc_OBJECTS =  524.$(OBJEXT) config.$(OBJEXT) connect.$(OBJEXT) \
 kaserver.$(OBJEXT) kerberos4.$(OBJEXT) kerberos5.$(OBJEXT) \
 log.$(OBJEXT) main.$(OBJEXT) misc.$(OBJEXT)
-kdc_LDADD = $(LDADD)
+kdc_OBJECTS =  $(am_kdc_OBJECTS)
 kdc_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
-$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
-$(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
 kdc_LDFLAGS = 
-kstash_OBJECTS =  kstash.$(OBJEXT)
+am_kstash_OBJECTS =  kstash.$(OBJEXT)
+kstash_OBJECTS =  $(am_kstash_OBJECTS)
 kstash_LDADD = $(LDADD)
 kstash_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
-$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
-$(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
 kstash_LDFLAGS = 
-CFLAGS = @CFLAGS@
+am_string2key_OBJECTS =  string2key.$(OBJEXT)
+string2key_OBJECTS =  $(am_string2key_OBJECTS)
+string2key_LDADD = $(LDADD)
+string2key_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+string2key_LDFLAGS = 
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) \
+$(kstash_SOURCES) $(string2key_SOURCES)
 man8dir = $(mandir)/man8
 MANS = $(man_MANS)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
-SOURCES = $(string2key_SOURCES) $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) $(kstash_SOURCES)
-OBJECTS = $(string2key_OBJECTS) $(hprop_OBJECTS) $(hpropd_OBJECTS) $(kdc_OBJECTS) $(kstash_OBJECTS)
+SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) $(kstash_SOURCES) $(string2key_SOURCES)
+OBJECTS = $(am_hprop_OBJECTS) $(am_hpropd_OBJECTS) $(am_kdc_OBJECTS) $(am_kstash_OBJECTS) $(am_string2key_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign kdc/Makefile
 
@@ -288,15 +340,18 @@ install-binPROGRAMS: $(bin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(bindir)
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-binPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
 	done
 
 mostlyclean-libexecPROGRAMS:
@@ -313,15 +368,18 @@ install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-libexecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
 	done
 
 mostlyclean-sbinPROGRAMS:
@@ -338,31 +396,20 @@ install-sbinPROGRAMS: $(sbin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(sbindir)
 	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-sbinPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(sbin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \
+	  rm -f $(DESTDIR)$(sbindir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -374,15 +421,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -393,10 +431,6 @@ distclean-libtool:
 
 maintainer-clean-libtool:
 
-string2key$(EXEEXT): $(string2key_OBJECTS) $(string2key_DEPENDENCIES)
-	@rm -f string2key$(EXEEXT)
-	$(LINK) $(string2key_LDFLAGS) $(string2key_OBJECTS) $(string2key_LDADD) $(LIBS)
-
 hprop$(EXEEXT): $(hprop_OBJECTS) $(hprop_DEPENDENCIES)
 	@rm -f hprop$(EXEEXT)
 	$(LINK) $(hprop_LDFLAGS) $(hprop_OBJECTS) $(hprop_LDADD) $(LIBS)
@@ -413,6 +447,16 @@ kstash$(EXEEXT): $(kstash_OBJECTS) $(kstash_DEPENDENCIES)
 	@rm -f kstash$(EXEEXT)
 	$(LINK) $(kstash_LDFLAGS) $(kstash_OBJECTS) $(kstash_LDADD) $(LIBS)
 
+string2key$(EXEEXT): $(string2key_OBJECTS) $(string2key_DEPENDENCIES)
+	@rm -f string2key$(EXEEXT)
+	$(LINK) $(string2key_LDFLAGS) $(string2key_OBJECTS) $(string2key_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
 install-man8:
 	$(mkinstalldirs) $(DESTDIR)$(man8dir)
 	@list='$(man8_MANS)'; \
@@ -426,6 +470,7 @@ install-man8:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
@@ -441,6 +486,7 @@ uninstall-man8:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
@@ -454,23 +500,27 @@ uninstall-man:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -483,17 +533,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = kdc
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -524,7 +573,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
 		$(DESTDIR)$(sbindir) $(DESTDIR)$(mandir)/man8
@@ -539,6 +588,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
 		mostlyclean-sbinPROGRAMS mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
@@ -585,7 +635,7 @@ distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -595,7 +645,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -607,8 +660,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -677,87 +730,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/kdc/config.c b/crypto/heimdal/kdc/config.c
index 3db7173..0621db1 100644
--- a/crypto/heimdal/kdc/config.c
+++ b/crypto/heimdal/kdc/config.c
@@ -35,7 +35,7 @@
 #include <getarg.h>
 #include <parse_bytes.h>
 
-RCSID("$Id: config.c,v 1.30 2000/02/11 17:47:19 assar Exp $");
+RCSID("$Id: config.c,v 1.33 2000/09/10 19:27:17 joda Exp $");
 
 static char *config_file;	/* location of kdc config file */
 
@@ -58,12 +58,15 @@ krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
 
 krb5_boolean check_ticket_addresses;
 krb5_boolean allow_null_ticket_addresses;
+krb5_boolean allow_anonymous;
 
 static struct getarg_strings addresses_str;	/* addresses to listen on */
 krb5_addresses explicit_addresses;
 
 #ifdef KRB4
 char *v4_realm;
+int enable_v4 = -1;
+int enable_524 = -1;
 #endif
 #ifdef KASERVER
 krb5_boolean enable_kaserver = -1;
@@ -93,6 +96,12 @@ static struct getargs args[] = {
 #endif
     { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
 #ifdef KRB4
+    {	"kerberos4",	0, 	arg_negative_flag, &enable_v4,
+	"don't respond to kerberos 4 requests" 
+    },
+    {	"524",		0, 	arg_negative_flag, &enable_524,
+	"don't respond to 524 requests" 
+    },
     { 
 	"v4-realm",	'r',	arg_string, &v4_realm, 
 	"realm to serve v4-requests for"
@@ -239,7 +248,7 @@ configure(int argc, char **argv)
 	usage(1);
     
     if(config_file == NULL)
-	config_file = HDB_DB_DIR "/kdc.conf";
+	config_file = _PATH_KDC_CONF;
     
     if(krb5_config_parse_file(config_file, &cf))
 	cf = NULL;
@@ -288,6 +297,15 @@ configure(int argc, char **argv)
 	}
     }
 
+#ifdef KRB4
+    if(enable_v4 == -1)
+	enable_v4 = krb5_config_get_bool_default(context, cf, TRUE, "kdc", 
+					 "enable-kerberos4", NULL);
+    if(enable_524 == -1)
+	enable_524 = krb5_config_get_bool_default(context, cf, enable_v4, 
+						  "kdc", "enable-524", NULL);
+#endif
+
     if(enable_http == -1)
 	enable_http = krb5_config_get_bool(context, cf, "kdc", 
 					   "enable-http", NULL);
@@ -297,6 +315,10 @@ configure(int argc, char **argv)
     allow_null_ticket_addresses = 
 	krb5_config_get_bool(context, cf, "kdc", 
 			     "allow-null-ticket-addresses", NULL);
+
+    allow_anonymous = 
+	krb5_config_get_bool(context, cf, "kdc", 
+			     "allow-anonymous", NULL);
 #ifdef KRB4
     if(v4_realm == NULL){
 	p = krb5_config_get_string (context, cf, 
diff --git a/crypto/heimdal/kdc/connect.c b/crypto/heimdal/kdc/connect.c
index 0ce23b5..4533cea 100644
--- a/crypto/heimdal/kdc/connect.c
+++ b/crypto/heimdal/kdc/connect.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: connect.c,v 1.70 2000/02/19 18:41:24 assar Exp $");
+RCSID("$Id: connect.c,v 1.80 2000/10/08 21:36:29 assar Exp $");
 
 /*
  * a tuple describing on what to listen
@@ -129,10 +129,18 @@ add_standard_ports (int family)
     add_port_service(family, "kerberos", 88, "tcp");
     add_port_service(family, "kerberos-sec", 88, "udp");
     add_port_service(family, "kerberos-sec", 88, "tcp");
-    add_port_service(family, "kerberos-iv", 750, "udp");
-    add_port_service(family, "kerberos-iv", 750, "tcp");
     if(enable_http)
 	add_port_service(family, "http", 80, "tcp");
+#ifdef KRB4
+    if(enable_v4) {
+	add_port_service(family, "kerberos-iv", 750, "udp");
+	add_port_service(family, "kerberos-iv", 750, "tcp");
+    }
+    if(enable_524) {
+	add_port_service(family, "krb524", 4444, "udp");
+	add_port_service(family, "krb524", 4444, "tcp");
+    }
+#endif
 #ifdef KASERVER
     if (enable_kaserver)
 	add_port_service(family, "afs3-kaserver", 7004, "udp");
@@ -195,10 +203,31 @@ struct descr {
     time_t timeout;
     struct sockaddr_storage __ss;
     struct sockaddr *sa;
-    int sock_len;
+    socklen_t sock_len;
     char addr_string[128];
 };
 
+static void
+init_descr(struct descr *d)
+{
+    memset(d, 0, sizeof(*d));
+    d->sa = (struct sockaddr *)&d->__ss;
+    d->s = -1;
+}
+
+/*
+ * re-intialize all `n' ->sa in `d'.
+ */
+
+static void
+reinit_descrs (struct descr *d, int n)
+{
+    int i;
+
+    for (i = 0; i < n; ++i)
+	d[i].sa = (struct sockaddr *)&d[i].__ss;
+}
+
 /*
  * Create the socket (family, type, port) in `d'
  */
@@ -211,9 +240,7 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
     struct sockaddr *sa = (struct sockaddr *)&__ss;
     int sa_size;
 
-    memset(d, 0, sizeof(*d));
-    d->sa = (struct sockaddr *)&d->__ss;
-    d->s = -1;
+    init_descr (d);
 
     ret = krb5_addr2sockaddr (a, sa, &sa_size, port);
     if (ret) {
@@ -286,7 +313,8 @@ init_sockets(struct descr **desc)
     parse_ports(port_str);
     d = malloc(addresses.len * num_ports * sizeof(*d));
     if (d == NULL)
-	krb5_errx(context, 1, "malloc(%u) failed", num_ports * sizeof(*d));
+	krb5_errx(context, 1, "malloc(%lu) failed",
+		  (unsigned long)num_ports * sizeof(*d));
 
     for (i = 0; i < num_ports; i++){
 	for (j = 0; j < addresses.len; ++j) {
@@ -311,7 +339,9 @@ init_sockets(struct descr **desc)
     krb5_free_addresses (context, &addresses);
     d = realloc(d, num * sizeof(*d));
     if (d == NULL && num != 0)
-	krb5_errx(context, 1, "realloc(%u) failed", num * sizeof(*d));
+	krb5_errx(context, 1, "realloc(%lu) failed",
+		  (unsigned long)num * sizeof(*d));
+    reinit_descrs (d, num);
     *desc = d;
     return num;
 }
@@ -482,30 +512,35 @@ de_http(char *buf)
 #define TCP_TIMEOUT 4
 
 /*
- * accept a new TCP connection on `d[index]'
+ * accept a new TCP connection on `d[parent]' and store it in `d[child]'
  */
 
 static void
-add_new_tcp (struct descr *d, int index, int min_free)
+add_new_tcp (struct descr *d, int parent, int child)
 {
     int s;
 
-    d->sock_len = sizeof(d->__ss);
-    s = accept(d[index].s, d->sa, &d->sock_len);
+    if (child == -1)
+	return;
+
+    d[child].sock_len = sizeof(d[child].__ss);
+    s = accept(d[parent].s, d[child].sa, &d[child].sock_len);
     if(s < 0) {
 	krb5_warn(context, errno, "accept");
 	return;
     }
-    if(min_free == -1){
-	close(s);
+	    
+    if (s >= FD_SETSIZE) {
+	krb5_warnx(context, "socket FD too large");
+	close (s);
 	return;
     }
-	    
-    d[min_free].s = s;
-    d[min_free].timeout = time(NULL) + TCP_TIMEOUT;
-    d[min_free].type = SOCK_STREAM;
-    addr_to_string (d[min_free].sa, d[min_free].sock_len,
-		    d[min_free].addr_string, sizeof(d[min_free].addr_string));
+
+    d[child].s = s;
+    d[child].timeout = time(NULL) + TCP_TIMEOUT;
+    d[child].type = SOCK_STREAM;
+    addr_to_string (d[child].sa, d[child].sock_len,
+		    d[child].addr_string, sizeof(d[child].addr_string));
 }
 
 /*
@@ -556,7 +591,7 @@ handle_vanilla_tcp (struct descr *d)
     krb5_ret_int32(sp, &len);
     krb5_storage_free(sp);
     if(d->len - 4 >= len) {
-	memcpy(d->buf, d->buf + 4, d->len - 4);
+	memmove(d->buf, d->buf + 4, d->len - 4);
 	return 1;
     }
     return 0;
@@ -709,8 +744,9 @@ loop(void)
 	int min_free = -1;
 	int max_fd = 0;
 	int i;
+
 	FD_ZERO(&fds);
-	for(i = 0; i < ndescr; i++){
+	for(i = 0; i < ndescr; i++) {
 	    if(d[i].s >= 0){
 		if(d[i].type == SOCK_STREAM && 
 		   d[i].timeout && d[i].timeout < time(NULL)) {
@@ -721,8 +757,10 @@ loop(void)
 		}
 		if(max_fd < d[i].s)
 		    max_fd = d[i].s;
+		if (max_fd >= FD_SETSIZE)
+		    krb5_errx(context, 1, "fd too large");
 		FD_SET(d[i].s, &fds);
-	    }else if(min_free < 0 || i < min_free)
+	    } else if(min_free < 0 || i < min_free)
 		min_free = i;
 	}
 	if(min_free == -1){
@@ -730,11 +768,12 @@ loop(void)
 	    tmp = realloc(d, (ndescr + 4) * sizeof(*d));
 	    if(tmp == NULL)
 		krb5_warnx(context, "No memory");
-	    else{
+	    else {
 		d = tmp;
+		reinit_descrs (d, ndescr);
 		memset(d + ndescr, 0, 4 * sizeof(*d));
 		for(i = ndescr; i < ndescr + 4; i++)
-		    d[i].s = -1;
+		    init_descr (&d[i]);
 		min_free = ndescr;
 		ndescr += 4;
 	    }
diff --git a/crypto/heimdal/kdc/hprop.8 b/crypto/heimdal/kdc/hprop.8
index d700577..441b14d 100644
--- a/crypto/heimdal/kdc/hprop.8
+++ b/crypto/heimdal/kdc/hprop.8
@@ -1,6 +1,6 @@
-.\" $Id: hprop.8,v 1.3 1997/09/03 20:33:04 joda Exp $
+.\" $Id: hprop.8,v 1.8 2001/01/30 04:18:41 assar Exp $
 .\"
-.Dd September 3, 1997
+.Dd June 19, 2000
 .Dt HPROP 8
 .Os HEIMDAL
 .Sh NAME
@@ -9,58 +9,159 @@
 propagate the KDC database
 .Sh SYNOPSIS
 .Nm
-.Op Fl 4DEhnv
-.Op Fl d Ar file
-.Op Fl -database= Ns Ar file
-.Op Fl -decrypt
-.Op Fl -encrypt
-.Op Fl -help
-.Op Fl k
-.Op Fl -keytab= Ns Ar file
-.Op Fl m Ar file
-.Op Fl -master-key= Ns Ar file
-.Op Fl -stdout
-.Op Fl -v4-db
-.Op Fl -verbose
+.Oo Fl m Ar file \*(Ba Xo
+.Fl -master-key= Ns Pa file Oc
+.Xc
+.Oo Fl d Ar file \*(Ba Xo
+.Fl -database= Ns Pa file Oc
+.Xc
+.Op Fl -source= Ns Ar heimdal|mit-dump|krb4-db|krb4-dump
+.Op Fl 4 | Fl -v4-db
+.Op Fl K | Fl -ka-db
+.Oo Fl c Ar cell \*(Ba Xo
+.Fl -cell= Ns Ar cell Oc
+.Xc
+.Op Fl S | Fl -kaspecials
+.Oo Fl r Ar string \*(Ba Xo
+.Fl -v4-realm= Ns Ar string Oc
+.Xc
+.Oo Fl k Ar keytab \*(Ba Xo
+.Fl -keytab= Ns Ar keytab Oc
+.Xc
+.Oo Fl R Ar string \*(Ba Xo
+.Fl -v5-realm= Ns Ar string Oc
+.Xc
+.Op Fl D | Fl -decrypt
+.Op Fl E | Fl -encrypt
+.Op Fl n | Fl -stdout
+.Op Fl v | Fl -verbose
 .Op Fl -version
-.Ar host ...
+.Op Fl h | Fl -help
+.Ar host Ns Op :port
+...
 .Sh DESCRIPTION
 .Nm
-propagates the database from a master KDC to a slave. It connects to
-all
+takes a principal database in a specified format and converts it into
+a stream of Heimdal database records. This stream can either be
+written to standard out, or (more commonly) be propagated to a
+.Xr hpropd 8
+server running on a different machine.
+.Pp
+If propagating, it connects to all
 .Ar hosts
 specified on the command by opening a TCP connection to port 754
 (service hprop) and sends the database in encrypted form.
 .Pp
-Options supported:
+Supported options:
 .Bl -tag -width Ds
-.It Fl d Ar file
-.It Fl -database= Ns Ar file
+.It Xo
+.Fl m Ar file Ns ,
+.Fl -master-key= Ns Pa file
+.Xc
+Where to find the master key to encrypt or decrypt keys with.
+.It Xo
+.Fl d Ar file Ns ,
+.Fl -database= Ns Pa file
+.Xc
 The database to be propagated.
-.It Fl D
-.It Fl -decrypt
+.It Xo
+.Fl -source= Ns Ar heimdal|mit-dump|krb4-db|krb4-dump
+.Xc
+Specifies the type of the source database. Alternatives include: 
+.Bl -tag -width krb4-dump
+.It heimdal
+a Heimdal database
+.It mit-dump
+a MIT Kerberos 5 dump file
+.It krb4-db
+a Kerberos 4 database
+.It krb4-dump
+a Kerberos 4 dump file
+.It kaserver
+a Transarc kaserver database
+.El
+.It Xo
+.Fl k Ar keytab Ns ,
+.Fl -keytab= Ns Ar keytab
+.Xc
+The keytab to use for fetching the key to be used for authenticating
+to the propagation daemon(s). The key
+.Pa kadmin/hprop
+is used from this keytab.  The default is to fetch the key from the
+KDC database.
+.It Xo
+.Fl R Ar string Ns ,
+.Fl -v5-realm= Ns Ar string
+.Xc
+Local realm override.
+.It Xo
+.Fl D Ns ,
+.Fl -decrypt
+.Xc
 The encryption keys in the database can either be in clear, or
 encrypted with a master key. This option thansmits the database with
 unencrypted keys.
-.It Fl E
-.It Fl -encrypt
+.It Xo
+.Fl E Ns ,
+.Fl -encrypt
+.Xc
 This option thansmits the database with encrypted keys.
-.It Fl k
-.It Fl -keytab= Ns Ar file
-The keytab to use for fetching the key to be used for authenticating
-to the propagation daemon(s). The key
-.Pa kadmin/hprop
-is used from this keytab.
-.It Fl m Ar file
-.It Fl -master-key= Ns Ar file
-Where to find the master key to encrypt or decrypt keys with.
-.It Fl n
-.It Fl -stdout
+.It Xo
+.Fl n Ns ,
+.Fl -stdout
+.Xc
 Dump the database on stdout, in a format that can be fed to hpropd.
-.It Fl 4
-.It Fl -v4-db
-Use a version 4 database. This option is only available if the code is
-compiled with Kerberos 4 support.
 .El
+
+The following options are only valid if
+.Nm hprop
+is compiled with support for Kerberos 4 (kaserver).
+.Bl -tag -width Ds
+.It Xo
+.Fl r Ar string Ns ,
+.Fl -v4-realm= Ns Ar string
+.Xc
+v4 realm to use
+.It Xo
+.Fl c Ar cell Ns ,
+.Fl -cell= Ns Ar cell
+.Xc
+The AFS cell name, used if reading a kaserver database.
+.It Xo
+.Fl S Ns ,
+.Fl -kaspecials
+.Xc
+Also dump the principals marked as special in the kaserver database.
+.It Xo
+.Fl 4 Ns ,
+.Fl -v4-db
+.Xc
+Deprecated, identical to 
+.Sq --source=krb4-db .
+.It Xo
+.Fl K Ns ,
+.Fl -ka-db
+.Xc
+Deprecated, identical to 
+.Sq --source=kaserver .
+.El
+
+.Sh EXAMPLES
+The following will propagate a database to another machine (which
+should run
+.Xr hpropd 8):
+.Bd -literal -offset indent
+$ hprop slave-1 slave-2
+.Ed
+
+Copy a Kerberos 4 database to a Kerberos 5 slave:
+.Bd -literal -offset indent
+$ hprop --source=krb4-db -E krb5-slave
+.Ed
+
+Convert a Kerberos 4 dump-file for use with a Heimdal KDC:
+.Bd -literal -offset indent
+$ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump -E | hpropd -n
+.Ed
 .Sh SEE ALSO
 .Xr hpropd 8
diff --git a/crypto/heimdal/kdc/hprop.c b/crypto/heimdal/kdc/hprop.c
index 3be6a6f..8ce9f10 100644
--- a/crypto/heimdal/kdc/hprop.c
+++ b/crypto/heimdal/kdc/hprop.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "hprop.h"
 
-RCSID("$Id: hprop.c,v 1.40 1999/12/04 18:02:18 assar Exp $");
+RCSID("$Id: hprop.c,v 1.60 2001/02/05 03:40:00 assar Exp $");
 
 static int version_flag;
 static int help_flag;
@@ -44,38 +44,40 @@ static int to_stdout;
 static int verbose_flag;
 static int encrypt_flag;
 static int decrypt_flag;
-static EncryptionKey mkey5;
-static krb5_data msched5;
+static hdb_master_key mkey5;
+
+static char *source_type;
 
-static int v4_db;
-static int ka_db;
 static char *afs_cell;
+static char *realm;
 
 #ifdef KRB4
-static char *realm;
+static int v4_db;
+
+static des_cblock mkey4;
+static des_key_schedule msched4;
 
 #ifdef KASERVER_DB
 static int kaspecials_flag;
+static int ka_db;
+static int ka_use_null_salt;
 #endif
 #endif
 
+static char *local_realm=NULL;
+
 static int
-open_socket(krb5_context context, const char *hostname)
+open_socket(krb5_context context, const char *hostname, const char *port)
 {
     struct addrinfo *ai, *a;
     struct addrinfo hints;
     int error;
-    char portstr[NI_MAXSERV];
 
     memset (&hints, 0, sizeof(hints));
     hints.ai_socktype = SOCK_STREAM;
     hints.ai_protocol = IPPROTO_TCP;
 
-    snprintf (portstr, sizeof(portstr),
-	      "%u",
-	      ntohs(krb5_getportbyname (context, "hprop", "tcp", HPROP_PORT)));
-
-    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    error = getaddrinfo (hostname, port, &hints, &ai);
     if (error) {
 	warnx ("%s: %s", hostname, gai_strerror(error));
 	return -1;
@@ -100,44 +102,117 @@ open_socket(krb5_context context, const char *hostname)
     return -1;
 }
 
-struct prop_data{
-    krb5_context context;
-    krb5_auth_context auth_context;
-    int sock;
-};
-
-int hdb_entry2value(krb5_context, hdb_entry*, krb5_data*);
-
-static krb5_error_code
+krb5_error_code
 v5_prop(krb5_context context, HDB *db, hdb_entry *entry, void *appdata)
 {
     krb5_error_code ret;
     struct prop_data *pd = appdata;
     krb5_data data;
 
-    if(encrypt_flag)
-	_hdb_seal_keys_int(entry, 0, msched5);
-    if(decrypt_flag)
-	_hdb_unseal_keys_int(entry, 0, msched5);
+    if(encrypt_flag) {
+	ret = hdb_seal_keys_mkey(context, entry, mkey5);
+	if (ret) {
+	    krb5_warn(context, ret, "hdb_seal_keys_mkey");
+	    return ret;
+	}
+    }
+    if(decrypt_flag) {
+	ret = hdb_unseal_keys_mkey(context, entry, mkey5);
+	if (ret) {
+	    krb5_warn(context, ret, "hdb_unseal_keys_mkey");
+	    return ret;
+	}
+    }	
 
     ret = hdb_entry2value(context, entry, &data);
-    if(ret) return ret;
+    if(ret) {
+	krb5_warn(context, ret, "hdb_entry2value");
+	return ret;
+    }
 
     if(to_stdout)
-	ret = send_clear(context, STDOUT_FILENO, data);
+	ret = krb5_write_message(context, &pd->sock, &data);
     else
-	ret = send_priv(context, pd->auth_context, &data, pd->sock);
+	ret = krb5_write_priv_message(context, pd->auth_context, 
+				      &pd->sock, &data);
     krb5_data_free(&data);
     return ret;
 }
 
 #ifdef KRB4
-static des_cblock mkey4;
-static des_key_schedule msched4;
+
 static char realm_buf[REALM_SZ];
 
 static int
-v4_prop(void *arg, Principal *p)
+kdb_prop(void *arg, Principal *p)
+{
+    int ret;
+    struct v4_principal pr;
+
+    memset(&pr, 0, sizeof(pr));
+
+    if(p->attributes != 0) {
+	warnx("%s.%s has non-zero attributes - skipping", 
+	      p->name, p->instance);
+	    return 0;
+    }
+    strlcpy(pr.name, p->name, sizeof(pr.name));
+    strlcpy(pr.instance, p->instance, sizeof(pr.instance));
+
+    copy_to_key(&p->key_low, &p->key_high, pr.key);
+    kdb_encrypt_key(&pr.key, &pr.key, &mkey4, msched4, DES_DECRYPT);
+    pr.exp_date = p->exp_date;
+    pr.mod_date = p->mod_date;
+    strlcpy(pr.mod_name, p->mod_name, sizeof(pr.mod_name));
+    strlcpy(pr.mod_instance, p->mod_instance, sizeof(pr.mod_instance));
+    pr.max_life = p->max_life;
+    pr.mkvno = -1; /* p->kdc_key_ver; */
+    pr.kvno = p->key_version;
+    
+    ret = v4_prop(arg, &pr);
+    memset(&pr, 0, sizeof(pr));
+    return ret;
+}
+
+#endif /* KRB4 */
+
+#ifndef KRB4
+static time_t
+krb_life_to_time(time_t start, int life)
+{
+    static int lifetimes[] = {
+	  38400,   41055,   43894,   46929,   50174,   53643,   57352,   61318,
+	  65558,   70091,   74937,   80119,   85658,   91581,   97914,  104684,
+	 111922,  119661,  127935,  136781,  146239,  156350,  167161,  178720,
+	 191077,  204289,  218415,  233517,  249664,  266926,  285383,  305116,
+	 326213,  348769,  372885,  398668,  426234,  455705,  487215,  520904,
+	 556921,  595430,  636601,  680618,  727680,  777995,  831789,  889303,
+	 950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247,
+	1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000
+    };
+
+#if 0
+    int i;
+    double q = exp((log(2592000.0) - log(38400.0)) / 63);
+    double x = 38400;
+    for(i = 0; i < 64; i++) {
+	lifetimes[i] = (int)x;
+	x *= q;
+    }
+#endif
+
+    if(life == 0xff)
+	return NEVERDATE;
+    if(life < 0x80)
+	return start + life * 5 * 60;
+    if(life > 0xbf)
+	life = 0xbf;
+    return start + lifetimes[life - 0x80];
+}
+#endif /* !KRB4 */
+
+int
+v4_prop(void *arg, struct v4_principal *p)
 {
     struct prop_data *pd = arg;
     hdb_entry ent;
@@ -161,46 +236,47 @@ v4_prop(void *arg, Principal *p)
 	free(s);
     }
 
-    ent.kvno = p->key_version;
+    ent.kvno = p->kvno;
     ent.keys.len = 3;
     ent.keys.val = malloc(ent.keys.len * sizeof(*ent.keys.val));
-    ent.keys.val[0].mkvno = NULL;
+    if(p->mkvno != -1) {
+	ent.keys.val[0].mkvno = malloc (sizeof(*ent.keys.val[0].mkvno));
 #if 0
-    ent.keys.val[0].mkvno = malloc (sizeof(*ent.keys.val[0].mkvno));
-    *(ent.keys.val[0].mkvno) = p->kdc_key_ver; /* XXX */
+	*(ent.keys.val[0].mkvno) = p->mkvno; /* XXX */
+#else
+	*(ent.keys.val[0].mkvno) = 0;
 #endif
+    } else
+	ent.keys.val[0].mkvno = NULL;
     ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt));
-    ent.keys.val[0].salt->type = pa_pw_salt;
+    ent.keys.val[0].salt->type = KRB5_PADATA_PW_SALT;
     ent.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
     krb5_data_alloc(&ent.keys.val[0].key.keyvalue, sizeof(des_cblock));
-    
-    {
-	unsigned char *key = ent.keys.val[0].key.keyvalue.data;
-	unsigned char null_key[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-	memcpy(key, &p->key_low, 4);
-	memcpy(key + 4, &p->key_high, 4);
-	kdb_encrypt_key((des_cblock*)key, (des_cblock*)key,
-			&mkey4, msched4, DES_DECRYPT);
-	if(memcmp(key, null_key, sizeof(null_key)) == 0) {
-	    free_Key(&ent.keys.val[0]);
-	    ent.keys.val = 0;
-	    ent.flags.invalid = 1;
-	}
-    }
+    memcpy(ent.keys.val[0].key.keyvalue.data, p->key, 8);
+
     copy_Key(&ent.keys.val[0], &ent.keys.val[1]);
     ent.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
     copy_Key(&ent.keys.val[0], &ent.keys.val[2]);
     ent.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
 
-    ALLOC(ent.max_life);
-    *ent.max_life = krb_life_to_time(0, p->max_life);
-    if(*ent.max_life == NEVERDATE){
-	free(ent.max_life);
-	ent.max_life = NULL;
+    {
+	int life = krb_life_to_time(0, p->max_life);
+	if(life == NEVERDATE){
+	    ent.max_life = NULL;
+	} else {
+	    /* clean up lifetime a bit */
+	    if(life > 86400)
+		life = (life + 86399) / 86400 * 86400;
+	    else if(life > 3600)
+		life = (life + 3599) / 3600 * 3600;
+	    ALLOC(ent.max_life);
+	    *ent.max_life = life;
+	}
     }
 
-    ALLOC(ent.pw_end);
-    *ent.pw_end = p->exp_date;
+    ALLOC(ent.valid_end);
+    *ent.valid_end = p->exp_date;
+
     ret = krb5_make_principal(pd->context, &ent.created_by.principal,
 			      realm,
 			      "kadmin",
@@ -253,11 +329,12 @@ v4_prop(void *arg, Principal *p)
 	    ret = v5_prop (pd->context, NULL, &ent, pd);
     }
 
-out:
+  out:
     hdb_free_entry(pd->context, &ent);
     return ret;
 }
 
+#ifdef KRB4
 #ifdef KASERVER_DB
 
 #include "kadb.h"
@@ -301,9 +378,15 @@ ka_convert(struct prop_data *pd, int fd, struct ka_entry *ent,
     hdb.keys.val = malloc(hdb.keys.len * sizeof(*hdb.keys.val));
     hdb.keys.val[0].mkvno = NULL;
     hdb.keys.val[0].salt = calloc(1, sizeof(*hdb.keys.val[0].salt));
-    hdb.keys.val[0].salt->type = hdb_afs3_salt;
-    hdb.keys.val[0].salt->salt.data = strdup(cell);
-    hdb.keys.val[0].salt->salt.length = strlen(cell);
+    if (ka_use_null_salt) {
+	hdb.keys.val[0].salt->type = hdb_pw_salt;
+	hdb.keys.val[0].salt->salt.data = NULL;
+	hdb.keys.val[0].salt->salt.length = 0;
+    } else {
+	hdb.keys.val[0].salt->type = hdb_afs3_salt;
+	hdb.keys.val[0].salt->salt.data = strdup(cell);
+	hdb.keys.val[0].salt->salt.length = strlen(cell);
+    }
     
     hdb.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
     krb5_data_copy(&hdb.keys.val[0].key.keyvalue, ent->key, sizeof(ent->key));
@@ -315,11 +398,19 @@ ka_convert(struct prop_data *pd, int fd, struct ka_entry *ent,
     ALLOC(hdb.max_life);
     *hdb.max_life = ntohl(ent->max_life);
 
-    if(ntohl(ent->pw_end) != NEVERDATE && ntohl(ent->pw_end) != -1){
-	ALLOC(hdb.pw_end);
-	*hdb.pw_end = ntohl(ent->pw_end);
+    if(ntohl(ent->valid_end) != NEVERDATE && ntohl(ent->valid_end) != -1){
+	ALLOC(hdb.valid_end);
+	*hdb.valid_end = ntohl(ent->valid_end);
     }
     
+    if (ntohl(ent->pw_change) != NEVERDATE && 
+	ent->pw_expire != 255 &&
+	ent->pw_expire != 0) {
+	ALLOC(hdb.pw_end);
+	*hdb.pw_end = ntohl(ent->pw_change)
+	    + 24 * 60 * 60 * ent->pw_expire;
+    }
+
     ret = krb5_make_principal(pd->context, &hdb.created_by.principal,
 			      realm,
 			      "kadmin",
@@ -390,19 +481,30 @@ ka_dump(struct prop_data *pd, const char *file, const char *cell)
 
 struct getargs args[] = {
     { "master-key", 'm', arg_string, &mkeyfile, "v5 master key file", "file" },
+    { "database", 'd',	arg_string, &database, "database", "file" },
+    { "source",   0,	arg_string, &source_type, "type of database to read", 
+      "heimdal"
+      "|mit-dump"
+      "|krb4-dump"
 #ifdef KRB4
+      "|krb4-db"
+#ifdef KASERVER_DB
+      "|kaserver"
 #endif
-    { "database", 'd',	arg_string, &database, "database", "file" },
+#endif
+    },
+      
 #ifdef KRB4
-    { "v4-db",    '4',	arg_flag, &v4_db, "use version 4 database" },
-    { "v4-realm", 'r',  arg_string, &realm, "v4 realm to use" },
+    { "v4-db",    '4',	arg_flag, &v4_db },
 #endif
+    { "v4-realm", 'r',  arg_string, &realm, "v4 realm to use" },
 #ifdef KASERVER_DB
-    { "ka-db",	  'K',  arg_flag, &ka_db, "use kaserver database" },
+    { "ka-db",	  'K',  arg_flag, &ka_db },
     { "cell",	  'c',  arg_string, &afs_cell, "name of AFS cell" },
     { "kaspecials", 'S', arg_flag,   &kaspecials_flag, "dump KASPECIAL keys"},
 #endif
     { "keytab",   'k',	arg_string, &ktname, "keytab to use for authentication", "keytab" },
+    { "v5-realm", 'R',  arg_string, &local_realm, "v5 realm to use" },
     { "decrypt",  'D',  arg_flag,   &decrypt_flag,   "decrypt keys" },
     { "encrypt",  'E',  arg_flag,   &encrypt_flag,   "encrypt keys" },
     { "stdout",	  'n',  arg_flag,   &to_stdout, "dump to stdout" },
@@ -430,6 +532,9 @@ get_creds(krb5_context context, krb5_ccache *cache)
     krb5_preauthtype preauth = KRB5_PADATA_ENC_TIMESTAMP;
     krb5_creds creds;
     
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret) krb5_err(context, 1, ret, "krb5_kt_register");
+
     ret = krb5_kt_resolve(context, ktname, &keytab);
     if(ret) krb5_err(context, 1, ret, "krb5_kt_resolve");
     
@@ -456,53 +561,109 @@ get_creds(krb5_context context, krb5_ccache *cache)
     if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
 }
 
+enum hprop_source {
+    HPROP_HEIMDAL = 1,
+    HPROP_KRB4_DB,
+    HPROP_KRB4_DUMP,
+    HPROP_KASERVER,
+    HPROP_MIT_DUMP
+};
+
+#define IS_TYPE_V4(X) ((X) == HPROP_KRB4_DB || (X) == HPROP_KRB4_DUMP || (X) == HPROP_KASERVER)
+
+struct {
+    int type;
+    const char *name;
+} types[] = {
+    { HPROP_HEIMDAL,	"heimdal" },
+    { HPROP_KRB4_DUMP,	"krb4-dump" },
+#ifdef KRB4
+    { HPROP_KRB4_DB,	"krb4-db" },
+#ifdef KASERVER_DB
+    { HPROP_KASERVER, 	"kaserver" },
+#endif
+#endif
+    { HPROP_MIT_DUMP,	"mit-dump" }
+};
+
+static int
+parse_source_type(const char *s)
+{
+    int i;
+    for(i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
+	if(strstr(types[i].name, s) == types[i].name)
+	    return types[i].type;
+    }
+    return 0;
+}
+
 static void
 iterate (krb5_context context,
 	 const char *database,
 	 const char *afs_cell,
 	 HDB *db,
-	 int v4_db, int ka_db,
+	 int type,
 	 struct prop_data *pd)
 {
+    int ret;
+
+    switch(type) {
+    case HPROP_KRB4_DUMP:
+	ret = v4_prop_dump(pd, database);
+	break;
 #ifdef KRB4
-    if(v4_db) {
-	int e = kerb_db_iterate ((k_iter_proc_t)v4_prop, pd);
-	if(e)
+    case HPROP_KRB4_DB:
+	ret = kerb_db_iterate ((k_iter_proc_t)kdb_prop, pd);
+	if(ret)
 	    krb5_errx(context, 1, "kerb_db_iterate: %s", 
-		      krb_get_err_text(e));
+		      krb_get_err_text(ret));
+	break;
 #ifdef KASERVER_DB
-    } else if(ka_db) {
-	int e = ka_dump(pd, database, afs_cell);
-	if(e)
-	    krb5_errx(context, 1, "ka_dump: %s", krb_get_err_text(e));
-#endif
-    } else
+    case HPROP_KASERVER:
+	ret = ka_dump(pd, database, afs_cell);
+	if(ret)
+	    krb5_errx(context, 1, "ka_dump: %s", krb_get_err_text(ret));
+	break;
 #endif
-    {
-	krb5_error_code ret = hdb_foreach(context, db, HDB_F_DECRYPT,
-					  v5_prop, pd);
+#endif /* KRB4 */
+    case HPROP_MIT_DUMP:
+	ret = mit_prop_dump(pd, database);
+	if (ret)
+	    krb5_errx(context, 1, "mit_prop_dump: %s",
+		      krb5_get_err_text(context, ret));
+	break;
+    case HPROP_HEIMDAL:
+	ret = hdb_foreach(context, db, HDB_F_DECRYPT, v5_prop, pd);
 	if(ret)
 	    krb5_err(context, 1, ret, "hdb_foreach");
+	break;
     }
 }
 
 static int
-dump_database (krb5_context context, int v4_db, int ka_db,
+dump_database (krb5_context context, int type,
 	       const char *database, const char *afs_cell,
 	       HDB *db)
 {
+    krb5_error_code ret;
     struct prop_data pd;
+    krb5_data data;
 
     pd.context      = context;
     pd.auth_context = NULL;
     pd.sock         = STDOUT_FILENO;
 	
-    iterate (context, database, afs_cell, db, v4_db, ka_db, &pd);
+    iterate (context, database, afs_cell, db, type, &pd);
+    krb5_data_zero (&data);
+    ret = krb5_write_message (context, &pd.sock, &data);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_write_message");
+
     return 0;
 }
 
 static int
-propagate_database (krb5_context context, int v4_db, int ka_db,
+propagate_database (krb5_context context, int type,
 		    const char *database, const char *afs_cell,
 		    HDB *db, krb5_ccache ccache,
 		    int optind, int argc, char **argv)
@@ -517,7 +678,18 @@ propagate_database (krb5_context context, int v4_db, int ka_db,
 	struct prop_data pd;
 	krb5_data data;
 
-	fd = open_socket(context, argv[i]);
+	char *port, portstr[NI_MAXSERV];
+	
+	port = strchr(argv[i], ':');
+	if(port == NULL) {
+	    snprintf(portstr, sizeof(portstr), "%u", 
+		     ntohs(krb5_getportbyname (context, "hprop", "tcp", 
+					       HPROP_PORT)));
+	    port = portstr;
+	} else
+	    *port++ = '\0';
+
+	fd = open_socket(context, argv[i], port);
 	if(fd < 0) {
 	    krb5_warn (context, errno, "connect %s", argv[i]);
 	    continue;
@@ -530,6 +702,13 @@ propagate_database (krb5_context context, int v4_db, int ka_db,
 	    close(fd);
 	    continue;
 	}
+
+        if (local_realm) {
+            krb5_realm my_realm;
+            krb5_get_default_realm(context,&my_realm);
+
+            krb5_princ_set_realm(context,server,&my_realm);
+        }
     
 	auth_context = NULL;
 	ret = krb5_sendauth(context,
@@ -556,18 +735,16 @@ propagate_database (krb5_context context, int v4_db, int ka_db,
 	pd.auth_context = auth_context;
 	pd.sock         = fd;
 
-	iterate (context, database, afs_cell, db,
-		 v4_db, ka_db, &pd);
+	iterate (context, database, afs_cell, db, type, &pd);
 
-	data.data = NULL;
-	data.length = 0;
-	ret = send_priv(context, auth_context, &data, fd);
+	krb5_data_zero (&data);
+	ret = krb5_write_priv_message(context, auth_context, &fd, &data);
 	if(ret)
-	    krb5_warn(context, ret, "send_priv");
+	    krb5_warn(context, ret, "krb5_write_priv_message");
 
-	ret = recv_priv(context, auth_context, fd, &data);
+	ret = krb5_read_priv_message(context, auth_context, &fd, &data);
 	if(ret)
-	    krb5_warn(context, ret, "recv_priv");
+	    krb5_warn(context, ret, "krb5_read_priv_message");
 	else
 	    krb5_data_free (&data);
 	
@@ -577,6 +754,28 @@ propagate_database (krb5_context context, int v4_db, int ka_db,
     return 0;
 }
 
+#ifdef KRB4
+
+static void
+v4_get_masterkey (krb5_context context, char *database)
+{
+    int e;
+
+    e = kerb_db_set_name (database);
+    if(e)
+	krb5_errx(context, 1, "kerb_db_set_name: %s",
+		  krb_get_err_text(e));
+    e = kdb_get_master_key(0, &mkey4, msched4);
+    if(e)
+	krb5_errx(context, 1, "kdb_get_master_key: %s",
+		  krb_get_err_text(e));
+    e = kdb_verify_master_key(&mkey4, msched4, NULL);
+    if (e < 0)
+	krb5_errx(context, 1, "kdb_verify_master_key failed");
+}
+
+#endif
+
 int
 main(int argc, char **argv)
 {
@@ -586,6 +785,8 @@ main(int argc, char **argv)
     HDB *db;
     int optind = 0;
 
+    int type = 0;
+
     set_progname(argv[0]);
 
     if(getarg(args, num_args, argc, argv, &optind))
@@ -603,31 +804,51 @@ main(int argc, char **argv)
     if(ret)
 	exit(1);
 
+    if(local_realm)
+	krb5_set_default_realm(context, local_realm);
+
+
     if(encrypt_flag && decrypt_flag)
 	krb5_errx(context, 1, 
-		  "Only one of `--encrypt' and `--decrypt' is meaningful");
+		  "only one of `--encrypt' and `--decrypt' is meaningful");
+
+#ifdef KRB4
+    if(v4_db) {
+	if(type != 0)
+	    krb5_errx(context, 1, "more than one database type specified");
+	type = HPROP_KRB4_DB;
+    }
+#ifdef KASERVER_DB
+    if(ka_db) {
+	if(type != 0)
+	    krb5_errx(context, 1, "more than one database type specified");
+	type = HPROP_KASERVER;
+    }
+#endif
+#endif
+
+    if(source_type != NULL) {
+	if(type != 0)
+	    krb5_errx(context, 1, "more than one database type specified");
+	type = parse_source_type(source_type);
+	if(type == 0)
+	    krb5_errx(context, 1, "unknown source type `%s'", source_type);
+    } else if(type == 0)
+	type = HPROP_HEIMDAL;
 
     if(!to_stdout)
 	get_creds(context, &ccache);
     
-    ret = hdb_read_master_key(context, mkeyfile, &mkey5);
-    if(ret && ret != ENOENT)
-	krb5_err(context, 1, ret, "hdb_read_master_key");
-    if(ret) {
-	if(encrypt_flag || decrypt_flag)
-	    krb5_errx(context, 1, "No master key file found");
-    } else {
-	ret = hdb_process_master_key(context, mkey5, &msched5);
+    if(decrypt_flag || encrypt_flag) {
+	ret = hdb_read_master_key(context, mkeyfile, &mkey5);
+	if(ret && ret != ENOENT)
+	    krb5_err(context, 1, ret, "hdb_read_master_key");
 	if(ret)
-	    krb5_err(context, 1, ret, "hdb_process_master_key");
+	    krb5_errx(context, 1, "No master key file found");
     }
     
 #ifdef KRB4
-    if (v4_db
-#ifdef KASERVER_DB
- || ka_db
-#endif
-) {
+    if (IS_TYPE_V4(type)) {
 	int e;
 
 	if (realm == NULL) {
@@ -638,39 +859,55 @@ main(int argc, char **argv)
 	    realm = realm_buf;
 	}
     }
+#endif
 
-    if(v4_db) {
-	int e = kerb_db_set_name (database);
-	if(e)
-	    krb5_errx(context, 1, "kerb_db_set_name: %s",
-		      krb_get_err_text(e));
-	e = kdb_get_master_key(0, &mkey4, msched4);
-	if(e)
-	    krb5_errx(context, 1, "kdb_get_master_key: %s",
-		      krb_get_err_text(e));
-    } else
+    switch(type) {
+#ifdef KRB4
+    case HPROP_KRB4_DB:
+	if (database == NULL)
+	    krb5_errx(context, 1, "no database specified");
+	v4_get_masterkey (context, database);
+	break;
 #ifdef KASERVER_DB
-	if (ka_db) {
-				/* no preparation required */
-	} else
+    case HPROP_KASERVER:
+	if (database == NULL)
+	    database = DEFAULT_DATABASE;
+	ka_use_null_salt = krb5_config_get_bool_default(context, NULL, FALSE, 
+							"hprop", 
+							"afs_uses_null_salt", 
+							NULL);
+
+	break;
 #endif
 #endif /* KRB4 */
-	{
-	    ret = hdb_create (context, &db, database);
-	    if(ret)
-		krb5_err(context, 1, ret, "hdb_create: %s", database);
-	    ret = db->open(context, db, O_RDONLY, 0);
-	    if(ret)
-		krb5_err(context, 1, ret, "db->open");
-	}
+    case HPROP_KRB4_DUMP:
+	if (database == NULL)
+	    krb5_errx(context, 1, "no dump file specified");
+#ifdef KRB4
+	v4_get_masterkey (context, database);
+#endif
+	break;
+    case HPROP_MIT_DUMP:
+	if (database == NULL)
+	    krb5_errx(context, 1, "no dump file specified");
+	break;
+    case HPROP_HEIMDAL:
+	ret = hdb_create (context, &db, database);
+	if(ret)
+	    krb5_err(context, 1, ret, "hdb_create: %s", database);
+	ret = db->open(context, db, O_RDONLY, 0);
+	if(ret)
+	    krb5_err(context, 1, ret, "db->open");
+	break;
+    default:
+	krb5_errx(context, 1, "unknown dump type `%d'", type);
+	break;
+    }
 
     if (to_stdout)
-	dump_database (context, v4_db, ka_db,
-		       database, afs_cell, db);
+	dump_database (context, type, database, afs_cell, db);
     else
-	propagate_database (context, v4_db, ka_db,
-			    database, afs_cell,
-			    db, ccache,
-			    optind, argc, argv);
+	propagate_database (context, type, database, afs_cell,
+			    db, ccache, optind, argc, argv);
     return 0;
 }
diff --git a/crypto/heimdal/kdc/hprop.h b/crypto/heimdal/kdc/hprop.h
index 3802c5d..0bcab88 100644
--- a/crypto/heimdal/kdc/hprop.h
+++ b/crypto/heimdal/kdc/hprop.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,25 +31,45 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: hprop.h,v 1.7 1999/12/02 17:04:59 joda Exp $ */
+/* $Id: hprop.h,v 1.13 2001/01/26 15:54:19 joda Exp $ */
 
 #ifndef __HPROP_H__
 #define __HPROP_H__
 
 #include "headers.h"
 
+struct prop_data{
+    krb5_context context;
+    krb5_auth_context auth_context;
+    int sock;
+};
+
 #define HPROP_VERSION "hprop-0.0"
 #define HPROP_NAME "hprop"
-#define HPROP_KEYTAB "FILE:/etc/hprop.keytab"
+#define HPROP_KEYTAB "HDB:"
 #define HPROP_PORT 754
 
 #ifndef NEVERDATE
 #define NEVERDATE ((1U << 31) - 1)
 #endif
 
-krb5_error_code send_priv(krb5_context, krb5_auth_context, krb5_data*, int);
-krb5_error_code recv_priv(krb5_context, krb5_auth_context, int, krb5_data*);
-krb5_error_code send_clear(krb5_context context, int fd, krb5_data data);
-krb5_error_code recv_clear(krb5_context context, int fd, krb5_data *out);
+krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry*, void*);
+int mit_prop_dump(void*, const char*);
+
+struct v4_principal {
+    char name[64];
+    char instance[64];
+    des_cblock key;
+    int kvno;
+    int mkvno;
+    time_t exp_date;
+    time_t mod_date;
+    char mod_name[64];
+    char mod_instance[64];
+    int max_life;
+};
+
+int v4_prop(void*, struct v4_principal*);
+int v4_prop_dump(void *arg, const char*);
 
 #endif /* __HPROP_H__ */
diff --git a/crypto/heimdal/kdc/hpropd.8 b/crypto/heimdal/kdc/hpropd.8
index de4249a..687795e 100644
--- a/crypto/heimdal/kdc/hpropd.8
+++ b/crypto/heimdal/kdc/hpropd.8
@@ -1,4 +1,4 @@
-.\" $Id: hpropd.8,v 1.1 1997/08/27 23:42:34 assar Exp $
+.\" $Id: hpropd.8,v 1.5 2000/11/12 15:37:33 joda Exp $
 .\"
 .Dd Aug 27, 1997
 .Dt HPROPD 8
@@ -9,19 +9,65 @@
 receive a propagated database
 .Sh SYNOPSIS
 .Nm
-.Op Fl d Ar database
-.Op Fl -database= Ns Ar database
+.Oo Fl d Ar file \*(Ba Xo
+.Fl -database= Ns Ar file Oc
+.Xc
+.Op Fl n | Fl -stdin
+.Op Fl -print
+.Op Fl i | Fl -no-inetd
+.Oo Fl k Ar keytab \*(Ba Xo
+.Fl -keytab= Ns Ar keytab Oc
+.Xc
+.Op Fl 4 | Fl -v4dump
 .Sh DESCRIPTION
 .Nm
 receives databases sent by
 .Nm hprop .
 and writes it as a local database.
 .Pp
+By default,
+.Nm
+expects to be started from
+.Nm inetd
+if stdin is a socket and expects to receive the dumped database over
+stdin otherwise.
+If the database is sent over the network, it is authenticated and
+encrypted.
+Only connections from
+.Li kadmin/hprop
+are accepted.
+.Pp
 Options supported:
 .Bl -tag -width Ds
-.It Fl d Ar database
-.It Fl -database= Ns Ar database
-the database to create.
+.It Xo
+.Fl d Ar file Ns ,
+.Fl -database= Ns Ar file
+.Xc
+database
+.It Xo
+.Fl n Ns ,
+.Fl -stdin
+.Xc
+read from stdin
+.It Xo
+.Fl -print
+.Xc
+print dump to stdout
+.It Xo
+.Fl i Ns ,
+.Fl -no-inetd
+.Xc
+Not started from inetd
+.It Xo
+.Fl k Ar keytab Ns ,
+.Fl -keytab= Ns Ar keytab
+.Xc
+keytab to use for authentication
+.It Xo
+.Fl 4 Ns ,
+.Fl -v4dump
+.Xc
+create v4 type DB
 .El
 .Sh SEE ALSO
 .Xr hprop 8
diff --git a/crypto/heimdal/kdc/hpropd.c b/crypto/heimdal/kdc/hpropd.c
index df29240..2cfdd15 100644
--- a/crypto/heimdal/kdc/hpropd.c
+++ b/crypto/heimdal/kdc/hpropd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "hprop.h"
 
-RCSID("$Id: hpropd.c,v 1.22 2000/01/06 21:39:24 assar Exp $");
+RCSID("$Id: hpropd.c,v 1.31 2001/01/25 12:37:39 assar Exp $");
 
 #ifdef KRB4
 static des_cblock mkey4;
@@ -127,10 +127,10 @@ dump_krb4(krb5_context context, hdb_entry *ent, int fd)
 	free(p);
     }
  
-    if (ent->pw_end == NULL)
-	strcat(buf, time2str(60*60*24*365*50)); /* passwd will never expire */
+    if (ent->valid_end == NULL)
+	strcat(buf, time2str(60*60*24*365*50)); /* no expiration */
     else
-	strcat(buf, time2str(*ent->pw_end));
+	strcat(buf, time2str(*ent->valid_end));
     strcat(buf, " ");
 
     if (ent->modified_by == NULL) 
@@ -168,6 +168,7 @@ static int from_stdin;
 #ifdef KRB4
 static int v4dump;
 #endif
+static char *ktname = NULL;
 
 struct getargs args[] = {
     { "database", 'd', arg_string, &database, "database", "file" },
@@ -175,6 +176,7 @@ struct getargs args[] = {
     { "print",	    0, arg_flag, &print_dump, "print dump to stdout" },
     { "inetd",	   'i',	arg_negative_flag,	&inetd_flag,
       "Not started from inetd" },
+    { "keytab",   'k',	arg_string, &ktname,	"keytab to use for authentication", "keytab" },
 #ifdef KRB4
     { "v4dump",       '4',  arg_flag, &v4dump, "create v4 type DB" },
 #endif
@@ -197,20 +199,18 @@ main(int argc, char **argv)
     krb5_error_code ret;
     krb5_context context;
     krb5_auth_context ac = NULL;
-    krb5_principal server;
     krb5_principal c1, c2;
     krb5_authenticator authent;
     krb5_keytab keytab;
     int fd;
     HDB *db;
-    char hostname[128];
     int optind = 0;
     char *tmp_db;
     krb5_log_facility *fac;
     int nprincs;
 #ifdef KRB4
     int e;
-    int fd_out;
+    int fd_out = -1;
 #endif
 
     set_progname(argv[0]);
@@ -250,8 +250,10 @@ main(int argc, char **argv)
     else {
 	struct sockaddr_storage ss;
 	struct sockaddr *sa = (struct sockaddr *)&ss;
-	int sin_len = sizeof(ss);
+	socklen_t sin_len = sizeof(ss);
 	char addr_name[256];
+	krb5_ticket *ticket;
+	char *server;
 
 	fd = STDIN_FILENO;
 	if (inetd_flag == -1) {
@@ -277,21 +279,34 @@ main(int argc, char **argv)
 
 	krb5_log(context, fac, 0, "Connection from %s", addr_name);
     
-	gethostname(hostname, sizeof(hostname));
-	ret = krb5_sname_to_principal(context, hostname, HPROP_NAME,
-				      KRB5_NT_SRV_HST, &server);
+	ret = krb5_kt_register(context, &hdb_kt_ops);
 	if(ret)
-	    krb5_err(context, 1, ret, "krb5_sname_to_principal");
-	
-	ret = krb5_kt_default(context, &keytab);
-	if(ret)
-	    krb5_err(context, 1, ret, "krb5_kt_default");
-	
-	ret = krb5_recvauth(context, &ac, &fd, HPROP_VERSION,
-			    server, 0, keytab, NULL);
+	    krb5_err(context, 1, ret, "krb5_kt_register");
+
+	if (ktname != NULL) {
+	    ret = krb5_kt_resolve(context, ktname, &keytab);
+	    if (ret)
+		krb5_err (context, 1, ret, "krb5_kt_resolve %s", ktname);
+	} else {
+	    ret = krb5_kt_default (context, &keytab);
+	    if (ret)
+		krb5_err (context, 1, ret, "krb5_kt_default");
+	}
+
+	ret = krb5_recvauth(context, &ac, &fd, HPROP_VERSION, NULL,
+			    0, keytab, &ticket);
 	if(ret)
 	    krb5_err(context, 1, ret, "krb5_recvauth");
 	
+	ret = krb5_unparse_name(context, ticket->server, &server);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_unparse_name");
+	if (strncmp(server, "hprop/", 5) != 0)
+	    krb5_errx(context, 1, "ticket not for hprop (%s)", server);
+
+	free(server);
+	krb5_free_ticket (context, ticket);
+
 	ret = krb5_auth_getauthenticator(context, ac, &authent);
 	if(ret)
 	    krb5_err(context, 1, ret, "krb5_auth_getauthenticator");
@@ -347,21 +362,21 @@ main(int argc, char **argv)
 	krb5_data data;
 	hdb_entry entry;
 
-	if(from_stdin){
-	    ret = recv_clear(context, fd, &data);
-	    if(ret)
-		krb5_err(context, 1, ret, "recv_clear");
-	}else{
-	    ret = recv_priv(context, ac, fd, &data);
+	if(from_stdin) {
+	    ret = krb5_read_message(context, &fd, &data);
+	    if(ret != 0 && ret != HEIM_ERR_EOF)
+		krb5_err(context, 1, ret, "krb5_read_message");
+	} else {
+	    ret = krb5_read_priv_message(context, ac, &fd, &data);
 	    if(ret)
-		krb5_err(context, 1, ret, "recv_priv");
+		krb5_err(context, 1, ret, "krb5_read_priv_message");
 	}
 
-	if(data.length == 0) {
+	if(ret == HEIM_ERR_EOF || data.length == 0) {
 	    if(!from_stdin) {
 		data.data = NULL;
 		data.length = 0;
-		send_priv(context, ac, &data, fd);
+		krb5_write_priv_message(context, ac, &fd, &data);
 	    }
 	    if(!print_dump) {
 #ifdef KRB4
diff --git a/crypto/heimdal/kdc/kadb.h b/crypto/heimdal/kdc/kadb.h
index e85dbe2..5c98ccc 100644
--- a/crypto/heimdal/kdc/kadb.h
+++ b/crypto/heimdal/kdc/kadb.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: kadb.h,v 1.2 1999/12/02 17:04:59 joda Exp $ */
+/* $Id: kadb.h,v 1.3 2000/03/03 12:36:26 assar Exp $ */
 
 #ifndef __kadb_h__
 #define __kadb_h__
@@ -56,7 +56,7 @@ struct ka_header {
 struct ka_entry {
     int32_t flags;			/* see below */
     int32_t next;			/* next in hash list */
-    int32_t pw_end;			/* expiration date */
+    int32_t valid_end;			/* expiration date */
     int32_t mod_time;			/* time last modified */
     int32_t mod_ptr;			/* pointer to modifier */
     int32_t pw_change;			/* last pw change */
@@ -66,6 +66,10 @@ struct ka_entry {
     char name[64];
     char instance[64];
     char key[8];
+    u_char pw_expire;			/* # days before password expires  */
+    u_char spare;
+    u_char attempts;
+    u_char locktime;
 };
 
 #define KAFNORMAL	(1<<0)
@@ -75,4 +79,6 @@ struct ka_entry {
 #define KAFNOCPW        (1<<6)	/* ! allow principal to change its own key */
 #define KAFSPECIAL      (1<<8)	/* set if special AuthServer principal */
 
+#define DEFAULT_DATABASE "/usr/afs/db/kaserver.DB0"
+
 #endif /* __kadb_h__ */
diff --git a/crypto/heimdal/kdc/kaserver.c b/crypto/heimdal/kdc/kaserver.c
index 64121eb..175ddb6 100644
--- a/crypto/heimdal/kdc/kaserver.c
+++ b/crypto/heimdal/kdc/kaserver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kaserver.c,v 1.10 2000/02/13 19:21:22 assar Exp $");
+RCSID("$Id: kaserver.c,v 1.15 2001/01/28 21:51:05 assar Exp $");
 
 #ifdef KASERVER
 
@@ -277,9 +277,6 @@ create_reply_ticket (struct rx_header *hdr,
     krb5_generate_random_block(&fyrtiosjuelva, sizeof(fyrtiosjuelva));
     fyrtiosjuelva &= 0xffffffff;
     krb5_store_int32 (sp, fyrtiosjuelva);
-#if 0
-    krb5_store_int32 (sp, 4711); /* XXX */
-#endif
     krb5_store_int32 (sp, challenge);
     sp->store  (sp, session, 8);
     memset (&session, 0, sizeof(session));
@@ -398,30 +395,45 @@ do_authenticate (struct rx_header *hdr,
     time_t max_life;
     u_int8_t life;
     int32_t chal;
+    char client_name[256];
+    char server_name[256];
 	
     krb5_data_zero (&request);
 
     unparse_auth_args (sp, &name, &instance, &start_time, &end_time,
 		       &request, &max_seq_len);
 
+    snprintf (client_name, sizeof(client_name), "%s.%s@%s",
+	      name, instance, v4_realm);
+
     client_entry = db_fetch4 (name, instance, v4_realm);
     if (client_entry == NULL) {
-	kdc_log(0, "Client not found in database: %s.%s@%s",
-		name, instance, v4_realm);
+	kdc_log(0, "Client not found in database: %s",
+		client_name);
 	make_error_reply (hdr, KANOENT, reply);
 	goto out;
     }
 
+    snprintf (server_name, sizeof(server_name), "%s.%s@%s",
+	      "krbtgt", v4_realm, v4_realm);
+
     server_entry = db_fetch4 ("krbtgt", v4_realm, v4_realm);
     if (server_entry == NULL) {
-	kdc_log(0, "Server not found in database: %s.%s@%s",
-		"krbtgt", v4_realm, v4_realm);
+	kdc_log(0, "Server not found in database: %s", server_name);
 	make_error_reply (hdr, KANOENT, reply);
 	goto out;
     }
 
+    ret = check_flags (client_entry, client_name,
+		       server_entry, server_name,
+		       TRUE);
+    if (ret) {
+	make_error_reply (hdr, KAPWEXPIRED, reply);
+	goto out;
+    }
+
     /* find a DES key */
-    ret = get_des_key(client_entry, &ckey);
+    ret = get_des_key(client_entry, TRUE, &ckey);
     if(ret){
 	kdc_log(0, "%s", krb5_get_err_text(context, ret));
 	make_error_reply (hdr, KANOKEYS, reply);
@@ -429,7 +441,7 @@ do_authenticate (struct rx_header *hdr,
     }
 
     /* find a DES key */
-    ret = get_des_key(server_entry, &skey);
+    ret = get_des_key(server_entry, TRUE, &skey);
     if(ret){
 	kdc_log(0, "%s", krb5_get_err_text(context, ret));
 	make_error_reply (hdr, KANOKEYS, reply);
@@ -457,6 +469,11 @@ do_authenticate (struct rx_header *hdr,
     krb5_ret_int32 (reply_sp, &chal);
     krb5_storage_free (reply_sp);
 
+    if (abs(chal - kdc_time) > context->max_skew) {
+	make_error_reply (hdr, KACLOCKSKEW, reply);
+	goto out;
+    }
+
     /* life */
     max_life = end_time - kdc_time;
     if (client_entry->max_life)
@@ -484,14 +501,10 @@ out:
 	free (name);
     if (instance)
 	free (instance);
-    if (client_entry) {
-	hdb_free_entry (context, client_entry);
-	free (client_entry);
-    }
-    if (server_entry) {
-	hdb_free_entry (context, server_entry);
-	free (server_entry);
-    }
+    if (client_entry)
+	free_ent (client_entry);
+    if (server_entry)
+	free_ent (server_entry);
 }
 
 static krb5_error_code
@@ -575,6 +588,7 @@ do_getticket (struct rx_header *hdr,
     char pname[ANAME_SZ];
     char pinst[INST_SZ];
     char prealm[REALM_SZ];
+    char server_name[256];
 
     krb5_data_zero (&aticket);
     krb5_data_zero (&times);
@@ -582,14 +596,24 @@ do_getticket (struct rx_header *hdr,
     unparse_getticket_args (sp, &kvno, &auth_domain, &aticket,
 			    &name, &instance, &times, &max_seq_len);
 
+    snprintf (server_name, sizeof(server_name),
+	      "%s.%s@%s", name, instance, v4_realm);
+
     server_entry = db_fetch4 (name, instance, v4_realm);
     if (server_entry == NULL) {
-	kdc_log(0, "Server not found in database: %s.%s@%s",
-		name, instance, v4_realm);
+	kdc_log(0, "Server not found in database: %s", server_name);
 	make_error_reply (hdr, KANOENT, reply);
 	goto out;
     }
 
+    ret = check_flags (NULL, NULL,
+		       server_entry, server_name,
+		       FALSE);
+    if (ret) {
+	make_error_reply (hdr, KAPWEXPIRED, reply);
+	goto out;
+    }
+
     krbtgt_entry = db_fetch4 ("krbtgt", v4_realm, v4_realm);
     if (krbtgt_entry == NULL) {
 	kdc_log(0, "Server not found in database: %s.%s@%s",
@@ -599,7 +623,7 @@ do_getticket (struct rx_header *hdr,
     }
 
     /* find a DES key */
-    ret = get_des_key(krbtgt_entry, &kkey);
+    ret = get_des_key(krbtgt_entry, TRUE, &kkey);
     if(ret){
 	kdc_log(0, "%s", krb5_get_err_text(context, ret));
 	make_error_reply (hdr, KANOKEYS, reply);
@@ -607,7 +631,7 @@ do_getticket (struct rx_header *hdr,
     }
 
     /* find a DES key */
-    ret = get_des_key(server_entry, &skey);
+    ret = get_des_key(server_entry, TRUE, &skey);
     if(ret){
 	kdc_log(0, "%s", krb5_get_err_text(context, ret));
 	make_error_reply (hdr, KANOKEYS, reply);
@@ -627,6 +651,14 @@ do_getticket (struct rx_header *hdr,
 	char sinstance[SNAME_SZ];
 	u_int32_t paddress;
 
+	if (aticket.length > sizeof(ticket.dat)) {
+	    kdc_log(0, "ticket too long (%u > %u)",
+		    (unsigned)aticket.length,
+		    (unsigned)sizeof(ticket.dat));
+	    make_error_reply (hdr, KABADTICKET, reply);
+	    goto out;
+	}
+
 	ticket.length = aticket.length;
 	memcpy (ticket.dat, aticket.data, ticket.length);
 
@@ -707,14 +739,10 @@ out:
 	free (name);
     if (instance)
 	free (instance);
-    if (krbtgt_entry) {
-	hdb_free_entry (context, krbtgt_entry);
-	free (krbtgt_entry);
-    }
-    if (server_entry) {
-	hdb_free_entry (context, server_entry);
-	free (server_entry);
-    }
+    if (krbtgt_entry)
+	free_ent (krbtgt_entry);
+    if (server_entry)
+	free_ent (server_entry);
 }
 
 krb5_error_code
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8
index 181a3ce..359c17d 100644
--- a/crypto/heimdal/kdc/kdc.8
+++ b/crypto/heimdal/kdc/kdc.8
@@ -1,4 +1,4 @@
-.\" $Id: kdc.8,v 1.5 2000/02/13 21:04:32 assar Exp $
+.\" $Id: kdc.8,v 1.11 2001/01/26 22:46:28 assar Exp $
 .\"
 .Dd July 27, 1997
 .Dt KDC 8
@@ -9,11 +9,15 @@
 Kerberos 5 server
 .Sh SYNOPSIS
 .Nm
-.Op Fl c Ar file
-.Op Fl -config-file= Ns Ar file
+.Oo Fl c Ar file \*(Ba Xo
+.Fl -config-file= Ns Ar file Oc
+.Xc
 .Op Fl p | Fl -no-require-preauth
 .Op Fl -max-request= Ns Ar size
 .Op Fl H | Fl -enable-http
+.Oo Fl r Ar string \*(Ba Xo
+.Fl -v4-realm= Ns Ar string Oc
+.Xc
 .Op Fl K | Fl -no-kaserver
 .Op Fl r Ar realm
 .Op Fl -v4-realm= Ns Ar realm
@@ -21,7 +25,6 @@ Kerberos 5 server
 .Fl -ports= Ns Ar string Oc
 .Xc
 .Op Fl -addresses= Ns Ar list of addresses
-
 .Sh DESCRIPTION
 .Nm
 serves requests for tickets. When it starts, it first checks the flags
@@ -99,8 +102,8 @@ and then start the KDC with
 .Fl -config-file= Ns Ar /etc/krb5.conf ) .
 All options should be in a section called
 .Dq kdc .
-Options are called the same as the long option name, and takes the
-same arguments. The only difference is the pre-authentication flag,
+All the command-line options can preferably be added in the
+configuration file.  The only difference is the pre-authentication flag,
 that has to be specified as:
 .Pp
 .Dl require-preauth = no
@@ -108,6 +111,25 @@ that has to be specified as:
 (in fact you can specify the option as
 .Fl -require-preauth=no ) .
 .Pp
+And there are some configuration options which do not have
+command-line equivalents:
+.Bl -tag -width "xxx" -offset indent
+.It Li check-ticket-addresses = Va boolean
+Check the addresses in the ticket when processing TGS requests.  The
+default is FALSE.
+.It Li allow-null-ticket-addresses = Va boolean
+Permit tickets with no addresses.  This option is only relevant when
+check-ticket-addresses is TRUE.
+.It Li allow-anonymous = Va boolean
+Permit anonymous tickets with no addresses.
+.It encode_as_rep_as_tgs_rep = Va boolean
+Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.  The
+Heimdal clients allow both.
+.It kdc_warn_pwexpire = Va time
+How long before password/principal expiration the KDC should start
+sending out warning messages.
+.El
+.Pp
 An example of a config file:
 .Bd -literal -offset indent
 [kdc]
diff --git a/crypto/heimdal/kdc/kdc_locl.h b/crypto/heimdal/kdc/kdc_locl.h
index c703030..2cc753c 100644
--- a/crypto/heimdal/kdc/kdc_locl.h
+++ b/crypto/heimdal/kdc/kdc_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 /* 
- * $Id: kdc_locl.h,v 1.40 2000/02/11 17:46:29 assar Exp $ 
+ * $Id: kdc_locl.h,v 1.48 2001/01/30 01:44:07 assar Exp $ 
  */
 
 #ifndef __KDC_LOCL_H__
@@ -61,38 +61,52 @@ extern int enable_http;
 extern krb5_boolean encode_as_rep_as_tgs_rep;
 extern krb5_boolean check_ticket_addresses;
 extern krb5_boolean allow_null_ticket_addresses;
+extern krb5_boolean allow_anonymous;
 
 #ifdef KRB4
 extern char *v4_realm;
+extern int enable_v4;
+extern int enable_524;
 #endif
 #ifdef KASERVER
 extern krb5_boolean enable_kaserver;
 #endif
 
+#define _PATH_KDC_CONF		HDB_DB_DIR "/kdc.conf"
+#define DEFAULT_LOG_DEST	"0-1/FILE:" HDB_DB_DIR "/kdc.log"
+
 extern struct timeval now;
 #define kdc_time (now.tv_sec)
 
 krb5_error_code as_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
 void configure (int, char**);
-hdb_entry* db_fetch (krb5_principal);
-void kdc_log (int, const char*, ...);
-char* kdc_log_msg (int, const char*, ...);
-char* kdc_log_msg_va (int, const char*, va_list);
+krb5_error_code db_fetch (krb5_principal, hdb_entry**);
+void free_ent(hdb_entry *);
+void kdc_log (int, const char*, ...)
+    __attribute__ ((format (printf, 2,3)));
+
+char* kdc_log_msg (int, const char*, ...)
+    __attribute__ ((format (printf, 2,3)));
+char* kdc_log_msg_va (int, const char*, va_list)
+    __attribute__ ((format (printf, 2,0)));
 void kdc_openlog (krb5_config_section*);
 void loop (void);
 void set_master_key (EncryptionKey);
 krb5_error_code tgs_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr *);
 Key* unseal_key (Key*);
+krb5_error_code check_flags(hdb_entry *client, const char *client_name,
+			    hdb_entry *server, const char *server_name,
+			    krb5_boolean is_as_req);
 
 #ifdef KRB4
-hdb_entry* db_fetch4 (const char*, const char*, const char*);
-krb5_error_code do_524 (Ticket*, krb5_data*, const char*, struct sockaddr*);
+krb5_error_code db_fetch4 (const char*, const char*, const char*, hdb_entry**);
+krb5_error_code do_524 (const Ticket*, krb5_data*, const char*, struct sockaddr*);
 krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*, 
 			     struct sockaddr_in*);
-krb5_error_code encode_v4_ticket (void*, size_t, EncTicketPart*, 
-				  PrincipalName*, size_t*);
+krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*, 
+				  const PrincipalName*, size_t*);
 krb5_error_code encrypt_v4_ticket (void*, size_t, des_cblock*, EncryptedData*);
-krb5_error_code get_des_key(hdb_entry*, Key**);
+krb5_error_code get_des_key(hdb_entry*, krb5_boolean, Key**);
 int maybe_version4 (unsigned char*, int);
 #endif
 
diff --git a/crypto/heimdal/kdc/kerberos4.c b/crypto/heimdal/kdc/kerberos4.c
index 23d59dd..111bd9f 100644
--- a/crypto/heimdal/kdc/kerberos4.c
+++ b/crypto/heimdal/kdc/kerberos4.c
@@ -33,12 +33,10 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos4.c,v 1.27 2000/02/13 19:27:36 assar Exp $");
+RCSID("$Id: kerberos4.c,v 1.36 2001/01/30 01:44:08 assar Exp $");
 
 #ifdef KRB4
 
-#include "kerberos4.h"
-
 #ifndef swap32
 static u_int32_t
 swap32(u_int32_t x)
@@ -61,7 +59,7 @@ make_err_reply(krb5_data *reply, int code, const char *msg)
 {
     KTEXT_ST er;
 
-    /* name, instance and realm is not checked in most (all?) version
+    /* name, instance and realm are not checked in most (all?)
        implementations; msg is also never used, but we send it anyway
        (for debugging purposes) */
 
@@ -74,51 +72,92 @@ make_err_reply(krb5_data *reply, int code, const char *msg)
 static krb5_boolean
 valid_princ(krb5_context context, krb5_principal princ)
 {
+    krb5_error_code ret;
     char *s;
     hdb_entry *ent;
-    krb5_unparse_name(context, princ, &s);
-    ent = db_fetch(princ);
-    if(ent == NULL){
-	kdc_log(7, "Lookup %s failed", s);
+
+    ret = krb5_unparse_name(context, princ, &s);
+    if (ret)
+	return 0;
+    ret = db_fetch(princ, &ent);
+    if (ret) {
+	kdc_log(7, "Lookup %s failed: %s", s,
+		krb5_get_err_text (context, ret));
 	free(s);
 	return 0;
     }
     kdc_log(7, "Lookup %s succeeded", s);
     free(s);
-    hdb_free_entry(context, ent);
-    free(ent);
+    free_ent(ent);
     return 1;
 }
 
-hdb_entry*
-db_fetch4(const char *name, const char *instance, const char *realm)
+krb5_error_code
+db_fetch4(const char *name, const char *instance, const char *realm,
+	  hdb_entry **ent)
 {
     krb5_principal p;
-    hdb_entry *ent;
     krb5_error_code ret;
     
     ret = krb5_425_conv_principal_ext(context, name, instance, realm, 
 				      valid_princ, 0, &p);
     if(ret)
-	return NULL;
-    ent = db_fetch(p);
+	return ret;
+    ret = db_fetch(p, ent);
     krb5_free_principal(context, p);
-    return ent;
+    return ret;
 }
 
 krb5_error_code
-get_des_key(hdb_entry *principal, Key **key)
+get_des_key(hdb_entry *principal, krb5_boolean prefer_afs_key, Key **ret_key)
 {
-    krb5_error_code ret;
+    Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL;
+    int i;
+    krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5, 
+			      ETYPE_DES_CBC_MD4, 
+			      ETYPE_DES_CBC_CRC };
+
+    for(i = 0;
+	i < sizeof(etypes)/sizeof(etypes[0])
+	    && (v5_key == NULL || v4_key == NULL || afs_key == NULL);
+	++i) {
+	Key *key = NULL;
+	while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) {
+	    if(key->salt == NULL) {
+		if(v5_key == NULL)
+		    v5_key = key;
+	    } else if(key->salt->type == hdb_pw_salt && 
+		      key->salt->salt.length == 0) {
+		if(v4_key == NULL)
+		    v4_key = key;
+	    } else if(key->salt->type == hdb_afs3_salt) {
+		if(afs_key == NULL)
+		    afs_key = key;
+	    }
+	}
+    }
 
-    ret = hdb_enctype2key(context, principal, ETYPE_DES_CBC_MD5, key);
-    if(ret)
-	ret = hdb_enctype2key(context, principal, ETYPE_DES_CBC_MD4, key);
-    if(ret)
-	ret = hdb_enctype2key(context, principal, ETYPE_DES_CBC_CRC, key);
-    if(ret)
-	return ret;
-    if ((*key)->key.keyvalue.length == 0)
+    if(prefer_afs_key) {
+	if(afs_key)
+	    *ret_key = afs_key;
+	else if(v4_key)
+	    *ret_key = v4_key;
+	else if(v5_key)
+	    *ret_key = v5_key;
+	else
+	    return KERB_ERR_NULL_KEY;
+    } else {
+	if(v4_key)
+	    *ret_key = v4_key;
+	else if(afs_key)
+	    *ret_key = afs_key;
+	else  if(v5_key)
+	    *ret_key = v5_key;
+	else
+	    return KERB_ERR_NULL_KEY;
+    }
+
+    if((*ret_key)->key.keyvalue.length == 0)
 	return KERB_ERR_NULL_KEY;
     return 0;
 }
@@ -150,6 +189,14 @@ do_version4(unsigned char *buf,
     int32_t req_time;
     time_t max_life;
     u_int8_t life;
+    char client_name[256];
+    char server_name[256];
+
+    if(!enable_v4) {
+	kdc_log(0, "Rejected version 4 request from %s", from);
+	make_err_reply(reply, KDC_GEN_ERR, "function not enabled");
+	return 0;
+    }
 
     sp = krb5_storage_from_mem(buf, len);
     RCHECK(krb5_ret_int8(sp, &pvno), out);
@@ -172,24 +219,38 @@ do_version4(unsigned char *buf,
 	RCHECK(krb5_ret_int8(sp, &life), out1);
 	RCHECK(krb5_ret_stringz(sp, &sname), out1);
 	RCHECK(krb5_ret_stringz(sp, &sinst), out1);
-	kdc_log(0, "AS-REQ %s.%s@%s from %s for %s.%s", 
-		name, inst, realm, from, sname, sinst);
+	snprintf (client_name, sizeof(client_name),
+		  "%s.%s@%s", name, inst, realm);
+	snprintf (server_name, sizeof(server_name),
+		  "%s.%s@%s", sname, sinst, v4_realm);
+	
+	kdc_log(0, "AS-REQ %s from %s for %s",
+		client_name, from, server_name);
 
-	client = db_fetch4(name, inst, realm);
-	if(client == NULL){
-	    kdc_log(0, "Client not found in database: %s.%s@%s", 
-		    name, inst, realm);
+	ret = db_fetch4(name, inst, realm, &client);
+	if(ret) {
+	    kdc_log(0, "Client not found in database: %s: %s",
+		    client_name, krb5_get_err_text(context, ret));
 	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
 	    goto out1;
 	}
-	server = db_fetch4(sname, sinst, v4_realm);
-	if(server == NULL){
-	    kdc_log(0, "Server not found in database: %s.%s@%s", 
-		    sname, sinst, v4_realm);
+	ret = db_fetch4(sname, sinst, v4_realm, &server);
+	if(ret){
+	    kdc_log(0, "Server not found in database: %s: %s",
+		    server_name, krb5_get_err_text(context, ret));
 	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
 	    goto out1;
 	}
 
+	ret = check_flags (client, client_name,
+			   server, server_name,
+			   TRUE);
+	if (ret) {
+	    /* good error code? */
+	    make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
+	    goto out1;
+	}
+
 	/*
 	 * There's no way to do pre-authentication in v4 and thus no
 	 * good error code to return if preauthentication is required.
@@ -200,14 +261,13 @@ do_version4(unsigned char *buf,
 	    || server->flags.require_preauth) {
 	    kdc_log(0,
 		    "Pre-authentication required for v4-request: "
-		    "%s.%s@%s for %s.%s@%s", 
-		    name, inst, realm,
-		    sname, sinst, v4_realm);
+		    "%s for %s",
+		    client_name, server_name);
 	    make_err_reply(reply, KERB_ERR_NULL_KEY, NULL);
 	    goto out1;
 	}
 
-	ret = get_des_key(client, &ckey);
+	ret = get_des_key(client, FALSE, &ckey);
 	if(ret){
 	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
 	    /* XXX */
@@ -230,7 +290,7 @@ do_version4(unsigned char *buf,
 	}
 #endif
 	
-	ret = get_des_key(server, &skey);
+	ret = get_des_key(server, FALSE, &skey);
 	if(ret){
 	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
 	    /* XXX */
@@ -295,12 +355,13 @@ do_version4(unsigned char *buf,
 	    goto out2;
 	}
 
-	tgt = db_fetch(tgt_princ);
-	if(tgt == NULL){
+	ret = db_fetch(tgt_princ, &tgt);
+	if(ret){
 	    char *s;
 	    s = kdc_log_msg(0, "Ticket-granting ticket not "
-			    "found in database: krbtgt.%s@%s", 
-			    realm, v4_realm);
+			    "found in database: krbtgt.%s@%s: %s", 
+			    realm, v4_realm,
+			    krb5_get_err_text(context, ret));
 	    make_err_reply(reply, KFAILURE, s);
 	    free(s);
 	    goto out2;
@@ -314,7 +375,7 @@ do_version4(unsigned char *buf,
 	    goto out2;
 	}
 
-	ret = get_des_key(tgt, &tkey);
+	ret = get_des_key(tgt, FALSE, &tkey);
 	if(ret){
 	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
 	    /* XXX */
@@ -349,8 +410,12 @@ do_version4(unsigned char *buf,
 	RCHECK(krb5_ret_int8(sp, &life), out2);
 	RCHECK(krb5_ret_stringz(sp, &sname), out2);
 	RCHECK(krb5_ret_stringz(sp, &sinst), out2);
-	kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s.%s", 
-		ad.pname, ad.pinst, ad.prealm, from, sname, sinst);
+	snprintf (server_name, sizeof(server_name),
+		  "%s.%s@%s",
+		  sname, sinst, v4_realm);
+
+	kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s",
+		ad.pname, ad.pinst, ad.prealm, from, server_name);
 	
 	if(strcmp(ad.prealm, realm)){
 	    kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm);
@@ -367,28 +432,38 @@ do_version4(unsigned char *buf,
 	}
 	
 #if 0
-	client = db_fetch4(ad.pname, ad.pinst, ad.prealm);
-	if(client == NULL){
+	ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
+	if(ret){
 	    char *s;
-	    s = kdc_log_msg(0, "Client not found in database: %s.%s@%s", 
-			    ad.pname, ad.pinst, ad.prealm);
+	    s = kdc_log_msg(0, "Client not found in database: %s.%s@%s: %s", 
+			    ad.pname, ad.pinst, ad.prealm,
+			    krb5_get_err_text(context, ret));
 	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
 	    free(s);
 	    goto out2;
 	}
 #endif
 	
-	server = db_fetch4(sname, sinst, v4_realm);
-	if(server == NULL){
+	ret = db_fetch4(sname, sinst, v4_realm, &server);
+	if(ret){
 	    char *s;
-	    s = kdc_log_msg(0, "Server not found in database: %s.%s@%s", 
-			    sname, sinst, v4_realm);
+	    s = kdc_log_msg(0, "Server not found in database: %s: %s",
+			    server_name, krb5_get_err_text(context, ret));
 	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
 	    free(s);
 	    goto out2;
 	}
 
-	ret = get_des_key(server, &skey);
+	ret = check_flags (NULL, NULL,
+			   server, server_name,
+			   FALSE);
+	if (ret) {
+	    /* good error code? */
+	    make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
+	    goto out2;
+	}
+
+	ret = get_des_key(server, FALSE, &skey);
 	if(ret){
 	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
 	    /* XXX */
@@ -433,11 +508,8 @@ do_version4(unsigned char *buf,
     out2:
 	if(tgt_princ)
 	    krb5_free_principal(context, tgt_princ);
-	if(tgt){
-	    hdb_free_entry(context, tgt);
-	    free(tgt);
-	}
-
+	if(tgt)
+	    free_ent(tgt);
 	break;
     }
     
@@ -460,14 +532,10 @@ out:
 	free(sname);
     if(sinst)
 	free(sinst);
-    if(client){
-	hdb_free_entry(context, client);
-	free(client);
-    }
-    if(server){
-	hdb_free_entry(context, server);
-	free(server);
-    }
+    if(client)
+	free_ent(client);
+    if(server)
+	free_ent(server);
     krb5_storage_free(sp);
     return 0;
 }
@@ -498,8 +566,8 @@ encrypt_v4_ticket(void *buf, size_t len, des_cblock *key, EncryptedData *reply)
 }
 
 krb5_error_code
-encode_v4_ticket(void *buf, size_t len, EncTicketPart *et, 
-		 PrincipalName *service, size_t *size)
+encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
+		 const PrincipalName *service, size_t *size)
 {
     krb5_storage *sp;
     krb5_error_code ret;
diff --git a/crypto/heimdal/kdc/kerberos5.c b/crypto/heimdal/kdc/kerberos5.c
index 7100274..90cc49e 100644
--- a/crypto/heimdal/kdc/kerberos5.c
+++ b/crypto/heimdal/kdc/kerberos5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos5.c,v 1.109 2000/01/18 03:13:00 assar Exp $");
+RCSID("$Id: kerberos5.c,v 1.123 2001/01/30 01:44:08 assar Exp $");
 
 #define MAX_TIME ((time_t)((1U << 31) - 1))
 
@@ -71,62 +71,34 @@ find_padata(KDC_REQ *req, int *start, int type)
     return NULL;
 }
 
-#if 0
-
-static krb5_error_code
-find_keys(hdb_entry *client, 
-	  hdb_entry *server, 
-	  Key **ckey, 
-	  krb5_enctype *cetype,
-	  Key **skey,
-	  krb5_enctype *setype,
-	  unsigned *etypes, 
-	  unsigned num_etypes)
-{
-    int i;
-    krb5_error_code ret;
-    for(i = 0; i < num_etypes; i++) {
-	if(client){
-	    ret = hdb_enctype2key(context, client, etypes[i], ckey);
-	    if(ret)
-		continue;
-	}
-	if(server){
-	    ret = hdb_enctype2key(context, server, etypes[i], skey);
-	    if(ret)
-		continue;
-	}
-	if(etype)
-	    *cetype = *setype = etypes[i];
-	return 0;
-    }
-    return KRB5KDC_ERR_ETYPE_NOSUPP;
-}
-
-#else
+/*
+ * return the first appropriate key of `princ' in `ret_key'.  Look for
+ * all the etypes in (`etypes', `len'), stopping as soon as we find
+ * one, but preferring one that has default salt
+ */
 
 static krb5_error_code
 find_etype(hdb_entry *princ, unsigned *etypes, unsigned len, 
-	   Key **key, int *index)
+	   Key **ret_key, krb5_enctype *ret_etype)
 {
     int i;
     krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
 
-    for(i = 0; i < len ; i++) {
-	krb5_error_code tmp;
+    for(i = 0; ret != 0 && i < len ; i++) {
+	Key *key = NULL;
 
-	tmp = hdb_enctype2key(context, princ, etypes[i], key);
-	if (tmp == 0) {
-	    if ((*key)->key.keyvalue.length != 0) {
-		ret = 0;
-		break;
-	    } else {
+	while (hdb_next_enctype2key(context, princ, etypes[i], &key) == 0) {
+	    if (key->key.keyvalue.length == 0) {
 		ret = KRB5KDC_ERR_NULL_KEY;
+		continue;
 	    }
+	    *ret_key   = key;
+	    *ret_etype = etypes[i];
+	    ret = 0;
+	    if (key->salt == NULL)
+		return ret;
 	}
     }
-    if(index)
-	*index = i;
     return ret;
 }
 
@@ -140,30 +112,44 @@ find_keys(hdb_entry *client,
 	  int *etypes,
 	  unsigned num_etypes)
 {
-    int i;
     krb5_error_code ret;
+
     if(client){
 	/* find client key */
-	ret = find_etype(client, etypes, num_etypes, ckey, &i);
+	ret = find_etype(client, etypes, num_etypes, ckey, cetype);
 	if (ret) {
 	    kdc_log(0, "Client has no support for etypes");
 	    return ret;
 	}
-	*cetype = etypes[i];
     }
 
     if(server){
 	/* find server key */
-	ret = find_etype(server, etypes, num_etypes, skey, NULL);
+	ret = find_etype(server, etypes, num_etypes, skey, setype);
 	if (ret) {
 	    kdc_log(0, "Server has no support for etypes");
 	    return ret;
 	}
-	*setype = (*skey)->key.keytype;
     }
     return 0;
 }
-#endif
+
+static krb5_error_code
+make_anonymous_principalname (PrincipalName *pn)
+{
+    pn->name_type = KRB5_NT_PRINCIPAL;
+    pn->name_string.len = 1;
+    pn->name_string.val = malloc(sizeof(*pn->name_string.val));
+    if (pn->name_string.val == NULL)
+	return ENOMEM;
+    pn->name_string.val[0] = strdup("anonymous");
+    if (pn->name_string.val[0] == NULL) {
+	free(pn->name_string.val);
+	pn->name_string.val = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
 
 static krb5_error_code
 encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek, 
@@ -185,7 +171,12 @@ encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek,
     }
     
 
-    krb5_crypto_init(context, skey, etype, &crypto);
+    ret = krb5_crypto_init(context, skey, etype, &crypto);
+    if (ret) {
+	kdc_log(0, "krb5_crypto_init failed: %s",
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
 
     krb5_encrypt_EncryptedData(context, 
 			       crypto,
@@ -208,7 +199,12 @@ encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek,
 		krb5_get_err_text(context, ret));
 	return ret;
     }
-    krb5_crypto_init(context, ckey, 0, &crypto);
+    ret = krb5_crypto_init(context, ckey, 0, &crypto);
+    if (ret) {
+	kdc_log(0, "krb5_crypto_init failed: %s",
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
     if(rep->msg_type == krb_as_rep) {
 	krb5_encrypt_EncryptedData(context,
 				   crypto,
@@ -266,8 +262,8 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client)
 	return ENOMEM;
     for(i = 0; i < client->keys.len; i++) {
 	pa.val[i].etype = client->keys.val[i].key.keytype;
-	ALLOC(pa.val[i].salttype);
 	if(client->keys.val[i].salt){
+	    ALLOC(pa.val[i].salttype);
 #if 0
 	    if(client->keys.val[i].salt->type == hdb_pw_salt)
 		*pa.val[i].salttype = 0; /* or 1? or NULL? */
@@ -290,19 +286,20 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client)
 	    krb5_copy_data(context, &client->keys.val[i].salt->salt,
 			   &pa.val[i].salt);
 	} else {
-#if 0
-	    *pa.val[i].salttype = 1; /* or 0 with salt? */
-#else
-	    *pa.val[i].salttype = pa_pw_salt;
-#endif
+	    /* we return no salt type at all, as that should indicate
+	     * the default salt type and make everybody happy.  some
+	     * systems (like w2k) dislike being told the salt type
+	     * here. */
+
+	    pa.val[i].salttype = NULL;
 	    pa.val[i].salt = NULL;
 	}
     }
     len = length_ETYPE_INFO(&pa);
     buf = malloc(len);
-    if (buf) {
+    if (buf == NULL) {
 	free_ETYPE_INFO(&pa);
-	return ret;
+	return ENOMEM;
     }
     ret = encode_ETYPE_INFO(buf + len - 1, len, &pa, &len);
     free_ETYPE_INFO(&pa);
@@ -315,13 +312,19 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client)
 	free(buf);
 	return ret;
     }
-    md->val[md->len - 1].padata_type = pa_etype_info;
+    md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO;
     md->val[md->len - 1].padata_value.length = len;
     md->val[md->len - 1].padata_value.data = buf;
     return 0;
 }
 
-static int
+/*
+ * verify the flags on `client' and `server', returning 0
+ * if they are OK and generating an error messages and returning
+ * and error code otherwise.
+ */
+
+krb5_error_code
 check_flags(hdb_entry *client, const char *client_name,
 	    hdb_entry *server, const char *server_name,
 	    krb5_boolean is_as_req)
@@ -393,11 +396,18 @@ check_flags(hdb_entry *client, const char *client_name,
     return 0;
 }
 
+/*
+ * Return TRUE if `from' is part of `addresses' taking into consideration
+ * the configuration variables that tells us how strict we should be about
+ * these checks
+ */
+
 static krb5_boolean
-check_addresses(HostAddresses *addresses, struct sockaddr *from)
+check_addresses(HostAddresses *addresses, const struct sockaddr *from)
 {
     krb5_error_code ret;
     krb5_address addr;
+    krb5_boolean result;
     
     if(check_ticket_addresses == 0)
 	return TRUE;
@@ -409,7 +419,9 @@ check_addresses(HostAddresses *addresses, struct sockaddr *from)
     if(ret)
 	return FALSE;
 
-    return krb5_address_search(context, &addr, addresses);
+    result = krb5_address_search(context, &addr, addresses);
+    krb5_free_address (context, &addr);
+    return result;
 }
 
 krb5_error_code
@@ -430,9 +442,10 @@ as_rep(KDC_REQ *req,
     krb5_error_code ret = 0;
     const char *e_text = NULL;
     krb5_crypto crypto;
-
     Key *ckey, *skey;
 
+    memset(&rep, 0, sizeof(rep));
+
     if(b->sname == NULL){
 	server_name = "<unknown server>";
 	ret = KRB5KRB_ERR_GENERIC;
@@ -456,17 +469,18 @@ as_rep(KDC_REQ *req,
     if(ret)
 	goto out;
 
-    client = db_fetch(client_princ);
-    if(client == NULL){
-	kdc_log(0, "UNKNOWN -- %s", client_name);
+    ret = db_fetch(client_princ, &client);
+    if(ret){
+	kdc_log(0, "UNKNOWN -- %s: %s", client_name,
+		krb5_get_err_text(context, ret));
 	ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 	goto out;
     }
 
-    server = db_fetch(server_princ);
-
-    if(server == NULL){
-	kdc_log(0, "UNKNOWN -- %s", server_name);
+    ret = db_fetch(server_princ, &server);
+    if(ret){
+	kdc_log(0, "UNKNOWN -- %s: %s", server_name,
+		krb5_get_err_text(context, ret));
 	ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
 	goto out;
     }
@@ -483,7 +497,7 @@ as_rep(KDC_REQ *req,
 	PA_DATA *pa;
 	int found_pa = 0;
 	kdc_log(5, "Looking for pa-data -- %s", client_name);
-	while((pa = find_padata(req, &i, pa_enc_timestamp))){
+	while((pa = find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){
 	    krb5_data ts_data;
 	    PA_ENC_TS_ENC p;
 	    time_t patime;
@@ -523,7 +537,14 @@ as_rep(KDC_REQ *req,
 		continue;
 	    }
 	    
-	    krb5_crypto_init(context, &pa_key->key, 0, &crypto);
+	    ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto);
+	    if (ret) {
+		kdc_log(0, "krb5_crypto_init failed: %s",
+			krb5_get_err_text(context, ret));
+		free_EncryptedData(&enc_data);
+		continue;
+	    }
+
 	    ret = krb5_decrypt_EncryptedData (context,
 					      crypto,
 					      KRB5_KU_PA_ENC_TIMESTAMP,
@@ -586,7 +607,7 @@ as_rep(KDC_REQ *req,
 
 	ret = realloc_method_data(&method_data);
 	pa = &method_data.val[method_data.len-1];
-	pa->padata_type		= pa_enc_timestamp;
+	pa->padata_type		= KRB5_PADATA_ENC_TIMESTAMP;
 	pa->padata_value.length	= 0;
 	pa->padata_value.data	= NULL;
 
@@ -627,23 +648,19 @@ as_rep(KDC_REQ *req,
     {
 	char *cet;
 	char *set;
-	krb5_enctype_to_string(context, cetype, &cet);
-	krb5_enctype_to_string(context, setype, &set);
-	kdc_log(5, "Using %s/%s", cet, set);
-	free(cet);
-	free(set);
+
+	ret = krb5_enctype_to_string(context, cetype, &cet);
+	if(ret == 0) {
+	    ret = krb5_enctype_to_string(context, setype, &set);
+	    if (ret == 0) {
+		kdc_log(5, "Using %s/%s", cet, set);
+		free(set);
+	    } else
+	    free(cet);
+	} else
+	    kdc_log(5, "Using e-types %d/%d", cetype, setype);
     }
     
-
-    memset(&rep, 0, sizeof(rep));
-    rep.pvno = 5;
-    rep.msg_type = krb_as_rep;
-    copy_Realm(&b->realm, &rep.crealm);
-    copy_PrincipalName(b->cname, &rep.cname);
-    rep.ticket.tkt_vno = 5;
-    copy_Realm(&b->realm, &rep.ticket.realm);
-    copy_PrincipalName(b->sname, &rep.ticket.sname);
-
     {
 	char str[128];
 	unparse_flags(KDCOptions2int(f), KDCOptions_units, str, sizeof(str));
@@ -651,13 +668,25 @@ as_rep(KDC_REQ *req,
 	    kdc_log(2, "Requested flags: %s", str);
     }
     
-    if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey || 
-       f.request_anonymous){
+
+    if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
+       || (f.request_anonymous && !allow_anonymous)) {
 	ret = KRB5KDC_ERR_BADOPTION;
 	kdc_log(0, "Bad KDC options -- %s", client_name);
 	goto out;
     }
     
+    rep.pvno = 5;
+    rep.msg_type = krb_as_rep;
+    copy_Realm(&b->realm, &rep.crealm);
+    if (f.request_anonymous)
+	make_anonymous_principalname (&rep.cname);
+    else
+	copy_PrincipalName(b->cname, &rep.cname);
+    rep.ticket.tkt_vno = 5;
+    copy_Realm(&b->realm, &rep.ticket.realm);
+    copy_PrincipalName(b->sname, &rep.ticket.sname);
+
     et.flags.initial = 1;
     if(client->flags.forwardable && server->flags.forwardable)
 	et.flags.forwardable = f.forwardable;
@@ -689,7 +718,7 @@ as_rep(KDC_REQ *req,
     }
 
     krb5_generate_random_keyblock(context, setype, &et.key);
-    copy_PrincipalName(b->cname, &et.cname);
+    copy_PrincipalName(&rep.cname, &et.cname);
     copy_Realm(&b->realm, &et.crealm);
     
     {
@@ -706,10 +735,13 @@ as_rep(KDC_REQ *req,
 	}
 	fix_time(&b->till);
 	t = *b->till;
+
+	/* be careful not overflowing */
+
 	if(client->max_life)
-	    t = min(t, start + *client->max_life);
+	    t = start + min(t - start, *client->max_life);
 	if(server->max_life)
-	    t = min(t, start + *server->max_life);
+	    t = start + min(t - start, *server->max_life);
 #if 0
 	t = min(t, start + realm->max_life);
 #endif
@@ -728,9 +760,9 @@ as_rep(KDC_REQ *req,
 	    if(t == 0)
 		t = MAX_TIME;
 	    if(client->max_renew)
-		t = min(t, start + *client->max_renew);
+		t = start + min(t - start, *client->max_renew);
 	    if(server->max_renew)
-		t = min(t, start + *server->max_renew);
+		t = start + min(t - start, *server->max_renew);
 #if 0
 	    t = min(t, start + realm->max_renew);
 #endif
@@ -739,6 +771,9 @@ as_rep(KDC_REQ *req,
 	    et.flags.renewable = 1;
 	}
     }
+
+    if (f.request_anonymous)
+	et.flags.anonymous = 1;
     
     if(b->addresses){
 	ALLOC(et.caddr);
@@ -836,15 +871,10 @@ out2:
     free(client_name);
     krb5_free_principal(context, server_princ);
     free(server_name);
-    if(client){
-	hdb_free_entry(context, client);
-	free(client);
-    }
-    if(server){
-	hdb_free_entry(context, server);
-	free(server);
-    }
-    
+    if(client)
+	free_ent(client);
+    if(server)
+	free_ent(server);
     return ret;
 }
 
@@ -948,11 +978,11 @@ check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et)
 	    old_life -= *tgt->starttime;
 	else
 	    old_life -= tgt->authtime;
-	et->endtime = min(*b->till, *et->starttime + old_life);
+	et->endtime = min(*et->renew_till, *et->starttime + old_life);
     }	    
     
     /* checks for excess flags */
-    if(f.request_anonymous){
+    if(f.request_anonymous && !allow_anonymous){
 	kdc_log(0, "Request for anonymous ticket");
 	return KRB5KDC_ERR_BADOPTION;
     }
@@ -1089,7 +1119,10 @@ tgs_make_reply(KDC_REQ_BODY *b,
 	       &rep.ticket.realm);
     krb5_principal2principalname(&rep.ticket.sname, server->principal);
     copy_Realm(&tgt->crealm, &rep.crealm);
-    copy_PrincipalName(&tgt->cname, &rep.cname);
+    if (f.request_anonymous)
+	make_anonymous_principalname (&tgt->cname);
+    else
+	copy_PrincipalName(&tgt->cname, &rep.cname);
     rep.ticket.tkt_vno = 5;
 
     ek.caddr = et.caddr;
@@ -1140,7 +1173,8 @@ tgs_make_reply(KDC_REQ_BODY *b,
     }
     
     et.flags.pre_authent = tgt->flags.pre_authent;
-    et.flags.hw_authent = tgt->flags.hw_authent;
+    et.flags.hw_authent  = tgt->flags.hw_authent;
+    et.flags.anonymous   = tgt->flags.anonymous;
 	    
     /* XXX Check enc-authorization-data */
     et.authorization_data = auth_data;
@@ -1228,7 +1262,12 @@ tgs_check_authenticator(krb5_auth_context ac,
 		krb5_get_err_text(context, ret));
 	goto out;
     }
-    krb5_crypto_init(context, key, 0, &crypto);
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret) {
+	kdc_log(0, "krb5_crypto_init failed: %s",
+		krb5_get_err_text(context, ret));
+	goto out;
+    }
     ret = krb5_verify_checksum(context,
 			       crypto,
 			       KRB5_KU_TGS_REQ_AUTH_CKSUM,
@@ -1312,12 +1351,13 @@ tgs_rep2(KDC_REQ_BODY *b,
 				 ap_req.ticket.sname,
 				 ap_req.ticket.realm);
     
-    krbtgt = db_fetch(princ);
+    ret = db_fetch(princ, &krbtgt);
 
-    if(krbtgt == NULL) {
+    if(ret) {
 	char *p;
 	krb5_unparse_name(context, princ, &p);
-	kdc_log(0, "Ticket-granting ticket not found in database: %s", p);
+	kdc_log(0, "Ticket-granting ticket not found in database: %s: %s",
+		p, krb5_get_err_text(context, ret));
 	free(p);
 	ret = KRB5KRB_AP_ERR_NOT_US;
 	goto out2;
@@ -1352,14 +1392,15 @@ tgs_rep2(KDC_REQ_BODY *b,
     else
 	verify_ap_req_flags = 0;
 
-    ret = krb5_verify_ap_req(context,
-			     &ac,
-			     &ap_req,
-			     princ,
-			     &tkey->key,
-			     verify_ap_req_flags,
-			     &ap_req_options,
-			     &ticket);
+    ret = krb5_verify_ap_req2(context,
+			      &ac,
+			      &ap_req,
+			      princ,
+			      &tkey->key,
+			      verify_ap_req_flags,
+			      &ap_req_options,
+			      &ticket,
+			      KRB5_KU_TGS_REQ_AUTH);
 			     
     krb5_free_principal(context, princ);
     if(ret) {
@@ -1381,6 +1422,7 @@ tgs_rep2(KDC_REQ_BODY *b,
 					    ac,
 					    &subkey);
 	if(ret){
+	    krb5_auth_con_free(context, ac);
 	    kdc_log(0, "Failed to get remote subkey: %s", 
 		    krb5_get_err_text(context, ret));
 	    goto out2;
@@ -1388,17 +1430,25 @@ tgs_rep2(KDC_REQ_BODY *b,
 	if(subkey == NULL){
 	    ret = krb5_auth_con_getkey(context, ac, &subkey);
 	    if(ret) {
+		krb5_auth_con_free(context, ac);
 		kdc_log(0, "Failed to get session key: %s", 
 			krb5_get_err_text(context, ret));
 		goto out2;
 	    }
 	}
 	if(subkey == NULL){
+	    krb5_auth_con_free(context, ac);
 	    kdc_log(0, "Failed to get key for enc-authorization-data");
 	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
 	    goto out2;
 	}
-	krb5_crypto_init(context, subkey, 0, &crypto);
+	ret = krb5_crypto_init(context, subkey, 0, &crypto);
+	if (ret) {
+	    krb5_auth_con_free(context, ac);
+	    kdc_log(0, "krb5_crypto_init failed: %s",
+		    krb5_get_err_text(context, ret));
+	    goto out2;
+	}
 	ret = krb5_decrypt_EncryptedData (context,
 					  crypto,
 					  KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
@@ -1406,6 +1456,7 @@ tgs_rep2(KDC_REQ_BODY *b,
 					  &ad);
 	krb5_crypto_destroy(context, crypto);
 	if(ret){
+	    krb5_auth_con_free(context, ac);
 	    kdc_log(0, "Failed to decrypt enc-authorization-data");
 	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
 	    goto out2;
@@ -1414,6 +1465,7 @@ tgs_rep2(KDC_REQ_BODY *b,
 	ALLOC(auth_data);
 	ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
 	if(ret){
+	    krb5_auth_con_free(context, ac);
 	    free(auth_data);
 	    auth_data = NULL;
 	    kdc_log(0, "Failed to decode authorization data");
@@ -1460,10 +1512,11 @@ tgs_rep2(KDC_REQ_BODY *b,
 		goto out2;
 	    }
 	    principalname2krb5_principal(&p, t->sname, t->realm);
-	    uu = db_fetch(p);
+	    ret = db_fetch(p, &uu);
 	    krb5_free_principal(context, p);
-	    if(uu == NULL){
-		ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+	    if(ret){
+		if (ret == ENOENT)
+		    ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
 		goto out;
 	    }
 	    ret = hdb_enctype2key(context, uu, t->enc_part.etype, &tkey);
@@ -1491,10 +1544,9 @@ tgs_rep2(KDC_REQ_BODY *b,
 	else
 	    kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn);
     server_lookup:
-	server = db_fetch(sp);
-    
+	ret = db_fetch(sp, &server);
 
-	if(server == NULL){
+	if(ret){
 	    Realm req_rlm, new_rlm;
 	    if(loop++ < 2 && (req_rlm = is_krbtgt(&sp->name))){
 		new_rlm = find_rpath(req_rlm);
@@ -1509,19 +1561,24 @@ tgs_rep2(KDC_REQ_BODY *b,
 		    goto server_lookup;
 		}
 	    }
-	    kdc_log(0, "Server not found in database: %s", spn);
-	    ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+	    kdc_log(0, "Server not found in database: %s: %s", spn,
+		    krb5_get_err_text(context, ret));
+	    if (ret == ENOENT)
+		ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
 	    goto out;
 	}
 
-	client = db_fetch(cp);
-	if(client == NULL)
-	    kdc_log(1, "Client not found in database: %s", cpn);
+	ret = db_fetch(cp, &client);
+	if(ret)
+	    kdc_log(1, "Client not found in database: %s: %s",
+		    cpn, krb5_get_err_text(context, ret));
 #if 0
 	/* XXX check client only if same realm as krbtgt-instance */
-	if(client == NULL){
-	    kdc_log(0, "Client not found in database: %s", cpn);
-	    ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+	if(ret){
+	    kdc_log(0, "Client not found in database: %s: %s",
+		    cpn, krb5_get_err_text(context, ret));
+	    if (ret == ENOENT)
+		ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 	    goto out;
 	}
 #endif
@@ -1561,15 +1618,10 @@ tgs_rep2(KDC_REQ_BODY *b,
 	free(spn);
 	free(cpn);
 	    
-	if(server){
-	    hdb_free_entry(context, server);
-	    free(server);
-	}
-	if(client){
-	    hdb_free_entry(context, client);
-	    free(client);
-	}
-	
+	if(server)
+	    free_ent(server);
+	if(client)
+	    free_ent(client);
     }
 out2:
     if(ret)
@@ -1593,10 +1645,8 @@ out2:
 	free(auth_data);
     }
 
-    if(krbtgt){
-	hdb_free_entry(context, krbtgt);
-	free(krbtgt);
-    }
+    if(krbtgt)
+	free_ent(krbtgt);
     return ret;
 }
 
@@ -1617,7 +1667,7 @@ tgs_rep(KDC_REQ *req,
 	goto out;
     }
     
-    tgs_req = find_padata(req, &i, pa_tgs_req);
+    tgs_req = find_padata(req, &i, KRB5_PADATA_TGS_REQ);
 
     if(tgs_req == NULL){
 	ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
diff --git a/crypto/heimdal/kdc/kstash.8 b/crypto/heimdal/kdc/kstash.8
index e9a7502..92b532d 100644
--- a/crypto/heimdal/kdc/kstash.8
+++ b/crypto/heimdal/kdc/kstash.8
@@ -1,27 +1,59 @@
-.\" $Id: kstash.8,v 1.2 2000/01/08 10:57:31 assar Exp $
+.\" $Id: kstash.8,v 1.3 2000/09/01 16:37:52 joda Exp $
 .\"
-.Dd Aug 27, 1997
+.Dd September  1, 2000
 .Dt KSTASH 8
 .Os HEIMDAL
 .Sh NAME
 .Nm kstash
 .Nd
-Store the KDC master password in a file
+store the KDC master password in a file
 .Sh SYNOPSIS
 .Nm
-.Op Fl k Ar file
-.Op Fl -key-file= Ns Ar file
+.Oo Fl e Ar string \*(Ba Xo
+.Fl -enctype= Ns Ar string Oc
+.Xc
+.Oo Fl k Ar file \*(Ba Xo
+.Fl -key-file= Ns Ar file Oc
+.Xc
+.Op Fl -convert-file
+.Op Fl -master-key-fd= Ns Ar fd
+.Op Fl h | Fl -help
+.Op Fl -version
 .Sh DESCRIPTION
 .Nm
-allows you to the master password and store in a file that will be read
-by the KDC.
+reads the Kerberos master key and stores it in a file that will be
+used by the KDC.
 .Pp
-Options supported:
+Supported options:
 .Bl -tag -width Ds
-.It Fl k Ar file
-.It Fl -key-file= Ns Ar file
-Specify what file the master key is stored in.  The default is
-.Pa m-key .
+.It Xo
+.Fl e Ar string Ns ,
+.Fl -enctype= Ns Ar string
+.Xc
+the encryption type to use, defaults to DES3-CBC-SHA1
+.It Xo
+.Fl k Ar file Ns ,
+.Fl -key-file= Ns Ar file
+.Xc
+the name of the master key file
+.It Xo
+.Fl -convert-file
+.Xc
+don't ask for a new master key, just read an old master key file, and
+writes it back in the new keyfile format
+.It Xo
+.Fl -master-key-fd= Ns Ar fd
+.Xc
+filedescriptor to read passphrase from, if not specified the
+passphrase will be read from the terminal
 .El
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
 .Sh SEE ALSO
 .Xr kdc 8
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/kdc/kstash.c b/crypto/heimdal/kdc/kstash.c
index 5b79fd1..edb00b2 100644
--- a/crypto/heimdal/kdc/kstash.c
+++ b/crypto/heimdal/kdc/kstash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,122 +33,41 @@
 
 #include "headers.h"
 
-RCSID("$Id: kstash.c,v 1.10 1999/11/13 04:14:17 assar Exp $");
+RCSID("$Id: kstash.c,v 1.14 2001/01/30 17:08:35 assar Exp $");
 
 krb5_context context;
 
 char *keyfile = HDB_DB_DIR "/m-key";
-char *v4_keyfile;
 int convert_flag;
 int help_flag;
 int version_flag;
 
+int master_key_fd = -1;
+
+char *enctype_str = "des3-cbc-sha1";
+
 struct getargs args[] = {
+    { "enctype", 'e', arg_string, &enctype_str, "encryption type" },
     { "key-file", 'k', arg_string, &keyfile, "master key file", "file" },
-    { "version4-key-file", '4', arg_string, &v4_keyfile, 
-      "kerberos 4 master key file", "file" },
     { "convert-file", 0, arg_flag, &convert_flag, 
-      "convert keytype of keyfile" },
+      "just convert keyfile to new format" },
+    { "master-key-fd", 0, arg_integer, &master_key_fd, 
+      "filedescriptor to read passphrase from", "fd" },
     { "help", 'h', arg_flag, &help_flag },
     { "version", 0, arg_flag, &version_flag }
 };
 
 int num_args = sizeof(args) / sizeof(args[0]);
 
-static void
-write_keyfile(EncryptionKey key)
-{
-    FILE *f;
-    char buf[1024];
-    size_t len;
-
-#ifdef HAVE_UMASK
-    umask(077);
-#endif
-
-    f = fopen(keyfile, "w");
-    if(f == NULL)
-	krb5_err(context, 1, errno, "%s", keyfile);
-    encode_EncryptionKey((unsigned char *)buf + sizeof(buf) - 1,
-			 sizeof(buf), &key, &len);
-    fwrite(buf + sizeof(buf) - len, len, 1, f);
-    memset(buf, 0, sizeof(buf));
-    if(ferror(f)) {
-	int e = errno;
-	unlink(keyfile);
-	krb5_err(context, 1, e, "%s", keyfile);
-    }
-    fclose(f);
-    chmod(keyfile, 0400);
-}
-
-static int
-convert_file(void)
-{
-    FILE *f;
-    unsigned char buf[1024];
-    char *fn;
-    size_t len;
-    EncryptionKey key;
-    krb5_error_code ret;
-
-    f = fopen(keyfile, "r");
-    if(f == NULL) {
-	krb5_warn(context, errno, "%s", keyfile);
-	return 1;
-    }
-    len = fread(buf, 1, sizeof(buf), f);
-    if(ferror(f)) {
-	krb5_warn(context, errno, "fread");
-	ret = 1;
-	goto out1;
-    }
-    fclose(f);
-    ret = decode_EncryptionKey(buf, len, &key, &len);
-    memset(buf, 0, sizeof(buf));
-    if(ret) {
-	krb5_warn(context, ret, "decode_EncryptionKey");
-	goto out2;
-    }
-    if(key.keytype == KEYTYPE_DES)
-	key.keytype = ETYPE_DES_CBC_MD5;
-    else if(key.keytype == ETYPE_DES_CBC_MD5) {
-	krb5_warnx(context, "keyfile already converted");
-	ret = 0;
-	goto out2;
-    } else {
-	krb5_warnx(context, "bad encryption key type (%d)", key.keytype);
-	ret = 1;
-	goto out2;
-    }
-    asprintf(&fn, "%s.old", keyfile);
-    if(fn == NULL) {
-	krb5_warn(context, ENOMEM, "malloc");
-	ret = 1;
-	goto out1;
-    }
-    if(rename(keyfile, fn) < 0) {
-	krb5_warn(context, errno, "rename");
-	ret = 1;
-	goto out1;
-    }
-    write_keyfile(key);
-    krb5_free_keyblock_contents(context, &key);
-    return 0;
-out1:
-    memset(buf, 0, sizeof(buf));
-    return ret ? 1 : 0;
-out2:
-    krb5_free_keyblock_contents(context, &key);
-    return ret ? 1 : 0;
-}
-
 int
 main(int argc, char **argv)
 {
     char buf[1024];
-    EncryptionKey key;
-    FILE *f;
+    krb5_error_code ret;
+    
+    krb5_enctype enctype;
+
+    hdb_master_key mkey;
     
     krb5_program_setup(&context, argc, argv, args, num_args, NULL);
 
@@ -159,30 +78,71 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    if(convert_flag)
-	exit(convert_file());
-
-    key.keytype = ETYPE_DES_CBC_MD5; /* XXX */
-    if(v4_keyfile) {
-	f = fopen(v4_keyfile, "r");
-	if(f == NULL)
-	    krb5_err(context, 1, errno, "fopen(%s)", v4_keyfile);
-	key.keyvalue.length = sizeof(des_cblock);
-	key.keyvalue.data = malloc(key.keyvalue.length);
-	fread(key.keyvalue.data, 1, key.keyvalue.length, f);
-	fclose(f);
+    ret = krb5_string_to_enctype(context, enctype_str, &enctype);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_string_to_enctype");
+
+    ret = hdb_read_master_key(context, keyfile, &mkey);
+    if(ret && ret != ENOENT)
+	krb5_err(context, 1, ret, "reading master key from %s", keyfile);
+
+    if (convert_flag) {
+	if (ret)
+	    krb5_err(context, 1, ret, "reading master key from %s", keyfile);
     } else {
+	krb5_keyblock key;
 	krb5_salt salt;
 	salt.salttype = KRB5_PW_SALT;
 	/* XXX better value? */
 	salt.saltvalue.data = NULL;
 	salt.saltvalue.length = 0;
-	if(des_read_pw_string(buf, sizeof(buf), "Master key: ", 1))
-	    exit(1);
-	krb5_string_to_key_salt(context, key.keytype, buf, salt, &key);
+	if(master_key_fd != -1) {
+	    ssize_t n;
+	    n = read(master_key_fd, buf, sizeof(buf));
+	    if(n <= 0)
+		krb5_err(context, 1, errno, "failed to read passphrase");
+	    buf[n] = '\0';
+	    buf[strcspn(buf, "\r\n")] = '\0';
+	} else {
+	    if(des_read_pw_string(buf, sizeof(buf), "Master key: ", 1))
+		exit(1);
+	}
+	krb5_string_to_key_salt(context, enctype, buf, salt, &key);
+	ret = hdb_add_master_key(context, &key, &mkey);
+	
+	krb5_free_keyblock_contents(context, &key);
+
     }
     
-    write_keyfile(key);
-    krb5_free_keyblock_contents(context, &key);
-    exit(0);
+    {
+	char *new, *old;
+	asprintf(&old, "%s.old", keyfile);
+	asprintf(&new, "%s.new", keyfile);
+	if(unlink(new) < 0 && errno != ENOENT) {
+	    ret = errno;
+	    goto out;
+	}
+	krb5_warnx(context, "writing key to `%s'", keyfile);
+	ret = hdb_write_master_key(context, new, mkey);
+	if(ret)
+	    unlink(new);
+	else {
+	    unlink(old);
+	    if(link(keyfile, old) < 0 && errno != ENOENT) {
+		ret = errno;
+		unlink(new);
+	    } else if(rename(new, keyfile) < 0) {
+		ret = errno;
+	    }
+	}
+    out:
+	free(old);
+	free(new);
+	if(ret)
+	    krb5_warn(context, errno, "writing master key file");
+    }
+
+    hdb_free_master_key(context, mkey);
+
+    exit(ret != 0);
 }
diff --git a/crypto/heimdal/kdc/log.c b/crypto/heimdal/kdc/log.c
index ddbdbee..5a36969 100644
--- a/crypto/heimdal/kdc/log.c
+++ b/crypto/heimdal/kdc/log.c
@@ -32,7 +32,7 @@
  */
 
 #include "kdc_locl.h"
-RCSID("$Id: log.c,v 1.12 1999/12/02 17:05:00 joda Exp $");
+RCSID("$Id: log.c,v 1.13 2000/09/10 19:27:29 joda Exp $");
 
 static krb5_log_facility *logf;
 
@@ -51,7 +51,7 @@ kdc_openlog(krb5_config_section *cf)
 	    krb5_addlog_dest(context, logf, *p);
 	krb5_config_free_strings(s);
     }else
-	krb5_addlog_dest(context, logf, "0-1/FILE:" HDB_DB_DIR "/kdc.log");
+	krb5_addlog_dest(context, logf, DEFAULT_LOG_DEST);
     krb5_set_warn_dest(context, logf);
 }
 
diff --git a/crypto/heimdal/kdc/main.c b/crypto/heimdal/kdc/main.c
index 46d7aba..a14ae84 100644
--- a/crypto/heimdal/kdc/main.c
+++ b/crypto/heimdal/kdc/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: main.c,v 1.21 1999/12/02 17:05:00 joda Exp $");
+RCSID("$Id: main.c,v 1.24 2000/12/31 07:46:14 assar Exp $");
 
 sig_atomic_t exit_flag = 0;
 krb5_context context;
@@ -50,7 +50,9 @@ main(int argc, char **argv)
     krb5_error_code ret;
     set_progname(argv[0]);
     
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
 
     configure(argc, argv);
 
@@ -88,10 +90,13 @@ main(int argc, char **argv)
 	sigemptyset(&sa.sa_mask);
 
 	sigaction(SIGINT, &sa, NULL);
+	sigaction(SIGTERM, &sa, NULL);
     }
 #else
     signal(SIGINT, sigterm);
+    signal(SIGTERM, sigterm);
 #endif
+    pidfile(NULL);
     loop();
     krb5_free_context(context);
     return 0;
diff --git a/crypto/heimdal/kdc/misc.c b/crypto/heimdal/kdc/misc.c
index e476ebc..aebdc68 100644
--- a/crypto/heimdal/kdc/misc.c
+++ b/crypto/heimdal/kdc/misc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,17 +33,20 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: misc.c,v 1.18 1999/12/02 17:05:00 joda Exp $");
+RCSID("$Id: misc.c,v 1.22 2001/01/30 03:54:21 assar Exp $");
 
 struct timeval now;
 
-hdb_entry*
-db_fetch(krb5_principal principal)
+krb5_error_code
+db_fetch(krb5_principal principal, hdb_entry **h)
 {
     hdb_entry *ent;
-    krb5_error_code ret;
+    krb5_error_code ret = HDB_ERR_NOENTRY;
     int i;
-    ALLOC(ent);
+
+    ent = malloc (sizeof (*ent));
+    if (ent == NULL)
+	return ENOMEM;
     ent->principal = principal;
 
     for(i = 0; i < num_db; i++) {
@@ -55,9 +58,19 @@ db_fetch(krb5_principal principal)
 	}
 	ret = db[i]->fetch(context, db[i], HDB_F_DECRYPT, ent);
 	db[i]->close(context, db[i]);
-	if(ret == 0)
-	    return ent;
+	if(ret == 0) {
+	    *h = ent;
+	    return 0;
+	}
     }
     free(ent);
-    return NULL;
+    return ret;
+}
+
+void
+free_ent(hdb_entry *ent)
+{
+    hdb_free_entry (context, ent);
+    free (ent);
 }
+
diff --git a/crypto/heimdal/kdc/mit_dump.c b/crypto/heimdal/kdc/mit_dump.c
new file mode 100644
index 0000000..336d265
--- /dev/null
+++ b/crypto/heimdal/kdc/mit_dump.c
@@ -0,0 +1,370 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "hprop.h"
+
+RCSID("$Id: mit_dump.c,v 1.3 2000/08/09 09:57:37 joda Exp $");
+
+/*
+can have any number of princ stanzas.
+format is as follows (only \n indicates newlines)
+princ\t%d\t (%d is KRB5_KDB_V1_BASE_LENGTH, always 38)
+%d\t (strlen of principal e.g. shadow/foo@ANDREW.CMU.EDU)
+%d\t (number of tl_data)
+%d\t (number of key data, e.g. how many keys for this user)
+%d\t (extra data length) 
+%s\t (principal name)
+%d\t (attributes)
+%d\t (max lifetime, seconds)
+%d\t (max renewable life, seconds)
+%d\t (expiration, seconds since epoch or 2145830400 for never)
+%d\t (password expiration, seconds, 0 for never) 
+%d\t (last successful auth, seconds since epoch)
+%d\t (last failed auth, per above)
+%d\t (failed auth count)
+foreach tl_data 0 to number of tl_data - 1 as above
+  %d\t%d\t (data type, data length)
+  foreach tl_data 0 to length-1
+    %02x (tl data contents[element n])
+  except if tl_data length is 0
+    %d (always -1)
+  \t
+foreach key 0 to number of keys - 1 as above
+  %d\t%d\t (key data version, kvno)
+  foreach version 0 to key data version - 1 (a key or a salt)
+    %d\t%d\t(data type for this key, data length for this key)
+    foreach key data length 0 to length-1
+      %02x (key data contents[element n])
+    except if key_data length is 0
+      %d (always -1)
+    \t    
+foreach extra data length 0 to length - 1
+  %02x (extra data part)
+unless no extra data
+  %d (always -1)
+;\n
+
+*/
+
+static int
+hex_to_octet_string(const char *ptr, krb5_data *data)
+{
+    int i;
+    unsigned int v;
+    for(i = 0; i < data->length; i++) {
+	if(sscanf(ptr + 2 * i, "%02x", &v) != 1)
+	    return -1;
+	((unsigned char*)data->data)[i] = v;
+    }
+    return 2 * i;
+}
+
+static char *
+nexttoken(char **p)
+{
+    char *q;
+    do {
+	q = strsep(p, " \t");
+    } while(q && *q == '\0');
+    return q;
+}
+
+static size_t
+getdata(char **p, unsigned char *buf, size_t len)
+{
+    size_t i;
+    int v;
+    char *q = nexttoken(p);
+    i = 0;
+    while(*q && i < len) {
+	if(sscanf(q, "%02x", &v) != 1)
+	    break;
+	buf[i++] = v;
+	q += 2;
+    }
+    return i;
+}
+
+static int
+getint(char **p)
+{
+    int val;
+    char *q = nexttoken(p);
+    sscanf(q, "%d", &val);
+    return val;
+}
+
+#include <kadm5/admin.h>
+
+static void
+attr_to_flags(unsigned attr, HDBFlags *flags)
+{
+    flags->postdate =		!(attr & KRB5_KDB_DISALLOW_POSTDATED);
+    flags->forwardable =	!(attr & KRB5_KDB_DISALLOW_FORWARDABLE);
+    flags->initial =	       !!(attr & KRB5_KDB_DISALLOW_TGT_BASED);
+    flags->renewable =		!(attr & KRB5_KDB_DISALLOW_RENEWABLE);
+    flags->proxiable =		!(attr & KRB5_KDB_DISALLOW_PROXIABLE);
+    /* DUP_SKEY */
+    flags->invalid =	       !!(attr & KRB5_KDB_DISALLOW_ALL_TIX);
+    flags->require_preauth =   !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH);
+    /* HW_AUTH */
+    flags->server =		!(attr & KRB5_KDB_DISALLOW_SVR);
+    flags->change_pw = 	       !!(attr & KRB5_KDB_PWCHANGE_SERVICE);
+    flags->client =	        1; /* XXX */
+}
+
+#define KRB5_KDB_SALTTYPE_NORMAL	0
+#define KRB5_KDB_SALTTYPE_V4		1
+#define KRB5_KDB_SALTTYPE_NOREALM	2
+#define KRB5_KDB_SALTTYPE_ONLYREALM	3
+#define KRB5_KDB_SALTTYPE_SPECIAL	4
+#define KRB5_KDB_SALTTYPE_AFS3		5
+
+static krb5_error_code
+fix_salt(krb5_context context, hdb_entry *ent, int key_num)
+{
+    krb5_error_code ret;
+    Salt *salt = ent->keys.val[key_num].salt;
+    /* fix salt type */
+    switch((int)salt->type) {
+    case KRB5_KDB_SALTTYPE_NORMAL:
+	salt->type = KRB5_PADATA_PW_SALT;
+	break;
+    case KRB5_KDB_SALTTYPE_V4:
+	krb5_data_free(&salt->salt);
+	salt->type = KRB5_PADATA_PW_SALT;
+	break;
+    case KRB5_KDB_SALTTYPE_NOREALM:
+    {
+	size_t len;
+	int i;
+	krb5_error_code ret;
+	char *p;
+	    
+	len = 0;
+	for (i = 0; i < ent->principal->name.name_string.len; ++i)
+	    len += strlen(ent->principal->name.name_string.val[i]);
+	ret = krb5_data_alloc (&salt->salt, len);
+	if (ret)
+	    return ret;
+	p = salt->salt.data;
+	for (i = 0; i < ent->principal->name.name_string.len; ++i) {
+	    memcpy (p,
+		    ent->principal->name.name_string.val[i],
+		    strlen(ent->principal->name.name_string.val[i]));
+	    p += strlen(ent->principal->name.name_string.val[i]);
+	}
+
+	salt->type = KRB5_PADATA_PW_SALT;
+	break;
+    }
+    case KRB5_KDB_SALTTYPE_ONLYREALM:
+	krb5_data_free(&salt->salt);
+	ret = krb5_data_copy(&salt->salt, 
+			     ent->principal->realm, 
+			     strlen(ent->principal->realm));
+	if(ret)
+	    return ret;
+	salt->type = KRB5_PADATA_PW_SALT;
+	break;
+    case KRB5_KDB_SALTTYPE_SPECIAL:
+	salt->type = KRB5_PADATA_PW_SALT;
+	break;
+    case KRB5_KDB_SALTTYPE_AFS3:
+	krb5_data_free(&salt->salt);
+	ret = krb5_data_copy(&salt->salt, 
+		       ent->principal->realm, 
+		       strlen(ent->principal->realm));
+	if(ret)
+	    return ret;
+	salt->type = KRB5_PADATA_AFS3_SALT;
+	break;
+    default:
+	abort();
+    }
+    return 0;
+}
+
+int
+mit_prop_dump(void *arg, const char *file)
+{
+    krb5_error_code ret;
+    char buf [1024];
+    FILE *f;
+    int lineno = 0;
+    struct hdb_entry ent;
+
+    struct prop_data *pd = arg;
+
+    f = fopen(file, "r");
+    if(f == NULL)
+	return errno;
+    
+    while(fgets(buf, sizeof(buf), f)) {
+	char *p = buf, *q;
+
+	int i;
+
+	int num_tl_data;
+	int num_key_data;
+	int extra_data_length;
+	int attributes;
+
+	int tmp;
+
+	lineno++;
+
+	memset(&ent, 0, sizeof(ent));
+
+	q = nexttoken(&p);
+	if(strcmp(q, "kdb5_util") == 0) {
+	    int major;
+	    q = nexttoken(&p); /* load_dump */
+	    if(strcmp(q, "load_dump"))
+		errx(1, "line %d: unknown version", lineno);
+	    q = nexttoken(&p); /* load_dump */
+	    if(strcmp(q, "version"))
+		errx(1, "line %d: unknown version", lineno);
+	    q = nexttoken(&p); /* x.0 */
+	    if(sscanf(q, "%d", &major) != 1)
+		errx(1, "line %d: unknown version", lineno);
+	    if(major != 4)
+		errx(1, "unknown dump file format, got %d, expected 4", major);
+	    continue;
+	} else if(strcmp(q, "princ") != 0) {
+	    warnx("line %d: not a principal", lineno);
+	    continue;
+	}
+	tmp = getint(&p);
+	if(tmp != 38) {
+	    warnx("line %d: bad base length %d != 38", lineno, tmp);
+	    continue;
+	}
+	q = nexttoken(&p); /* length of principal */
+	num_tl_data = getint(&p); /* number of tl-data */
+	num_key_data = getint(&p); /* number of key-data */
+	extra_data_length = getint(&p);  /* length of extra data */
+	q = nexttoken(&p); /* principal name */
+	krb5_parse_name(pd->context, q, &ent.principal);
+	attributes = getint(&p); /* attributes */
+	attr_to_flags(attributes, &ent.flags);
+	tmp = getint(&p); /* max life */
+	if(tmp != 0) {
+	    ALLOC(ent.max_life);
+	    *ent.max_life = tmp;
+	}
+	tmp = getint(&p); /* max renewable life */
+	if(tmp != 0) {
+	    ALLOC(ent.max_renew);
+	    *ent.max_renew = tmp;
+	}
+	tmp = getint(&p); /* expiration */
+	if(tmp != 0 && tmp != 2145830400) {
+	    ALLOC(ent.valid_end);
+	    *ent.valid_end = tmp;
+	}
+	tmp = getint(&p); /* pw expiration */
+	if(tmp != 0) {
+	    ALLOC(ent.pw_end);
+	    *ent.pw_end = tmp;
+	}
+	q = nexttoken(&p); /* last auth */
+	q = nexttoken(&p); /* last failed auth */
+	q = nexttoken(&p); /* fail auth count */
+	for(i = 0; i < num_tl_data; i++) {
+	    unsigned long val;
+	    int tl_type, tl_length;
+	    unsigned char *buf;
+	    krb5_principal princ;
+
+	    tl_type = getint(&p); /* data type */
+	    tl_length = getint(&p); /* data length */
+
+#define KRB5_TL_LAST_PWD_CHANGE	1
+#define KRB5_TL_MOD_PRINC	2
+	    switch(tl_type) {
+	    case KRB5_TL_MOD_PRINC:
+		buf = malloc(tl_length);
+		getdata(&p, buf, tl_length); /* data itself */
+		val = buf[0] | (buf[1] << 8) | (buf[2] << 16) | (buf[3] << 24);
+		ret = krb5_parse_name(pd->context, buf + 4, &princ);
+		free(buf);
+		ALLOC(ent.modified_by);
+		ent.modified_by->time = val;
+		ent.modified_by->principal = princ;
+		break;
+	    default:
+		nexttoken(&p);
+		break;
+	    }
+	}
+	ALLOC_SEQ(&ent.keys, num_key_data);
+	for(i = 0; i < num_key_data; i++) {
+	    int key_versions;
+	    key_versions = getint(&p); /* key data version */
+	    ent.kvno = getint(&p); /* XXX kvno */
+	    
+	    ALLOC(ent.keys.val[i].mkvno);
+	    *ent.keys.val[i].mkvno = 0;
+	    
+	    /* key version 0 -- actual key */
+	    ent.keys.val[i].key.keytype = getint(&p); /* key type */
+	    tmp = getint(&p); /* key length */
+	    /* the first two bytes of the key is the key length --
+	       skip it */
+	    krb5_data_alloc(&ent.keys.val[i].key.keyvalue, tmp - 2);
+	    q = nexttoken(&p); /* key itself */
+	    hex_to_octet_string(q + 4, &ent.keys.val[i].key.keyvalue);
+
+	    if(key_versions > 1) {
+		/* key version 1 -- optional salt */
+		ALLOC(ent.keys.val[i].salt);
+		ent.keys.val[i].salt->type = getint(&p); /* salt type */
+		tmp = getint(&p); /* salt length */
+		if(tmp > 0) {
+		    krb5_data_alloc(&ent.keys.val[i].salt->salt, tmp - 2);
+		    q = nexttoken(&p); /* salt itself */
+		    hex_to_octet_string(q + 4, &ent.keys.val[i].salt->salt);
+		} else {
+		    ent.keys.val[i].salt->salt.length = 0;
+		    ent.keys.val[i].salt->salt.data = NULL;
+		    tmp = getint(&p);	/* -1, if no data. */
+		}
+		fix_salt(pd->context, &ent, i);
+	    }
+	}
+	q = nexttoken(&p); /* extra data */
+	v5_prop(pd->context, NULL, &ent, arg);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/string2key.8 b/crypto/heimdal/kdc/string2key.8
new file mode 100644
index 0000000..be8b1f6
--- /dev/null
+++ b/crypto/heimdal/kdc/string2key.8
@@ -0,0 +1,76 @@
+.\" $Id: string2key.8,v 1.2 2000/03/04 14:02:55 assar Exp $
+.\"
+.Dd March  4, 2000
+.Dt STRING2KEY 8
+.Os HEIMDAL
+.Sh NAME
+.Nm string2key
+.Nd
+map a password into a key
+.Sh SYNOPSIS
+.Nm
+.Op Fl 5 | Fl -version5
+.Op Fl 4 | Fl -version4
+.Op Fl a | Fl -afs
+.Oo Fl c Ar cell \*(Ba Xo
+.Fl -cell= Ns Ar cell Oc
+.Xc
+.Oo Fl w Ar password \*(Ba Xo
+.Fl -password= Ns Ar password Oc
+.Xc
+.Oo Fl p Ar principal \*(Ba Xo
+.Fl -principal= Ns Ar principal Oc
+.Xc
+.Oo Fl k Ar string \*(Ba Xo
+.Fl -keytype= Ns Ar string Oc
+.Xc
+.Ar password
+.Sh DESCRIPTION
+.Nm
+performs the string-to-key function.
+This is useful when you want to handle the raw key instead of the password.
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl 5 Ns ,
+.Fl -version5
+.Xc
+Output Kerberos v5 string-to-key
+.It Xo
+.Fl 4 Ns ,
+.Fl -version4
+.Xc
+Output Kerberos v4 string-to-key
+.It Xo
+.Fl a Ns ,
+.Fl -afs
+.Xc
+Output AFS string-to-key
+.It Xo
+.Fl c Ar cell Ns ,
+.Fl -cell= Ns Ar cell
+.Xc
+AFS cell to use
+.It Xo
+.Fl w Ar password Ns ,
+.Fl -password= Ns Ar password
+.Xc
+Password to use
+.It Xo
+.Fl p Ar principal Ns ,
+.Fl -principal= Ns Ar principal
+.Xc
+Kerberos v5 principal to use
+.It Xo
+.Fl k Ar string Ns ,
+.Fl -keytype= Ns Ar string
+.Xc
+Keytype
+.It Xo
+.Fl -version
+.Xc
+print version
+.It Xo
+.Fl -help
+.Xc
+.El
diff --git a/crypto/heimdal/kdc/v4_dump.c b/crypto/heimdal/kdc/v4_dump.c
new file mode 100644
index 0000000..dc0a8f2
--- /dev/null
+++ b/crypto/heimdal/kdc/v4_dump.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "hprop.h"
+
+RCSID("$Id: v4_dump.c,v 1.4 2001/01/26 15:55:07 joda Exp $");
+
+static time_t
+time_parse(const char *cp)
+{
+    char wbuf[5];
+    struct tm tp;
+    int local;
+
+    memset(&tp, 0, sizeof(tp));	/* clear out the struct */
+    
+    /* new format is YYYYMMDDHHMM UTC,
+       old format is YYMMDDHHMM local time */
+    if (strlen(cp) > 10) {		/* new format */
+	strlcpy(wbuf, cp, sizeof(wbuf));
+	tp.tm_year = atoi(wbuf) - 1900;
+	cp += 4;
+	local = 0;
+    } else {
+	wbuf[0] = *cp++;
+	wbuf[1] = *cp++;
+	wbuf[2] = '\0';
+	tp.tm_year = atoi(wbuf);
+	if(tp.tm_year < 38)
+	    tp.tm_year += 100;
+	local = 1;
+    }
+
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    wbuf[2] = 0;
+    tp.tm_mon = atoi(wbuf) - 1;
+
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    tp.tm_mday = atoi(wbuf);
+    
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    tp.tm_hour = atoi(wbuf);
+    
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    tp.tm_min = atoi(wbuf);
+    
+    return(tm2time(tp, local));
+}
+
+/* convert a version 4 dump file */
+int
+v4_prop_dump(void *arg, const char *file)
+{
+    char buf [1024];
+    FILE *f;
+    int lineno = 0;
+
+    f = fopen(file, "r");
+    if(f == NULL)
+	return errno;
+    
+    while(fgets(buf, sizeof(buf), f)) {
+	int ret;
+	unsigned long key[2]; /* yes, long */
+	char exp_date[64], mod_date[64];
+	struct v4_principal pr;
+	int attributes;
+    
+	memset(&pr, 0, sizeof(pr));
+	errno = 0;
+	lineno++;
+	ret = sscanf(buf, "%s %s %d %d %d %d %lx %lx %s %s %s %s",
+		     pr.name, pr.instance,
+		     &pr.max_life, &pr.mkvno, &pr.kvno,
+		     &attributes,
+		     &key[0], &key[1],
+		     exp_date, mod_date,
+		     pr.mod_name, pr.mod_instance);
+	if(ret != 12){
+	    warnx("Line %d malformed (ignored)", lineno);
+	    continue;
+	}
+	if(attributes != 0) {
+	    warnx("Line %d (%s.%s) has non-zero attributes - skipping", 
+		  lineno, pr.name, pr.instance);
+	    continue;
+	}
+	pr.key[0] = (key[0] >> 24) & 0xff;
+	pr.key[1] = (key[0] >> 16) & 0xff;
+	pr.key[2] = (key[0] >> 8) & 0xff;
+	pr.key[3] = (key[0] >> 0) & 0xff;
+	pr.key[4] = (key[1] >> 24) & 0xff;
+	pr.key[5] = (key[1] >> 16) & 0xff;
+	pr.key[6] = (key[1] >> 8) & 0xff;
+	pr.key[7] = (key[1] >> 0) & 0xff;
+	pr.exp_date = time_parse(exp_date);
+	pr.mod_date = time_parse(mod_date);
+	if (pr.instance[0] == '*')
+	    pr.instance[0] = '\0';
+	if (pr.mod_name[0] == '*')
+	    pr.mod_name[0] = '\0';
+	if (pr.mod_instance[0] == '*')
+	    pr.mod_instance[0] = '\0';
+	v4_prop(arg, &pr);
+	memset(&pr, 0, sizeof(pr));
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kpasswd/Makefile.am b/crypto/heimdal/kpasswd/Makefile.am
index fba61e3..fc9cb67 100644
--- a/crypto/heimdal/kpasswd/Makefile.am
+++ b/crypto/heimdal/kpasswd/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.11 1999/04/20 16:48:34 assar Exp $
+# $Id: Makefile.am,v 1.15 2000/11/15 22:51:13 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -10,16 +10,20 @@ kpasswd_SOURCES = kpasswd.c kpasswd_locl.h
 
 libexec_PROGRAMS = kpasswdd
 
+noinst_PROGRAMS = kpasswd-generator
+
 kpasswdd_SOURCES = kpasswdd.c kpasswd_locl.h
 
 kpasswdd_LDADD = \
 	$(top_builddir)/lib/kadm5/libkadm5srv.la \
 	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
 	$(LDADD) \
+	$(LIB_pidfile) \
 	$(LIB_dlopen) \
 	$(DBLIB)
 
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
diff --git a/crypto/heimdal/kpasswd/Makefile.in b/crypto/heimdal/kpasswd/Makefile.in
index 11e169b..ae146d5 100644
--- a/crypto/heimdal/kpasswd/Makefile.in
+++ b/crypto/heimdal/kpasswd/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.11 1999/04/20 16:48:34 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.15 2000/11/15 22:51:13 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,24 +170,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
@@ -181,60 +195,83 @@ kpasswd_SOURCES = kpasswd.c kpasswd_locl.h
 
 libexec_PROGRAMS = kpasswdd
 
+noinst_PROGRAMS = kpasswd-generator
+
 kpasswdd_SOURCES = kpasswdd.c kpasswd_locl.h
 
-kpasswdd_LDADD =  	$(top_builddir)/lib/kadm5/libkadm5srv.la 	$(top_builddir)/lib/hdb/libhdb.la 	$(LDADD) 	$(LIB_dlopen) 	$(DBLIB)
+kpasswdd_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(LDADD) \
+	$(LIB_pidfile) \
+	$(LIB_dlopen) \
+	$(DBLIB)
 
 
-LDADD = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
 
+subdir = kpasswd
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../include/config.h
 CONFIG_CLEAN_FILES = 
 bin_PROGRAMS =  kpasswd$(EXEEXT)
 libexec_PROGRAMS =  kpasswdd$(EXEEXT)
-PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS)
+noinst_PROGRAMS =  kpasswd-generator$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS) $(noinst_PROGRAMS)
 
 
 DEFS = @DEFS@ -I. -I$(srcdir) -I../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-kpasswd_OBJECTS =  kpasswd.$(OBJEXT)
+am_kpasswd_OBJECTS =  kpasswd.$(OBJEXT)
+kpasswd_OBJECTS =  $(am_kpasswd_OBJECTS)
 kpasswd_LDADD = $(LDADD)
 kpasswd_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/asn1/libasn1.la
 kpasswd_LDFLAGS = 
-kpasswdd_OBJECTS =  kpasswdd.$(OBJEXT)
+kpasswd_generator_SOURCES = kpasswd-generator.c
+kpasswd_generator_OBJECTS =  kpasswd-generator.$(OBJEXT)
+kpasswd_generator_LDADD = $(LDADD)
+kpasswd_generator_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kpasswd_generator_LDFLAGS = 
+am_kpasswdd_OBJECTS =  kpasswdd.$(OBJEXT)
+kpasswdd_OBJECTS =  $(am_kpasswdd_OBJECTS)
 kpasswdd_DEPENDENCIES =  $(top_builddir)/lib/kadm5/libkadm5srv.la \
 $(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/asn1/libasn1.la
 kpasswdd_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(kpasswd_SOURCES) kpasswd-generator.c \
+$(kpasswdd_SOURCES)
 man1dir = $(mandir)/man1
 man8dir = $(mandir)/man8
 MANS = $(man_MANS)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
-SOURCES = $(kpasswd_SOURCES) $(kpasswdd_SOURCES)
-OBJECTS = $(kpasswd_OBJECTS) $(kpasswdd_OBJECTS)
+SOURCES = $(kpasswd_SOURCES) kpasswd-generator.c $(kpasswdd_SOURCES)
+OBJECTS = $(am_kpasswd_OBJECTS) kpasswd-generator.$(OBJEXT) $(am_kpasswdd_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign kpasswd/Makefile
 
@@ -257,15 +294,18 @@ install-binPROGRAMS: $(bin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(bindir)
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-binPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
 	done
 
 mostlyclean-libexecPROGRAMS:
@@ -282,30 +322,28 @@ install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-libexecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
+mostlyclean-noinstPROGRAMS:
 
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
 
-.s.o:
-	$(COMPILE) -c $<
+distclean-noinstPROGRAMS:
 
-.S.o:
-	$(COMPILE) -c $<
+maintainer-clean-noinstPROGRAMS:
 
 mostlyclean-compile:
 	-rm -f *.o core *.core
@@ -318,15 +356,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -341,9 +370,19 @@ kpasswd$(EXEEXT): $(kpasswd_OBJECTS) $(kpasswd_DEPENDENCIES)
 	@rm -f kpasswd$(EXEEXT)
 	$(LINK) $(kpasswd_LDFLAGS) $(kpasswd_OBJECTS) $(kpasswd_LDADD) $(LIBS)
 
+kpasswd-generator$(EXEEXT): $(kpasswd_generator_OBJECTS) $(kpasswd_generator_DEPENDENCIES)
+	@rm -f kpasswd-generator$(EXEEXT)
+	$(LINK) $(kpasswd_generator_LDFLAGS) $(kpasswd_generator_OBJECTS) $(kpasswd_generator_LDADD) $(LIBS)
+
 kpasswdd$(EXEEXT): $(kpasswdd_OBJECTS) $(kpasswdd_DEPENDENCIES)
 	@rm -f kpasswdd$(EXEEXT)
 	$(LINK) $(kpasswdd_LDFLAGS) $(kpasswdd_OBJECTS) $(kpasswdd_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-man1:
 	$(mkinstalldirs) $(DESTDIR)$(man1dir)
@@ -358,6 +397,7 @@ install-man1:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
@@ -373,6 +413,7 @@ uninstall-man1:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
@@ -391,6 +432,7 @@ install-man8:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
@@ -406,6 +448,7 @@ uninstall-man8:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
@@ -419,23 +462,27 @@ uninstall-man:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -448,17 +495,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = kpasswd
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -488,7 +534,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
 		$(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man8
@@ -503,26 +549,31 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
-		mostlyclean-compile mostlyclean-libtool \
-		mostlyclean-tags mostlyclean-generic
+		mostlyclean-noinstPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
 
 mostlyclean: mostlyclean-am
 
-clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-compile \
-		clean-libtool clean-tags clean-generic mostlyclean-am
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-noinstPROGRAMS \
+		clean-compile clean-libtool clean-tags clean-generic \
+		mostlyclean-am
 
 clean: clean-am
 
 distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
-		distclean-compile distclean-libtool distclean-tags \
-		distclean-generic clean-am
+		distclean-noinstPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
 	-rm -f libtool
 
 distclean: distclean-am
 
 maintainer-clean-am:  maintainer-clean-binPROGRAMS \
 		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-noinstPROGRAMS \
 		maintainer-clean-compile maintainer-clean-libtool \
 		maintainer-clean-tags maintainer-clean-generic \
 		distclean-am
@@ -535,18 +586,20 @@ maintainer-clean: maintainer-clean-am
 maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
 mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
 clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
-uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
-distclean-compile clean-compile maintainer-clean-compile \
-mostlyclean-libtool distclean-libtool clean-libtool \
-maintainer-clean-libtool install-man1 uninstall-man1 install-man8 \
-uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
-distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
-dvi-am dvi check-local check check-am installcheck-am installcheck \
-install-exec-am install-exec install-data-local install-data-am \
-install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
-distclean-generic clean-generic maintainer-clean-generic clean \
-mostlyclean distclean maintainer-clean
+uninstall-libexecPROGRAMS install-libexecPROGRAMS \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man8 uninstall-man8 install-man uninstall-man tags \
+mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
 install-suid-programs:
@@ -554,7 +607,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -566,8 +622,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -636,87 +692,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/kpasswd/kpasswd-generator.c b/crypto/heimdal/kpasswd/kpasswd-generator.c
new file mode 100644
index 0000000..6bd836c
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswd-generator.c
@@ -0,0 +1,193 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kpasswd_locl.h"
+
+RCSID("$Id: kpasswd-generator.c,v 1.2 2000/12/31 07:47:38 assar Exp $");
+
+static unsigned
+read_words (const char *filename, char ***ret_w)
+{
+    unsigned n, alloc;
+    FILE *f;
+    char buf[256];
+    char **w = NULL;
+
+    f = fopen (filename, "r");
+    if (f == NULL)
+	err (1, "cannot open %s", filename);
+    alloc = n = 0;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if (buf[strlen (buf) - 1] == '\n')
+	    buf[strlen (buf) - 1] = '\0';
+	if (n >= alloc) {
+	    alloc += 16;
+	    w = erealloc (w, alloc * sizeof(char **));
+	}
+	w[n++] = estrdup (buf);
+    }
+    *ret_w = w;
+    return n;
+}
+
+static int
+nop_prompter (krb5_context context,
+	      void *data,
+	      const char *banner,
+	      int num_prompts,
+	      krb5_prompt prompts[])
+{
+    return 0;
+}
+
+static void
+generate_requests (const char *filename, unsigned nreq)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    int i;
+    char **words;
+    unsigned nwords;
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    nwords = read_words (filename, &words);
+
+    for (i = 0; i < nreq; ++i) {
+	char *name = words[rand() % nwords];
+	krb5_get_init_creds_opt opt;
+	krb5_creds cred;
+	krb5_principal principal;
+	int result_code;
+	krb5_data result_code_string, result_string;
+	char *old_pwd, *new_pwd;
+
+	krb5_get_init_creds_opt_init (&opt);
+	krb5_get_init_creds_opt_set_tkt_life (&opt, 300);
+	krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
+	krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
+
+	ret = krb5_parse_name (context, name, &principal);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name %s", name);
+
+	asprintf (&old_pwd, "%s", name);
+	asprintf (&new_pwd, "%s2", name);
+
+	ret = krb5_get_init_creds_password (context,
+					    &cred,
+					    principal,
+					    old_pwd,
+					    nop_prompter,
+					    NULL,
+					    0,
+					    "kadmin/changepw",
+					    &opt);
+	if( ret == KRB5KRB_AP_ERR_BAD_INTEGRITY
+	    || ret == KRB5KRB_AP_ERR_MODIFIED) {
+	    char *tmp;
+
+	    tmp = new_pwd;
+	    new_pwd = old_pwd;
+	    old_pwd = tmp;
+
+	    ret = krb5_get_init_creds_password (context,
+						&cred,
+						principal,
+						old_pwd,
+						nop_prompter,
+						NULL,
+						0,
+						"kadmin/changepw",
+						&opt);
+	}
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_get_init_creds_password");
+
+	krb5_free_principal (context, principal);
+
+	ret = krb5_change_password (context, &cred, new_pwd,
+				    &result_code,
+				    &result_code_string,
+				    &result_string);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_change_password");
+
+	free (old_pwd);
+	free (new_pwd);
+	krb5_free_creds_contents (context, &cred);
+    }
+}
+
+static int version_flag	= 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "file [number]");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    int nreq;
+    char *end;
+
+    set_progname(argv[0]);
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 2)
+	usage (1);
+    srand (0);
+    nreq = strtol (argv[1], &end, 0);
+    if (argv[1] == end || *end != '\0')
+	usage (1);
+    generate_requests (argv[0], nreq);
+    return 0;
+}
diff --git a/crypto/heimdal/kpasswd/kpasswd.1 b/crypto/heimdal/kpasswd/kpasswd.1
index 8cbc83b..d4c986d 100644
--- a/crypto/heimdal/kpasswd/kpasswd.1
+++ b/crypto/heimdal/kpasswd/kpasswd.1
@@ -1,6 +1,6 @@
-.\" $Id: kpasswd.1,v 1.1 1997/08/27 23:44:08 assar Exp $
+.\" $Id: kpasswd.1,v 1.2 2000/06/27 00:51:06 assar Exp $
 .\"
-.Dt Aug 27, 1997
+.Dd Aug 27, 1997
 .Dt KPASSWD 1
 .Os HEIMDAL
 .Sh NAME
diff --git a/crypto/heimdal/kpasswd/kpasswd.c b/crypto/heimdal/kpasswd/kpasswd.c
index f072804..28de853 100644
--- a/crypto/heimdal/kpasswd/kpasswd.c
+++ b/crypto/heimdal/kpasswd/kpasswd.c
@@ -32,7 +32,7 @@
  */
 
 #include "kpasswd_locl.h"
-RCSID("$Id: kpasswd.c,v 1.21 2000/01/28 03:19:32 assar Exp $");
+RCSID("$Id: kpasswd.c,v 1.23 2000/12/31 07:48:34 assar Exp $");
 
 static int version_flag;
 static int help_flag;
@@ -43,12 +43,9 @@ static struct getargs args[] = {
 };
 
 static void
-usage (int ret)
+usage (int ret, struct getargs *a, int num_args)
 {
-    arg_printusage (args,
-		    sizeof(args)/sizeof(*args),
-		    NULL,
-		    "[principal]");
+    arg_printusage (a, num_args, NULL, "[principal]");
     exit (ret);
 }
 
@@ -66,10 +63,10 @@ main (int argc, char **argv)
     char pwbuf[BUFSIZ];
 
     optind = krb5_program_setup(&context, argc, argv,
-				args, sizeof(args) / sizeof(args[0]), NULL);
+				args, sizeof(args) / sizeof(args[0]), usage);
 
     if (help_flag)
-	usage (0);
+	usage (0, args, sizeof(args) / sizeof(args[0]));
 
     if(version_flag){
 	print_version (NULL);
@@ -86,11 +83,11 @@ main (int argc, char **argv)
     argv += optind;
 
     if (argc > 1)
-	usage(1);
+	usage (1, args, sizeof(args) / sizeof(args[0]));
 
     ret = krb5_init_context (&context);
     if (ret)
-	errx (1, "krb5_init_context: %s", krb5_get_err_text(context, ret));
+	errx (1, "krb5_init_context failed: %d", ret);
   
     if(argv[0]) {
 	ret = krb5_parse_name (context, argv[0], &principal);
diff --git a/crypto/heimdal/kpasswd/kpasswd_locl.h b/crypto/heimdal/kpasswd/kpasswd_locl.h
index 0e05489..61f2284 100644
--- a/crypto/heimdal/kpasswd/kpasswd_locl.h
+++ b/crypto/heimdal/kpasswd/kpasswd_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: kpasswd_locl.h,v 1.7 1999/12/02 17:05:00 joda Exp $ */
+/* $Id: kpasswd_locl.h,v 1.9 2000/08/04 11:22:51 joda Exp $ */
 
 #ifndef __KPASSWD_LOCL_H__
 #define __KPASSWD_LOCL_H__
@@ -86,9 +86,16 @@
 #ifdef HAVE_ERRNO_H
 #include <errno.h>
 #endif
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
 #include <err.h>
 #include <roken.h>
 #include <getarg.h>
+#include <des.h>
 #include <krb5.h>
 
 #endif /* __KPASSWD_LOCL_H__ */
diff --git a/crypto/heimdal/kpasswd/kpasswdd.8 b/crypto/heimdal/kpasswd/kpasswdd.8
index f4db441..a54b9a1 100644
--- a/crypto/heimdal/kpasswd/kpasswdd.8
+++ b/crypto/heimdal/kpasswd/kpasswdd.8
@@ -1,4 +1,4 @@
-.\" $Id: kpasswdd.8,v 1.2 1999/04/19 16:32:01 joda Exp $
+.\" $Id: kpasswdd.8,v 1.3 2001/01/11 21:36:43 assar Exp $
 .\"
 .Dd April 19, 1999
 .Dt KPASSWDD 8
@@ -11,6 +11,17 @@ Kerberos 5 password changing server
 .Nm
 .Op Fl -check-library= Ns Ar library
 .Op Fl -check-function= Ns Ar function
+.Oo Fl k Ar kspec \*(Ba Xo
+.Fl -keytab= Ns Ar kspec Oc
+.Xc
+.Oo Fl r Ar realm \*(Ba Xo
+.Fl -realm= Ns Ar realm Oc
+.Xc
+.Oo Fl p Ar string \*(Ba Xo
+.Fl -port= Ns Ar string Oc
+.Xc
+.Op Fl -version
+.Op Fl -help
 .Sh DESCRIPTION
 .Nm
 serves request for password changes. It listens on UDP port 464
@@ -42,6 +53,21 @@ is the one who tries to change passwords, and
 is the new password. Note that the password (in
 .Fa password->data )
 is not zero terminated.
+.It Xo
+.Fl k Ar kspec Ns ,
+.Fl -keytab= Ns Ar kspec
+.Xc
+keytab to get authentication key from
+.It Xo
+.Fl r Ar realm Ns ,
+.Fl -realm= Ns Ar realm
+.Xc
+default realm
+.It Xo
+.Fl p Ar string Ns ,
+.Fl -port= Ns Ar string
+.Xc
+port to listen on (default service kpasswd - 464).
 .El
 .Sh DIAGNOSTICS
 If an error occurs, the error message is returned to the user and/or
diff --git a/crypto/heimdal/kpasswd/kpasswdd.c b/crypto/heimdal/kpasswd/kpasswdd.c
index 04b8ea3..4c6f197 100644
--- a/crypto/heimdal/kpasswd/kpasswdd.c
+++ b/crypto/heimdal/kpasswd/kpasswdd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,12 +32,9 @@
  */
 
 #include "kpasswd_locl.h"
-RCSID("$Id: kpasswdd.c,v 1.41 1999/12/02 17:05:00 joda Exp $");
+RCSID("$Id: kpasswdd.c,v 1.49 2001/01/11 21:33:53 assar Exp $");
 
 #include <kadm5/admin.h>
-#ifdef HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
 
 #include <hdb.h>
 
@@ -166,7 +163,7 @@ reply_priv (krb5_auth_context auth_context,
     krb5_data e_data;
 
     ret = krb5_mk_rep (context,
-		       &auth_context,
+		       auth_context,
 		       &ap_rep_data);
     if (ret) {
 	krb5_warn (context, ret, "Could not even generate error reply");
@@ -206,14 +203,10 @@ change (krb5_auth_context auth_context,
 {
     krb5_error_code ret;
     char *client;
-    kadm5_principal_ent_rec ent;
-    krb5_key_data *kd;
-    krb5_salt salt;
-    krb5_keyblock new_keyblock;
     const char *pwd_reason;
-    int unchanged;
     kadm5_config_params conf;
     void *kadm5_handle;
+    char *tmp;
 
     memset (&conf, 0, sizeof(conf));
     
@@ -244,75 +237,27 @@ change (krb5_auth_context auth_context,
 	return;
     }
 
-    ret = kadm5_get_principal (kadm5_handle,
-			       principal,
-			       &ent,
-			       KADM5_KEY_DATA);
-    if (ret) {
-	krb5_warn (context, ret, "kadm5_get_principal");
+    tmp = malloc (pwd_data->length + 1);
+    if (tmp == NULL) {
+	krb5_warnx (context, "malloc: out of memory");
 	reply_priv (auth_context, s, sa, sa_size, 2,
 		    "Internal error");
-	kadm5_destroy (kadm5_handle);
-	return;
+	goto out;
     }
+    memcpy (tmp, pwd_data->data, pwd_data->length);
+    tmp[pwd_data->length] = '\0';
 
-    /*
-     * Compare with the first key to see if it already has been
-     * changed.  If it hasn't, store the new key in the database and
-     * string2key all the rest of them.
-     */
-
-    kd = &ent.key_data[0];
-    
-    salt.salttype         = kd->key_data_type[1];
-    salt.saltvalue.length = kd->key_data_length[1];
-    salt.saltvalue.data   = kd->key_data_contents[1];
-
-    memset (&new_keyblock, 0, sizeof(new_keyblock));
-    krb5_string_to_key_data_salt (context,
-				  kd->key_data_type[0],
-				  *pwd_data,
-				  salt,
-				  &new_keyblock);
-
-    unchanged = new_keyblock.keytype == kd->key_data_type[0]
-	&& new_keyblock.keyvalue.length == kd->key_data_length[0]
-	&& memcmp(new_keyblock.keyvalue.data,
-		  kd->key_data_contents[0],
-		  new_keyblock.keyvalue.length) == 0;
-
-    krb5_free_keyblock_contents (context, &new_keyblock);
-
-    if (unchanged) {
-	ret = 0;
-    } else {
-	char *tmp;
-
-	tmp = malloc (pwd_data->length + 1);
-	if (tmp == NULL) {
-	    krb5_warnx (context, "malloc: out of memory");
-	    reply_priv (auth_context, s, sa, sa_size, 2,
-			"Internal error");
-	    goto out;
-	}
-	memcpy (tmp, pwd_data->data, pwd_data->length);
-	tmp[pwd_data->length] = '\0';
-
-	ret = kadm5_chpass_principal (kadm5_handle,
-				      principal,
-				      tmp);
-	memset (tmp, 0, pwd_data->length);
-	free (tmp);
-	if (ret) {
-	    krb5_warn (context, ret, "kadm5_s_chpass_principal");
-	    reply_priv (auth_context, s, sa, sa_size, 2,
-			"Internal error");
-	    goto out;
-	}
+    ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, tmp);
+    memset (tmp, 0, pwd_data->length);
+    free (tmp);
+    if (ret) {
+	krb5_warn (context, ret, "kadm5_s_chpass_principal_cond");
+	reply_priv (auth_context, s, sa, sa_size, 2,
+		    "Internal error");
+	goto out;
     }
     reply_priv (auth_context, s, sa, sa_size, 0, "Password changed");
 out:
-    kadm5_free_principal_ent (kadm5_handle, &ent);
     kadm5_destroy (kadm5_handle);
 }
 
@@ -421,9 +366,6 @@ process (krb5_principal server,
 	return;
     }
 
-    krb5_auth_con_setflags (context, auth_context,
-			    KRB5_AUTH_CONTEXT_DO_SEQUENCE);
-
     ret = krb5_sockaddr2address (sa, &other_addr);
     if (ret) {
 	krb5_warn (context, ret, "krb5_sockaddr2address");
@@ -447,6 +389,7 @@ process (krb5_principal server,
 		s,
 		sa, sa_size,
 		&out_data);
+	memset (out_data.data, 0, out_data.length);
 	krb5_free_ticket (context, ticket);
 	free (ticket);
     }
@@ -457,8 +400,7 @@ out:
 }
 
 static int
-doit (krb5_keytab keytab,
-      int port)
+doit (krb5_keytab keytab, int port)
 {
     krb5_error_code ret;
     krb5_principal server;
@@ -514,6 +456,8 @@ doit (krb5_keytab keytab,
 	    krb5_err (context, 1, errno, "bind(%s)", str);
 	}
 	maxfd = max (maxfd, sockets[i]);
+	if (maxfd >= FD_SETSIZE)
+	    krb5_errx (context, 1, "fd too large");
 	FD_SET(sockets[i], &real_fdset);
     }
 
@@ -531,7 +475,7 @@ doit (krb5_keytab keytab,
 	for (i = 0; i < n; ++i)
 	    if (FD_ISSET(sockets[i], &fdset)) {
 		u_char buf[BUFSIZ];
-		int addrlen = sizeof(__ss);
+		socklen_t addrlen = sizeof(__ss);
 
 		ret = recvfrom (sockets[i], buf, sizeof(buf), 0,
 				sa, &addrlen);
@@ -566,6 +510,7 @@ char *keytab_str = "HDB:";
 char *realm_str;
 int version_flag;
 int help_flag;
+char *port_str;
 
 struct getargs args[] = {
 #ifdef HAVE_DLOPEN
@@ -577,6 +522,7 @@ struct getargs args[] = {
     { "keytab", 'k', arg_string, &keytab_str, 
       "keytab to get authentication key from", "kspec" },
     { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
+    { "port",  'p', arg_string, &port_str, "port" },
     { "version", 0, arg_flag, &version_flag },
     { "help", 0, arg_flag, &help_flag }
 };
@@ -588,6 +534,7 @@ main (int argc, char **argv)
     int optind;
     krb5_keytab keytab;
     krb5_error_code ret;
+    int port;
     
     optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
     
@@ -604,6 +551,22 @@ main (int argc, char **argv)
     krb5_openlog (context, "kpasswdd", &log_facility);
     krb5_set_warn_dest(context, log_facility);
 
+    if (port_str != NULL) {
+	struct servent *s = roken_getservbyname (port_str, "udp");
+
+	if (s != NULL)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		krb5_errx (context, 1, "bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    } else
+	port = krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT);
+
     ret = krb5_kt_register(context, &hdb_kt_ops);
     if(ret)
 	krb5_err(context, 1, ret, "krb5_kt_register");
@@ -622,13 +585,15 @@ main (int argc, char **argv)
 	sa.sa_handler = sigterm;
 	sigemptyset(&sa.sa_mask);
 
-	sigaction(SIGINT, &sa, NULL);
+	sigaction(SIGINT,  &sa, NULL);
+	sigaction(SIGTERM, &sa, NULL);
     }
 #else
-    signal(SIGINT, sigterm);
+    signal(SIGINT,  sigterm);
+    signal(SIGTERM, sigterm);
 #endif
 
-    return doit (keytab,
-		 krb5_getportbyname (context, "kpasswd", 
-				     "udp", KPASSWD_PORT));
+    pidfile(NULL);
+
+    return doit (keytab, port);
 }
diff --git a/crypto/heimdal/kuser/Makefile.am b/crypto/heimdal/kuser/Makefile.am
index 4faed9a..f3900ff 100644
--- a/crypto/heimdal/kuser/Makefile.am
+++ b/crypto/heimdal/kuser/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.25 1999/09/21 05:12:29 assar Exp $
+# $Id: Makefile.am,v 1.27 2000/11/15 22:51:13 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -12,7 +12,7 @@ kinit_SOURCES = kinit.c kinit_options.c
 
 kauth_SOURCES = kinit.c kauth_options.c
 
-noinst_PROGRAMS = kverify kdecode_ticket
+noinst_PROGRAMS = kverify kdecode_ticket generate-requests
 
 CHECK_LOCAL = $(bin_PROGRAMS)
 
@@ -20,7 +20,7 @@ kauth_LDADD = \
 	$(LIB_kafs) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_krb4) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
@@ -32,6 +32,6 @@ klist_LDADD	= $(kauth_LDADD)
 
 LDADD = \
 	$(top_builddir)/lib/krb5/libkrb5.la \
- 	$(top_builddir)/lib/des/libdes.la \
- 	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
diff --git a/crypto/heimdal/kuser/Makefile.in b/crypto/heimdal/kuser/Makefile.in
index 06ec4716..40ab2b6 100644
--- a/crypto/heimdal/kuser/Makefile.in
+++ b/crypto/heimdal/kuser/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.25 1999/09/21 05:12:29 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.27 2000/11/15 22:51:13 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,24 +170,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(bin_PROGRAMS)
 
@@ -181,9 +195,15 @@ kinit_SOURCES = kinit.c kinit_options.c
 
 kauth_SOURCES = kinit.c kauth_options.c
 
-noinst_PROGRAMS = kverify kdecode_ticket
+noinst_PROGRAMS = kverify kdecode_ticket generate-requests
 
-kauth_LDADD =  	$(LIB_kafs) 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+kauth_LDADD = \
+	$(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
 
 
 kinit_LDADD = $(kauth_LDADD)
@@ -192,101 +212,108 @@ kdestroy_LDADD = $(kauth_LDADD)
 
 klist_LDADD = $(kauth_LDADD)
 
-LDADD =  	$(top_builddir)/lib/krb5/libkrb5.la  	$(top_builddir)/lib/des/libdes.la  	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+LDADD = \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
 
+subdir = kuser
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../include/config.h
 CONFIG_CLEAN_FILES = 
 bin_PROGRAMS =  kinit$(EXEEXT) kauth$(EXEEXT) klist$(EXEEXT) \
 kdestroy$(EXEEXT) kgetcred$(EXEEXT)
-noinst_PROGRAMS =  kverify$(EXEEXT) kdecode_ticket$(EXEEXT)
+noinst_PROGRAMS =  kverify$(EXEEXT) kdecode_ticket$(EXEEXT) \
+generate-requests$(EXEEXT)
 PROGRAMS =  $(bin_PROGRAMS) $(noinst_PROGRAMS)
 
 
 DEFS = @DEFS@ -I. -I$(srcdir) -I../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-kinit_OBJECTS =  kinit.$(OBJEXT) kinit_options.$(OBJEXT)
-@KRB4_TRUE@kinit_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
-@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_FALSE@kinit_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+generate_requests_SOURCES = generate-requests.c
+generate_requests_OBJECTS =  generate-requests.$(OBJEXT)
+generate_requests_LDADD = $(LDADD)
+generate_requests_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+generate_requests_LDFLAGS = 
+am_kauth_OBJECTS =  kinit.$(OBJEXT) kauth_options.$(OBJEXT)
+kauth_OBJECTS =  $(am_kauth_OBJECTS)
+@KRB4_FALSE@kauth_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
 @KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
-kinit_LDFLAGS = 
-kauth_OBJECTS =  kinit.$(OBJEXT) kauth_options.$(OBJEXT)
 @KRB4_TRUE@kauth_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
 @KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
 @KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_FALSE@kauth_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
 kauth_LDFLAGS = 
-klist_SOURCES = klist.c
-klist_OBJECTS =  klist.$(OBJEXT)
-@KRB4_TRUE@klist_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
-@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_FALSE@klist_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
-klist_LDFLAGS = 
+kdecode_ticket_SOURCES = kdecode_ticket.c
+kdecode_ticket_OBJECTS =  kdecode_ticket.$(OBJEXT)
+kdecode_ticket_LDADD = $(LDADD)
+kdecode_ticket_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kdecode_ticket_LDFLAGS = 
 kdestroy_SOURCES = kdestroy.c
 kdestroy_OBJECTS =  kdestroy.$(OBJEXT)
+@KRB4_FALSE@kdestroy_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
 @KRB4_TRUE@kdestroy_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
 @KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
 @KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_FALSE@kdestroy_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
 kdestroy_LDFLAGS = 
 kgetcred_SOURCES = kgetcred.c
 kgetcred_OBJECTS =  kgetcred.$(OBJEXT)
 kgetcred_LDADD = $(LDADD)
 kgetcred_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/asn1/libasn1.la
 kgetcred_LDFLAGS = 
+am_kinit_OBJECTS =  kinit.$(OBJEXT) kinit_options.$(OBJEXT)
+kinit_OBJECTS =  $(am_kinit_OBJECTS)
+@KRB4_FALSE@kinit_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@kinit_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+kinit_LDFLAGS = 
+klist_SOURCES = klist.c
+klist_OBJECTS =  klist.$(OBJEXT)
+@KRB4_FALSE@klist_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@klist_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+klist_LDFLAGS = 
 kverify_SOURCES = kverify.c
 kverify_OBJECTS =  kverify.$(OBJEXT)
 kverify_LDADD = $(LDADD)
 kverify_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+$(top_builddir)/lib/asn1/libasn1.la
 kverify_LDFLAGS = 
-kdecode_ticket_SOURCES = kdecode_ticket.c
-kdecode_ticket_OBJECTS =  kdecode_ticket.$(OBJEXT)
-kdecode_ticket_LDADD = $(LDADD)
-kdecode_ticket_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
-kdecode_ticket_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  generate-requests.c $(kauth_SOURCES) kdecode_ticket.c \
+kdestroy.c kgetcred.c $(kinit_SOURCES) klist.c kverify.c
 man1dir = $(mandir)/man1
 MANS = $(man_MANS)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
-SOURCES = $(kinit_SOURCES) $(kauth_SOURCES) klist.c kdestroy.c kgetcred.c kverify.c kdecode_ticket.c
-OBJECTS = $(kinit_OBJECTS) $(kauth_OBJECTS) klist.$(OBJEXT) kdestroy.$(OBJEXT) kgetcred.$(OBJEXT) kverify.$(OBJEXT) kdecode_ticket.$(OBJEXT)
+SOURCES = generate-requests.c $(kauth_SOURCES) kdecode_ticket.c kdestroy.c kgetcred.c $(kinit_SOURCES) klist.c kverify.c
+OBJECTS = generate-requests.$(OBJEXT) $(am_kauth_OBJECTS) kdecode_ticket.$(OBJEXT) kdestroy.$(OBJEXT) kgetcred.$(OBJEXT) $(am_kinit_OBJECTS) klist.$(OBJEXT) kverify.$(OBJEXT)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign kuser/Makefile
 
@@ -309,15 +336,18 @@ install-binPROGRAMS: $(bin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(bindir)
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-binPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
 	done
 
 mostlyclean-noinstPROGRAMS:
@@ -329,20 +359,6 @@ distclean-noinstPROGRAMS:
 
 maintainer-clean-noinstPROGRAMS:
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -354,15 +370,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -373,17 +380,17 @@ distclean-libtool:
 
 maintainer-clean-libtool:
 
-kinit$(EXEEXT): $(kinit_OBJECTS) $(kinit_DEPENDENCIES)
-	@rm -f kinit$(EXEEXT)
-	$(LINK) $(kinit_LDFLAGS) $(kinit_OBJECTS) $(kinit_LDADD) $(LIBS)
+generate-requests$(EXEEXT): $(generate_requests_OBJECTS) $(generate_requests_DEPENDENCIES)
+	@rm -f generate-requests$(EXEEXT)
+	$(LINK) $(generate_requests_LDFLAGS) $(generate_requests_OBJECTS) $(generate_requests_LDADD) $(LIBS)
 
 kauth$(EXEEXT): $(kauth_OBJECTS) $(kauth_DEPENDENCIES)
 	@rm -f kauth$(EXEEXT)
 	$(LINK) $(kauth_LDFLAGS) $(kauth_OBJECTS) $(kauth_LDADD) $(LIBS)
 
-klist$(EXEEXT): $(klist_OBJECTS) $(klist_DEPENDENCIES)
-	@rm -f klist$(EXEEXT)
-	$(LINK) $(klist_LDFLAGS) $(klist_OBJECTS) $(klist_LDADD) $(LIBS)
+kdecode_ticket$(EXEEXT): $(kdecode_ticket_OBJECTS) $(kdecode_ticket_DEPENDENCIES)
+	@rm -f kdecode_ticket$(EXEEXT)
+	$(LINK) $(kdecode_ticket_LDFLAGS) $(kdecode_ticket_OBJECTS) $(kdecode_ticket_LDADD) $(LIBS)
 
 kdestroy$(EXEEXT): $(kdestroy_OBJECTS) $(kdestroy_DEPENDENCIES)
 	@rm -f kdestroy$(EXEEXT)
@@ -393,13 +400,23 @@ kgetcred$(EXEEXT): $(kgetcred_OBJECTS) $(kgetcred_DEPENDENCIES)
 	@rm -f kgetcred$(EXEEXT)
 	$(LINK) $(kgetcred_LDFLAGS) $(kgetcred_OBJECTS) $(kgetcred_LDADD) $(LIBS)
 
+kinit$(EXEEXT): $(kinit_OBJECTS) $(kinit_DEPENDENCIES)
+	@rm -f kinit$(EXEEXT)
+	$(LINK) $(kinit_LDFLAGS) $(kinit_OBJECTS) $(kinit_LDADD) $(LIBS)
+
+klist$(EXEEXT): $(klist_OBJECTS) $(klist_DEPENDENCIES)
+	@rm -f klist$(EXEEXT)
+	$(LINK) $(klist_LDFLAGS) $(klist_OBJECTS) $(klist_LDADD) $(LIBS)
+
 kverify$(EXEEXT): $(kverify_OBJECTS) $(kverify_DEPENDENCIES)
 	@rm -f kverify$(EXEEXT)
 	$(LINK) $(kverify_LDFLAGS) $(kverify_OBJECTS) $(kverify_LDADD) $(LIBS)
-
-kdecode_ticket$(EXEEXT): $(kdecode_ticket_OBJECTS) $(kdecode_ticket_DEPENDENCIES)
-	@rm -f kdecode_ticket$(EXEEXT)
-	$(LINK) $(kdecode_ticket_LDFLAGS) $(kdecode_ticket_OBJECTS) $(kdecode_ticket_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-man1:
 	$(mkinstalldirs) $(DESTDIR)$(man1dir)
@@ -414,6 +431,7 @@ install-man1:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
@@ -429,6 +447,7 @@ uninstall-man1:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
@@ -442,23 +461,27 @@ uninstall-man:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -471,17 +494,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = kuser
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -510,7 +532,7 @@ uninstall: uninstall-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
 
@@ -524,6 +546,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-noinstPROGRAMS \
 		mostlyclean-compile mostlyclean-libtool \
 		mostlyclean-tags mostlyclean-generic
@@ -564,8 +587,9 @@ clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
 check-local check check-am installcheck-am installcheck install-exec-am \
 install-exec install-data-local install-data-am install-data install-am \
 install uninstall-am uninstall all-local all-redirect all-am all \
-installdirs mostlyclean-generic distclean-generic clean-generic \
-maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
 
 
 install-suid-programs:
@@ -573,7 +597,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -585,8 +612,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -655,87 +682,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/kuser/generate-requests.c b/crypto/heimdal/kuser/generate-requests.c
new file mode 100644
index 0000000..f7f5dd1
--- /dev/null
+++ b/crypto/heimdal/kuser/generate-requests.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+
+RCSID("$Id: generate-requests.c,v 1.2 2000/12/31 07:49:27 assar Exp $");
+
+static krb5_error_code
+null_key_proc (krb5_context context,
+	       krb5_enctype type,
+	       krb5_salt salt,
+	       krb5_const_pointer keyseed,
+	       krb5_keyblock **key)
+{
+    return ENOTTY;
+}
+
+static unsigned
+read_words (const char *filename, char ***ret_w)
+{
+    unsigned n, alloc;
+    FILE *f;
+    char buf[256];
+    char **w = NULL;
+
+    f = fopen (filename, "r");
+    if (f == NULL)
+	err (1, "cannot open %s", filename);
+    alloc = n = 0;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if (buf[strlen (buf) - 1] == '\n')
+	    buf[strlen (buf) - 1] = '\0';
+	if (n >= alloc) {
+	    alloc += 16;
+	    w = erealloc (w, alloc * sizeof(char **));
+	}
+	w[n++] = estrdup (buf);
+    }
+    *ret_w = w;
+    return n;
+}
+
+static void
+generate_requests (const char *filename, unsigned nreq)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_creds cred;
+    int i;
+    char **words;
+    unsigned nwords;
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    nwords = read_words (filename, &words);
+
+    for (i = 0; i < nreq; ++i) {
+	char *name = words[rand() % nwords];
+	krb5_realm *client_realm;
+
+	memset(&cred, 0, sizeof(cred));
+
+	ret = krb5_parse_name (context, name, &cred.client);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name %s", name);
+	client_realm = krb5_princ_realm (context, cred.client);
+
+	ret = krb5_make_principal(context, &cred.server, *client_realm,
+				  KRB5_TGS_NAME, *client_realm, NULL);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_make_principal");
+
+	ret = krb5_get_in_cred (context, 0, NULL, NULL, NULL, NULL,
+				null_key_proc, NULL, NULL, NULL,
+				&cred, NULL);
+	krb5_free_creds_contents (context, &cred);
+    }
+}
+
+static int version_flag	= 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "file number");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    int nreq;
+    char *end;
+
+    set_progname(argv[0]);
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 2)
+	usage (1);
+    srand (0);
+    nreq = strtol (argv[1], &end, 0);
+    if (argv[1] == end || *end != '\0')
+	usage (1);
+    generate_requests (argv[0], nreq);
+    return 0;
+}
diff --git a/crypto/heimdal/kuser/kdecode_ticket.c b/crypto/heimdal/kuser/kdecode_ticket.c
index dd365dc..499a3e9 100644
--- a/crypto/heimdal/kuser/kdecode_ticket.c
+++ b/crypto/heimdal/kuser/kdecode_ticket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kuser_locl.h"
 
-RCSID("$Id: kdecode_ticket.c,v 1.2 1999/12/02 17:05:00 joda Exp $");
+RCSID("$Id: kdecode_ticket.c,v 1.4 2000/12/31 07:50:19 assar Exp $");
 
 static char *etype_str;
 static int version_flag;
@@ -61,7 +61,9 @@ print_and_decode_tkt (krb5_context context,
     if (ret)
 	krb5_err (context, 1, ret, "krb5_string_to_key");
 
-    krb5_crypto_init(context, &key, 0, &crypto);
+    ret = krb5_crypto_init(context, &key, 0, &crypto);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_crypto_init");
 
     ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TICKET,
 				      &tkt.enc_part, &dec_data);
@@ -105,7 +107,7 @@ main(int argc, char **argv)
 
     ret = krb5_init_context (&context);
     if (ret)
-	errx(1, "krb5_init_context failed: %u", ret);
+	errx(1, "krb5_init_context failed: %d", ret);
   
     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
 	usage(1);
diff --git a/crypto/heimdal/kuser/kdestroy.c b/crypto/heimdal/kuser/kdestroy.c
index 632d02e..847c50e 100644
--- a/crypto/heimdal/kuser/kdestroy.c
+++ b/crypto/heimdal/kuser/kdestroy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "kuser_locl.h"
-RCSID("$Id: kdestroy.c,v 1.11 1999/12/02 17:05:01 joda Exp $");
+RCSID("$Id: kdestroy.c,v 1.12 2000/12/31 07:51:09 assar Exp $");
 
 static const char *cache;
 static int help_flag;
@@ -89,7 +89,7 @@ main (int argc, char **argv)
 
     ret = krb5_init_context (&context);
     if (ret)
-	errx (1, "krb5_init_context: %s", krb5_get_err_text(context, ret));
+	errx (1, "krb5_init_context failed: %d", ret);
   
     if(cache == NULL)
 	cache = krb5_cc_default_name(context);
diff --git a/crypto/heimdal/kuser/kgetcred.c b/crypto/heimdal/kuser/kgetcred.c
index 644e69e..a2b3b27 100644
--- a/crypto/heimdal/kuser/kgetcred.c
+++ b/crypto/heimdal/kuser/kgetcred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kuser_locl.h"
 
-RCSID("$Id: kgetcred.c,v 1.3 1999/12/02 17:05:01 joda Exp $");
+RCSID("$Id: kgetcred.c,v 1.4 2000/12/31 07:52:59 assar Exp $");
 
 static char *etype_str;
 static int version_flag;
@@ -69,7 +69,7 @@ main(int argc, char **argv)
 
     ret = krb5_init_context (&context);
     if (ret)
-	errx(1, "krb5_init_context failed: %u", ret);
+	errx(1, "krb5_init_context failed: %d", ret);
   
     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
 	usage(1);
diff --git a/crypto/heimdal/kuser/kinit.1 b/crypto/heimdal/kuser/kinit.1
index 749798a..37d7390 100644
--- a/crypto/heimdal/kuser/kinit.1
+++ b/crypto/heimdal/kuser/kinit.1
@@ -1,4 +1,4 @@
-.\" $Id: kinit.1,v 1.4 2000/02/01 14:12:13 joda Exp $
+.\" $Id: kinit.1,v 1.8 2001/01/28 21:44:56 assar Exp $
 .\"
 .Dd May 29, 1998
 .Dt KINIT 1
@@ -10,38 +10,38 @@
 acquire initial tickets
 .Sh SYNOPSIS
 .Nm kinit
-.Op Fl 4
-.Op Fl -524init
+.Op Fl 4 | Fl -524init
 .Op Fl -afslog
-.Op Fl c Ar cachename
-.Op Fl -cache= Ns Ar cachename
-.Op Fl c Ar cachename
-.Op Fl -cache= Ns Ar cachename
-.Op Fl f
-.Op Fl -forwardable
-.Op Fl t Ar keytabname
-.Op Fl -keytab= Ns Ar keytabname
-.Op Fl l Ar seconds
-.Op Fl -lifetime= Ns Ar seconds
-.Op Fl p
-.Op Fl -proxiable
-.Op Fl R
-.Op Fl -renew
+.Oo Fl c Ar cachename \*(Ba Xo
+.Fl -cache= Ns Ar cachename Oc
+.Xc
+.Op Fl f | Fl -forwardable
+.Oo Fl t Ar keytabname \*(Ba Xo
+.Fl -keytab= Ns Ar keytabname Oc
+.Xc
+.Oo Fl l Ar time \*(Ba Xo
+.Fl -lifetime= Ns Ar time Oc
+.Xc
+.Op Fl p | Fl -proxiable
+.Op Fl R | Fl -renew
 .Op Fl -renewable
-.Op Fl r Ar seconds
-.Op Fl -renewable-life= Ns Ar seconds
-.Op Fl S Ar principal
-.Op Fl -server= Ns Ar principal
-.Op Fl s Ar seconds
-.Op Fl -start-time= Ns Ar seconds
-.Op Fl k
-.Op Fl -use-keytab
-.Op Fl v
-.Op Fl -validate
-.Op Fl e
-.Op Fl -enctypes= Ns Ar enctypes
-.Op Fl -fcache-version= Ns Ar version
+.Oo Fl r Ar time \*(Ba Xo
+.Fl -renewable-life= Ns Ar time Oc
+.Xc
+.Oo Fl S Ar principal \*(Ba Xo
+.Fl -server= Ns Ar principal Oc
+.Xc
+.Oo Fl s Ar time \*(Ba Xo
+.Fl -start-time= Ns Ar time Oc
+.Xc
+.Op Fl k | Fl -use-keytab
+.Op Fl v | Fl -validate
+.Oo Fl e Ar enctype \*(Ba Xo
+.Fl -enctypes= Ns Ar enctype Oc
+.Xc
+.Op Fl -fcache-version= Ns Ar integer
 .Op Fl -no-addresses
+.Op Fl -anonymous
 .Op Fl -version
 .Op Fl -help
 .Op Ar principal
@@ -49,9 +49,15 @@ acquire initial tickets
 .Nm
 is used to authenticate to the kerberos server as
 .Ar principal ,
-or if none is given, a system generated default, and acquire a ticket
-granting ticket that can later be used to obtain tickets for other
-services.
+or if none is given, a system generated default (typically your login
+name at the default realm), and acquire a ticket granting ticket that
+can later be used to obtain tickets for other services.
+.Pp
+If you have compiled kinit with Kerberos 4 support and you have a
+Kerberos 4 server,
+.Nm
+will detect this and get you Kerberos 4 tickets.
+.Pp
 Supported options:
 .Bl -tag -width Ds
 .It Xo
@@ -72,10 +78,12 @@ Get ticket that can be forwarded to another host.
 Don't ask for a password, but instead get the key from the specified
 keytab.
 .It Xo 
-.Fl l Ar seconds Ns , 
-.Fl -lifetime= Ns Ar seconds
+.Fl l Ar time Ns , 
+.Fl -lifetime= Ns Ar time
 .Xc
-Specifies the lifetime of the ticket.
+Specifies the lifetime of the ticket. The argument can either be in
+seconds, or a more human readable string like
+.Sq 1h .
 .It Xo
 .Fl p Ns ,
 .Fl -proxiable
@@ -93,8 +101,8 @@ The same as
 .Fl -renewable-life ,
 with an infinite time.
 .It Xo
-.Fl r Ar seconds Ns ,
-.Fl -renewable-life= Ns Ar seconds
+.Fl r Ar time Ns ,
+.Fl -renewable-life= Ns Ar time
 .Xc
 The max renewable ticket life.
 .It Xo
@@ -103,10 +111,14 @@ The max renewable ticket life.
 .Xc
 Get a ticket for a service other than krbtgt/LOCAL.REALM.
 .It Xo
-.Fl s Ar seconds Ns ,
-.Fl -start-time= Ns Ar seconds
+.Fl s Ar time Ns ,
+.Fl -start-time= Ns Ar time
 .Xc
-Start time of ticket, if other than the current time.
+Obtain a ticket that starts to be valid
+.Ar time
+(which can really be a generic time specification, like
+.Sq 1h )
+seconds into the future.
 .It Xo
 .Fl k Ns ,
 .Fl -use-keytab
@@ -134,8 +146,14 @@ Create a credentials cache of version
 .Fl -no-addresses
 .Xc
 Request a ticket with no addresses.
+.It Xo
+.Fl -anonymous
+.Xc
+Request an anonymous ticket (which means that the ticket will be
+issued to an anonymous principal, typically 
+.Dq anonymous@REALM).
 .El
-
+.Pp
 The following options are only available if
 .Nm 
 has been compiled with support for Kerberos 4. The 
@@ -149,13 +167,24 @@ default.
 .Fl 4 Ns ,
 .Fl -524init
 .Xc
-Try to convert the obtained krbtgt to a version 4 compatible
+Try to convert the obtained Kerberos 5 krbtgt to a version 4 compatible
 ticket. It will store this ticket in the default Kerberos 4 ticket
 file.
 .It Fl -afslog
 Gets AFS tickets, converts them to version 4 format, and stores them
 in the kernel. Only useful if you have AFS.
 .El
+.Pp
+The 
+.Ar forwardable ,
+.Ar proxiable ,
+.Ar ticket_life ,
+and
+.Ar renewable_life 
+options can be set to a default value from the
+.Dv appdefaults
+section in krb5.conf, see
+.Xr krb5_appdefault 3 .
 .Sh ENVIRONMENT
 .Bl -tag -width Ds
 .It Ev KRB5CCNAME
@@ -172,9 +201,10 @@ Specifies the Kerberos 4 ticket file to store version 4 tickets in.
 .\".Sh EXAMPLES
 .\".Sh DIAGNOSTICS
 .Sh SEE ALSO
-.Xr krb5.conf 5 ,
+.Xr kdestroy 1 ,
 .Xr klist 1 ,
-.Xr kdestroy 1
+.Xr krb5.conf 5 ,
+.Xr krb5_appdefault 3
 .\".Sh STANDARDS
 .\".Sh HISTORY
 .\".Sh AUTHORS
diff --git a/crypto/heimdal/kuser/kinit.c b/crypto/heimdal/kuser/kinit.c
index 35b493a..be2857c 100644
--- a/crypto/heimdal/kuser/kinit.c
+++ b/crypto/heimdal/kuser/kinit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,16 +32,142 @@
  */
 
 #include "kuser_locl.h"
-RCSID("$Id: kinit.c,v 1.60 2000/02/01 14:06:33 joda Exp $");
+RCSID("$Id: kinit.c,v 1.69 2001/01/05 16:32:55 joda Exp $");
 
-int forwardable		= 0;
-int proxiable		= 0;
-int renewable		= 0;
+#ifdef KRB4
+/* for when the KDC tells us it's a v4 one, we try to talk that */
+
+static int
+key_to_key(const char *user,
+	   char *instance,
+	   const char *realm,
+	   const void *arg,
+	   des_cblock *key)
+{
+    memcpy(key, arg, sizeof(des_cblock));
+    return 0;
+}
+
+static int
+do_v4_fallback (krb5_context context,
+		const krb5_principal principal,
+		int lifetime,
+		int use_srvtab, const char *srvtab_str,
+		char *passwd, size_t passwd_size)
+{
+    int ret;
+    krb_principal princ;
+    des_cblock key;
+    krb5_error_code kret;
+
+    if (lifetime == 0)
+	lifetime = DEFAULT_TKT_LIFE;
+    else
+	lifetime = krb_time_to_life (0, lifetime);
+
+    kret = krb5_524_conv_principal (context, principal,
+				    princ.name,
+				    princ.instance,
+				    princ.realm);
+    if (kret) {
+	krb5_warn (context, kret, "krb5_524_conv_principal");
+	return 1;
+    }
+
+    if (use_srvtab || srvtab_str) {
+	if (srvtab_str == NULL)
+	    srvtab_str = KEYFILE;
+
+	ret = read_service_key (princ.name, princ.instance, princ.realm,
+				0, srvtab_str, (char *)&key);
+	if (ret) {
+	    warnx ("read_service_key %s: %s", srvtab_str,
+		   krb_get_err_text (ret));
+	    return 1;
+	}
+	ret = krb_get_in_tkt (princ.name, princ.instance, princ.realm,
+			      KRB_TICKET_GRANTING_TICKET, princ.realm,
+			      lifetime, key_to_key, NULL, key);
+    } else {
+	ret = krb_get_pw_in_tkt2(princ.name, princ.instance, princ.realm, 
+				 KRB_TICKET_GRANTING_TICKET, princ.realm, 
+				 lifetime, passwd, &key);
+    }
+    memset (passwd, 0, passwd_size);
+    memset (key, 0, sizeof(key));
+    if (ret) {
+	warnx ("%s", krb_get_err_text(ret));
+	return 1;
+    }
+    if (k_hasafs()) {
+	if ((ret = krb_afslog(NULL, NULL)) != 0 && ret != KDC_PR_UNKNOWN) {
+	    if(ret > 0)
+		warnx ("%s", krb_get_err_text(ret));
+	    else
+		warnx ("failed to store AFS token");
+	}
+    }
+    return 0;
+}
+
+
+/*
+ * the special version of get_default_principal that takes v4 into account
+ */
+
+static krb5_error_code
+kinit_get_default_principal (krb5_context context,
+			     krb5_principal *princ)
+{
+    krb5_error_code ret;
+    krb5_ccache id;
+    krb_principal v4_princ;
+    int kret;
+
+    ret = krb5_cc_default (context, &id);
+    if (ret == 0) {
+	ret = krb5_cc_get_principal (context, id, princ);
+	krb5_cc_close (context, id);
+	if (ret == 0)
+	    return 0;
+    }
+
+    kret = krb_get_tf_fullname (tkt_string(),
+				v4_princ.name,
+				v4_princ.instance,
+				v4_princ.realm);
+    if (kret == KSUCCESS) {
+	ret = krb5_425_conv_principal (context,
+				       v4_princ.name,
+				       v4_princ.instance,
+				       v4_princ.realm,
+				       princ);
+	if (ret == 0)
+	    return 0;
+    }
+    return krb5_get_default_principal (context, princ);
+}
+
+#else /* !KRB4 */
+
+static krb5_error_code
+kinit_get_default_principal (krb5_context context,
+			     krb5_principal *princ)
+{
+    return krb5_get_default_principal (context, princ);
+}
+
+#endif /* !KRB4 */
+
+int forwardable_flag	= -1;
+int proxiable_flag	= -1;
+int renewable_flag	= -1;
 int renew_flag		= 0;
 int validate_flag	= 0;
 int version_flag	= 0;
 int help_flag		= 0;
 int addrs_flag		= 1;
+int anonymous_flag	= 0;
 char *lifetime 		= NULL;
 char *renew_life	= NULL;
 char *server		= NULL;
@@ -56,7 +182,7 @@ extern int get_v4_tgt;
 #endif
 int fcache_version;
 
-struct getargs args[] = {
+static struct getargs args[] = {
 #ifdef KRB4
     { "524init", 	'4', arg_flag, &get_v4_tgt,
       "obtain version 4 TGT" },
@@ -67,32 +193,32 @@ struct getargs args[] = {
     { "cache", 		'c', arg_string, &cred_cache,
       "credentials cache", "cachename" },
 
-    { "forwardable",	'f', arg_flag, &forwardable,
+    { "forwardable",	'f', arg_flag, &forwardable_flag,
       "get forwardable tickets"},
 
     { "keytab",         't', arg_string, &keytab_str,
       "keytab to use", "keytabname" },
 
     { "lifetime",	'l', arg_string, &lifetime,
-      "lifetime of tickets", "seconds"},
+      "lifetime of tickets", "time"},
 
-    { "proxiable",	'p', arg_flag, &proxiable,
+    { "proxiable",	'p', arg_flag, &proxiable_flag,
       "get proxiable tickets" },
 
     { "renew",          'R', arg_flag, &renew_flag,
       "renew TGT" },
 
-    { "renewable",	0,   arg_flag, &renewable,
+    { "renewable",	0,   arg_flag, &renewable_flag,
       "get renewable tickets" },
 
     { "renewable-life",	'r', arg_string, &renew_life,
-      "renewable lifetime of tickets", "seconds" },
+      "renewable lifetime of tickets", "time" },
 
     { "server", 	'S', arg_string, &server,
       "server to get ticket for", "principal" },
 
     { "start-time",	's', arg_string, &start_str,
-      "when ticket gets valid", "seconds" },
+      "when ticket gets valid", "time" },
 
     { "use-keytab",     'k', arg_flag, &use_keytab,
       "get key from keytab" },
@@ -101,7 +227,7 @@ struct getargs args[] = {
       "validate TGT" },
 
     { "enctypes",	'e', arg_strings, &etype_str,
-      "encryption type to use", "enctype" },
+      "encryption types to use", "enctypes" },
 
     { "fcache-version", 0,   arg_integer, &fcache_version,
       "file cache version to create" },
@@ -109,6 +235,9 @@ struct getargs args[] = {
     { "addresses",	0,   arg_negative_flag,	&addrs_flag,
       "request a ticket with no addresses" },
 
+    { "anonymous",	0,   arg_flag,	&anonymous_flag,
+      "request an anonymous ticket" },
+
     { "version", 	0,   arg_flag, &version_flag },
     { "help",		0,   arg_flag, &help_flag }
 };
@@ -159,10 +288,11 @@ renew_validate(krb5_context context,
 	}
     }
     flags.i = 0;
-    flags.b.renewable   = flags.b.renew = renew;
-    flags.b.validate    = validate;
-    flags.b.forwardable = forwardable;
-    flags.b.proxiable   = proxiable;
+    flags.b.renewable         = flags.b.renew = renew;
+    flags.b.validate          = validate;
+    flags.b.forwardable       = forwardable_flag;
+    flags.b.proxiable         = proxiable_flag;
+    flags.b.request_anonymous = anonymous_flag;
     if(life)
 	in.times.endtime = time(NULL) + life;
 
@@ -207,18 +337,22 @@ main (int argc, char **argv)
     krb5_deltat start_time = 0;
     krb5_deltat ticket_life = 0;
     krb5_addresses no_addrs;
+    char passwd[256];
 
     set_progname (argv[0]);
     memset(&cred, 0, sizeof(cred));
     
     ret = krb5_init_context (&context);
     if (ret)
-	errx(1, "krb5_init_context failed: %u", ret);
+	errx(1, "krb5_init_context failed: %d", ret);
   
-    forwardable = krb5_config_get_bool (context, NULL,
-					"libdefaults",
-					"forwardable",
-					NULL);
+    /* XXX no way to figure out if set without explict test */
+    if(krb5_config_get_string(context, NULL, "libdefaults", 
+			      "forwardable", NULL))
+	forwardable_flag = krb5_config_get_bool (context, NULL,
+						 "libdefaults",
+						 "forwardable",
+						 NULL);
 
 #ifdef KRB4
     get_v4_tgt = krb5_config_get_bool_default (context, NULL,
@@ -239,6 +373,22 @@ main (int argc, char **argv)
 	exit(0);
     }
 
+    argc -= optind;
+    argv += optind;
+
+    if (argc > 1)
+	usage (1);
+
+    if (argv[0]) {
+	ret = krb5_parse_name (context, argv[0], &principal);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name");
+    } else {
+	ret = kinit_get_default_principal (context, &principal);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_get_default_principal");
+    }
+
     if(fcache_version)
 	krb5_set_fcache_version(context, fcache_version);
 
@@ -264,8 +414,15 @@ main (int argc, char **argv)
 
     krb5_get_init_creds_opt_init (&opt);
     
-    krb5_get_init_creds_opt_set_forwardable (&opt, forwardable);
-    krb5_get_init_creds_opt_set_proxiable (&opt, proxiable);
+    krb5_get_init_creds_opt_set_default_flags(context, "kinit", 
+					      /* XXX */principal->realm, &opt);
+
+    if(forwardable_flag != -1)
+	krb5_get_init_creds_opt_set_forwardable (&opt, forwardable_flag);
+    if(proxiable_flag != -1)
+	krb5_get_init_creds_opt_set_proxiable (&opt, proxiable_flag);
+    if(anonymous_flag != -1)
+	krb5_get_init_creds_opt_set_anonymous (&opt, anonymous_flag);
 
     if (!addrs_flag) {
 	no_addrs.len = 0;
@@ -280,7 +437,7 @@ main (int argc, char **argv)
 	    errx (1, "unparsable time: %s", renew_life);
 
 	krb5_get_init_creds_opt_set_renew_life (&opt, tmp);
-    } else if (renewable)
+    } else if (renewable_flag)
 	krb5_get_init_creds_opt_set_renew_life (&opt, 1 << 30);
 
     if(ticket_life != 0)
@@ -311,18 +468,16 @@ main (int argc, char **argv)
 					       etype_str.num_strings);
     }
 
-    argc -= optind;
-    argv += optind;
-
-    if (argc > 1)
-	usage (1);
-
-    if (argv[0]) {
-	ret = krb5_parse_name (context, argv[0], &principal);
-	if (ret)
-	    krb5_err (context, 1, ret, "krb5_parse_name");
-    } else
-	principal = NULL;
+#ifdef KRB4
+    get_v4_tgt = krb5_config_get_bool_default (context,
+					       NULL,
+					       get_v4_tgt,
+					       "realms",
+					       krb5_princ_realm(context,
+								principal),
+					       "krb4_get_tickets",
+					       NULL);
+#endif
 
     if(use_keytab || keytab_str) {
 	krb5_keytab kt;
@@ -340,23 +495,55 @@ main (int argc, char **argv)
 					  server,
 					  &opt);
 	krb5_kt_close(context, kt);
-    } else 
+    } else {
+	char *p, *prompt;
+
+	krb5_unparse_name (context, principal, &p);
+	asprintf (&prompt, "%s's Password: ", p);
+	free (p);
+
+	if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
+	    memset(passwd, 0, sizeof(passwd));
+	    exit(1);
+	}
+
+	free (prompt);
+
 	ret = krb5_get_init_creds_password (context,
 					    &cred,
 					    principal,
-					    NULL,
+					    passwd,
 					    krb5_prompter_posix,
 					    NULL,
 					    start_time,
 					    server,
 					    &opt);
+    }
+#ifdef KRB4
+    if (ret == KRB5KRB_AP_ERR_V4_REPLY || ret == KRB5_KDC_UNREACH) {
+	int exit_val;
+
+	exit_val = do_v4_fallback (context, principal, ticket_life,
+				   use_keytab, keytab_str,
+				   passwd, sizeof(passwd));
+	memset(passwd, 0, sizeof(passwd));
+	if (exit_val == 0 || ret == KRB5KRB_AP_ERR_V4_REPLY) {
+	    krb5_free_context (context);
+	    return exit_val;
+	}
+    }
+#endif
+    memset(passwd, 0, sizeof(passwd));
+
     switch(ret){
     case 0:
 	break;
     case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
+	memset(passwd, 0, sizeof(passwd));
 	exit(1);
     case KRB5KRB_AP_ERR_BAD_INTEGRITY:
     case KRB5KRB_AP_ERR_MODIFIED:
+	memset(passwd, 0, sizeof(passwd));
 	krb5_errx(context, 1, "Password incorrect");
 	break;
     default:
diff --git a/crypto/heimdal/kuser/klist.1 b/crypto/heimdal/kuser/klist.1
index e875401..384ce8e 100644
--- a/crypto/heimdal/kuser/klist.1
+++ b/crypto/heimdal/kuser/klist.1
@@ -1,36 +1,118 @@
-.\" $Id: klist.1,v 1.4 1999/05/14 14:03:55 assar Exp $
+.\" $Id: klist.1,v 1.6 2000/07/08 20:47:58 joda Exp $
 .\"
-.Dd Aug 27, 1997
+.Dd July 8, 2000
 .Dt KLIST 1
 .Os HEIMDAL
 .Sh NAME
 .Nm klist
 .Nd
-list the current tickets
+list Kerberos credentials
 .Sh SYNOPSIS
 .Nm
-.Op Fl t | Fl -test
+.Oo Fl c Ar cache \*(Ba Xo
+.Fl -cache= Ns Ar cache Oc
+.Xc
+.Op Fl s | Fl t | Fl -test
+.Op Fl 4 | Fl -v4
+.Op Fl T | Fl -tokens
+.Op Fl 5 | Fl -v5
 .Op Fl v | Fl -verbose
+.Op Fl f
 .Op Fl -version
 .Op Fl -help
 .Sh DESCRIPTION
 .Nm
 reads and displays the current tickets in the crential cache (also
-knows as the ticket file).
+known as the ticket file).
 .Pp
 Options supported:
 .Bl -tag -width Ds
 .It Xo
+.Fl c Ar cache Ns ,
+.Fl -cache= Ns Ar cache
+.Xc
+credentials cache to list
+.It Xo
+.Fl s Ns ,
 .Fl t Ns ,
 .Fl -test
 .Xc
 Test for there being an active and valid TGT for the local realm of
 the user in the credential cache.
 .It Xo
+.Fl 4 Ns ,
+.Fl -v4
+.Xc
+display v4 tickets
+.It Xo
+.Fl T Ns ,
+.Fl -tokens
+.Xc
+display AFS tokens
+.It Xo
+.Fl 5 Ns ,
+.Fl -v5
+.Xc
+display v5 cred cache (this is the default)
+.It Fl f
+Include ticket flags in short form, each charcted stands for a
+specific flag, as follows:
+.Bl -tag -width  XXX -compact -offset indent
+.It F
+forwardable
+.It f
+forwarded
+.It P
+proxiable
+.It p
+proxied
+.It D
+postdate-able
+.It d
+postdated
+.It R
+renewable
+.It I
+initial
+.It i
+invalid
+.It A
+pre-authenticated
+.It H
+hardware authenticated
+.El
+
+This information is also output with the 
+.Fl -verbose
+option, but in a more verbose way.
+.It Xo
 .Fl v Ns ,
 .Fl -verbose
 .Xc
-Verbose output. Include all information from tickets.
+Verbose output. Include all possible information:
+.Bl -tag -width XXXX -offset indent
+.It Server
+the princial the ticket is for
+.It Ticket etype
+the encryption type use in the ticket, followed by the key version of
+the ticket, if it is available
+.It Session key
+the encryption type of the session key, if it's different from the
+encryption type of the ticket
+.It Auth time
+the time the authentication exchange took place
+.It Start time
+the time that this tickets is valid from (only printed if it's
+different from the auth time)
+.It End time
+when the ticket expires, if it has already expired this is also noted
+.It Renew till
+the maximum possible end time of any ticket derived from this one
+.It Ticket flags
+the flags set on the ticket
+.It Addresses
+the set of addresses from which this ticket is valid
+.El
 .El
 .Sh SEE ALSO
 .Xr kinit 1 ,
diff --git a/crypto/heimdal/kuser/klist.c b/crypto/heimdal/kuser/klist.c
index 180e9f3..6bfaeb8 100644
--- a/crypto/heimdal/kuser/klist.c
+++ b/crypto/heimdal/kuser/klist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,8 +32,9 @@
  */
 
 #include "kuser_locl.h"
+#include "rtbl.h"
 
-RCSID("$Id: klist.c,v 1.53 2000/02/06 08:15:40 assar Exp $");
+RCSID("$Id: klist.c,v 1.62 2001/01/25 12:37:01 assar Exp $");
 
 static char*
 printable_time(time_t t)
@@ -53,8 +54,14 @@ printable_time_long(time_t t)
     return s;
 }
 
+#define COL_ISSUED		"  Issued"
+#define COL_EXPIRES		"  Expires"
+#define COL_FLAGS		"Flags"
+#define COL_PRINCIPAL		"  Principal"
+#define COL_PRINCIPAL_KVNO	"  Principal (kvno)"
+
 static void
-print_cred(krb5_context context, krb5_creds *cred)
+print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags)
 {
     char *str;
     krb5_error_code ret;
@@ -62,20 +69,51 @@ print_cred(krb5_context context, krb5_creds *cred)
 
     krb5_timeofday (context, &sec);
 
+
     if(cred->times.starttime)
-	printf ("%s  ", printable_time(cred->times.starttime));
+	rtbl_add_column_entry(ct, COL_ISSUED,
+			      printable_time(cred->times.starttime));
     else
-	printf ("%s  ", printable_time(cred->times.authtime));
+	rtbl_add_column_entry(ct, COL_ISSUED,
+			      printable_time(cred->times.authtime));
     
     if(cred->times.endtime > sec)
-	printf ("%s  ", printable_time(cred->times.endtime));
+	rtbl_add_column_entry(ct, COL_EXPIRES,
+			      printable_time(cred->times.endtime));
     else
-	printf ("%-15s  ", ">>>Expired<<<");
+	rtbl_add_column_entry(ct, COL_EXPIRES, ">>>Expired<<<");
     ret = krb5_unparse_name (context, cred->server, &str);
     if (ret)
 	krb5_err(context, 1, ret, "krb5_unparse_name");
-    printf ("%s\n", str);
-    free (str);
+    rtbl_add_column_entry(ct, COL_PRINCIPAL, str);
+    if(do_flags) {
+	char s[16], *sp = s;
+	if(cred->flags.b.forwardable)
+	    *sp++ = 'F';
+	if(cred->flags.b.forwarded)
+	    *sp++ = 'f';
+	if(cred->flags.b.proxiable)
+	    *sp++ = 'P';
+	if(cred->flags.b.proxy)
+	    *sp++ = 'p';
+	if(cred->flags.b.may_postdate)
+	    *sp++ = 'D';
+	if(cred->flags.b.postdated)
+	    *sp++ = 'd';
+	if(cred->flags.b.renewable)
+	    *sp++ = 'R';
+	if(cred->flags.b.initial)
+	    *sp++ = 'I';
+	if(cred->flags.b.invalid)
+	    *sp++ = 'i';
+	if(cred->flags.b.pre_authent)
+	    *sp++ = 'A';
+	if(cred->flags.b.hw_authent)
+	    *sp++ = 'H';
+	*sp++ = '\0';
+	rtbl_add_column_entry(ct, COL_FLAGS, s);
+    }
+    free(str);
 }
 
 static void
@@ -101,11 +139,12 @@ print_cred_verbose(krb5_context context, krb5_creds *cred)
 
 	decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
 	ret = krb5_enctype_to_string(context, t.enc_part.etype, &s);
+	printf("Ticket etype: ");
 	if (ret == 0) {
-	    printf("Ticket etype: %s", s);
+	    printf("%s", s);
 	    free(s);
 	} else {
-	    printf("Unknown etype: %d", t.enc_part.etype);
+	    printf("unknown(%d)", t.enc_part.etype);
 	}
 	if(t.enc_part.kvno)
 	    printf(", kvno %d", *t.enc_part.kvno);
@@ -175,13 +214,16 @@ static void
 print_tickets (krb5_context context,
 	       krb5_ccache ccache,
 	       krb5_principal principal,
-	       int do_verbose)
+	       int do_verbose,
+	       int do_flags)
 {
     krb5_error_code ret;
     char *str;
     krb5_cc_cursor cursor;
     krb5_creds creds;
 
+    rtbl_t ct = NULL;
+
     ret = krb5_unparse_name (context, principal, &str);
     if (ret)
 	krb5_err (context, 1, ret, "krb5_unparse_name");
@@ -208,7 +250,7 @@ print_tickets (krb5_context context,
 	    sig = -1;
 	    val = -val;
 	}
-
+	
 	unparse_time (val, buf, sizeof(buf));
 
 	printf ("%17s: %s%s\n", "KDC time offset",
@@ -221,9 +263,16 @@ print_tickets (krb5_context context,
     if (ret)
 	krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
 
-    if(!do_verbose)
-	printf("  %-15s  %-15s  %s\n", "Issued", "Expires", "Principal");
-
+    if(!do_verbose) {
+	ct = rtbl_create();
+	rtbl_add_column(ct, COL_ISSUED, 0);
+	rtbl_add_column(ct, COL_EXPIRES, 0);
+	if(do_flags)
+	    rtbl_add_column(ct, COL_FLAGS, 0);
+	rtbl_add_column(ct, COL_PRINCIPAL, 0);
+	rtbl_set_prefix(ct, "  ");
+	rtbl_set_column_prefix(ct, COL_ISSUED, "");
+    }
     while (krb5_cc_next_cred (context,
 			      ccache,
 			      &creds,
@@ -231,13 +280,17 @@ print_tickets (krb5_context context,
 	if(do_verbose){
 	    print_cred_verbose(context, &creds);
 	}else{
-	    print_cred(context, &creds);
+	    print_cred(context, &creds, ct, do_flags);
 	}
 	krb5_free_creds_contents (context, &creds);
     }
     ret = krb5_cc_end_seq_get (context, ccache, &cursor);
     if (ret)
 	krb5_err (context, 1, ret, "krb5_cc_end_seq_get");
+    if(!do_verbose) {
+	rtbl_format(ct, stdout);
+	rtbl_destroy(ct);
+    }
 }
 
 /*
@@ -277,6 +330,143 @@ check_for_tgt (krb5_context context,
 }
 
 #ifdef KRB4
+/* prints the approximate kdc time differential as something human
+   readable */
+
+static void
+print_time_diff(int do_verbose)
+{
+    int d = abs(krb_get_kdc_time_diff());
+    char buf[80];
+
+    if ((do_verbose && d > 0) || d > 60) {
+	unparse_time_approx (d, buf, sizeof(buf));
+	printf ("Time diff:\t%s\n", buf);
+    }
+}
+
+/*
+ * return a short representation of `dp' in string form.
+ */
+
+static char *
+short_date(int32_t dp)
+{
+    char *cp;
+    time_t t = (time_t)dp;
+
+    if (t == (time_t)(-1L)) return "***  Never  *** ";
+    cp = ctime(&t) + 4;
+    cp[15] = '\0';
+    return (cp);
+}
+
+/*
+ * Print a list of all the v4 tickets
+ */
+
+static int
+display_v4_tickets (int do_verbose)
+{
+    char *file;
+    int ret;
+    krb_principal princ;
+    CREDENTIALS cred;
+    int found = 0;
+
+    rtbl_t ct;
+
+    file = getenv ("KRBTKFILE");
+    if (file == NULL)
+	file = TKT_FILE;
+
+    printf("v4-ticket file:	%s\n", file);
+
+    ret = krb_get_tf_realm (file, princ.realm);
+    if (ret) {
+	warnx ("%s", krb_get_err_text(ret));
+	return 1;
+    }
+
+    ret = tf_init (file, R_TKT_FIL);
+    if (ret) {
+	warnx ("tf_init: %s", krb_get_err_text(ret));
+	return 1;
+    }
+    ret = tf_get_pname (princ.name);
+    if (ret) {
+	tf_close ();
+	warnx ("tf_get_pname: %s", krb_get_err_text(ret));
+	return 1;
+    }
+    ret = tf_get_pinst (princ.instance);
+    if (ret) {
+	tf_close ();
+	warnx ("tf_get_pname: %s", krb_get_err_text(ret));
+	return 1;
+    }
+
+    printf("Principal:\t%s\n", krb_unparse_name (&princ));
+    print_time_diff(do_verbose);
+    printf("\n");
+
+    ct = rtbl_create();
+    rtbl_add_column(ct, COL_ISSUED, 0);
+    rtbl_add_column(ct, COL_EXPIRES, 0);
+    if (do_verbose)
+	rtbl_add_column(ct, COL_PRINCIPAL_KVNO, 0);
+    else
+	rtbl_add_column(ct, COL_PRINCIPAL, 0);
+    rtbl_set_prefix(ct, "  ");
+    rtbl_set_column_prefix(ct, COL_ISSUED, "");
+
+    while ((ret = tf_get_cred(&cred)) == KSUCCESS) {
+	struct timeval tv;
+	char buf1[20], buf2[20];
+	const char *pp;
+
+	found++;
+
+	strlcpy(buf1,
+		short_date(cred.issue_date),
+		sizeof(buf1));
+	cred.issue_date = krb_life_to_time(cred.issue_date, cred.lifetime);
+	krb_kdctimeofday(&tv);
+	if (do_verbose || tv.tv_sec < (unsigned long) cred.issue_date)
+	    strlcpy(buf2,
+		    short_date(cred.issue_date),
+		    sizeof(buf2));
+	else
+	    strlcpy(buf2,
+		    ">>> Expired <<<",
+		    sizeof(buf2));
+	rtbl_add_column_entry(ct, COL_ISSUED, buf1);
+	rtbl_add_column_entry(ct, COL_EXPIRES, buf2);
+	pp = krb_unparse_name_long(cred.service,
+				   cred.instance,
+				   cred.realm);
+	if (do_verbose) {
+	    char *tmp;
+
+	    asprintf(&tmp, "%s (%d)", pp, cred.kvno);
+	    rtbl_add_column_entry(ct, COL_PRINCIPAL_KVNO, tmp);
+	    free(tmp);
+	} else {
+	    rtbl_add_column_entry(ct, COL_PRINCIPAL, pp);
+	}
+    }
+    rtbl_format(ct, stdout);
+    rtbl_destroy(ct);
+    if (!found && ret == EOF)
+	printf("No tickets in file.\n");
+    tf_close();
+    
+    /*
+     * should do NAT stuff here
+     */
+    return 0;
+}
+
 /*
  * Print a list of all AFS tokens
  */
@@ -332,28 +522,91 @@ display_tokens(int do_verbose)
 	putchar('\n');
     }
 }
-#endif
+#endif /* KRB4 */
+
+/*
+ * display the ccache in `cred_cache'
+ */
+
+static int
+display_v5_ccache (const char *cred_cache, int do_test, int do_verbose, 
+		   int do_flags)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache ccache;
+    krb5_principal principal;
+    int exit_status = 0;
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    if(cred_cache) {
+	ret = krb5_cc_resolve(context, cred_cache, &ccache);
+	if (ret)
+	    krb5_err (context, 1, ret, "%s", cred_cache);
+    } else {
+	ret = krb5_cc_default (context, &ccache);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_cc_resolve");
+    }
+
+    ret = krb5_cc_get_principal (context, ccache, &principal);
+    if (ret) {
+	if(ret == ENOENT) {
+	    if (!do_test)
+		krb5_warnx(context, "No ticket file: %s",
+			   krb5_cc_get_name(context, ccache));
+	    return 1;
+	} else
+	    krb5_err (context, 1, ret, "krb5_cc_get_principal");
+    }
+    if (do_test)
+	exit_status = check_for_tgt (context, ccache, principal);
+    else
+	print_tickets (context, ccache, principal, do_verbose, do_flags);
+
+    ret = krb5_cc_close (context, ccache);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_close");
+
+    krb5_free_principal (context, principal);
+    krb5_free_context (context);
+    return exit_status;
+}
 
 static int version_flag = 0;
 static int help_flag	= 0;
 static int do_verbose	= 0;
 static int do_test	= 0;
 #ifdef KRB4
+static int do_v4	= 1;
 static int do_tokens	= 0;
 #endif
+static int do_v5	= 1;
 static char *cred_cache;
+static int do_flags = 0;
 
 static struct getargs args[] = {
+    { NULL, 'f', arg_flag, &do_flags },
     { "cache",			'c', arg_string, &cred_cache,
       "credentials cache to list", "cache" },
     { "test",			't', arg_flag, &do_test,
       "test for having tickets", NULL },
+    { NULL,			's', arg_flag, &do_test },
 #ifdef KRB4
+    { "v4",			'4',	arg_flag, &do_v4,
+      "display v4 tickets", NULL },
     { "tokens",			'T',   arg_flag, &do_tokens,
       "display AFS tokens", NULL },
 #endif
+    { "v5",			'5',	arg_flag, &do_v5,
+      "display v5 cred cache", NULL},
     { "verbose",		'v', arg_flag, &do_verbose,
-      "Verbose output", NULL },
+      "verbose output", NULL },
+    { NULL,			'a', arg_flag, &do_verbose },
+    { NULL,			'n', arg_flag, &do_verbose },
     { "version", 		0,   arg_flag, &version_flag, 
       "print version", NULL },
     { "help",			0,   arg_flag, &help_flag, 
@@ -373,10 +626,6 @@ usage (int ret)
 int
 main (int argc, char **argv)
 {
-    krb5_error_code ret;
-    krb5_context context;
-    krb5_ccache ccache;
-    krb5_principal principal;
     int optind = 0;
     int exit_status = 0;
 
@@ -399,46 +648,23 @@ main (int argc, char **argv)
     if (argc != 0)
 	usage (1);
 
-    ret = krb5_init_context (&context);
-    if (ret)
-	krb5_err(context, 1, ret, "krb5_init_context");
-
-    if(cred_cache) {
-	ret = krb5_cc_resolve(context, cred_cache, &ccache);
-	if (ret)
-	    krb5_err (context, 1, ret, "%s", cred_cache);
-    } else {
-	ret = krb5_cc_default (context, &ccache);
-	if (ret)
-	    krb5_err (context, 1, ret, "krb5_cc_resolve");
-    }
-
-    ret = krb5_cc_get_principal (context, ccache, &principal);
-    if (ret) {
-	if(ret == ENOENT) {
-	    if (do_test)
-		return 1;
-	    else
-		krb5_errx(context, 1, "No ticket file: %s", 
-			  krb5_cc_get_name(context, ccache));
-	} else
-	    krb5_err (context, 1, ret, "krb5_cc_get_principal");
-    }
-    if (do_test)
-	exit_status = check_for_tgt (context, ccache, principal);
-    else
-	print_tickets (context, ccache, principal, do_verbose);
-
-    ret = krb5_cc_close (context, ccache);
-    if (ret)
-	krb5_err (context, 1, ret, "krb5_cc_close");
-
-    krb5_free_principal (context, principal);
-    krb5_free_context (context);
+    if (do_v5)
+	exit_status = display_v5_ccache (cred_cache, do_test, 
+					 do_verbose, do_flags);
 
 #ifdef KRB4
-    if (!do_test && do_tokens && k_hasafs ())
-	display_tokens (do_verbose);
+    if (!do_test) {
+	if (do_v4) {
+	    if (do_v5)
+		printf ("\n");
+	    display_v4_tickets (do_verbose);
+	}
+	if (do_tokens && k_hasafs ()) {
+	    if (do_v4 || do_v5)
+		printf ("\n");
+	    display_tokens (do_verbose);
+	}
+    }
 #endif
 
     return exit_status;
diff --git a/crypto/heimdal/kuser/kverify.c b/crypto/heimdal/kuser/kverify.c
index 986d7c9..72b15f9 100644
--- a/crypto/heimdal/kuser/kverify.c
+++ b/crypto/heimdal/kuser/kverify.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kuser_locl.h"
 
-RCSID("$Id: kverify.c,v 1.3 1999/12/02 17:05:01 joda Exp $");
+RCSID("$Id: kverify.c,v 1.4 2000/12/31 07:55:54 assar Exp $");
 
 int
 main(int argc, char **argv)
@@ -45,7 +45,9 @@ main(int argc, char **argv)
     krb5_get_init_creds_opt get_options;
     krb5_verify_init_creds_opt verify_options;
 
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
 
     krb5_get_init_creds_opt_init (&get_options);
 
diff --git a/crypto/heimdal/lib/45/Makefile.in b/crypto/heimdal/lib/45/Makefile.in
index 9b0c7fc..66dfc0f 100644
--- a/crypto/heimdal/lib/45/Makefile.in
+++ b/crypto/heimdal/lib/45/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.5 1999/03/20 13:58:17 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.5 1999/03/20 13:58:17 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,24 +170,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
@@ -178,6 +192,7 @@ lib_LIBRARIES = @EXTRA_LIB45@
 EXTRA_LIBRARIES = lib45.a
 
 lib45_a_SOURCES = get_ad_tkt.c mk_req.c 45_locl.h
+subdir = lib/45
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -187,32 +202,34 @@ LIBRARIES =  $(lib_LIBRARIES)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
+lib45_a_AR = $(AR) cru
 lib45_a_LIBADD = 
-lib45_a_OBJECTS =  get_ad_tkt.$(OBJEXT) mk_req.$(OBJEXT)
+am_lib45_a_OBJECTS =  get_ad_tkt.$(OBJEXT) mk_req.$(OBJEXT)
+lib45_a_OBJECTS =  $(am_lib45_a_OBJECTS)
 AR = ar
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(lib45_a_SOURCES)
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(lib45_a_SOURCES)
-OBJECTS = $(lib45_a_OBJECTS)
+OBJECTS = $(am_lib45_a_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/45/Makefile
 
@@ -249,24 +266,11 @@ install-libLIBRARIES: $(lib_LIBRARIES)
 
 uninstall-libLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	list='$(lib_LIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LIBRARIES)'; for p in $$list; do \
+	  echo " rm -f $(DESTDIR)$(libdir)/$$p"; \
 	  rm -f $(DESTDIR)$(libdir)/$$p; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -278,15 +282,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -299,28 +294,38 @@ maintainer-clean-libtool:
 
 lib45.a: $(lib45_a_OBJECTS) $(lib45_a_DEPENDENCIES)
 	-rm -f lib45.a
-	$(AR) cru lib45.a $(lib45_a_OBJECTS) $(lib45_a_LIBADD)
+	$(lib45_a_AR) lib45.a $(lib45_a_OBJECTS) $(lib45_a_LIBADD)
 	$(RANLIB) lib45.a
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -333,17 +338,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/45
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -372,7 +376,7 @@ uninstall: uninstall-am
 all-am: Makefile $(LIBRARIES) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(libdir)
 
@@ -386,6 +390,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-libLIBRARIES mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -422,8 +427,8 @@ mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
 distdir info-am info dvi-am dvi check-local check check-am \
 installcheck-am installcheck install-exec-am install-exec \
 install-data-local install-data-am install-data install-am install \
-uninstall-am uninstall all-local all-redirect all-am all installdirs \
-mostlyclean-generic distclean-generic clean-generic \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
 maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
@@ -432,7 +437,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -444,8 +452,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -514,87 +522,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/lib/45/mk_req.c b/crypto/heimdal/lib/45/mk_req.c
index 7074ebf..db909c2 100644
--- a/crypto/heimdal/lib/45/mk_req.c
+++ b/crypto/heimdal/lib/45/mk_req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -35,12 +35,13 @@
 
 #include "45_locl.h"
 
-RCSID("$Id: mk_req.c,v 1.2 1999/12/02 17:05:01 joda Exp $");
+RCSID("$Id: mk_req.c,v 1.6 2000/04/11 00:49:35 assar Exp $");
 
 static int lifetime = 255;
 
 static void
-build_request(KTEXT req, char *name, char *inst, char *realm, 
+build_request(KTEXT req,
+	      const char *name, const char *inst, const char *realm, 
 	      u_int32_t checksum)
 {
     struct timeval tv;
@@ -61,20 +62,31 @@ build_request(KTEXT req, char *name, char *inst, char *realm,
     krb5_data_free(&data);
 }
 
+#ifdef KRB_MK_REQ_CONST
 int
-krb_mk_req(KTEXT authent, char *service, char *instance, char *realm, 
+krb_mk_req(KTEXT authent,
+	   const char *service, const char *instance, const char *realm, 
 	   int32_t checksum)
+#else
+int
+krb_mk_req(KTEXT authent,
+	   char *service, char *instance, char *realm, 
+	   int32_t checksum)
+
+#endif
 {
     CREDENTIALS cr;
     KTEXT_ST req;
     krb5_storage *sp;
     int code;
-    char *myrealm;
+    /* XXX get user realm */
+    const char *myrealm = realm;
     krb5_data a;
 
     code = krb_get_cred(service, instance, realm, &cr);
     if(code || time(NULL) > krb_life_to_time(cr.issue_date, cr.lifetime)){
-	code = get_ad_tkt(service, instance, realm, lifetime);
+	code = get_ad_tkt((char *)service,
+			  (char *)instance, (char *)realm, lifetime);
 	if(code == KSUCCESS)
 	    code = krb_get_cred(service, instance, realm, &cr);
     }
@@ -82,9 +94,6 @@ krb_mk_req(KTEXT authent, char *service, char *instance, char *realm,
     if(code)
 	return code;
 
-    /* XXX get user realm */
-    myrealm = realm;
-
     sp = krb5_storage_emem();
 
     krb5_store_int8(sp, KRB_PROT_VERSION);
diff --git a/crypto/heimdal/lib/Makefile.am b/crypto/heimdal/lib/Makefile.am
index c600c22..ed228d1 100644
--- a/crypto/heimdal/lib/Makefile.am
+++ b/crypto/heimdal/lib/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.16 1999/04/01 15:03:37 joda Exp $
+# $Id: Makefile.am,v 1.21 2000/11/15 23:11:05 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -8,6 +8,9 @@ endif
 if OTP
 dir_otp = otp
 endif
+if DCE
+dir_dce = kdfs
+endif
 
-SUBDIRS = roken editline com_err sl asn1 des krb5 \
-	kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp)
+SUBDIRS = @DIR_roken@ vers editline com_err sl asn1 @DIR_des@ krb5 \
+	kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp) $(dir_dce)
diff --git a/crypto/heimdal/lib/Makefile.in b/crypto/heimdal/lib/Makefile.in
index 4c8aa71..22a350f 100644
--- a/crypto/heimdal/lib/Makefile.in
+++ b/crypto/heimdal/lib/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.16 1999/04/01 15:03:37 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.21 2000/11/15 23:11:05 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,32 +170,31 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
-@KRB4_TRUE@dir_45 = 45
-@OTP_TRUE@dir_otp = otp
+@KRB4_TRUE@dir_45 = @KRB4_TRUE@45
+@OTP_TRUE@dir_otp = @OTP_TRUE@otp
+@DCE_TRUE@dir_dce = @DCE_TRUE@kdfs
 
-SUBDIRS = roken editline com_err sl asn1 des krb5 	kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp)
+SUBDIRS = @DIR_roken@ vers editline com_err sl asn1 @DIR_des@ krb5 \
+	kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp) $(dir_dce)
 
+subdir = lib
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -185,16 +202,17 @@ CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
-DIST_SUBDIRS =  roken editline com_err sl asn1 des krb5 kafs hdb kadm5 \
-gssapi auth 45 otp
+DIST_SUBDIRS =  @DIR_roken@ vers editline com_err sl asn1 @DIR_des@ krb5 \
+kafs hdb kadm5 gssapi auth 45 otp kdfs
 all: all-redirect
 .SUFFIXES:
 .SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
@@ -213,8 +231,6 @@ Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 
-@SET_MAKE@
-
 all-recursive install-data-recursive install-exec-recursive \
 installdirs-recursive install-recursive uninstall-recursive  \
 check-recursive installcheck-recursive info-recursive dvi-recursive:
@@ -242,7 +258,7 @@ maintainer-clean-recursive:
 	dot_seen=no; \
 	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
 	  rev="$$subdir $$rev"; \
-	  test "$$subdir" = "." && dot_seen=yes; \
+	  if test "$$subdir" = "."; then dot_seen=yes; else :; fi; \
 	done; \
 	test "$$dot_seen" = "no" && rev=". $$rev"; \
 	target=`echo $@ | sed s/-recursive//`; \
@@ -263,15 +279,17 @@ tags-recursive:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -279,12 +297,14 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
 	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
    fi; \
 	done; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -297,17 +317,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	for subdir in $(DIST_SUBDIRS); do \
@@ -315,7 +334,6 @@ distdir: $(DISTFILES)
 	    test -d $(distdir)/$$subdir \
 	    || mkdir $(distdir)/$$subdir \
 	    || exit 1; \
-	    chmod 777 $(distdir)/$$subdir; \
 	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
 	      || exit 1; \
 	  fi; \
@@ -346,7 +364,7 @@ uninstall: uninstall-recursive
 all-am: Makefile all-local
 all-redirect: all-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs: installdirs-recursive
 installdirs-am:
 
@@ -360,6 +378,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-tags mostlyclean-generic
 
 mostlyclean: mostlyclean-recursive
@@ -380,19 +399,19 @@ maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
 
 maintainer-clean: maintainer-clean-recursive
 
-.PHONY: install-data-recursive uninstall-data-recursive \
-install-exec-recursive uninstall-exec-recursive installdirs-recursive \
-uninstalldirs-recursive all-recursive check-recursive \
-installcheck-recursive info-recursive dvi-recursive \
-mostlyclean-recursive distclean-recursive clean-recursive \
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
 maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
 distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
-distclean-generic clean-generic maintainer-clean-generic clean \
-mostlyclean distclean maintainer-clean
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
 install-suid-programs:
@@ -400,7 +419,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -412,8 +434,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -482,87 +504,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/lib/asn1/Makefile.am b/crypto/heimdal/lib/asn1/Makefile.am
index 97fb2bb..8f89441 100644
--- a/crypto/heimdal/lib/asn1/Makefile.am
+++ b/crypto/heimdal/lib/asn1/Makefile.am
@@ -1,62 +1,67 @@
-# $Id: Makefile.am,v 1.54 1999/12/21 17:03:42 assar Exp $
+# $Id: Makefile.am,v 1.59 2001/01/30 01:46:53 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
 YFLAGS = -d
 
 lib_LTLIBRARIES = libasn1.la
-libasn1_la_LDFLAGS = -version-info 1:4:0
+libasn1_la_LDFLAGS = -version-info 4:0:2
 
 BUILT_SOURCES =			\
 	$(gen_files:.x=.c)	\
 	asn1_err.h		\
 	asn1_err.c
 
-gen_files =				\
-	asn1_APOptions.x		\
-	asn1_AP_REP.x			\
-	asn1_AP_REQ.x			\
-	asn1_AS_REP.x			\
-	asn1_AS_REQ.x			\
-	asn1_Authenticator.x		\
-	asn1_AuthorizationData.x	\
-	asn1_Checksum.x			\
-	asn1_EncAPRepPart.x		\
-	asn1_EncASRepPart.x		\
-	asn1_EncKDCRepPart.x		\
-	asn1_EncKrbCredPart.x		\
-	asn1_EncKrbPrivPart.x		\
-	asn1_EncTGSRepPart.x		\
-	asn1_EncTicketPart.x		\
-	asn1_EncryptedData.x		\
-	asn1_EncryptionKey.x		\
-	asn1_ETYPE_INFO.x		\
-	asn1_ETYPE_INFO_ENTRY.x		\
-	asn1_HostAddress.x		\
-	asn1_HostAddresses.x		\
-	asn1_KDCOptions.x		\
-	asn1_KDC_REP.x			\
-	asn1_KDC_REQ.x			\
-	asn1_KDC_REQ_BODY.x		\
-	asn1_KRB_CRED.x			\
-	asn1_KRB_ERROR.x		\
-	asn1_KRB_PRIV.x			\
-	asn1_KRB_SAFE.x			\
-	asn1_KRB_SAFE_BODY.x		\
-	asn1_KerberosTime.x		\
-	asn1_KrbCredInfo.x		\
-	asn1_LastReq.x			\
-	asn1_METHOD_DATA.x		\
-	asn1_PA_DATA.x			\
-	asn1_PA_ENC_TS_ENC.x		\
-	asn1_Principal.x		\
-	asn1_PrincipalName.x		\
-	asn1_Realm.x			\
-	asn1_TGS_REP.x			\
-	asn1_TGS_REQ.x			\
-	asn1_Ticket.x			\
-	asn1_TicketFlags.x		\
-	asn1_TransitedEncoding.x
+gen_files =					\
+	asn1_APOptions.x			\
+	asn1_AP_REP.x				\
+	asn1_AP_REQ.x				\
+	asn1_AS_REP.x				\
+	asn1_AS_REQ.x				\
+	asn1_Authenticator.x			\
+	asn1_AuthorizationData.x		\
+	asn1_CKSUMTYPE.x			\
+	asn1_Checksum.x				\
+	asn1_ETYPE_INFO.x			\
+	asn1_ETYPE_INFO_ENTRY.x			\
+	asn1_EncAPRepPart.x			\
+	asn1_EncASRepPart.x			\
+	asn1_EncKDCRepPart.x			\
+	asn1_EncKrbCredPart.x			\
+	asn1_EncKrbPrivPart.x			\
+	asn1_EncTGSRepPart.x			\
+	asn1_EncTicketPart.x			\
+	asn1_EncryptedData.x			\
+	asn1_EncryptionKey.x			\
+	asn1_HostAddress.x			\
+	asn1_HostAddresses.x			\
+	asn1_KDCOptions.x			\
+	asn1_KDC_REP.x				\
+	asn1_KDC_REQ.x				\
+	asn1_KDC_REQ_BODY.x			\
+	asn1_KRB_CRED.x				\
+	asn1_KRB_ERROR.x			\
+	asn1_KRB_PRIV.x				\
+	asn1_KRB_SAFE.x				\
+	asn1_KRB_SAFE_BODY.x			\
+	asn1_KerberosTime.x			\
+	asn1_KrbCredInfo.x			\
+	asn1_LastReq.x				\
+	asn1_MESSAGE_TYPE.x			\
+	asn1_METHOD_DATA.x			\
+	asn1_NAME_TYPE.x			\
+	asn1_PADATA_TYPE.x			\
+	asn1_PA_DATA.x				\
+	asn1_PA_ENC_TS_ENC.x			\
+	asn1_Principal.x			\
+	asn1_PrincipalName.x			\
+	asn1_Realm.x				\
+	asn1_TGS_REP.x				\
+	asn1_TGS_REQ.x				\
+	asn1_Ticket.x				\
+	asn1_TicketFlags.x			\
+	asn1_TransitedEncoding.x		\
+	asn1_UNSIGNED.x
 
 
 noinst_PROGRAMS = asn1_compile asn1_print
diff --git a/crypto/heimdal/lib/asn1/Makefile.in b/crypto/heimdal/lib/asn1/Makefile.in
index 25acf1a..7652c10 100644
--- a/crypto/heimdal/lib/asn1/Makefile.in
+++ b/crypto/heimdal/lib/asn1/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.54 1999/12/21 17:03:42 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.59 2001/01/30 01:46:53 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,36 +170,84 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 YFLAGS = -d
 
 lib_LTLIBRARIES = libasn1.la
-libasn1_la_LDFLAGS = -version-info 1:4:0
-
-BUILT_SOURCES =  	$(gen_files:.x=.c)		asn1_err.h			asn1_err.c
-
-
-gen_files =  	asn1_APOptions.x			asn1_AP_REP.x				asn1_AP_REQ.x				asn1_AS_REP.x				asn1_AS_REQ.x				asn1_Authenticator.x			asn1_AuthorizationData.x		asn1_Checksum.x				asn1_EncAPRepPart.x			asn1_EncASRepPart.x			asn1_EncKDCRepPart.x			asn1_EncKrbCredPart.x			asn1_EncKrbPrivPart.x			asn1_EncTGSRepPart.x			asn1_EncTicketPart.x			asn1_EncryptedData.x			asn1_EncryptionKey.x			asn1_ETYPE_INFO.x			asn1_ETYPE_INFO_ENTRY.x			asn1_HostAddress.x			asn1_HostAddresses.x			asn1_KDCOptions.x			asn1_KDC_REP.x				asn1_KDC_REQ.x				asn1_KDC_REQ_BODY.x			asn1_KRB_CRED.x				asn1_KRB_ERROR.x			asn1_KRB_PRIV.x				asn1_KRB_SAFE.x				asn1_KRB_SAFE_BODY.x			asn1_KerberosTime.x			asn1_KrbCredInfo.x			asn1_LastReq.x				asn1_METHOD_DATA.x			asn1_PA_DATA.x				asn1_PA_ENC_TS_ENC.x			asn1_Principal.x			asn1_PrincipalName.x			asn1_Realm.x				asn1_TGS_REP.x				asn1_TGS_REQ.x				asn1_Ticket.x				asn1_TicketFlags.x			asn1_TransitedEncoding.x
+libasn1_la_LDFLAGS = -version-info 4:0:2
+
+BUILT_SOURCES = \
+	$(gen_files:.x=.c)	\
+	asn1_err.h		\
+	asn1_err.c
+
+
+gen_files = \
+	asn1_APOptions.x			\
+	asn1_AP_REP.x				\
+	asn1_AP_REQ.x				\
+	asn1_AS_REP.x				\
+	asn1_AS_REQ.x				\
+	asn1_Authenticator.x			\
+	asn1_AuthorizationData.x		\
+	asn1_CKSUMTYPE.x			\
+	asn1_Checksum.x				\
+	asn1_ETYPE_INFO.x			\
+	asn1_ETYPE_INFO_ENTRY.x			\
+	asn1_EncAPRepPart.x			\
+	asn1_EncASRepPart.x			\
+	asn1_EncKDCRepPart.x			\
+	asn1_EncKrbCredPart.x			\
+	asn1_EncKrbPrivPart.x			\
+	asn1_EncTGSRepPart.x			\
+	asn1_EncTicketPart.x			\
+	asn1_EncryptedData.x			\
+	asn1_EncryptionKey.x			\
+	asn1_HostAddress.x			\
+	asn1_HostAddresses.x			\
+	asn1_KDCOptions.x			\
+	asn1_KDC_REP.x				\
+	asn1_KDC_REQ.x				\
+	asn1_KDC_REQ_BODY.x			\
+	asn1_KRB_CRED.x				\
+	asn1_KRB_ERROR.x			\
+	asn1_KRB_PRIV.x				\
+	asn1_KRB_SAFE.x				\
+	asn1_KRB_SAFE_BODY.x			\
+	asn1_KerberosTime.x			\
+	asn1_KrbCredInfo.x			\
+	asn1_LastReq.x				\
+	asn1_MESSAGE_TYPE.x			\
+	asn1_METHOD_DATA.x			\
+	asn1_NAME_TYPE.x			\
+	asn1_PADATA_TYPE.x			\
+	asn1_PA_DATA.x				\
+	asn1_PA_ENC_TS_ENC.x			\
+	asn1_Principal.x			\
+	asn1_PrincipalName.x			\
+	asn1_Realm.x				\
+	asn1_TGS_REP.x				\
+	asn1_TGS_REQ.x				\
+	asn1_Ticket.x				\
+	asn1_TicketFlags.x			\
+	asn1_TransitedEncoding.x		\
+	asn1_UNSIGNED.x
 
 
 noinst_PROGRAMS = asn1_compile asn1_print
@@ -189,26 +255,41 @@ check_PROGRAMS = check-der
 
 TESTS = check-der
 
-asn1_compile_SOURCES = parse.y lex.l main.c hash.c symbol.c gen.c 	gen_encode.c gen_decode.c gen_free.c gen_length.c gen_copy.c 	gen_glue.c
+asn1_compile_SOURCES = parse.y lex.l main.c hash.c symbol.c gen.c \
+	gen_encode.c gen_decode.c gen_free.c gen_length.c gen_copy.c \
+	gen_glue.c
 
 
-libasn1_la_SOURCES =  	der_get.c 	der_put.c 	der_free.c 	der_length.c 	der_copy.c 	timegm.c 	$(BUILT_SOURCES)
+libasn1_la_SOURCES = \
+	der_get.c \
+	der_put.c \
+	der_free.c \
+	der_length.c \
+	der_copy.c \
+	timegm.c \
+	$(BUILT_SOURCES)
 
 
-asn1_compile_LDADD =  	$(LIB_roken) $(LEXLIB)
+asn1_compile_LDADD = \
+	$(LIB_roken) $(LEXLIB)
 
 
-check_der_LDADD =  	libasn1.la 	../com_err/libcom_err.la 	$(LIB_roken)
+check_der_LDADD = \
+	libasn1.la \
+	../com_err/libcom_err.la \
+	$(LIB_roken)
 
 
 asn1_print_LDADD = $(check_der_LDADD)
 
-CLEANFILES = lex.c parse.c parse.h asn1.h $(BUILT_SOURCES) 	$(gen_files) asn1_files
+CLEANFILES = lex.c parse.c parse.h asn1.h $(BUILT_SOURCES) \
+	$(gen_files) asn1_files
 
 
 include_HEADERS = asn1.h asn1_err.h der.h
 
 EXTRA_DIST = asn1_err.et
+subdir = lib/asn1
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -218,66 +299,72 @@ LTLIBRARIES =  $(lib_LTLIBRARIES)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 libasn1_la_LIBADD = 
-libasn1_la_OBJECTS =  der_get.lo der_put.lo der_free.lo der_length.lo \
+am_libasn1_la_OBJECTS =  der_get.lo der_put.lo der_free.lo der_length.lo \
 der_copy.lo timegm.lo asn1_APOptions.lo asn1_AP_REP.lo asn1_AP_REQ.lo \
 asn1_AS_REP.lo asn1_AS_REQ.lo asn1_Authenticator.lo \
-asn1_AuthorizationData.lo asn1_Checksum.lo asn1_EncAPRepPart.lo \
+asn1_AuthorizationData.lo asn1_CKSUMTYPE.lo asn1_Checksum.lo \
+asn1_ETYPE_INFO.lo asn1_ETYPE_INFO_ENTRY.lo asn1_EncAPRepPart.lo \
 asn1_EncASRepPart.lo asn1_EncKDCRepPart.lo asn1_EncKrbCredPart.lo \
 asn1_EncKrbPrivPart.lo asn1_EncTGSRepPart.lo asn1_EncTicketPart.lo \
-asn1_EncryptedData.lo asn1_EncryptionKey.lo asn1_ETYPE_INFO.lo \
-asn1_ETYPE_INFO_ENTRY.lo asn1_HostAddress.lo asn1_HostAddresses.lo \
-asn1_KDCOptions.lo asn1_KDC_REP.lo asn1_KDC_REQ.lo asn1_KDC_REQ_BODY.lo \
-asn1_KRB_CRED.lo asn1_KRB_ERROR.lo asn1_KRB_PRIV.lo asn1_KRB_SAFE.lo \
-asn1_KRB_SAFE_BODY.lo asn1_KerberosTime.lo asn1_KrbCredInfo.lo \
-asn1_LastReq.lo asn1_METHOD_DATA.lo asn1_PA_DATA.lo \
-asn1_PA_ENC_TS_ENC.lo asn1_Principal.lo asn1_PrincipalName.lo \
-asn1_Realm.lo asn1_TGS_REP.lo asn1_TGS_REQ.lo asn1_Ticket.lo \
-asn1_TicketFlags.lo asn1_TransitedEncoding.lo asn1_err.lo
+asn1_EncryptedData.lo asn1_EncryptionKey.lo asn1_HostAddress.lo \
+asn1_HostAddresses.lo asn1_KDCOptions.lo asn1_KDC_REP.lo \
+asn1_KDC_REQ.lo asn1_KDC_REQ_BODY.lo asn1_KRB_CRED.lo asn1_KRB_ERROR.lo \
+asn1_KRB_PRIV.lo asn1_KRB_SAFE.lo asn1_KRB_SAFE_BODY.lo \
+asn1_KerberosTime.lo asn1_KrbCredInfo.lo asn1_LastReq.lo \
+asn1_MESSAGE_TYPE.lo asn1_METHOD_DATA.lo asn1_NAME_TYPE.lo \
+asn1_PADATA_TYPE.lo asn1_PA_DATA.lo asn1_PA_ENC_TS_ENC.lo \
+asn1_Principal.lo asn1_PrincipalName.lo asn1_Realm.lo asn1_TGS_REP.lo \
+asn1_TGS_REQ.lo asn1_Ticket.lo asn1_TicketFlags.lo \
+asn1_TransitedEncoding.lo asn1_UNSIGNED.lo asn1_err.lo
+libasn1_la_OBJECTS =  $(am_libasn1_la_OBJECTS)
 check_PROGRAMS =  check-der$(EXEEXT)
 noinst_PROGRAMS =  asn1_compile$(EXEEXT) asn1_print$(EXEEXT)
 PROGRAMS =  $(noinst_PROGRAMS)
 
-check_der_SOURCES = check-der.c
-check_der_OBJECTS =  check-der.$(OBJEXT)
-check_der_DEPENDENCIES =  libasn1.la ../com_err/libcom_err.la
-check_der_LDFLAGS = 
-asn1_compile_OBJECTS =  parse.$(OBJEXT) lex.$(OBJEXT) main.$(OBJEXT) \
+am_asn1_compile_OBJECTS =  parse.$(OBJEXT) lex.$(OBJEXT) main.$(OBJEXT) \
 hash.$(OBJEXT) symbol.$(OBJEXT) gen.$(OBJEXT) gen_encode.$(OBJEXT) \
 gen_decode.$(OBJEXT) gen_free.$(OBJEXT) gen_length.$(OBJEXT) \
 gen_copy.$(OBJEXT) gen_glue.$(OBJEXT)
+asn1_compile_OBJECTS =  $(am_asn1_compile_OBJECTS)
 asn1_compile_DEPENDENCIES = 
 asn1_compile_LDFLAGS = 
 asn1_print_SOURCES = asn1_print.c
 asn1_print_OBJECTS =  asn1_print.$(OBJEXT)
 asn1_print_DEPENDENCIES =  libasn1.la ../com_err/libcom_err.la
 asn1_print_LDFLAGS = 
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-CFLAGS = @CFLAGS@
+check_der_SOURCES = check-der.c
+check_der_OBJECTS =  check-der.$(OBJEXT)
+check_der_DEPENDENCIES =  libasn1.la ../com_err/libcom_err.la
+check_der_LDFLAGS = 
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) \
+asn1_print.c check-der.c
 HEADERS =  $(include_HEADERS)
 
-DIST_COMMON =  Makefile.am Makefile.in lex.c parse.c
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) Makefile.am Makefile.in lex.c parse.c \
+parse.h
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
-SOURCES = $(libasn1_la_SOURCES) check-der.c $(asn1_compile_SOURCES) asn1_print.c
-OBJECTS = $(libasn1_la_OBJECTS) check-der.$(OBJEXT) $(asn1_compile_OBJECTS) asn1_print.$(OBJEXT)
+SOURCES = $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) asn1_print.c check-der.c
+OBJECTS = $(am_libasn1_la_OBJECTS) $(am_asn1_compile_OBJECTS) asn1_print.$(OBJEXT) check-der.$(OBJEXT)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .l .lo .o .obj .s .x .y
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .l .lo .o .obj .x .y
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/asn1/Makefile
 
@@ -300,31 +387,18 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	$(mkinstalldirs) $(DESTDIR)$(libdir)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
 	  else :; fi; \
 	done
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
 	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -336,15 +410,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -376,10 +441,6 @@ distclean-noinstPROGRAMS:
 
 maintainer-clean-noinstPROGRAMS:
 
-check-der$(EXEEXT): $(check_der_OBJECTS) $(check_der_DEPENDENCIES)
-	@rm -f check-der$(EXEEXT)
-	$(LINK) $(check_der_LDFLAGS) $(check_der_OBJECTS) $(check_der_LDADD) $(LIBS)
-
 asn1_compile$(EXEEXT): $(asn1_compile_OBJECTS) $(asn1_compile_DEPENDENCIES)
 	@rm -f asn1_compile$(EXEEXT)
 	$(LINK) $(asn1_compile_LDFLAGS) $(asn1_compile_OBJECTS) $(asn1_compile_LDADD) $(LIBS)
@@ -387,6 +448,16 @@ asn1_compile$(EXEEXT): $(asn1_compile_OBJECTS) $(asn1_compile_DEPENDENCIES)
 asn1_print$(EXEEXT): $(asn1_print_OBJECTS) $(asn1_print_DEPENDENCIES)
 	@rm -f asn1_print$(EXEEXT)
 	$(LINK) $(asn1_print_LDFLAGS) $(asn1_print_OBJECTS) $(asn1_print_LDADD) $(LIBS)
+
+check-der$(EXEEXT): $(check_der_OBJECTS) $(check_der_DEPENDENCIES)
+	@rm -f check-der$(EXEEXT)
+	$(LINK) $(check_der_LDFLAGS) $(check_der_OBJECTS) $(check_der_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 .l.c:
 	$(LEX) $(AM_LFLAGS) $(LFLAGS) $< && mv $(LEX_OUTPUT_ROOT).c $@
 .y.c:
@@ -402,35 +473,42 @@ install-includeHEADERS: $(include_HEADERS)
 	$(mkinstalldirs) $(DESTDIR)$(includedir)
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
-	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
-	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
 	done
 
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	list='$(include_HEADERS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
 	done
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -440,48 +518,76 @@ distclean-tags:
 	-rm -f TAGS ID
 
 maintainer-clean-tags:
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list='$(TESTS)'; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xpass=`expr $$xpass + 1`; \
+	        failed=`expr $$failed + 1`; \
+	        echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+	        echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xfail=`expr $$xfail + 1`; \
+	        echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+	        failed=`expr $$failed + 1`; \
+	        echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/asn1
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
-check-TESTS: $(TESTS)
-	@failed=0; all=0; \
-	srcdir=$(srcdir); export srcdir; \
-	for tst in $(TESTS); do \
-	  if test -f $$tst; then dir=.; \
-	  else dir="$(srcdir)"; fi; \
-	  if $(TESTS_ENVIRONMENT) $$dir/$$tst; then \
-	    all=`expr $$all + 1`; \
-	    echo "PASS: $$tst"; \
-	  elif test $$? -ne 77; then \
-	    all=`expr $$all + 1`; \
-	    failed=`expr $$failed + 1`; \
-	    echo "FAIL: $$tst"; \
-	  fi; \
-	done; \
-	if test "$$failed" -eq 0; then \
-	  banner="All $$all tests passed"; \
-	else \
-	  banner="$$failed of $$all tests failed"; \
-	fi; \
-	dashes=`echo "$$banner" | sed s/./=/g`; \
-	echo "$$dashes"; \
-	echo "$$banner"; \
-	echo "$$dashes"; \
-	test "$$failed" -eq 0
 info-am:
 info: info-am
 dvi-am:
@@ -508,7 +614,7 @@ uninstall: uninstall-am
 all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
 
@@ -523,7 +629,8 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
-	-test -z "lexlparsehparsec$(BUILT_SOURCES)" || rm -f lexl parseh parsec $(BUILT_SOURCES)
+	-rm -f Makefile.in
+	-test -z "lex.cparse.hparse.c$(BUILT_SOURCES)" || rm -f lex.c parse.h parse.c $(BUILT_SOURCES)
 mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-checkPROGRAMS \
 		mostlyclean-noinstPROGRAMS mostlyclean-tags \
@@ -566,12 +673,13 @@ maintainer-clean-checkPROGRAMS mostlyclean-noinstPROGRAMS \
 distclean-noinstPROGRAMS clean-noinstPROGRAMS \
 maintainer-clean-noinstPROGRAMS uninstall-includeHEADERS \
 install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
-maintainer-clean-tags distdir check-TESTS info-am info dvi-am dvi \
+maintainer-clean-tags check-TESTS distdir info-am info dvi-am dvi \
 check-local check check-am installcheck-am installcheck install-exec-am \
 install-exec install-data-local install-data-am install-data install-am \
 install uninstall-am uninstall all-local all-redirect all-am all \
-installdirs mostlyclean-generic distclean-generic clean-generic \
-maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
 
 
 install-suid-programs:
@@ -579,7 +687,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -591,8 +702,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -661,87 +772,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/lib/asn1/asn1-common.h b/crypto/heimdal/lib/asn1/asn1-common.h
new file mode 100644
index 0000000..d3a30f2
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/asn1-common.h
@@ -0,0 +1,16 @@
+/* $Id: asn1-common.h,v 1.1 2000/04/14 15:41:31 joda Exp $ */
+
+#include <stddef.h>
+#include <time.h>
+
+#ifndef __asn1_common_definitions__
+#define __asn1_common_definitions__
+
+typedef struct octet_string {
+    size_t length;
+    void *data;
+} octet_string;
+
+typedef char *general_string;
+
+#endif
diff --git a/crypto/heimdal/lib/asn1/asn1_print.c b/crypto/heimdal/lib/asn1/asn1_print.c
index 92e6419..e66ac22 100644
--- a/crypto/heimdal/lib/asn1/asn1_print.c
+++ b/crypto/heimdal/lib/asn1/asn1_print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -37,7 +37,7 @@
 #include <getarg.h>
 #include <err.h>
 
-RCSID("$Id: asn1_print.c,v 1.5 1999/12/02 17:05:01 joda Exp $");
+RCSID("$Id: asn1_print.c,v 1.6 2000/12/29 03:34:16 assar Exp $");
 
 static struct et_list *et_list;
 
@@ -99,6 +99,9 @@ loop (unsigned char *buf, size_t len, int indent)
 	ret = der_get_tag (buf, len, &class, &type, &tag, &sz);
 	if (ret)
 	    errx (1, "der_get_tag: %s", com_right (et_list, ret));
+	if (sz > len)
+	    errx (1, "unreasonable length (%u) > %u",
+		  (unsigned)sz, (unsigned)len);
 	buf += sz;
 	len -= sz;
 	for (i = 0; i < indent; ++i)
diff --git a/crypto/heimdal/lib/asn1/der.h b/crypto/heimdal/lib/asn1/der.h
index 37158af..f031f81 100644
--- a/crypto/heimdal/lib/asn1/der.h
+++ b/crypto/heimdal/lib/asn1/der.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: der.h,v 1.18 1999/12/02 17:05:01 joda Exp $ */
+/* $Id: der.h,v 1.20 2001/01/29 08:31:27 assar Exp $ */
 
 #ifndef __DER_H__
 #define __DER_H__
@@ -66,7 +66,7 @@ enum {
 time_t timegm (struct tm *);
 #endif
 
-void time2generalizedtime (time_t t, octet_string *s);
+int time2generalizedtime (time_t t, octet_string *s);
 
 int der_get_int (const unsigned char *p, size_t len, int *ret, size_t *size);
 int der_get_length (const unsigned char *p, size_t len,
@@ -87,6 +87,7 @@ int der_match_tag_and_length (const unsigned char *p, size_t len,
 			      size_t *length_ret, size_t *size);
 
 int decode_integer (const unsigned char*, size_t, int*, size_t*);
+int decode_unsigned (const unsigned char*, size_t, unsigned*, size_t*);
 int decode_general_string (const unsigned char*, size_t,
 			   general_string*, size_t*);
 int decode_octet_string (const unsigned char*, size_t, octet_string*, size_t*);
@@ -105,6 +106,8 @@ int der_put_length_and_tag (unsigned char*, size_t, size_t,
 
 int encode_integer (unsigned char *p, size_t len,
 		    const int *data, size_t*);
+int encode_unsigned (unsigned char *p, size_t len,
+		     const unsigned *data, size_t*);
 int encode_general_string (unsigned char *p, size_t len, 
 			   const general_string *data, size_t*);
 int encode_octet_string (unsigned char *p, size_t len,
@@ -119,6 +122,7 @@ void free_generalized_time (time_t *t);
 
 size_t length_len (size_t len);
 size_t length_integer (const int *data);
+size_t length_unsigned (const unsigned *data);
 size_t length_general_string (const general_string *data);
 size_t length_octet_string (const octet_string *k);
 size_t length_generalized_time (const time_t *t);
diff --git a/crypto/heimdal/lib/asn1/der_get.c b/crypto/heimdal/lib/asn1/der_get.c
index 9f0616b..1a180da 100644
--- a/crypto/heimdal/lib/asn1/der_get.c
+++ b/crypto/heimdal/lib/asn1/der_get.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_get.c,v 1.27 1999/12/02 17:05:01 joda Exp $");
+RCSID("$Id: der_get.c,v 1.28 2000/04/06 17:19:53 assar Exp $");
 
 #include <version.h>
 
@@ -225,6 +225,33 @@ decode_integer (const unsigned char *p, size_t len,
 }
 
 int
+decode_unsigned (const unsigned char *p, size_t len,
+		 unsigned *num, size_t *size)
+{
+    size_t ret = 0;
+    size_t l, reallen;
+    int e;
+
+    e = der_match_tag (p, len, UNIV, PRIM, UT_Integer, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    e = der_get_length (p, len, &reallen, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    e = der_get_unsigned (p, reallen, num, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if(size) *size = ret;
+    return 0;
+}
+
+int
 decode_general_string (const unsigned char *p, size_t len, 
 		       general_string *str, size_t *size)
 {
diff --git a/crypto/heimdal/lib/asn1/der_length.c b/crypto/heimdal/lib/asn1/der_length.c
index 5db95ba..d488f8f 100644
--- a/crypto/heimdal/lib/asn1/der_length.c
+++ b/crypto/heimdal/lib/asn1/der_length.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,10 +33,10 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_length.c,v 1.10 1999/12/02 17:05:01 joda Exp $");
+RCSID("$Id: der_length.c,v 1.11 2000/04/06 17:20:26 assar Exp $");
 
 static size_t
-length_unsigned (unsigned val)
+len_unsigned (unsigned val)
 {
   size_t ret = 0;
 
@@ -48,7 +48,7 @@ length_unsigned (unsigned val)
 }
 
 static size_t
-length_int (int val)
+len_int (int val)
 {
   size_t ret = 0;
 
@@ -73,13 +73,21 @@ length_len (size_t len)
   if (len < 128)
     return 1;
   else
-    return length_unsigned (len) + 1;
+    return len_unsigned (len) + 1;
 }
 
 size_t
 length_integer (const int *data)
 {
-  size_t len = length_int (*data);
+  size_t len = len_int (*data);
+
+  return 1 + length_len(len) + len;
+}
+
+size_t
+length_unsigned (const unsigned *data)
+{
+  size_t len = len_unsigned (*data);
 
   return 1 + length_len(len) + len;
 }
diff --git a/crypto/heimdal/lib/asn1/der_put.c b/crypto/heimdal/lib/asn1/der_put.c
index ce21654..1eda917 100644
--- a/crypto/heimdal/lib/asn1/der_put.c
+++ b/crypto/heimdal/lib/asn1/der_put.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_put.c,v 1.22 1999/12/02 17:05:02 joda Exp $");
+RCSID("$Id: der_put.c,v 1.24 2001/01/29 08:31:27 assar Exp $");
 
 /*
  * All encoding functions take a pointer `p' to first position in
@@ -221,6 +221,31 @@ encode_integer (unsigned char *p, size_t len, const int *data, size_t *size)
 }
 
 int
+encode_unsigned (unsigned char *p, size_t len, const unsigned *data,
+		 size_t *size)
+{
+    unsigned num = *data;
+    size_t ret = 0;
+    size_t l;
+    int e;
+    
+    e = der_put_unsigned (p, len, num, &l);
+    if(e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
+
+int
 encode_general_string (unsigned char *p, size_t len, 
 		       const general_string *data, size_t *size)
 {
@@ -268,17 +293,20 @@ encode_octet_string (unsigned char *p, size_t len,
     return 0;
 }
 
-void
+int
 time2generalizedtime (time_t t, octet_string *s)
 {
      struct tm *tm;
 
      s->data = malloc(16);
+     if (s->data == NULL)
+	 return ENOMEM;
      s->length = 15;
      tm = gmtime (&t);
      sprintf (s->data, "%04d%02d%02d%02d%02d%02dZ", tm->tm_year + 1900,
 	      tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min,
 	      tm->tm_sec);
+     return 0;
 }
 
 int
@@ -290,7 +318,9 @@ encode_generalized_time (unsigned char *p, size_t len,
     octet_string k;
     int e;
 
-    time2generalizedtime (*t, &k);
+    e = time2generalizedtime (*t, &k);
+    if (e)
+	return e;
     e = der_put_octet_string (p, len, &k, &l);
     free (k.data);
     if (e)
diff --git a/crypto/heimdal/lib/asn1/gen.c b/crypto/heimdal/lib/asn1/gen.c
index bca4516..54212d9 100644
--- a/crypto/heimdal/lib/asn1/gen.c
+++ b/crypto/heimdal/lib/asn1/gen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,18 +33,24 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen.c,v 1.41 1999/12/02 17:05:02 joda Exp $");
+RCSID("$Id: gen.c,v 1.44 2000/06/19 15:17:52 joda Exp $");
 
 FILE *headerfile, *codefile, *logfile;
 
 #define STEM "asn1"
 
-static char *orig_filename;
+static const char *orig_filename;
 static char header[1024];
 static char headerbase[1024] = STEM;
 
+const char *
+filename (void)
+{
+    return orig_filename;
+}
+
 void
-init_generate (char *filename, char *base)
+init_generate (const char *filename, const char *base)
 {
     orig_filename = filename;
     if(base)
@@ -91,7 +97,7 @@ init_generate (char *filename, char *base)
 }
 
 void
-close_generate ()
+close_generate (void)
 {
     fprintf (headerfile, "#endif /* __%s_h__ */\n", headerbase);
 
@@ -126,6 +132,10 @@ define_asn1 (int level, Type *t)
 	space(level);
 	fprintf (headerfile, "INTEGER");
 	break;
+    case TUInteger:
+	space(level);
+	fprintf (headerfile, "UNSIGNED INTEGER");
+	break;
     case TOctetString:
 	space(level);
 	fprintf (headerfile, "OCTET STRING");
@@ -217,7 +227,21 @@ define_type (int level, char *name, Type *t, int typedefp)
 	break;
     case TInteger:
 	space(level);
-	fprintf (headerfile, "int %s;\n", name);
+        if(t->members == NULL) {
+            fprintf (headerfile, "int %s;\n", name);
+        } else {
+            Member *m;
+            int tag = -1;
+            fprintf (headerfile, "enum %s {\n", typedefp ? name : "");
+	    for (m = t->members; m && m->val != tag; m = m->next) {
+                if(tag == -1)
+                    tag = m->val;
+                space (level + 1);
+                fprintf(headerfile, "%s = %d%s\n", m->gen_name, m->val, 
+                        m->next->val == tag ? "" : ",");
+            }
+            fprintf (headerfile, "} %s;\n", name);
+        }
 	break;
     case TUInteger:
 	space(level);
diff --git a/crypto/heimdal/lib/asn1/gen_copy.c b/crypto/heimdal/lib/asn1/gen_copy.c
index f9aa489..7d414a9 100644
--- a/crypto/heimdal/lib/asn1/gen_copy.c
+++ b/crypto/heimdal/lib/asn1/gen_copy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_copy.c,v 1.10 1999/12/02 17:05:02 joda Exp $");
+RCSID("$Id: gen_copy.c,v 1.11 2000/04/06 17:22:05 assar Exp $");
 
 static void
 copy_primitive (const char *typename, const char *from, const char *to)
@@ -54,6 +54,7 @@ copy_type (const char *from, const char *to, const Type *t)
 	       t->symbol->gen_name, from, to);
       break;
   case TInteger:
+  case TUInteger:
       fprintf(codefile, "*(%s) = *(%s);\n", to, from);
       break;
   case TOctetString:
diff --git a/crypto/heimdal/lib/asn1/gen_decode.c b/crypto/heimdal/lib/asn1/gen_decode.c
index 078ac44..bed19a9 100644
--- a/crypto/heimdal/lib/asn1/gen_decode.c
+++ b/crypto/heimdal/lib/asn1/gen_decode.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_decode.c,v 1.11 1999/12/02 17:05:02 joda Exp $");
+RCSID("$Id: gen_decode.c,v 1.15 2001/01/29 08:36:45 assar Exp $");
 
 static void
 decode_primitive (const char *typename, const char *name)
@@ -48,215 +48,228 @@ decode_primitive (const char *typename, const char *name)
 static void
 decode_type (const char *name, const Type *t)
 {
-  switch (t->type) {
-  case TType:
+    switch (t->type) {
+    case TType:
 #if 0
-    decode_type (name, t->symbol->type);
+	decode_type (name, t->symbol->type);
 #endif
-    fprintf (codefile,
-	     "e = decode_%s(p, len, %s, &l);\n"
-	     "FORW;\n",
-	     t->symbol->gen_name, name);
-    break;
-  case TInteger:
-    decode_primitive ("integer", name);
-    break;
-  case TOctetString:
-    decode_primitive ("octet_string", name);
-    break;
-  case TBitString: {
-    Member *m;
-    int tag = -1;
-    int pos;
+	fprintf (codefile,
+		 "e = decode_%s(p, len, %s, &l);\n"
+		 "FORW;\n",
+		 t->symbol->gen_name, name);
+	break;
+    case TInteger:
+	if(t->members == NULL)
+	    decode_primitive ("integer", name);
+	else {
+	    char *s;
+	    asprintf(&s, "(int*)%s", name);
+	    if(s == NULL)
+		errx (1, "out of memory");
+	    decode_primitive ("integer", s);
+	    free(s);
+	}
+	break;
+    case TUInteger:
+	decode_primitive ("unsigned", name);
+	break;
+    case TOctetString:
+	decode_primitive ("octet_string", name);
+	break;
+    case TBitString: {
+	Member *m;
+	int tag = -1;
+	int pos;
 
-    fprintf (codefile,
-	     "e = der_match_tag_and_length (p, len, UNIV, PRIM, UT_BitString,"
-	     "&reallen, &l);\n"
-	     "FORW;\n"
-	     "if(len < reallen)\n"
-	     "return ASN1_OVERRUN;\n"
-	     "p++;\n"
-	     "len--;\n"
-	     "reallen--;\n"
-	     "ret++;\n");
-    pos = 0;
-    for (m = t->members; m && tag != m->val; m = m->next) {
-      while (m->val / 8 > pos / 8) {
 	fprintf (codefile,
-		 "p++; len--; reallen--; ret++;\n");
-	pos += 8;
-      }
-      fprintf (codefile,
-	       "%s->%s = (*p >> %d) & 1;\n",
-	       name, m->gen_name, 7 - m->val % 8);
-      if (tag == -1)
-	tag = m->val;
+		 "e = der_match_tag_and_length (p, len, UNIV, PRIM, UT_BitString,"
+		 "&reallen, &l);\n"
+		 "FORW;\n"
+		 "if(len < reallen)\n"
+		 "return ASN1_OVERRUN;\n"
+		 "p++;\n"
+		 "len--;\n"
+		 "reallen--;\n"
+		 "ret++;\n");
+	pos = 0;
+	for (m = t->members; m && tag != m->val; m = m->next) {
+	    while (m->val / 8 > pos / 8) {
+		fprintf (codefile,
+			 "p++; len--; reallen--; ret++;\n");
+		pos += 8;
+	    }
+	    fprintf (codefile,
+		     "%s->%s = (*p >> %d) & 1;\n",
+		     name, m->gen_name, 7 - m->val % 8);
+	    if (tag == -1)
+		tag = m->val;
+	}
+	fprintf (codefile,
+		 "p += reallen; len -= reallen; ret += reallen;\n");
+	break;
     }
-    fprintf (codefile,
-	     "p += reallen; len -= reallen; ret += reallen;\n");
-    break;
-  }
-  case TSequence: {
-    Member *m;
-    int tag = -1;
+    case TSequence: {
+	Member *m;
+	int tag = -1;
 
-    if (t->members == NULL)
-      break;
+	if (t->members == NULL)
+	    break;
 
-    fprintf (codefile,
-	     "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence,"
-	     "&reallen, &l);\n"
-	     "FORW;\n"
-	     "{\n"
-	     "int dce_fix;\n"
-	     "if((dce_fix = fix_dce(reallen, &len)) < 0)\n"
-	     "return ASN1_BAD_FORMAT;\n");
+	fprintf (codefile,
+		 "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence,"
+		 "&reallen, &l);\n"
+		 "FORW;\n"
+		 "{\n"
+		 "int dce_fix;\n"
+		 "if((dce_fix = fix_dce(reallen, &len)) < 0)\n"
+		 "return ASN1_BAD_FORMAT;\n");
 
-    for (m = t->members; m && tag != m->val; m = m->next) {
-      char *s;
+	for (m = t->members; m && tag != m->val; m = m->next) {
+	    char *s;
 
-      asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
-      if (0 && m->type->type == TType){
-	  if(m->optional)
-	      fprintf (codefile,
-		       "%s = malloc(sizeof(*%s));\n", s, s);
-	  fprintf (codefile, 
-		   "e = decode_seq_%s(p, len, %d, %d, %s, &l);\n",
-		   m->type->symbol->gen_name,
-		   m->val, 
-		   m->optional,
-		   s);
-	  if(m->optional)
-	      fprintf (codefile, 
-		       "if (e == ASN1_MISSING_FIELD) {\n"
-		       "free(%s);\n"
-		       "%s = NULL;\n"
-		       "e = l = 0;\n"
-		       "}\n",
-		       s, s);
+	    asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
+	    if (0 && m->type->type == TType){
+		if(m->optional)
+		    fprintf (codefile,
+			     "%s = malloc(sizeof(*%s));\n"
+			     "if(%s == NULL) return ENOMEM;\n", s, s, s);
+		fprintf (codefile, 
+			 "e = decode_seq_%s(p, len, %d, %d, %s, &l);\n",
+			 m->type->symbol->gen_name,
+			 m->val, 
+			 m->optional,
+			 s);
+		if(m->optional)
+		    fprintf (codefile, 
+			     "if (e == ASN1_MISSING_FIELD) {\n"
+			     "free(%s);\n"
+			     "%s = NULL;\n"
+			     "e = l = 0;\n"
+			     "}\n",
+			     s, s);
 	  
-	  fprintf (codefile, "FORW;\n");
+		fprintf (codefile, "FORW;\n");
 	  
-      }else{
-	  fprintf (codefile, "{\n"
-		   "size_t newlen, oldlen;\n\n"
-		   "e = der_match_tag (p, len, CONTEXT, CONS, %d, &l);\n",
-		   m->val);
-	  fprintf (codefile,
-		   "if (e)\n");
-	  if(m->optional)
-	      /* XXX should look at e */
-	      fprintf (codefile,
-		       "%s = NULL;\n", s);
-	  else
-	      fprintf (codefile,
-		       "return e;\n");
-	  fprintf (codefile, 
-		   "else {\n");
-	  fprintf (codefile,
-		   "p += l;\n"
-		   "len -= l;\n"
-		   "ret += l;\n"
-		   "e = der_get_length (p, len, &newlen, &l);\n"
-		   "FORW;\n"
-		   "{\n"
+	    }else{
+		fprintf (codefile, "{\n"
+			 "size_t newlen, oldlen;\n\n"
+			 "e = der_match_tag (p, len, CONTEXT, CONS, %d, &l);\n",
+			 m->val);
+		fprintf (codefile,
+			 "if (e)\n");
+		if(m->optional)
+		    /* XXX should look at e */
+		    fprintf (codefile,
+			     "%s = NULL;\n", s);
+		else
+		    fprintf (codefile,
+			     "return e;\n");
+		fprintf (codefile, 
+			 "else {\n");
+		fprintf (codefile,
+			 "p += l;\n"
+			 "len -= l;\n"
+			 "ret += l;\n"
+			 "e = der_get_length (p, len, &newlen, &l);\n"
+			 "FORW;\n"
+			 "{\n"
 	       
-		   "int dce_fix;\n"
-		   "oldlen = len;\n"
-		   "if((dce_fix = fix_dce(newlen, &len)) < 0)"
-		   "return ASN1_BAD_FORMAT;\n");
-	  if (m->optional)
-	      fprintf (codefile,
-		       "%s = malloc(sizeof(*%s));\n",
-		       s, s);
-	  decode_type (s, m->type);
-	  fprintf (codefile,
-		   "if(dce_fix){\n"
-		   "e = der_match_tag_and_length (p, len, "
-		   "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
-		   "FORW;\n"
-		   "}else \n"
-		   "len = oldlen - newlen;\n"
-		   "}\n"
-		   "}\n");
-	  fprintf (codefile,
-		   "}\n");
-      }
-      if (tag == -1)
-	tag = m->val;
-      free (s);
-    }
-    fprintf(codefile,
-	    "if(dce_fix){\n"
-	    "e = der_match_tag_and_length (p, len, "
-	    "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
-	    "FORW;\n"
-	    "}\n"
-	    "}\n");
+			 "int dce_fix;\n"
+			 "oldlen = len;\n"
+			 "if((dce_fix = fix_dce(newlen, &len)) < 0)"
+			 "return ASN1_BAD_FORMAT;\n");
+		if (m->optional)
+		    fprintf (codefile,
+			     "%s = malloc(sizeof(*%s));\n"
+			     "if(%s == NULL) return ENOMEM;\n", s, s, s);
+		decode_type (s, m->type);
+		fprintf (codefile,
+			 "if(dce_fix){\n"
+			 "e = der_match_tag_and_length (p, len, "
+			 "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
+			 "FORW;\n"
+			 "}else \n"
+			 "len = oldlen - newlen;\n"
+			 "}\n"
+			 "}\n");
+		fprintf (codefile,
+			 "}\n");
+	    }
+	    if (tag == -1)
+		tag = m->val;
+	    free (s);
+	}
+	fprintf(codefile,
+		"if(dce_fix){\n"
+		"e = der_match_tag_and_length (p, len, "
+		"(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
+		"FORW;\n"
+		"}\n"
+		"}\n");
 
-    break;
-  }
-  case TSequenceOf: {
-    char *n;
+	break;
+    }
+    case TSequenceOf: {
+	char *n;
 
-    fprintf (codefile,
-	     "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence,"
-	     "&reallen, &l);\n"
-	     "FORW;\n"
-	     "if(len < reallen)\n"
-	     "return ASN1_OVERRUN;\n"
-	     "len = reallen;\n");
+	fprintf (codefile,
+		 "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence,"
+		 "&reallen, &l);\n"
+		 "FORW;\n"
+		 "if(len < reallen)\n"
+		 "return ASN1_OVERRUN;\n"
+		 "len = reallen;\n");
 
-    fprintf (codefile,
-	     "{\n"
-	     "size_t origlen = len;\n"
-	     "int oldret = ret;\n"
-	     "ret = 0;\n"
-	     "(%s)->len = 0;\n"
-	     "(%s)->val = NULL;\n"
-	     "while(ret < origlen) {\n"
-	     "(%s)->len++;\n"
-	     "(%s)->val = realloc((%s)->val, sizeof(*((%s)->val)) * (%s)->len);\n",
-	     name, name, name, name, name, name, name);
-    asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
-    decode_type (n, t->subtype);
-    fprintf (codefile, 
-	     "len = origlen - ret;\n"
-	     "}\n"
-	     "ret += oldret;\n"
-	     "}\n");
-    free (n);
-    break;
-  }
-  case TGeneralizedTime:
-    decode_primitive ("generalized_time", name);
-    break;
-  case TGeneralString:
-    decode_primitive ("general_string", name);
-    break;
-  case TApplication:
-    fprintf (codefile,
-	     "e = der_match_tag_and_length (p, len, APPL, CONS, %d, "
-	     "&reallen, &l);\n"
-	     "FORW;\n"
-	     "{\n"
-	     "int dce_fix;\n"
-	     "if((dce_fix = fix_dce(reallen, &len)) < 0)\n"
-	     "return ASN1_BAD_FORMAT;\n", 
-	     t->application);
-    decode_type (name, t->subtype);
-    fprintf(codefile,
-	    "if(dce_fix){\n"
-	    "e = der_match_tag_and_length (p, len, "
-	    "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
-	    "FORW;\n"
-	    "}\n"
-	    "}\n");
+	fprintf (codefile,
+		 "{\n"
+		 "size_t origlen = len;\n"
+		 "int oldret = ret;\n"
+		 "ret = 0;\n"
+		 "(%s)->len = 0;\n"
+		 "(%s)->val = NULL;\n"
+		 "while(ret < origlen) {\n"
+		 "(%s)->len++;\n"
+		 "(%s)->val = realloc((%s)->val, sizeof(*((%s)->val)) * (%s)->len);\n",
+		 name, name, name, name, name, name, name);
+	asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
+	decode_type (n, t->subtype);
+	fprintf (codefile, 
+		 "len = origlen - ret;\n"
+		 "}\n"
+		 "ret += oldret;\n"
+		 "}\n");
+	free (n);
+	break;
+    }
+    case TGeneralizedTime:
+	decode_primitive ("generalized_time", name);
+	break;
+    case TGeneralString:
+	decode_primitive ("general_string", name);
+	break;
+    case TApplication:
+	fprintf (codefile,
+		 "e = der_match_tag_and_length (p, len, APPL, CONS, %d, "
+		 "&reallen, &l);\n"
+		 "FORW;\n"
+		 "{\n"
+		 "int dce_fix;\n"
+		 "if((dce_fix = fix_dce(reallen, &len)) < 0)\n"
+		 "return ASN1_BAD_FORMAT;\n", 
+		 t->application);
+	decode_type (name, t->subtype);
+	fprintf(codefile,
+		"if(dce_fix){\n"
+		"e = der_match_tag_and_length (p, len, "
+		"(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
+		"FORW;\n"
+		"}\n"
+		"}\n");
 
-    break;
-  default :
-    abort ();
-  }
+	break;
+    default :
+	abort ();
+    }
 }
 
 void
@@ -282,17 +295,10 @@ generate_type_decode (const Symbol *s)
 
   switch (s->type->type) {
   case TInteger:
-    fprintf (codefile, "return decode_integer (p, len, data, size);\n");
-    break;
+  case TUInteger:
   case TOctetString:
-    fprintf (codefile, "return decode_octet_string (p, len, data, size);\n");
-    break;
   case TGeneralizedTime:
-    fprintf (codefile, "return decode_generalized_time (p, len, data, size);\n");
-    break;
   case TGeneralString:
-    fprintf (codefile, "return decode_general_string (p, len, data, size);\n");
-    break;
   case TBitString:
   case TSequence:
   case TSequenceOf:
@@ -303,6 +309,7 @@ generate_type_decode (const Symbol *s)
 	     "size_t l;\n"
 	     "int i, e;\n\n");
     fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
+    fprintf(codefile, "reallen = 0;\n"); /* hack to avoid `unused variable' */
 
     decode_type ("data", s->type);
     fprintf (codefile, 
diff --git a/crypto/heimdal/lib/asn1/gen_encode.c b/crypto/heimdal/lib/asn1/gen_encode.c
index 9e9b293..367ca37 100644
--- a/crypto/heimdal/lib/asn1/gen_encode.c
+++ b/crypto/heimdal/lib/asn1/gen_encode.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_encode.c,v 1.9 1999/12/02 17:05:02 joda Exp $");
+RCSID("$Id: gen_encode.c,v 1.11 2000/06/19 15:19:08 joda Exp $");
 
 static void
 encode_primitive (const char *typename, const char *name)
@@ -48,154 +48,166 @@ encode_primitive (const char *typename, const char *name)
 static void
 encode_type (const char *name, const Type *t)
 {
-  switch (t->type) {
-  case TType:
+    switch (t->type) {
+    case TType:
 #if 0
-    encode_type (name, t->symbol->type);
+	encode_type (name, t->symbol->type);
 #endif
-    fprintf (codefile,
-	     "e = encode_%s(p, len, %s, &l);\n"
-	     "BACK;\n",
-	     t->symbol->gen_name, name);
-    break;
-  case TInteger:
-    encode_primitive ("integer", name);
-    break;
-  case TOctetString:
-    encode_primitive ("octet_string", name);
-    break;
-  case TBitString: {
-    Member *m;
-    int pos;
-    int rest;
-    int tag = -1;
-
-    if (t->members == NULL)
-      break;
-
-    fprintf (codefile, "{\n"
-	     "unsigned char c = 0;\n");
-    pos = t->members->prev->val;
-    /* fix for buggy MIT (and OSF?) code */
-    if (pos > 31)
-	abort ();
-    /*
-     * It seems that if we do not always set pos to 31 here, the MIT
-     * code will do the wrong thing.
-     *
-     * I hate ASN.1 (and DER), but I hate it even more when everybody
-     * has to screw it up differently.
-     */
-    pos = 31;
-    rest = 7 - (pos % 8);
-
-    for (m = t->members->prev; m && tag != m->val; m = m->prev) {
-      while (m->val / 8 < pos / 8) {
 	fprintf (codefile,
-		 "*p-- = c; len--; ret++;\n"
-		 "c = 0;\n");
-	pos -= 8;
-      }
-      fprintf (codefile,
-	       "if(%s->%s) c |= 1<<%d;\n", name, m->gen_name,
-	       7 - m->val % 8);
-
-      if (tag == -1)
-	tag = m->val;
-    }
+		 "e = encode_%s(p, len, %s, &l);\n"
+		 "BACK;\n",
+		 t->symbol->gen_name, name);
+	break;
+    case TInteger:
+	if(t->members == NULL)
+	    encode_primitive ("integer", name);
+	else {
+	    char *s;
+	    asprintf(&s, "(const int*)%s", name);
+	    if(s == NULL)
+		errx(1, "out of memory");
+	    encode_primitive ("integer", s);
+	    free(s);
+	}
+	break;
+    case TUInteger:
+	encode_primitive ("unsigned", name);
+	break;
+    case TOctetString:
+	encode_primitive ("octet_string", name);
+	break;
+    case TBitString: {
+	Member *m;
+	int pos;
+	int rest;
+	int tag = -1;
 
-    fprintf (codefile, 
-	     "*p-- = c;\n"
-	     "*p-- = %d;\n"
-	     "len -= 2;\n"
-	     "ret += 2;\n"
-	     "}\n\n"
-	     "e = der_put_length_and_tag (p, len, ret, UNIV, PRIM,"
-	     "UT_BitString, &l);\n"
-	     "BACK;\n",
-	     rest);
-    break;
-  }
-  case TSequence: {
-    Member *m;
-    int tag = -1;
+	if (t->members == NULL)
+	    break;
 
-    if (t->members == NULL)
-      break;
+	fprintf (codefile, "{\n"
+		 "unsigned char c = 0;\n");
+	pos = t->members->prev->val;
+	/* fix for buggy MIT (and OSF?) code */
+	if (pos > 31)
+	    abort ();
+	/*
+	 * It seems that if we do not always set pos to 31 here, the MIT
+	 * code will do the wrong thing.
+	 *
+	 * I hate ASN.1 (and DER), but I hate it even more when everybody
+	 * has to screw it up differently.
+	 */
+	pos = 31;
+	rest = 7 - (pos % 8);
 
-    for (m = t->members->prev; m && tag != m->val; m = m->prev) {
-      char *s;
+	for (m = t->members->prev; m && tag != m->val; m = m->prev) {
+	    while (m->val / 8 < pos / 8) {
+		fprintf (codefile,
+			 "*p-- = c; len--; ret++;\n"
+			 "c = 0;\n");
+		pos -= 8;
+	    }
+	    fprintf (codefile,
+		     "if(%s->%s) c |= 1<<%d;\n", name, m->gen_name,
+		     7 - m->val % 8);
 
-      asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
-      if (m->optional)
-	fprintf (codefile,
-		 "if(%s)\n",
-		 s);
+	    if (tag == -1)
+		tag = m->val;
+	}
+
+	fprintf (codefile, 
+		 "*p-- = c;\n"
+		 "*p-- = %d;\n"
+		 "len -= 2;\n"
+		 "ret += 2;\n"
+		 "}\n\n"
+		 "e = der_put_length_and_tag (p, len, ret, UNIV, PRIM,"
+		 "UT_BitString, &l);\n"
+		 "BACK;\n",
+		 rest);
+	break;
+    }
+    case TSequence: {
+	Member *m;
+	int tag = -1;
+
+	if (t->members == NULL)
+	    break;
+
+	for (m = t->members->prev; m && tag != m->val; m = m->prev) {
+	    char *s;
+
+	    asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
+	    if (m->optional)
+		fprintf (codefile,
+			 "if(%s)\n",
+			 s);
 #if 1
-      fprintf (codefile, "{\n"
-	       "int oldret = ret;\n"
-	       "ret = 0;\n");
+	    fprintf (codefile, "{\n"
+		     "int oldret = ret;\n"
+		     "ret = 0;\n");
 #endif
-      encode_type (s, m->type);
-      fprintf (codefile,
-	       "e = der_put_length_and_tag (p, len, ret, CONTEXT, CONS, "
-	       "%d, &l);\n"
-	       "BACK;\n",
-	       m->val);
+	    encode_type (s, m->type);
+	    fprintf (codefile,
+		     "e = der_put_length_and_tag (p, len, ret, CONTEXT, CONS, "
+		     "%d, &l);\n"
+		     "BACK;\n",
+		     m->val);
 #if 1
-      fprintf (codefile,
-	       "ret += oldret;\n"
-	       "}\n");
+	    fprintf (codefile,
+		     "ret += oldret;\n"
+		     "}\n");
 #endif
-      if (tag == -1)
-	tag = m->val;
-      free (s);
+	    if (tag == -1)
+		tag = m->val;
+	    free (s);
+	}
+	fprintf (codefile,
+		 "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
+		 "BACK;\n");
+	break;
     }
-    fprintf (codefile,
-	     "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
-	     "BACK;\n");
-    break;
-  }
-  case TSequenceOf: {
-    char *n;
+    case TSequenceOf: {
+	char *n;
 
-    fprintf (codefile,
-	     "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+	fprintf (codefile,
+		 "for(i = (%s)->len - 1; i >= 0; --i) {\n"
 #if 1
-	     "int oldret = ret;\n"
-	     "ret = 0;\n",
+		 "int oldret = ret;\n"
+		 "ret = 0;\n",
 #else
-	     ,
+		 ,
 #endif
-	     name);
-    asprintf (&n, "&(%s)->val[i]", name);
-    encode_type (n, t->subtype);
-    fprintf (codefile,
+		 name);
+	asprintf (&n, "&(%s)->val[i]", name);
+	encode_type (n, t->subtype);
+	fprintf (codefile,
 #if 1
-	     "ret += oldret;\n"
+		 "ret += oldret;\n"
 #endif
-	     "}\n"
-	     "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
-	     "BACK;\n");
-    free (n);
-    break;
-  }
-  case TGeneralizedTime:
-    encode_primitive ("generalized_time", name);
-    break;
-  case TGeneralString:
-    encode_primitive ("general_string", name);
-    break;
-  case TApplication:
-    encode_type (name, t->subtype);
-    fprintf (codefile,
-	     "e = der_put_length_and_tag (p, len, ret, APPL, CONS, %d, &l);\n"
-	     "BACK;\n",
-	     t->application);
-    break;
-  default:
-    abort ();
-  }
+		 "}\n"
+		 "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
+		 "BACK;\n");
+	free (n);
+	break;
+    }
+    case TGeneralizedTime:
+	encode_primitive ("generalized_time", name);
+	break;
+    case TGeneralString:
+	encode_primitive ("general_string", name);
+	break;
+    case TApplication:
+	encode_type (name, t->subtype);
+	fprintf (codefile,
+		 "e = der_put_length_and_tag (p, len, ret, APPL, CONS, %d, &l);\n"
+		 "BACK;\n",
+		 t->application);
+	break;
+    default:
+	abort ();
+    }
 }
 
 void
@@ -217,17 +229,10 @@ generate_type_encode (const Symbol *s)
 
   switch (s->type->type) {
   case TInteger:
-    fprintf (codefile, "return encode_integer (p, len, data, size);\n");
-    break;
+  case TUInteger:
   case TOctetString:
-    fprintf (codefile, "return encode_octet_string (p, len, data, size);\n");
-    break;
   case TGeneralizedTime:
-    fprintf (codefile, "return encode_generalized_time (p, len, data, size);\n");
-    break;
   case TGeneralString:
-    fprintf (codefile, "return encode_general_string (p, len, data, size);\n");
-    break;
   case TBitString:
   case TSequence:
   case TSequenceOf:
@@ -239,7 +244,8 @@ generate_type_encode (const Symbol *s)
 	     "int i, e;\n\n");
     fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
     
-    encode_type ("data", s->type);
+      encode_type("data", s->type);
+
     fprintf (codefile, "*size = ret;\n"
 	     "return 0;\n");
     break;
diff --git a/crypto/heimdal/lib/asn1/gen_free.c b/crypto/heimdal/lib/asn1/gen_free.c
index 0f6078b..20ae521 100644
--- a/crypto/heimdal/lib/asn1/gen_free.c
+++ b/crypto/heimdal/lib/asn1/gen_free.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_free.c,v 1.7 1999/12/02 17:05:02 joda Exp $");
+RCSID("$Id: gen_free.c,v 1.8 2000/04/06 17:24:02 assar Exp $");
 
 static void
 free_primitive (const char *typename, const char *name)
@@ -52,6 +52,7 @@ free_type (const char *name, const Type *t)
       fprintf (codefile, "free_%s(%s);\n", t->symbol->gen_name, name);
       break;
   case TInteger:
+  case TUInteger:
       break;
   case TOctetString:
       free_primitive ("octet_string", name);
diff --git a/crypto/heimdal/lib/asn1/gen_length.c b/crypto/heimdal/lib/asn1/gen_length.c
index 1c3566d..ca2af6f 100644
--- a/crypto/heimdal/lib/asn1/gen_length.c
+++ b/crypto/heimdal/lib/asn1/gen_length.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_length.c,v 1.7 1999/12/02 17:05:02 joda Exp $");
+RCSID("$Id: gen_length.c,v 1.10 2000/06/21 22:40:53 assar Exp $");
 
 static void
 length_primitive (const char *typename,
@@ -46,91 +46,103 @@ length_primitive (const char *typename,
 static void
 length_type (const char *name, const Type *t, const char *variable)
 {
-  switch (t->type) {
-  case TType:
+    switch (t->type) {
+    case TType:
 #if 0
-      length_type (name, t->symbol->type);
+	length_type (name, t->symbol->type);
 #endif
-      fprintf (codefile, "%s += length_%s(%s);\n",
-	       variable, t->symbol->gen_name, name);
-      break;
-  case TInteger:
-      length_primitive ("integer", name, variable);
-      break;
-  case TOctetString:
-      length_primitive ("octet_string", name, variable);
-      break;
-  case TBitString: {
-      /*
-       * XXX - Hope this is correct
-       * look at TBitString case in `encode_type'
-       */
-      fprintf (codefile, "%s += 7;\n", variable);
-      break;
-  }
-  case TSequence: {
-      Member *m;
-      int tag = -1;
+	fprintf (codefile, "%s += length_%s(%s);\n",
+		 variable, t->symbol->gen_name, name);
+	break;
+    case TInteger:
+        if(t->members == NULL)
+            length_primitive ("integer", name, variable);
+        else {
+            char *s;
+            asprintf(&s, "(const int*)%s", name);
+            if(s == NULL)
+		errx (1, "out of memory");
+            length_primitive ("integer", s, variable);
+            free(s);
+        }
+	break;
+    case TUInteger:
+	length_primitive ("unsigned", name, variable);
+	break;
+    case TOctetString:
+	length_primitive ("octet_string", name, variable);
+	break;
+    case TBitString: {
+	/*
+	 * XXX - Hope this is correct
+	 * look at TBitString case in `encode_type'
+	 */
+	fprintf (codefile, "%s += 7;\n", variable);
+	break;
+    }
+    case TSequence: {
+	Member *m;
+	int tag = -1;
 
-      if (t->members == NULL)
-	  break;
+	if (t->members == NULL)
+	    break;
       
-      for (m = t->members; m && tag != m->val; m = m->next) {
-	  char *s;
+	for (m = t->members; m && tag != m->val; m = m->next) {
+	    char *s;
 
-	  asprintf (&s, "%s(%s)->%s",
-		    m->optional ? "" : "&", name, m->gen_name);
-	  if (m->optional)
-	      fprintf (codefile, "if(%s)", s);
-	  fprintf (codefile, "{\n"
-		   "int oldret = %s;\n"
-		   "%s = 0;\n", variable, variable);
-	  length_type (s, m->type, "ret");
-	  fprintf (codefile, "%s += 1 + length_len(%s) + oldret;\n",
-		   variable, variable);
-	  fprintf (codefile, "}\n");
-	  if (tag == -1)
-	      tag = m->val;
-	  free (s);
-      }
-      fprintf (codefile,
-	       "%s += 1 + length_len(%s);\n", variable, variable);
-      break;
-  }
-  case TSequenceOf: {
-      char *n;
+	    asprintf (&s, "%s(%s)->%s",
+		      m->optional ? "" : "&", name, m->gen_name);
+	    if (m->optional)
+		fprintf (codefile, "if(%s)", s);
+	    fprintf (codefile, "{\n"
+		     "int oldret = %s;\n"
+		     "%s = 0;\n", variable, variable);
+	    length_type (s, m->type, "ret");
+	    fprintf (codefile, "%s += 1 + length_len(%s) + oldret;\n",
+		     variable, variable);
+	    fprintf (codefile, "}\n");
+	    if (tag == -1)
+		tag = m->val;
+	    free (s);
+	}
+	fprintf (codefile,
+		 "%s += 1 + length_len(%s);\n", variable, variable);
+	break;
+    }
+    case TSequenceOf: {
+	char *n;
 
-      fprintf (codefile,
-	       "{\n"
-	       "int oldret = %s;\n"
-	       "int i;\n"
-	       "%s = 0;\n",
-	       variable, variable);
+	fprintf (codefile,
+		 "{\n"
+		 "int oldret = %s;\n"
+		 "int i;\n"
+		 "%s = 0;\n",
+		 variable, variable);
 
-      fprintf (codefile, "for(i = (%s)->len - 1; i >= 0; --i){\n", name);
-      asprintf (&n, "&(%s)->val[i]", name);
-      length_type(n, t->subtype, variable);
-      fprintf (codefile, "}\n");
+	fprintf (codefile, "for(i = (%s)->len - 1; i >= 0; --i){\n", name);
+	asprintf (&n, "&(%s)->val[i]", name);
+	length_type(n, t->subtype, variable);
+	fprintf (codefile, "}\n");
 
-      fprintf (codefile,
-	       "%s += 1 + length_len(%s) + oldret;\n"
-	       "}\n", variable, variable);
-      free(n);
-      break;
-  }
-  case TGeneralizedTime:
-      length_primitive ("generalized_time", name, variable);
-      break;
-  case TGeneralString:
-      length_primitive ("general_string", name, variable);
-      break;
-  case TApplication:
-      length_type (name, t->subtype, variable);
-      fprintf (codefile, "ret += 1 + length_len (ret);\n");
-      break;
-  default :
-      abort ();
-  }
+	fprintf (codefile,
+		 "%s += 1 + length_len(%s) + oldret;\n"
+		 "}\n", variable, variable);
+	free(n);
+	break;
+    }
+    case TGeneralizedTime:
+	length_primitive ("generalized_time", name, variable);
+	break;
+    case TGeneralString:
+	length_primitive ("general_string", name, variable);
+	break;
+    case TApplication:
+	length_type (name, t->subtype, variable);
+	fprintf (codefile, "ret += 1 + length_len (ret);\n");
+	break;
+    default :
+	abort ();
+    }
 }
 
 void
diff --git a/crypto/heimdal/lib/asn1/gen_locl.h b/crypto/heimdal/lib/asn1/gen_locl.h
index 7ee37ae..acf6bc1a 100644
--- a/crypto/heimdal/lib/asn1/gen_locl.h
+++ b/crypto/heimdal/lib/asn1/gen_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gen_locl.h,v 1.6 1999/12/02 17:05:02 joda Exp $ */
+/* $Id: gen_locl.h,v 1.7 2000/04/09 09:21:56 assar Exp $ */
 
 #ifndef __GEN_LOCL_H__
 #define __GEN_LOCL_H__
@@ -63,7 +63,8 @@ void generate_type_copy (const Symbol *s);
 void generate_type_maybe (const Symbol *s);
 void generate_glue (const Symbol *s);
 
-void init_generate (char *filename, char *basename);
+void init_generate (const char *filename, const char *basename);
+const char *filename (void);
 void close_generate(void);
 int yyparse(void);
 
diff --git a/crypto/heimdal/lib/asn1/k5.asn1 b/crypto/heimdal/lib/asn1/k5.asn1
index a7f4199..c5382f3 100644
--- a/crypto/heimdal/lib/asn1/k5.asn1
+++ b/crypto/heimdal/lib/asn1/k5.asn1
@@ -1,16 +1,89 @@
+-- $Id: k5.asn1,v 1.23 2000/12/11 06:30:35 assar Exp $
+
 KERBEROS5 DEFINITIONS ::=
 BEGIN
 
-nt-unknown INTEGER ::= 0 -- Name type not known
-nt-principal INTEGER ::= 1 -- Just the name of the principal as in
-nt-srv-inst INTEGER ::= 2 -- Service and other unique instance (krbtgt)
-nt-srv-hst INTEGER ::= 3 -- Service with host name as instance
-nt-srv-xhst INTEGER ::= 4 -- Service with host as remaining components
-nt-uid INTEGER ::= 5 -- Unique ID
+NAME-TYPE ::= INTEGER {
+	KRB5_NT_UNKNOWN(0),	-- Name type not known
+	KRB5_NT_PRINCIPAL(1),	-- Just the name of the principal as in
+	KRB5_NT_SRV_INST(2),	-- Service and other unique instance (krbtgt)
+	KRB5_NT_SRV_HST(3),	-- Service with host name as instance
+	KRB5_NT_SRV_XHST(4),	-- Service with host as remaining components
+	KRB5_NT_UID(5),		-- Unique ID
+	KRB5_NT_X500_PRINCIPAL(6) -- PKINIT
+}
+
+-- message types
+
+MESSAGE-TYPE ::= INTEGER {
+	krb-as-req(10), -- Request for initial authentication
+	krb-as-rep(11), -- Response to KRB_AS_REQ request
+	krb-tgs-req(12), -- Request for authentication based on TGT
+	krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
+	krb-ap-req(14), -- application request to server
+	krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
+	krb-safe(20), -- Safe (checksummed) application message
+	krb-priv(21), -- Private (encrypted) application message
+	krb-cred(22), -- Private (encrypted) message to forward credentials
+	krb-error(30) -- Error response
+}
+
+
+-- pa-data types
+
+PADATA-TYPE ::= INTEGER {
+	KRB5-PADATA-NONE(0),
+	KRB5-PADATA-TGS-REQ(1),
+	KRB5-PADATA-AP-REQ(1),
+	KRB5-PADATA-ENC-TIMESTAMP(2),
+	KRB5-PADATA-PW-SALT(3),
+	KRB5-PADATA-ENC-UNIX-TIME(5),
+	KRB5-PADATA-SANDIA-SECUREID(6),
+	KRB5-PADATA-SESAME(7),
+	KRB5-PADATA-OSF-DCE(8),
+	KRB5-PADATA-CYBERSAFE-SECUREID(9),
+	KRB5-PADATA-AFS3-SALT(10),
+	KRB5-PADATA-ETYPE-INFO(11),
+	KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
+	KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
+	KRB5-PADATA-PK-AS-REQ(14), -- (PKINIT)
+	KRB5-PADATA-PK-AS-REP(15), -- (PKINIT)
+	KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT)
+	KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT)
+	KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT)
+	KRB5-PADATA-USE-SPECIFIED-KVNO(20),
+	KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
+	KRB5-PADATA-GET-FROM-TYPED-DATA(22),
+	KRB5-PADATA-SAM-ETYPE-INFO(23)
+}
+
+-- checksumtypes
+
+CKSUMTYPE ::= INTEGER {
+	CKSUMTYPE_NONE(0),
+	CKSUMTYPE_CRC32(1),
+	CKSUMTYPE_RSA_MD4(2),
+	CKSUMTYPE_RSA_MD4_DES(3),
+	CKSUMTYPE_DES_MAC(4),
+	CKSUMTYPE_DES_MAC_K(5),
+	CKSUMTYPE_RSA_MD4_DES_K(6),
+	CKSUMTYPE_RSA_MD5(7),
+	CKSUMTYPE_RSA_MD5_DES(8),
+	CKSUMTYPE_RSA_MD5_DES3(9),
+	-- CKSUMTYPE_SHA1(10),
+	CKSUMTYPE_HMAC_SHA1_DES3(12),
+	CKSUMTYPE_SHA1(1000),		-- correct value? 10 (9 also)
+	CKSUMTYPE_HMAC_MD5(-138),	-- unofficial microsoft number
+	CKSUMTYPE_HMAC_MD5_ENC(-1138)	-- even more unofficial
+}
+
+-- this is sugar to make something ASN1 does not have: unsigned
+
+UNSIGNED ::= INTEGER (0..4294967295)
 
 Realm ::= GeneralString
 PrincipalName ::= SEQUENCE {
-	name-type[0]		INTEGER,
+	name-type[0]		NAME-TYPE,
 	name-string[1]		SEQUENCE OF GeneralString
 }
 
@@ -81,6 +154,7 @@ KDCOptions ::= BIT STRING {
 	unused10(10),
 	unused11(11),
 	request-anonymous(14),
+	canonicalize(15),
 	disable-transited-check(26),
 	renewable-ok(27),
 	enc-tkt-in-skey(28),
@@ -133,7 +207,7 @@ EncTicketPart ::= [APPLICATION 3] SEQUENCE {
 }
 
 Checksum ::= SEQUENCE {
-	cksumtype[0]		INTEGER,
+	cksumtype[0]		CKSUMTYPE,
 	checksum[1]		OCTET STRING
 }
 
@@ -145,13 +219,13 @@ Authenticator ::= [APPLICATION 2] SEQUENCE    {
 	cusec[4]		INTEGER,
 	ctime[5]		KerberosTime,
 	subkey[6]		EncryptionKey OPTIONAL,
-	seq-number[7]		INTEGER OPTIONAL,
+	seq-number[7]		UNSIGNED OPTIONAL,
 	authorization-data[8]	AuthorizationData OPTIONAL
 	}
 
 PA-DATA ::= SEQUENCE {
 	-- might be encoded AP-REQ
-	padata-type[1]		INTEGER,
+	padata-type[1]		PADATA-TYPE,
 	padata-value[2]		OCTET STRING
 }
 
@@ -185,7 +259,7 @@ KDC-REQ-BODY ::= SEQUENCE {
 
 KDC-REQ ::= SEQUENCE {
 	pvno[1]			INTEGER,
-	msg-type[2]		INTEGER,
+	msg-type[2]		MESSAGE-TYPE,
 	padata[3]		METHOD-DATA OPTIONAL,
 	req-body[4]		KDC-REQ-BODY
 }
@@ -203,7 +277,7 @@ PA-ENC-TS-ENC ::= SEQUENCE {
 
 KDC-REP ::= SEQUENCE {
 	pvno[0]			INTEGER,
-	msg-type[1]		INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
 	padata[2]		METHOD-DATA OPTIONAL,
 	crealm[3]		Realm,
 	cname[4]		PrincipalName,
@@ -234,7 +308,7 @@ EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
 
 AP-REQ ::= [APPLICATION 14] SEQUENCE {
 	pvno[0]			INTEGER,
-	msg-type[1]		INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
 	ap-options[2]		APOptions,
 	ticket[3]		Ticket,
 	authenticator[4]	EncryptedData
@@ -242,7 +316,7 @@ AP-REQ ::= [APPLICATION 14] SEQUENCE {
 
 AP-REP ::= [APPLICATION 15] SEQUENCE {
 	pvno[0]			INTEGER,
-	msg-type[1]		INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
 	enc-part[2]		EncryptedData
 }
 
@@ -250,42 +324,42 @@ EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
 	ctime[0]		KerberosTime,
 	cusec[1]		INTEGER,
 	subkey[2]		EncryptionKey OPTIONAL,
-	seq-number[3]		INTEGER OPTIONAL
+	seq-number[3]		UNSIGNED OPTIONAL
 }
 
 KRB-SAFE-BODY ::= SEQUENCE {
 	user-data[0]		OCTET STRING,
 	timestamp[1]		KerberosTime OPTIONAL,
 	usec[2]			INTEGER OPTIONAL,
-	seq-number[3]		INTEGER OPTIONAL,
+	seq-number[3]		UNSIGNED OPTIONAL,
 	s-address[4]		HostAddress OPTIONAL,
 	r-address[5]		HostAddress OPTIONAL
 }
 
 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
 	pvno[0]			INTEGER,
-	msg-type[1]		INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
 	safe-body[2]		KRB-SAFE-BODY,
 	cksum[3]		Checksum
 }
 
 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
 	pvno[0]			INTEGER,
-	msg-type[1]		INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
 	enc-part[3]		EncryptedData
 }
 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
 	user-data[0]		OCTET STRING,
 	timestamp[1]		KerberosTime OPTIONAL,
 	usec[2]			INTEGER OPTIONAL,
-	seq-number[3]		INTEGER OPTIONAL,
+	seq-number[3]		UNSIGNED OPTIONAL,
 	s-address[4]		HostAddress OPTIONAL, -- sender's addr
 	r-address[5]		HostAddress OPTIONAL  -- recip's addr
 }
 
 KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
 	pvno[0]			INTEGER,
-	msg-type[1]		INTEGER, -- KRB_CRED
+	msg-type[1]		MESSAGE-TYPE, -- KRB_CRED
 	tickets[2]		SEQUENCE OF Ticket,
 	enc-part[3]		EncryptedData
 }
@@ -315,7 +389,7 @@ EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
 
 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
 	pvno[0]			INTEGER,
-	msg-type[1]		INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
 	ctime[2]		KerberosTime OPTIONAL,
 	cusec[3]		INTEGER OPTIONAL,
 	stime[4]		KerberosTime,
@@ -331,51 +405,6 @@ KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
 
 pvno INTEGER ::= 5 -- current Kerberos protocol version number
 
--- message types
-
-krb-as-req INTEGER ::= 10 -- Request for initial authentication
-krb-as-rep INTEGER ::= 11 -- Response to KRB_AS_REQ request
-krb-tgs-req INTEGER ::= 12 -- Request for authentication based on TGT
-krb-tgs-rep INTEGER ::= 13 -- Response to KRB_TGS_REQ request
-krb-ap-req INTEGER ::= 14 -- application request to server
-krb-ap-rep INTEGER ::= 15 -- Response to KRB_AP_REQ_MUTUAL
-krb-safe INTEGER ::= 20 -- Safe (checksummed) application message
-krb-priv INTEGER ::= 21 -- Private (encrypted) application message
-krb-cred INTEGER ::= 22 -- Private (encrypted) message to forward credentials
-krb-error INTEGER ::= 30 -- Error response
-
--- pa-data types
-
-pa-tgs-req		INTEGER ::= 1
-pa-enc-timestamp	INTEGER ::= 2
-pa-pw-salt		INTEGER ::= 3
-pa-enc-unix-time	INTEGER ::= 5
-pa-sandia-secureid	INTEGER ::= 6
-pa-sesame		INTEGER ::= 7
-pa-osf-dce		INTEGER ::= 8
-pa-cybersafe-secureid	INTEGER ::= 9
-pa-afs3-salt		INTEGER ::= 10
-pa-etype-info		INTEGER ::= 11
-sam-challenge		INTEGER ::= 12 -- (sam/otp)
-sam-response		INTEGER ::= 13 -- (sam/otp)
-pa-pk-as-req		INTEGER ::= 14 -- (pkinit)
-pa-pk-as-rep		INTEGER ::= 15 -- (pkinit)
-pa-pk-as-sign		INTEGER ::= 16 -- (pkinit)
-pa-pk-key-req		INTEGER ::= 17 -- (pkinit)
-pa-pk-key-rep		INTEGER ::= 18 -- (pkinit)
--- checksumtypes
-
-CRC32 			INTEGER ::= 1
-rsa-md4 		INTEGER ::= 2
-rsa-md4-des		INTEGER ::= 3
-des-mac			INTEGER ::= 4
-des-mac-k 		INTEGER ::= 5
-rsa-md4-des-k		INTEGER ::= 6
-rsa-md5			INTEGER ::= 7
-rsa-md5-des		INTEGER ::= 8
-rsa-md5-des3		INTEGER ::= 9
-hmac-sha1-des3		INTEGER ::= 12
-
 -- transited encodings
 
 DOMAIN-X500-COMPRESS	INTEGER ::= 1
diff --git a/crypto/heimdal/lib/asn1/lex.h b/crypto/heimdal/lib/asn1/lex.h
index 66d708c..9f5cadf 100644
--- a/crypto/heimdal/lib/asn1/lex.h
+++ b/crypto/heimdal/lib/asn1/lex.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,6 +31,11 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: lex.h,v 1.3 1999/12/02 17:05:02 joda Exp $ */
+/* $Id: lex.h,v 1.5 2000/07/01 20:21:34 assar Exp $ */
 
-void error_message (char *, ...);
+#include <roken.h>
+
+void error_message (const char *, ...)
+__attribute__ ((format (printf, 1, 2)));
+
+int yylex(void);
diff --git a/crypto/heimdal/lib/asn1/lex.l b/crypto/heimdal/lib/asn1/lex.l
index b3fbf71..ffb6fd5 100644
--- a/crypto/heimdal/lib/asn1/lex.l
+++ b/crypto/heimdal/lib/asn1/lex.l
@@ -1,6 +1,6 @@
 %{
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: lex.l,v 1.10 1999/12/02 17:05:02 joda Exp $ */
+/* $Id: lex.l,v 1.15 2000/07/02 04:08:02 assar Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -46,17 +46,22 @@
 #endif
 #include "symbol.h"
 #include "parse.h"
-
-void error_message(char *, ...);
+#include "lex.h"
+#include "gen_locl.h"
 
 static unsigned lineno = 1;
 
-/* ","|"{"|"}"|"("|")"|"["|"]"|"|"	{ return *yytext; } */
+#define YY_NO_UNPUT
+
+#undef ECHO
+
 %}
 
 
 %%
 INTEGER			{ return INTEGER; }
+IMPORTS			{ return IMPORTS; }
+FROM			{ return FROM; }
 SEQUENCE		{ return SEQUENCE; }
 OF			{ return OF; }
 OCTET			{ return OCTET; }
@@ -70,15 +75,16 @@ BEGIN			{ return TBEGIN; }
 END			{ return END; }
 DEFINITIONS		{ return DEFINITIONS; }
 EXTERNAL		{ return EXTERNAL; }
-[,{}()|]		{ return *yytext; }
+[,;{}()|]		{ return *yytext; }
 "["			{ return *yytext; }
 "]"			{ return *yytext; }
 ::=			{ return EEQUAL; }
---[^\n]*\n		{ ; }
+--[^\n]*\n		{ ++lineno; }
 -?[0-9]+		{ yylval.constant = atoi(yytext); return CONSTANT; }
 [A-Za-z][-A-Za-z0-9_]*	{ yylval.name =  strdup (yytext); return IDENTIFIER; }
 [ \t]			;
-\n			{ lineno++; }
+\n			{ ++lineno; }
+\.\.			{ return DOTDOT; }
 .			{ error_message("Ignoring char(%c)\n", *yytext); }
 %%
 
@@ -91,12 +97,12 @@ yywrap ()
 #endif
 
 void
-error_message (char *format, ...)
+error_message (const char *format, ...)
 {
      va_list args;
 
      va_start (args, format);
-     fprintf (stderr, ":%d: ", lineno);
+     fprintf (stderr, "%s:%d: ", filename(), lineno);
      vfprintf (stderr, format, args);
      va_end (args);
 }
diff --git a/crypto/heimdal/lib/asn1/parse.y b/crypto/heimdal/lib/asn1/parse.y
index f9e82b5..4b8e590 100644
--- a/crypto/heimdal/lib/asn1/parse.y
+++ b/crypto/heimdal/lib/asn1/parse.y
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: parse.y,v 1.12 1999/12/02 17:05:02 joda Exp $ */
+/* $Id: parse.y,v 1.16 2000/07/08 11:35:47 assar Exp $ */
 
 %{
 #ifdef HAVE_CONFIG_H
@@ -44,11 +44,10 @@
 #include "lex.h"
 #include "gen_locl.h"
 
-RCSID("$Id: parse.y,v 1.12 1999/12/02 17:05:02 joda Exp $");
+RCSID("$Id: parse.y,v 1.16 2000/07/08 11:35:47 assar Exp $");
 
 static Type *new_type (Typetype t);
 void yyerror (char *);
-int yylex(void);
 
 static void append (Member *l, Member *r);
 
@@ -63,6 +62,8 @@ static void append (Member *l, Member *r);
 
 %token INTEGER SEQUENCE OF OCTET STRING GeneralizedTime GeneralString
 %token BIT APPLICATION OPTIONAL EEQUAL TBEGIN END DEFINITIONS EXTERNAL
+%token DOTDOT
+%token IMPORTS FROM
 %token <name> IDENTIFIER 
 %token <constant> CONSTANT
 
@@ -81,16 +82,24 @@ specification	:
 		| specification declaration
 		;
 
-declaration	: extern_decl
+declaration	: imports_decl
 		| type_decl
 		| constant_decl
 		;
 
-extern_decl	: IDENTIFIER EXTERNAL
+referencenames	: IDENTIFIER ',' referencenames
 		{
 			Symbol *s = addsym($1);
 			s->stype = Stype;
 		}
+		| IDENTIFIER
+		{
+			Symbol *s = addsym($1);
+			s->stype = Stype;
+		}
+		;
+
+imports_decl	: IMPORTS referencenames FROM IDENTIFIER ';'
 		;
 
 type_decl	: IDENTIFIER EEQUAL type
@@ -112,6 +121,19 @@ constant_decl	: IDENTIFIER type EEQUAL constant
 		;
 
 type		: INTEGER     { $$ = new_type(TInteger); }
+		| INTEGER '(' constant DOTDOT constant ')' {
+		    if($3 != 0)
+			error_message("Only 0 supported as low range");
+		    if($5 != INT_MIN && $5 != UINT_MAX && $5 != INT_MAX)
+			error_message("Only %u supported as high range",
+				      UINT_MAX);
+		    $$ = new_type(TUInteger);
+		}
+                | INTEGER '{' bitdecls '}'
+                {
+			$$ = new_type(TInteger);
+			$$->members = $3;
+                }
 		| OCTET STRING { $$ = new_type(TOctetString); }
 		| GeneralString { $$ = new_type(TGeneralString); }
 		| GeneralizedTime { $$ = new_type(TGeneralizedTime); }
diff --git a/crypto/heimdal/lib/asn1/pkinit.asn1 b/crypto/heimdal/lib/asn1/pkinit.asn1
new file mode 100644
index 0000000..92c5de7
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/pkinit.asn1
@@ -0,0 +1,189 @@
+PKINIT DEFINITIONS ::= BEGIN
+
+IMPORTS  EncryptionKey, PrincipalName, Realm, KerberosTime, TypedData 
+	FROM krb5;
+IMPORTS SignedData, EnvelopedData FROM CMS;
+IMPORTS CertificateSerialNumber, AttributeTypeAndValue, Name FROM X509;
+
+
+-- 3.1
+
+CertPrincipalName ::= SEQUENCE {
+	name-type[0]		INTEGER,
+	name-string[1]		SEQUENCE OF UTF8String
+}
+
+
+-- 3.2.2
+
+
+TrustedCertifiers ::= SEQUENCE OF PrincipalName
+				-- X.500 name encoded as a principal name
+				-- see Section 3.1
+CertificateIndex  ::= INTEGER
+				-- 0 = 1st certificate,
+				--     (in order of encoding)
+				-- 1 = 2nd certificate, etc
+
+PA-PK-AS-REP ::= CHOICE {
+				-- PA TYPE 15
+	dhSignedData[0]		SignedData,
+				-- Defined in CMS and used only with
+				-- Diffie-Hellman key exchange (if the
+				-- client public value was present in the
+				-- request).
+				-- This choice MUST be supported
+				-- by compliant implementations.
+	encKeyPack[1]		EnvelopedData
+				-- Defined in CMS
+				-- The temporary key is encrypted
+				-- using the client public key
+				-- key
+				-- SignedReplyKeyPack, encrypted
+				-- with the temporary key, is also
+				-- included.
+}
+
+
+
+KdcDHKeyInfo ::= SEQUENCE {
+				-- used only when utilizing Diffie-Hellman
+	nonce[0]		INTEGER,
+				-- binds responce to the request
+	subjectPublicKey[2]	BIT STRING
+				-- Equals public exponent (g^a mod p)
+				-- INTEGER encoded as payload of
+				-- BIT STRING
+}
+
+ReplyKeyPack ::= SEQUENCE {
+				-- not used for Diffie-Hellman
+	replyKey[0]		EncryptionKey,
+				-- used to encrypt main reply
+				-- ENCTYPE is at least as strong as
+				-- ENCTYPE of session key
+	nonce[1]		INTEGER
+				-- binds response to the request
+				-- must be same as the nonce
+				-- passed in the PKAuthenticator
+}
+
+-- subjectAltName EXTENSION ::= {
+-- 	SYNTAX GeneralNames
+-- 	IDENTIFIED BY id-ce-subjectAltName
+-- }
+
+OtherName ::= SEQUENCE {
+	type-id			OBJECT IDENTIFIER,
+	value[0]		OCTET STRING
+--	value[0] EXPLICIT ANY DEFINED BY type-id
+}
+
+GeneralName ::= CHOICE {
+	otherName       [0] OtherName,
+	...
+}
+
+GeneralNames ::= SEQUENCE -- SIZE(1..MAX)
+	OF GeneralName
+
+KerberosName ::= SEQUENCE {
+	realm[0]		Realm,
+				-- as defined in RFC 1510
+	principalName[1]	CertPrincipalName
+				-- defined above
+}
+
+
+-- krb5 OBJECT IDENTIFIER ::= {
+-- 	iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2)
+-- }
+
+-- krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
+
+-- 3.2.1
+
+
+IssuerAndSerialNumber ::= SEQUENCE {
+	issuer			Name,
+	serialNumber		CertificateSerialNumber
+}
+
+TrustedCas ::= CHOICE {
+	principalName[0]	KerberosName,
+				-- as defined below
+	caName[1]		Name,
+				-- fully qualified X.500 name
+				-- as defined by X.509
+	issuerAndSerial[2]	IssuerAndSerialNumber
+				-- Since a CA may have a number of
+				-- certificates, only one of which
+				-- a client trusts
+}
+
+PA-PK-AS-REQ ::= SEQUENCE {
+	-- PA TYPE 14
+	signedAuthPack[0]	SignedData,
+				-- defined in CMS [11]
+				-- AuthPack (below) defines the data
+				-- that is signed
+	trustedCertifiers[1]	SEQUENCE OF TrustedCas OPTIONAL,
+				-- CAs that the client trusts
+	kdcCert[2]		IssuerAndSerialNumber OPTIONAL,
+				-- as defined in CMS [11]
+				-- specifies a particular KDC
+				-- certificate if the client
+				-- already has it;
+	encryptionCert[3]	IssuerAndSerialNumber OPTIONAL
+				-- For example, this may be the
+				-- client's Diffie-Hellman
+				-- certificate, or it may be the
+				-- client's RSA encryption
+				-- certificate.
+}
+
+PKAuthenticator ::= SEQUENCE {
+	kdcName[0]		PrincipalName,
+	kdcRealm[1]		Realm,
+	cusec[2]		INTEGER,
+				-- for replay prevention as in RFC1510
+	ctime[3]		KerberosTime,
+				-- for replay prevention as in RFC1510
+	nonce[4]		INTEGER
+}
+
+-- This is the real definition of AlgorithmIdentifier
+-- AlgorithmIdentifier ::= SEQUENCE {
+-- 	algorithm		ALGORITHM.&id,
+--	parameters		ALGORITHM.&Type
+-- }   -- as specified by the X.509 recommendation[10]
+
+-- But we'll use this one instead:
+
+AlgorithmIdentifier ::= SEQUENCE {
+	algorithm		OBJECT IDENTIFIER,
+	parameters		CHOICE {
+					a INTEGER
+				}
+}
+
+
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+	algorithm		AlgorithmIdentifier,
+				-- dhKeyAgreement
+	subjectPublicKey	BIT STRING
+				-- for DH, equals
+				-- public exponent (INTEGER encoded
+				-- as payload of BIT STRING)
+} -- as specified by the X.509 recommendation[10]
+
+AuthPack ::= SEQUENCE {
+	pkAuthenticator[0]	PKAuthenticator,
+	clientPublicValue[1]	SubjectPublicKeyInfo OPTIONAL
+				-- if client is using Diffie-Hellman
+				-- (ephemeral-ephemeral only)
+}
+
+
+END
diff --git a/crypto/heimdal/lib/asn1/rfc2459.asn1 b/crypto/heimdal/lib/asn1/rfc2459.asn1
new file mode 100644
index 0000000..c9adec6
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/rfc2459.asn1
@@ -0,0 +1,21 @@
+RFC2459 DEFINITIONS ::= BEGIN
+
+AttributeType ::= OBJECT-IDENTIFIER
+
+AttributeValue ::= OCTET STRING --ANY DEFINED BY AttributeType
+
+AttributeTypeAndValue ::= SEQUENCE {
+	type AttributeType,
+	value AttributeValue
+}
+
+RelativeDistinguishedName ::= --SET
+SEQUENCE OF AttributeTypeAndValue
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+Name ::= CHOICE { -- RFC2459
+	x RDNSequence
+}
+
+END
\ No newline at end of file
diff --git a/crypto/heimdal/lib/asn1/x509.asn1 b/crypto/heimdal/lib/asn1/x509.asn1
new file mode 100644
index 0000000..4a15844
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/x509.asn1
@@ -0,0 +1,23 @@
+X509 DEFINITIONS ::= BEGIN
+
+CertificateSerialNumber ::= INTEGER -- X.509 '97
+
+AttributeType ::= OBJECT-IDENTIFIER
+
+AttributeValue ::= OCTET STRING --ANY DEFINED BY AttributeType
+
+AttributeTypeAndValue ::= SEQUENCE {
+	type AttributeType,
+	value AttributeValue
+}
+
+RelativeDistinguishedName ::= --SET
+SEQUENCE OF AttributeTypeAndValue
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+Name ::= CHOICE { -- RFC2459
+	x RDNSequence
+}
+
+END
\ No newline at end of file
diff --git a/crypto/heimdal/lib/auth/ChangeLog b/crypto/heimdal/lib/auth/ChangeLog
index 9b1ebaf..79d39e9 100644
--- a/crypto/heimdal/lib/auth/ChangeLog
+++ b/crypto/heimdal/lib/auth/ChangeLog
@@ -1,3 +1,30 @@
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* sia/Makefile.am (libsia_krb5.so): actually run ld in the case
+	shared library case
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* sia/sia.c (siad_ses_init): handle krb5_init_context failure
+	consistently
+	* afskauthlib/verify.c (verify_krb5): handle krb5_init_context
+	failure consistently
+
+2000-11-30  Johan Danielsson  <joda@pdc.kth.se>
+
+	* afskauthlib/Makefile.am: use libtool
+
+	* afskauthlib/Makefile.am: work with krb4 only
+
+2000-07-30  Johan Danielsson  <joda@pdc.kth.se>
+
+	* sia/Makefile.am: don't compress library, since 5.0 seems to have
+	a problem with this
+
+2000-07-02  Assar Westerlund  <assar@sics.se>
+
+	* afskauthlib/verify.c: fixes for pag setting
+
 1999-12-30  Assar Westerlund  <assar@sics.se>
 
 	* sia/Makefile.am: try to link with shared libraries if we don't
@@ -29,6 +56,10 @@
 	* afskauthlib/verify.c (verify_krb5): remove krb5_kuserok.  use
  	krb5_verify_user_lrealm
 
+1999-08-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pam/Makefile.in: link with res_search/dn_expand libraries
+
 1999-08-11  Johan Danielsson  <joda@pdc.kth.se>
 
 	* afskauthlib/verify.c: make this compile w/o krb4
diff --git a/crypto/heimdal/lib/auth/Makefile.in b/crypto/heimdal/lib/auth/Makefile.in
index aab069e..95673ac 100644
--- a/crypto/heimdal/lib/auth/Makefile.in
+++ b/crypto/heimdal/lib/auth/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,29 +170,26 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 SUBDIRS = @LIB_AUTH_SUBDIRS@
 DIST_SUBDIRS = afskauthlib pam sia
+subdir = lib/auth
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -182,13 +197,14 @@ CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
 DIST_COMMON =  ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 all: all-redirect
 .SUFFIXES:
@@ -208,8 +224,6 @@ Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 
-@SET_MAKE@
-
 all-recursive install-data-recursive install-exec-recursive \
 installdirs-recursive install-recursive uninstall-recursive  \
 check-recursive installcheck-recursive info-recursive dvi-recursive:
@@ -237,7 +251,7 @@ maintainer-clean-recursive:
 	dot_seen=no; \
 	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
 	  rev="$$subdir $$rev"; \
-	  test "$$subdir" = "." && dot_seen=yes; \
+	  if test "$$subdir" = "."; then dot_seen=yes; else :; fi; \
 	done; \
 	test "$$dot_seen" = "no" && rev=". $$rev"; \
 	target=`echo $@ | sed s/-recursive//`; \
@@ -258,15 +272,17 @@ tags-recursive:
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -274,12 +290,14 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
 	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
    fi; \
 	done; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -292,17 +310,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/auth
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	for subdir in $(DIST_SUBDIRS); do \
@@ -310,7 +327,6 @@ distdir: $(DISTFILES)
 	    test -d $(distdir)/$$subdir \
 	    || mkdir $(distdir)/$$subdir \
 	    || exit 1; \
-	    chmod 777 $(distdir)/$$subdir; \
 	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
 	      || exit 1; \
 	  fi; \
@@ -341,7 +357,7 @@ uninstall: uninstall-recursive
 all-am: Makefile all-local
 all-redirect: all-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs: installdirs-recursive
 installdirs-am:
 
@@ -355,6 +371,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-tags mostlyclean-generic
 
 mostlyclean: mostlyclean-recursive
@@ -375,19 +392,19 @@ maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
 
 maintainer-clean: maintainer-clean-recursive
 
-.PHONY: install-data-recursive uninstall-data-recursive \
-install-exec-recursive uninstall-exec-recursive installdirs-recursive \
-uninstalldirs-recursive all-recursive check-recursive \
-installcheck-recursive info-recursive dvi-recursive \
-mostlyclean-recursive distclean-recursive clean-recursive \
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
 maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
 distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
-distclean-generic clean-generic maintainer-clean-generic clean \
-mostlyclean distclean maintainer-clean
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
 install-suid-programs:
@@ -395,7 +412,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -407,8 +427,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -477,87 +497,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/lib/auth/afskauthlib/Makefile.am b/crypto/heimdal/lib/auth/afskauthlib/Makefile.am
index 7dd6d52..d3e771c 100644
--- a/crypto/heimdal/lib/auth/afskauthlib/Makefile.am
+++ b/crypto/heimdal/lib/auth/afskauthlib/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.3 1999/04/08 12:35:33 joda Exp $
+# $Id: Makefile.am,v 1.5 2000/11/30 01:39:09 joda Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -17,22 +17,33 @@ OBJS = verify.o
 CLEANFILES = $(foo_DATA) $(OBJS) so_locations
 
 afskauthlib.so: $(OBJS)
-	$(LD) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)
+	$(LINK) -shared $(OBJS) $(L)
 
 .c.o:
 	$(COMPILE) -c $<
 
 if KRB4
-KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a
+KAFS = $(top_builddir)/lib/kafs/libkafs.la
 endif
 
+if KRB5
 L = \
 	$(KAFS)	\
-	$(top_builddir)/lib/krb5/.libs/libkrb5.a	\
-	$(top_builddir)/lib/asn1/.libs/libasn1.a	\
+	$(top_builddir)/lib/krb5/libkrb5.la	\
+	$(top_builddir)/lib/asn1/libasn1.la	\
 	$(LIB_krb4)					\
-	$(top_builddir)/lib/des/.libs/libdes.a		\
-	$(top_builddir)/lib/roken/.libs/libroken.a	\
+	$(top_builddir)/lib/des/libdes.la		\
+	$(top_builddir)/lib/roken/libroken.la	\
 	-lc
 
+else
+
+L = \
+	$(KAFS)	\
+	$(LIB_krb4)					\
+	$(top_builddir)/lib/des/libdes.la		\
+	$(top_builddir)/lib/roken/libroken.la	\
+	-lc
+endif
+
 $(OBJS): $(top_builddir)/include/config.h
diff --git a/crypto/heimdal/lib/auth/afskauthlib/Makefile.in b/crypto/heimdal/lib/auth/afskauthlib/Makefile.in
index d3a4041..7ba1c6e 100644
--- a/crypto/heimdal/lib/auth/afskauthlib/Makefile.in
+++ b/crypto/heimdal/lib/auth/afskauthlib/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.3 1999/04/08 12:35:33 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.5 2000/11/30 01:39:09 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .o
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,24 +170,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
@@ -183,10 +197,23 @@ OBJS = verify.o
 
 CLEANFILES = $(foo_DATA) $(OBJS) so_locations
 
-@KRB4_TRUE@KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a
-
-L =  	$(KAFS)		$(top_builddir)/lib/krb5/.libs/libkrb5.a		$(top_builddir)/lib/asn1/.libs/libasn1.a		$(LIB_krb4)						$(top_builddir)/lib/des/.libs/libdes.a			$(top_builddir)/lib/roken/.libs/libroken.a		-lc
-
+@KRB4_TRUE@KAFS = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la
+
+@KRB5_TRUE@L = @KRB5_TRUE@\
+@KRB5_TRUE@	$(KAFS)	\
+@KRB5_TRUE@	$(top_builddir)/lib/krb5/libkrb5.la	\
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la	\
+@KRB5_TRUE@	$(LIB_krb4)					\
+@KRB5_TRUE@	$(top_builddir)/lib/des/libdes.la		\
+@KRB5_TRUE@	$(top_builddir)/lib/roken/libroken.la	\
+@KRB5_TRUE@	-lc
+@KRB5_FALSE@L = @KRB5_FALSE@\
+@KRB5_FALSE@	$(KAFS)	\
+@KRB5_FALSE@	$(LIB_krb4)					\
+@KRB5_FALSE@	$(top_builddir)/lib/des/libdes.la		\
+@KRB5_FALSE@	$(top_builddir)/lib/roken/libroken.la	\
+@KRB5_FALSE@	-lc
+subdir = lib/auth/afskauthlib
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -194,15 +221,16 @@ CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
 DATA =  $(foo_DATA)
 
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 all: all-redirect
 .SUFFIXES:
@@ -219,19 +247,18 @@ install-fooDATA: $(foo_DATA)
 	@$(NORMAL_INSTALL)
 	$(mkinstalldirs) $(DESTDIR)$(foodir)
 	@list='$(foo_DATA)'; for p in $$list; do \
-	  if test -f $(srcdir)/$$p; then \
-	    echo " $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p"; \
-	    $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p; \
-	  else if test -f $$p; then \
-	    echo " $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p"; \
-	    $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p; \
-	  fi; fi; \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f; \
 	done
 
 uninstall-fooDATA:
 	@$(NORMAL_UNINSTALL)
-	list='$(foo_DATA)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(foodir)/$$p; \
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(foodir)/$$f"; \
+	  rm -f $(DESTDIR)$(foodir)/$$f; \
 	done
 tags: TAGS
 TAGS:
@@ -239,17 +266,16 @@ TAGS:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/auth/afskauthlib
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -278,7 +304,7 @@ uninstall: uninstall-am
 all-am: Makefile $(DATA) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(foodir)
 
@@ -293,6 +319,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-generic
 
 mostlyclean: mostlyclean-am
@@ -316,7 +343,7 @@ maintainer-clean: maintainer-clean-am
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -326,7 +353,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -338,8 +368,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -408,87 +438,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
@@ -526,7 +477,7 @@ check-local::
 	fi
 
 afskauthlib.so: $(OBJS)
-	$(LD) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)
+	$(LINK) -shared $(OBJS) $(L)
 
 .c.o:
 	$(COMPILE) -c $<
diff --git a/crypto/heimdal/lib/auth/afskauthlib/verify.c b/crypto/heimdal/lib/auth/afskauthlib/verify.c
index 1c23119..e0e31b6 100644
--- a/crypto/heimdal/lib/auth/afskauthlib/verify.c
+++ b/crypto/heimdal/lib/auth/afskauthlib/verify.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: verify.c,v 1.20 1999/12/02 16:58:37 joda Exp $");
+RCSID("$Id: verify.c,v 1.24 2000/12/31 07:57:08 assar Exp $");
 #endif
 #include <unistd.h>
 #include <sys/types.h>
@@ -123,7 +123,11 @@ verify_krb5(struct passwd *pwd,
     krb5_ccache ccache;
     krb5_principal principal;
     
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_init_context failed: %d", ret);
+	goto out;
+    }
 
     ret = krb5_parse_name (context, pwd->pw_name, &principal);
     if (ret) {
@@ -193,9 +197,11 @@ verify_krb5(struct passwd *pwd,
     if (!pag_set && k_hasafs()) {
 	k_setpag();
 	pag_set = 1;
+    }
+
+    if (pag_set)
 	krb5_afslog_uid_home(context, ccache, NULL, NULL, 
 			     pwd->pw_uid, pwd->pw_dir);
-    }
 #endif
 out:
     if(ret && !quiet)
@@ -222,8 +228,9 @@ verify_krb4(struct passwd *pwd,
 	    if (!pag_set && k_hasafs()) {
 		k_setpag ();
 		pag_set = 1;
+            }
+            if (pag_set)
 		krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
-	    }
 	} else if (!quiet)
 	    printf ("%s\n", krb_get_err_text (ret));
     }
@@ -242,6 +249,12 @@ afs_verify(char *name,
 
     if(pwd == NULL)
 	return 1;
+
+    if (!pag_set && k_hasafs()) {
+        k_setpag();
+        pag_set=1;
+    }
+
     if (ret)
 	ret = unix_verify_user (name, password);
 #ifdef KRB5
@@ -277,10 +290,10 @@ afs_gettktstring (void)
 	}
     }
 #ifdef KRB5
-    setenv("KRB5CCNAME",krb5ccname,1);
+    esetenv("KRB5CCNAME",krb5ccname,1);
 #endif
 #ifdef KRB4
-    setenv("KRBTKFILE",krbtkfile,1);
+    esetenv("KRBTKFILE",krbtkfile,1);
     return krbtkfile;
 #else
     return "";
diff --git a/crypto/heimdal/lib/auth/pam/Makefile.in b/crypto/heimdal/lib/auth/pam/Makefile.in
index 37f8d22..87759de 100644
--- a/crypto/heimdal/lib/auth/pam/Makefile.in
+++ b/crypto/heimdal/lib/auth/pam/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,26 +170,23 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
+subdir = lib/auth/pam
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -179,13 +194,14 @@ CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 all: all-redirect
 .SUFFIXES:
@@ -203,17 +219,16 @@ TAGS:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/auth/pam
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -242,7 +257,7 @@ uninstall: uninstall-am
 all-am: Makefile all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 
 
@@ -255,6 +270,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-generic
 
 mostlyclean: mostlyclean-am
@@ -277,8 +293,8 @@ maintainer-clean: maintainer-clean-am
 .PHONY: tags distdir info-am info dvi-am dvi check-local check check-am \
 installcheck-am installcheck install-exec-am install-exec \
 install-data-local install-data-am install-data install-am install \
-uninstall-am uninstall all-local all-redirect all-am all installdirs \
-mostlyclean-generic distclean-generic clean-generic \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
 maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
@@ -287,7 +303,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -299,8 +318,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -369,87 +388,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/lib/auth/pam/pam.c b/crypto/heimdal/lib/auth/pam/pam.c
index 1a385e0..c207756 100644
--- a/crypto/heimdal/lib/auth/pam/pam.c
+++ b/crypto/heimdal/lib/auth/pam/pam.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include<config.h>
-RCSID("$Id: pam.c,v 1.24 2000/02/18 14:33:06 bg Exp $");
+RCSID("$Id: pam.c,v 1.26 2000/10/04 20:22:15 bg Exp $");
 #endif
 
 #include <stdio.h>
@@ -60,12 +60,12 @@ RCSID("$Id: pam.c,v 1.24 2000/02/18 14:33:06 bg Exp $");
 #endif
 
 static void
-log_error(int level, const char *format, ...)
+psyslog(int level, const char *format, ...)
 {
   va_list args;
   va_start(args, format);
   openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
-  vsyslog(level | LOG_AUTH, format, args);
+  vsyslog(level, format, args);
   va_end(args);
   closelog();
 }
@@ -115,7 +115,7 @@ parse_ctrl(int argc, const char **argv)
 	  break;
     
       if (j >= KRB4_CTRLS)
-	log_error(LOG_ALERT, "unrecognized option [%s]", *argv);
+	psyslog(LOG_ALERT, "unrecognized option [%s]", *argv);
       else
 	ctrl_flags |= krb4_args[j].flag;
     }
@@ -128,13 +128,13 @@ pdeb(const char *format, ...)
   if (ctrl_off(KRB4_DEBUG))
     return;
   va_start(args, format);
-  openlog("pam_krb4", LOG_PID, LOG_AUTH);
-  vsyslog(LOG_DEBUG | LOG_AUTH, format, args);
+  openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
+  vsyslog(LOG_DEBUG, format, args);
   va_end(args);
   closelog();
 }
 
-#define ENTRY(f) pdeb("%s() ruid = %d euid = %d", f, getuid(), geteuid())
+#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid())
 
 static void
 set_tkt_string(uid_t uid)
@@ -182,9 +182,14 @@ verify_pass(pam_handle_t *pamh,
   old_euid = geteuid();
   setreuid(0, 0);
   ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL);
-  if (setreuid(old_ruid, old_euid) != 0)
+  pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s",
+       name, inst, realm, krb_verify,
+       krb_get_err_text(ret));
+  setreuid(old_ruid, old_euid);
+  if (getuid() != old_ruid || geteuid() != old_euid)
     {
-      log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
+      psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
+	      old_ruid, old_euid, __LINE__);
       exit(1);
     }
     
@@ -220,7 +225,7 @@ krb4_auth(pam_handle_t *pamh,
       ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass);
       if (ret != PAM_SUCCESS)
         {
-          log_error(LOG_ERR , "pam_get_item returned error to get-password");
+          psyslog(LOG_ERR , "pam_get_item returned error to get-password");
           return ret;
         }
       else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS)
@@ -271,6 +276,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
   struct passwd *pw;
   uid_t uid = -1;
   const char *name, *inst;
+  char realm[REALM_SZ];
+  realm[0] = 0;
 
   parse_ctrl(argc, argv);
   ENTRY("pam_sm_authenticate");
@@ -316,11 +323,9 @@ pam_sm_authenticate(pam_handle_t *pamh,
    */
   if (ret == PAM_SUCCESS && inst[0] != 0)
     {
-      char realm[REALM_SZ];
       uid_t old_euid = geteuid();
       uid_t old_ruid = getuid();
 
-      realm[0] = 0;
       setreuid(0, 0);		/* To read ticket file. */
       if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
 	ret = PAM_SERVICE_ERR;
@@ -334,28 +339,44 @@ pam_sm_authenticate(pam_handle_t *pamh,
       if (ret != PAM_SUCCESS)
 	{
 	  dest_tkt();		/* Passwd known, ok to kill ticket. */
-	  log_error(LOG_NOTICE,
-		    "%s.%s@%s is not allowed to log in as %s",
-		    name, inst, realm, user);
+	  psyslog(LOG_NOTICE,
+		  "%s.%s@%s is not allowed to log in as %s",
+		  name, inst, realm, user);
 	}
 
-      if (setreuid(old_ruid, old_euid) != 0)
+      setreuid(old_ruid, old_euid);
+      if (getuid() != old_ruid || geteuid() != old_euid)
 	{
-	  log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
+	  psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
+		  old_ruid, old_euid, __LINE__);
 	  exit(1);
 	}
     }
 
   if (ret == PAM_SUCCESS)
-    chown(tkt_string(), uid, -1);
-
-  /* Sun dtlogin unlock screen does not call any other pam_* funcs. */
-  if (ret == PAM_SUCCESS
-      && ctrl_on(KRB4_REAFSLOG)
-      && k_hasafs()
-      && (pw = getpwnam(user)) != 0)
-    krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0, pw->pw_uid, pw->pw_dir);
+    {
+      psyslog(LOG_INFO,
+	      "%s.%s@%s authenticated as user %s",
+	      name, inst, realm, user);
+      if (chown(tkt_string(), uid, -1) == -1)
+	{
+	  dest_tkt();
+	  psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid);
+	  exit(1);
+	}
+    }
 
+  /*
+   * Kludge alert!!! Sun dtlogin unlock screen fails to call
+   * pam_setcred(3) with PAM_REFRESH_CRED after a successful
+   * authentication attempt, sic.
+   *
+   * This hack is designed as a workaround to that problem.
+   */
+  if (ctrl_on(KRB4_REAFSLOG))
+    if (ret == PAM_SUCCESS)
+      pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv);
+  
   return ret;
 }
 
@@ -364,14 +385,13 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
   parse_ctrl(argc, argv);
   ENTRY("pam_sm_setcred");
-  pdeb("flags = 0x%x", flags);
 
   switch (flags & ~PAM_SILENT) {
   case 0:
   case PAM_ESTABLISH_CRED:
     if (k_hasafs())
       k_setpag();
-    /* Fill PAG with credentials below. */
+    /* Fall through, fill PAG with credentials below. */
   case PAM_REINITIALIZE_CRED:
   case PAM_REFRESH_CRED:
     if (k_hasafs())
@@ -393,7 +413,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
       k_unlog();
     break;
   default:
-    log_error(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
+    psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
     break;
   }
   
@@ -417,9 +437,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv)
   ENTRY("pam_sm_close_session");
 
   /* This isn't really kosher, but it's handy. */
-  dest_tkt();
-  if (k_hasafs())
-    k_unlog();
+  pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv);
 
   return PAM_SUCCESS;
 }
diff --git a/crypto/heimdal/lib/auth/pam/pam.conf.add b/crypto/heimdal/lib/auth/pam/pam.conf.add
index 64a4915..7db3e3d 100644
--- a/crypto/heimdal/lib/auth/pam/pam.conf.add
+++ b/crypto/heimdal/lib/auth/pam/pam.conf.add
@@ -32,36 +32,52 @@ To enable PAM in dtlogin and /bin/login under SunOS 5.6 apply this patch:
  #
  # Password management
 ---------------------------------------------------------------------------
-To enable PAM in /bin/login and xdm under Red Hat 6.1 apply these patches:
+To enable PAM in /bin/login and xdm under Red Hat 6.? apply these patches:
 
---- /etc/pam.d/login~   Thu Jul  8 00:14:02 1999
-+++ /etc/pam.d/login    Mon Aug 30 14:33:12 1999
+--- /etc/pam.d/login~	Tue Dec  7 12:01:35 1999
++++ /etc/pam.d/login	Wed May 31 16:27:55 2000
 @@ -1,9 +1,12 @@
  #%PAM-1.0
 +# Updated to work with kerberos
-+auth       sufficient   /lib/security/pam_krb4.so
- auth       required    /lib/security/pam_securetty.so
- auth       required    /lib/security/pam_pwdb.so shadow nullok
- auth       required    /lib/security/pam_nologin.so
- account    required    /lib/security/pam_pwdb.so
- password   required    /lib/security/pam_cracklib.so
- password   required    /lib/security/pam_pwdb.so nullok use_authtok shadow
-+session    required     /lib/security/pam_krb4.so
- session    required    /lib/security/pam_pwdb.so
- session    optional    /lib/security/pam_console.so
---- /etc/pam.d/xdm~     Mon Jun 14 17:39:05 1999
-+++ /etc/pam.d/xdm      Mon Aug 30 14:54:51 1999
-@@ -1,8 +1,10 @@
++auth       sufficient   /usr/athena/lib/pam_krb4.so.1.0.1
+ auth       required	/lib/security/pam_securetty.so
+ auth       required	/lib/security/pam_pwdb.so shadow nullok
+ auth       required	/lib/security/pam_nologin.so
+ account    required	/lib/security/pam_pwdb.so
+ password   required	/lib/security/pam_cracklib.so
+ password   required	/lib/security/pam_pwdb.so nullok use_authtok md5 shadow
++session    required     /usr/athena/lib/pam_krb4.so.1.0.1
+ session    required	/lib/security/pam_pwdb.so
+ session    optional	/lib/security/pam_console.so
+--- /etc/pam.d/xdm~	Wed May 31 16:33:54 2000
++++ /etc/pam.d/xdm	Wed May 31 16:28:29 2000
+@@ -1,8 +1,11 @@
  #%PAM-1.0
-+auth       sufficient   /lib/security/pam_krb4.so
- auth       required    /lib/security/pam_pwdb.so shadow nullok
- auth       required    /lib/security/pam_nologin.so
- account    required    /lib/security/pam_pwdb.so
- password   required    /lib/security/pam_cracklib.so
- password   required    /lib/security/pam_pwdb.so shadow nullok use_authtok
-+session    required     /lib/security/pam_krb4.so
- session    required    /lib/security/pam_pwdb.so
++# Updated to work with kerberos
++auth       sufficient   /usr/athena/lib/pam_krb4.so.1.0.1
+ auth       required	/lib/security/pam_pwdb.so shadow nullok
+ auth       required	/lib/security/pam_nologin.so
+ account    required	/lib/security/pam_pwdb.so
+ password   required	/lib/security/pam_cracklib.so
+ password   required	/lib/security/pam_pwdb.so shadow nullok use_authtok
++session    required     /usr/athena/lib/pam_krb4.so.1.0.1
+ session    required	/lib/security/pam_pwdb.so
  session    optional     /lib/security/pam_console.so
+--- /etc/pam.d/gdm~	Wed May 31 16:33:54 2000
++++ /etc/pam.d/gdm	Wed May 31 16:34:28 2000
+@@ -1,8 +1,11 @@
+ #%PAM-1.0
++# Updated to work with kerberos
++auth       sufficient   /usr/athena/lib/pam_krb4.so.1.0.1
+ auth       required	/lib/security/pam_pwdb.so shadow nullok
+ auth       required	/lib/security/pam_nologin.so
+ account    required	/lib/security/pam_pwdb.so
+ password   required	/lib/security/pam_cracklib.so
+ password   required	/lib/security/pam_pwdb.so shadow nullok use_authtok
++session    required     /usr/athena/lib/pam_krb4.so.1.0.1
+ session    required	/lib/security/pam_pwdb.so
+ session    optional     /lib/security/pam_console.so
+
 --------------------------------------------------------------------------
 
 This stuff may work under some other system.
diff --git a/crypto/heimdal/lib/auth/sia/Makefile.am b/crypto/heimdal/lib/auth/sia/Makefile.am
index efba5c0..276da15 100644
--- a/crypto/heimdal/lib/auth/sia/Makefile.am
+++ b/crypto/heimdal/lib/auth/sia/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.5 1999/12/30 03:47:03 assar Exp $
+# $Id: Makefile.am,v 1.8 2001/01/29 22:38:36 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -17,6 +17,7 @@ KAFS=$(top_builddir)/lib/kafs/.libs/libkafs.a
 KAFS_S=$(top_builddir)/lib/kafs/.libs/libkafs.so
 endif
 
+if KRB5
 L = \
 	$(KAFS)						\
 	$(top_builddir)/lib/krb5/.libs/libkrb5.a	\
@@ -39,26 +40,69 @@ L_shared = \
 	$(LIB_getpwnam_r)				\
 	-lc
 
-EXTRA_DIST = sia.c krb5_matrix.conf krb5+c2_matrix.conf security.patch
+MOD = libsia_krb5.so
+
+else
+
+L = \
+	$(KAFS)						\
+	$(top_builddir)/lib/kadm/.libs/libkadm.a	\
+	$(top_builddir)/lib/krb/.libs/libkrb.a		\
+	$(top_builddir)/lib/des/.libs/libdes.a		\
+	$(top_builddir)/lib/com_err/.libs/libcom_err.a	\
+	$(top_builddir)/lib/roken/.libs/libroken.a	\
+	$(LIB_getpwnam_r)				\
+	-lc
+
+L_shared = \
+	$(KAFS_S)					\
+	$(top_builddir)/lib/kadm/.libs/libkadm.so	\
+	$(top_builddir)/lib/krb/.libs/libkrb.so		\
+	$(top_builddir)/lib/des/.libs/libdes.so		\
+	$(top_builddir)/lib/com_err/.libs/libcom_err.so	\
+	$(top_builddir)/lib/roken/.libs/libroken.so	\
+	$(LIB_getpwnam_r)				\
+	-lc
+
+MOD = libsia_krb4.so
+
+endif
+
+EXTRA_DIST = sia.c krb4_matrix.conf krb4+c2_matrix.conf \
+	krb5_matrix.conf krb5+c2_matrix.conf security.patch
 
 foodir = $(libdir)
-foo_DATA = libsia_krb5.so
+foo_DATA = $(MOD)
 
 LDFLAGS = -rpath $(libdir) -hidden -exported_symbol siad_\* 
 
 OBJS = sia.o posix_getpw.o
 
 libsia_krb5.so: $(OBJS)
-	if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \
+	@if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
 		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
 	elif test -f $(top_builddir)/lib/krb5/.libs/libkrb5.so; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \
 		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
 	else \
 		echo "missing libraries"; exit 1; \
 	fi
 	ostrip -x -z $@
 
-CLEANFILES = libsia_krb5.so $(OBJS) so_locations
+libsia_krb4.so: $(OBJS)
+	@if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
+	elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
+	else \
+		echo "missing libraries"; exit 1; \
+	fi
+	ostrip -x $@
+
+CLEANFILES = $(MOD) $(OBJS) so_locations
 
 SUFFIXES += .c .o
 
diff --git a/crypto/heimdal/lib/auth/sia/Makefile.in b/crypto/heimdal/lib/auth/sia/Makefile.in
index fb36b4e..a93d31f 100644
--- a/crypto/heimdal/lib/auth/sia/Makefile.in
+++ b/crypto/heimdal/lib/auth/sia/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.5 1999/12/30 03:47:03 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,30 +95,42 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.8 2001/01/29 22:38:36 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .o
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -135,6 +150,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -143,6 +159,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -151,24 +169,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
@@ -176,25 +190,65 @@ WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT)
 
 DEFS = @DEFS@
 
-@KRB4_TRUE@KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a
-@KRB4_TRUE@KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so
-
-L =  	$(KAFS)							$(top_builddir)/lib/krb5/.libs/libkrb5.a		$(top_builddir)/lib/asn1/.libs/libasn1.a		$(LIB_krb4)						$(top_builddir)/lib/des/.libs/libdes.a			$(top_builddir)/lib/com_err/.libs/libcom_err.a		$(top_builddir)/lib/roken/.libs/libroken.a		$(LIB_getpwnam_r)					-lc
-
+@KRB4_TRUE@KAFS = @KRB4_TRUE@$(top_builddir)/lib/kafs/.libs/libkafs.a
+@KRB4_TRUE@KAFS_S = @KRB4_TRUE@$(top_builddir)/lib/kafs/.libs/libkafs.so
+
+@KRB5_TRUE@L = @KRB5_TRUE@\
+@KRB5_TRUE@	$(KAFS)						\
+@KRB5_TRUE@	$(top_builddir)/lib/krb5/.libs/libkrb5.a	\
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/.libs/libasn1.a	\
+@KRB5_TRUE@	$(LIB_krb4)					\
+@KRB5_TRUE@	$(top_builddir)/lib/des/.libs/libdes.a		\
+@KRB5_TRUE@	$(top_builddir)/lib/com_err/.libs/libcom_err.a	\
+@KRB5_TRUE@	$(top_builddir)/lib/roken/.libs/libroken.a	\
+@KRB5_TRUE@	$(LIB_getpwnam_r)				\
+@KRB5_TRUE@	-lc
+@KRB5_FALSE@L = @KRB5_FALSE@\
+@KRB5_FALSE@	$(KAFS)						\
+@KRB5_FALSE@	$(top_builddir)/lib/kadm/.libs/libkadm.a	\
+@KRB5_FALSE@	$(top_builddir)/lib/krb/.libs/libkrb.a		\
+@KRB5_FALSE@	$(top_builddir)/lib/des/.libs/libdes.a		\
+@KRB5_FALSE@	$(top_builddir)/lib/com_err/.libs/libcom_err.a	\
+@KRB5_FALSE@	$(top_builddir)/lib/roken/.libs/libroken.a	\
+@KRB5_FALSE@	$(LIB_getpwnam_r)				\
+@KRB5_FALSE@	-lc
+
+@KRB5_TRUE@L_shared = @KRB5_TRUE@\
+@KRB5_TRUE@	$(KAFS_S)					\
+@KRB5_TRUE@	$(top_builddir)/lib/krb5/.libs/libkrb5.so	\
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/.libs/libasn1.so	\
+@KRB5_TRUE@	$(LIB_krb4)					\
+@KRB5_TRUE@	$(top_builddir)/lib/des/.libs/libdes.so		\
+@KRB5_TRUE@	$(top_builddir)/lib/com_err/.libs/libcom_err.so	\
+@KRB5_TRUE@	$(top_builddir)/lib/roken/.libs/libroken.so	\
+@KRB5_TRUE@	$(LIB_getpwnam_r)				\
+@KRB5_TRUE@	-lc
+@KRB5_FALSE@L_shared = @KRB5_FALSE@\
+@KRB5_FALSE@	$(KAFS_S)					\
+@KRB5_FALSE@	$(top_builddir)/lib/kadm/.libs/libkadm.so	\
+@KRB5_FALSE@	$(top_builddir)/lib/krb/.libs/libkrb.so		\
+@KRB5_FALSE@	$(top_builddir)/lib/des/.libs/libdes.so		\
+@KRB5_FALSE@	$(top_builddir)/lib/com_err/.libs/libcom_err.so	\
+@KRB5_FALSE@	$(top_builddir)/lib/roken/.libs/libroken.so	\
+@KRB5_FALSE@	$(LIB_getpwnam_r)				\
+@KRB5_FALSE@	-lc
+
+@KRB5_TRUE@MOD = @KRB5_TRUE@libsia_krb5.so
+@KRB5_FALSE@MOD = @KRB5_FALSE@libsia_krb4.so
+
+EXTRA_DIST = sia.c krb4_matrix.conf krb4+c2_matrix.conf \
+	krb5_matrix.conf krb5+c2_matrix.conf security.patch
 
-L_shared =  	$(KAFS_S)						$(top_builddir)/lib/krb5/.libs/libkrb5.so		$(top_builddir)/lib/asn1/.libs/libasn1.so		$(LIB_krb4)						$(top_builddir)/lib/des/.libs/libdes.so			$(top_builddir)/lib/com_err/.libs/libcom_err.so		$(top_builddir)/lib/roken/.libs/libroken.so		$(LIB_getpwnam_r)					-lc
-
-
-EXTRA_DIST = sia.c krb5_matrix.conf krb5+c2_matrix.conf security.patch
 
 foodir = $(libdir)
-foo_DATA = libsia_krb5.so
+foo_DATA = $(MOD)
 
 LDFLAGS = -rpath $(libdir) -hidden -exported_symbol siad_\* 
 
 OBJS = sia.o posix_getpw.o
 
-CLEANFILES = libsia_krb5.so $(OBJS) so_locations
+CLEANFILES = $(MOD) $(OBJS) so_locations
+subdir = lib/auth/sia
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -202,15 +256,16 @@ CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
 DATA =  $(foo_DATA)
 
+depcomp = 
 DIST_COMMON =  Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 all: all-redirect
 .SUFFIXES:
@@ -227,19 +282,18 @@ install-fooDATA: $(foo_DATA)
 	@$(NORMAL_INSTALL)
 	$(mkinstalldirs) $(DESTDIR)$(foodir)
 	@list='$(foo_DATA)'; for p in $$list; do \
-	  if test -f $(srcdir)/$$p; then \
-	    echo " $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p"; \
-	    $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p; \
-	  else if test -f $$p; then \
-	    echo " $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p"; \
-	    $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p; \
-	  fi; fi; \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f; \
 	done
 
 uninstall-fooDATA:
 	@$(NORMAL_UNINSTALL)
-	list='$(foo_DATA)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(foodir)/$$p; \
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(foodir)/$$f"; \
+	  rm -f $(DESTDIR)$(foodir)/$$f; \
 	done
 tags: TAGS
 TAGS:
@@ -247,17 +301,16 @@ TAGS:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/auth/sia
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -286,7 +339,7 @@ uninstall: uninstall-am
 all-am: Makefile $(DATA) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(foodir)
 
@@ -301,6 +354,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-generic
 
 mostlyclean: mostlyclean-am
@@ -324,7 +378,7 @@ maintainer-clean: maintainer-clean-am
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -334,7 +388,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -346,8 +403,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -416,87 +473,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
@@ -534,15 +512,29 @@ check-local::
 	fi
 
 libsia_krb5.so: $(OBJS)
-	if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \
+	@if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
 		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
 	elif test -f $(top_builddir)/lib/krb5/.libs/libkrb5.so; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \
 		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
 	else \
 		echo "missing libraries"; exit 1; \
 	fi
 	ostrip -x -z $@
 
+libsia_krb4.so: $(OBJS)
+	@if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
+	elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
+	else \
+		echo "missing libraries"; exit 1; \
+	fi
+	ostrip -x $@
+
 .c.o:
 	$(COMPILE) -c $<
 
diff --git a/crypto/heimdal/lib/auth/sia/sia.c b/crypto/heimdal/lib/auth/sia/sia.c
index 01e2ac0..0894591 100644
--- a/crypto/heimdal/lib/auth/sia/sia.c
+++ b/crypto/heimdal/lib/auth/sia/sia.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #include "sia_locl.h"
 
-RCSID("$Id: sia.c,v 1.33 1999/12/20 09:46:44 joda Exp $");
+RCSID("$Id: sia.c,v 1.34 2000/12/31 07:57:46 assar Exp $");
 
 int 
 siad_init(void)
@@ -51,13 +51,17 @@ siad_chk_invoker(void)
 int 
 siad_ses_init(SIAENTITY *entity, int pkgind)
 {
+    krb5_error_code ret;
     struct state *s = malloc(sizeof(*s));
+
     SIA_DEBUG(("DEBUG", "siad_ses_init"));
     if(s == NULL)
 	return SIADFAIL;
     memset(s, 0, sizeof(*s));
 #ifdef SIA_KRB5
-    krb5_init_context(&s->context);
+    ret = krb5_init_context(&s->context);
+    if (ret)
+	return SIADFAIL;
 #endif
     entity->mech[pkgind] = (int*)s;
     return SIADSUCCESS;
diff --git a/crypto/heimdal/lib/com_err/ChangeLog b/crypto/heimdal/lib/com_err/ChangeLog
new file mode 100644
index 0000000..1ca005b
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/ChangeLog
@@ -0,0 +1,127 @@
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 1:1:0
+
+2000-07-31  Assar Westerlund  <assar@sics.se>
+
+	* com_right.h (initialize_error_table_r): fix prototype
+
+2000-04-05  Assar Westerlund  <assar@sics.se>
+
+	* com_err.c (_et_lit): explicitly initialize it to NULL to make
+	dyld on Darwin/MacOS X happy
+
+2000-01-16  Assar Westerlund  <assar@sics.se>
+
+	* com_err.h: remove __P definition (now in com_right.h).  this
+	file always includes com_right.h so that's where it should reside.
+	* com_right.h: moved __P here and added it to the function
+	prototypes
+	* com_err.h (error_table_name): add __P
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* parse.y (statement): use asprintf
+
+1999-06-13  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: make it solaris make vpath-safe
+
+Thu Apr  1 11:13:53 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* compile_et.c: use getargs
+
+Sat Mar 20 00:16:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* compile_et.c: static-ize
+
+Thu Mar 18 11:22:13 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Tue Mar 16 22:30:05 1999  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: use YYACCEPT instead of return
+
+Sat Mar 13 22:22:56 1999  Assar Westerlund  <assar@sics.se>
+
+	* compile_et.c (generate_h): cast when calling is* to get rid of a
+ 	warning
+
+Thu Mar 11 15:00:51 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* parse.y: prototype for error_message
+
+Sun Nov 22 10:39:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* compile_et.h: include ctype and roken
+
+	* compile_et.c: include err.h
+	(generate_h): remove unused variable
+
+	* Makefile.in (WFLAGS): set
+
+Fri Nov 20 06:58:59 1998  Assar Westerlund  <assar@sics.se>
+
+	* lex.l: undef ECHO to work around AIX lex bug
+
+Sun Sep 27 02:23:59 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* com_err.c (error_message): try to pass code to strerror, to see
+ 	if it might be an errno code (this if broken, but some MIT code
+ 	seems to expect this behaviour)
+
+Sat Sep 26 17:42:39 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* compile_et.c: <foo_err.h> -> "foo_err.h"
+
+Tue Jun 30 17:17:36 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add str{cpy,cat}_truncate
+
+Mon May 25 05:24:39 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): try to remove shared library debris
+
+Sun Apr 19 09:50:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add symlink magic for linux
+
+Sun Apr  5 09:22:11 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: define alloca to malloc in case we're using bison but
+ 	don't have alloca
+
+Tue Mar 24 05:13:01 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: link with snprintf (From Derrick J Brashear
+ 	<shadow@dementia.org>)
+
+Fri Feb 27 05:01:42 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: initialize ec->next
+
+Thu Feb 26 02:22:25 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: @LEXLIB@
+
+Sat Feb 21 15:18:54 1998  assar westerlund  <assar@sics.se>
+
+	* Makefile.in: set YACC and LEX
+
+Tue Feb 17 22:20:27 1998  Bjoern Groenvall  <bg@sics.se>
+
+	* com_right.h: Change typedefs so that one may mix MIT compile_et
+ 	generated code with krb4 dito.
+
+Tue Feb 17 16:30:55 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* compile_et.c (generate): Always return a value.
+
+	* parse.y: Files don't have to end with `end'.
+
+Mon Feb 16 16:09:20 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lex.l (getstring): Replace getc() with input().
+
+	* Makefile.am: Fixes for new compile_et.
diff --git a/crypto/heimdal/lib/com_err/Makefile.am b/crypto/heimdal/lib/com_err/Makefile.am
new file mode 100644
index 0000000..8e18108
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/Makefile.am
@@ -0,0 +1,24 @@
+# $Id: Makefile.am,v 1.24 2000/08/16 11:24:54 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+YFLAGS = -d
+
+lib_LTLIBRARIES = libcom_err.la
+libcom_err_la_LDFLAGS = -version-info 1:1:0
+
+bin_PROGRAMS = compile_et
+
+include_HEADERS = com_err.h com_right.h
+
+compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l
+
+libcom_err_la_SOURCES = error.c com_err.c roken_rename.h
+
+CLEANFILES = lex.c parse.c parse.h
+
+$(compile_et_OBJECTS): parse.h
+
+compile_et_LDADD = \
+	$(LIB_roken) \
+	$(LEXLIB)
diff --git a/crypto/heimdal/lib/com_err/Makefile.in b/crypto/heimdal/lib/com_err/Makefile.in
new file mode 100644
index 0000000..986e078
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/Makefile.in
@@ -0,0 +1,649 @@
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
+
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.24 2000/08/16 11:24:54 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+YFLAGS = -d
+
+lib_LTLIBRARIES = libcom_err.la
+libcom_err_la_LDFLAGS = -version-info 1:1:0
+
+bin_PROGRAMS = compile_et
+
+include_HEADERS = com_err.h com_right.h
+
+compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l
+
+libcom_err_la_SOURCES = error.c com_err.c roken_rename.h
+
+CLEANFILES = lex.c parse.c parse.h
+
+compile_et_LDADD = \
+	$(LIB_roken) \
+	$(LEXLIB)
+
+subdir = lib/com_err
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libcom_err_la_LIBADD = 
+am_libcom_err_la_OBJECTS =  error.lo com_err.lo
+libcom_err_la_OBJECTS =  $(am_libcom_err_la_OBJECTS)
+bin_PROGRAMS =  compile_et$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+am_compile_et_OBJECTS =  compile_et.$(OBJEXT) parse.$(OBJEXT) \
+lex.$(OBJEXT)
+compile_et_OBJECTS =  $(am_compile_et_OBJECTS)
+compile_et_DEPENDENCIES = 
+compile_et_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libcom_err_la_SOURCES) $(compile_et_SOURCES)
+HEADERS =  $(include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) ChangeLog Makefile.am Makefile.in \
+lex.c parse.c parse.h
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libcom_err_la_SOURCES) $(compile_et_SOURCES)
+OBJECTS = $(am_libcom_err_la_OBJECTS) $(am_compile_et_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .l .lo .o .obj .x .y
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/com_err/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libcom_err.la: $(libcom_err_la_OBJECTS) $(libcom_err_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libcom_err_la_LDFLAGS) $(libcom_err_la_OBJECTS) $(libcom_err_la_LIBADD) $(LIBS)
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+compile_et$(EXEEXT): $(compile_et_OBJECTS) $(compile_et_DEPENDENCIES)
+	@rm -f compile_et$(EXEEXT)
+	$(LINK) $(compile_et_LDFLAGS) $(compile_et_OBJECTS) $(compile_et_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+.l.c:
+	$(LEX) $(AM_LFLAGS) $(LFLAGS) $< && mv $(LEX_OUTPUT_ROOT).c $@
+.y.c:
+	$(YACC) $(AM_YFLAGS) $(YFLAGS) $< && mv y.tab.c $*.c
+	if test -f y.tab.h; then \
+	if cmp -s y.tab.h $*.h; then rm -f y.tab.h; else mv y.tab.h $*.h; fi; \
+	else :; fi
+parse.h: parse.c
+
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-binPROGRAMS \
+		uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) \
+		$(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+	-test -z "lex.cparse.hparse.c" || rm -f lex.c parse.h parse.c
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-binPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-binPROGRAMS clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-binPROGRAMS distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-binPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-binPROGRAMS distclean-binPROGRAMS \
+clean-binPROGRAMS maintainer-clean-binPROGRAMS uninstall-binPROGRAMS \
+install-binPROGRAMS uninstall-includeHEADERS install-includeHEADERS \
+tags mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(compile_et_OBJECTS): parse.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/com_err/com_err.c b/crypto/heimdal/lib/com_err/com_err.c
new file mode 100644
index 0000000..25c679e
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/com_err.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: com_err.c,v 1.15 2000/04/04 22:04:55 assar Exp $");
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#include "com_err.h"
+
+struct et_list *_et_list = NULL;
+
+
+const char *
+error_message (long code)
+{
+    static char msg[128];
+    const char *p = com_right(_et_list, code);
+    if (p == NULL)
+	p = strerror(code);
+    if (p != NULL && *p != '\0') {
+	strncpy(msg, p, sizeof(msg) - 1);
+	msg[sizeof(msg) - 1] = 0;
+    } else 
+	sprintf(msg, "Unknown error %ld", code);
+    return msg;
+}
+
+int
+init_error_table(const char **msgs, long base, int count)
+{
+    initialize_error_table_r(&_et_list, msgs, count, base);
+    return 0;
+}
+
+static void
+default_proc (const char *whoami, long code, const char *fmt, va_list args)
+{
+    if (whoami)
+      fprintf(stderr, "%s: ", whoami);
+    if (code)
+      fprintf(stderr, "%s ", error_message(code));
+    if (fmt)
+      vfprintf(stderr, fmt, args);
+    fprintf(stderr, "\r\n");	/* ??? */
+}
+
+static errf com_err_hook = default_proc;
+
+void 
+com_err_va (const char *whoami, 
+	    long code, 
+	    const char *fmt, 
+	    va_list args)
+{
+    (*com_err_hook) (whoami, code, fmt, args);
+}
+
+void
+com_err (const char *whoami,
+	 long code,
+	 const char *fmt, 
+	 ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    com_err_va (whoami, code, fmt, ap);
+    va_end(ap);
+}
+
+errf
+set_com_err_hook (errf new)
+{
+    errf old = com_err_hook;
+
+    if (new)
+	com_err_hook = new;
+    else
+	com_err_hook = default_proc;
+    
+    return old;
+}
+
+errf
+reset_com_err_hook (void) 
+{
+    return set_com_err_hook(NULL);
+}
+
+#define ERRCODE_RANGE   8       /* # of bits to shift table number */
+#define BITS_PER_CHAR   6       /* # bits to shift per character in name */
+
+static const char char_set[] =
+        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";
+
+static char buf[6];
+
+const char *
+error_table_name(int num)
+{
+    int ch;
+    int i;
+    char *p;
+
+    /* num = aa aaa abb bbb bcc ccc cdd ddd d?? ??? ??? */
+    p = buf;
+    num >>= ERRCODE_RANGE;
+    /* num = ?? ??? ??? aaa aaa bbb bbb ccc ccc ddd ddd */
+    num &= 077777777;
+    /* num = 00 000 000 aaa aaa bbb bbb ccc ccc ddd ddd */
+    for (i = 4; i >= 0; i--) {
+        ch = (num >> BITS_PER_CHAR * i) & ((1 << BITS_PER_CHAR) - 1);
+        if (ch != 0)
+            *p++ = char_set[ch-1];
+    }
+    *p = '\0';
+    return(buf);
+}
diff --git a/crypto/heimdal/lib/com_err/com_err.h b/crypto/heimdal/lib/com_err/com_err.h
new file mode 100644
index 0000000..9703336
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/com_err.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: com_err.h,v 1.6 2000/01/16 04:51:16 assar Exp $ */
+
+/* MIT compatible com_err library */
+
+#ifndef __COM_ERR_H__
+#define __COM_ERR_H__
+
+#include <com_right.h>
+
+typedef void (*errf) __P((const char *, long, const char *, va_list));
+
+const char * error_message __P((long));
+int init_error_table __P((const char**, long, int));
+
+void com_err_va __P((const char *, long, const char *, va_list));
+void com_err __P((const char *, long, const char *, ...));
+
+errf set_com_err_hook __P((errf));
+errf reset_com_err_hook __P((void));
+
+const char *error_table_name  __P((int num));
+
+#endif /* __COM_ERR_H__ */
diff --git a/crypto/heimdal/lib/com_err/com_right.h b/crypto/heimdal/lib/com_err/com_right.h
new file mode 100644
index 0000000..c87bb0d
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/com_right.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: com_right.h,v 1.11 2000/07/31 01:11:08 assar Exp $ */
+
+#ifndef __COM_RIGHT_H__
+#define __COM_RIGHT_H__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#endif
+
+#ifndef __P
+#ifdef __STDC__
+#define __P(X) X
+#else
+#define __P(X) ()
+#endif
+#endif
+
+struct error_table {
+    char const * const * msgs;
+    long base;
+    int n_msgs;
+};
+struct et_list {
+    struct et_list *next;
+    struct error_table *table;
+};
+extern struct et_list *_et_list;
+
+const char *com_right __P((struct et_list *list, long code));
+void initialize_error_table_r __P((struct et_list **, const char **, int, long));
+void free_error_table __P((struct et_list *));
+
+#endif /* __COM_RIGHT_H__ */
diff --git a/crypto/heimdal/lib/com_err/compile_et.c b/crypto/heimdal/lib/com_err/compile_et.c
new file mode 100644
index 0000000..f982dcd
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/compile_et.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#undef ROKEN_RENAME
+#include "compile_et.h"
+#include <getarg.h>
+
+RCSID("$Id: compile_et.c,v 1.13 1999/12/02 16:58:38 joda Exp $");
+
+#include <roken.h>
+#include <err.h>
+#include "parse.h"
+
+int numerror;
+extern FILE *yyin;
+
+extern void yyparse(void);
+
+long base;
+int number;
+char *prefix;
+char *id_str;
+
+char name[128];
+char Basename[128];
+
+#ifdef YYDEBUG
+extern int yydebug = 1;
+#endif
+
+char *filename;
+char hfn[128];
+char cfn[128];
+
+struct error_code *codes = NULL;
+
+static int
+generate_c(void)
+{
+    int n;
+    struct error_code *ec;
+
+    FILE *c_file = fopen(cfn, "w");
+    if(c_file == NULL)
+	return 1;
+
+    fprintf(c_file, "/* Generated from %s */\n", filename);
+    if(id_str) 
+	fprintf(c_file, "/* %s */\n", id_str);
+    fprintf(c_file, "\n");
+    fprintf(c_file, "#include <stddef.h>\n");
+    fprintf(c_file, "#include <com_err.h>\n");
+    fprintf(c_file, "#include \"%s\"\n", hfn);
+    fprintf(c_file, "\n");
+
+    fprintf(c_file, "static const char *text[] = {\n");
+
+    for(ec = codes, n = 0; ec; ec = ec->next, n++) {
+	while(n < ec->number) {
+	    fprintf(c_file, "\t/* %03d */ \"Reserved %s error (%d)\",\n",
+		    n, name, n);
+	    n++;
+	    
+	}
+	fprintf(c_file, "\t/* %03d */ \"%s\",\n", ec->number, ec->string);
+    }
+
+    fprintf(c_file, "\tNULL\n");
+    fprintf(c_file, "};\n");
+    fprintf(c_file, "\n");
+    fprintf(c_file, 
+	    "void initialize_%s_error_table_r(struct et_list **list)\n", 
+	    name);
+    fprintf(c_file, "{\n");
+    fprintf(c_file, 
+	    "    initialize_error_table_r(list, text, "
+	    "%s_num_errors, ERROR_TABLE_BASE_%s);\n", name, name);
+    fprintf(c_file, "}\n");
+    fprintf(c_file, "\n");
+    fprintf(c_file, "void initialize_%s_error_table(void)\n", name);
+    fprintf(c_file, "{\n");
+    fprintf(c_file,
+	    "    init_error_table(text, ERROR_TABLE_BASE_%s, "
+	    "%s_num_errors);\n", name, name);
+    fprintf(c_file, "}\n");
+
+    fclose(c_file);
+    return 0;
+}
+
+static int
+generate_h(void)
+{
+    struct error_code *ec;
+    char fn[128];
+    FILE *h_file = fopen(hfn, "w");
+    char *p;
+
+    if(h_file == NULL)
+	return 1;
+
+    snprintf(fn, sizeof(fn), "__%s__", hfn);
+    for(p = fn; *p; p++)
+	if(!isalnum((unsigned char)*p))
+	    *p = '_';
+    
+    fprintf(h_file, "/* Generated from %s */\n", filename);
+    if(id_str) 
+	fprintf(h_file, "/* %s */\n", id_str);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "#ifndef %s\n", fn);
+    fprintf(h_file, "#define %s\n", fn);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "#include <com_right.h>\n");
+    fprintf(h_file, "\n");
+    fprintf(h_file, 
+	    "void initialize_%s_error_table_r(struct et_list **);\n",
+	    name);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "void initialize_%s_error_table(void);\n", name);
+    fprintf(h_file, "#define init_%s_err_tbl initialize_%s_error_table\n", 
+	    name, name);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "typedef enum %s_error_number{\n", name);
+    fprintf(h_file, "\tERROR_TABLE_BASE_%s = %ld,\n", name, base);
+    fprintf(h_file, "\t%s_err_base = %ld,\n", name, base);
+
+    for(ec = codes; ec; ec = ec->next) {
+	fprintf(h_file, "\t%s = %ld,\n", ec->name, base + ec->number);
+    }
+
+    fprintf(h_file, "\t%s_num_errors = %d\n", name, number);
+    fprintf(h_file, "} %s_error_number;\n", name);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "#endif /* %s */\n", fn);
+
+
+    fclose(h_file);
+    return 0;
+}
+
+static int
+generate(void)
+{
+    return generate_c() || generate_h();
+}
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "error-table");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    char *p;
+    int optind = 0;
+
+    set_progname(argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(optind == argc) 
+	usage(1);
+    filename = argv[optind];
+    yyin = fopen(filename, "r");
+    if(yyin == NULL)
+	err(1, "%s", filename);
+	
+    
+    p = strrchr(filename, '/');
+    if(p)
+	p++;
+    else
+	p = filename;
+    strncpy(Basename, p, sizeof(Basename));
+    Basename[sizeof(Basename) - 1] = '\0';
+    
+    Basename[strcspn(Basename, ".")] = '\0';
+    
+    snprintf(hfn, sizeof(hfn), "%s.h", Basename);
+    snprintf(cfn, sizeof(cfn), "%s.c", Basename);
+    
+    yyparse();
+    if(numerror)
+	return 1;
+
+    return generate();
+}
diff --git a/crypto/heimdal/lib/com_err/compile_et.h b/crypto/heimdal/lib/com_err/compile_et.h
new file mode 100644
index 0000000..86dd113
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/compile_et.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: compile_et.h,v 1.6 2000/07/01 20:21:48 assar Exp $ */
+
+#ifndef __COMPILE_ET_H__
+#define __COMPILE_ET_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <ctype.h>
+#include <roken.h>
+
+extern long base;
+extern int number;
+extern char *prefix;
+extern char name[128];
+extern char *id_str;
+extern char *filename;
+extern int numerror;
+
+struct error_code {
+    unsigned number;
+    char *name;
+    char *string;
+    struct error_code *next, **tail;
+};
+
+extern struct error_code *codes;
+
+#define APPEND(L, V) 				\
+do {						\
+    if((L) == NULL) {				\
+	(L) = (V);				\
+	(L)->tail = &(V)->next;			\
+	(L)->next = NULL;			\
+    }else{					\
+	*(L)->tail = (V);			\
+	(L)->tail = &(V)->next;			\
+    }						\
+}while(0)
+
+#endif /* __COMPILE_ET_H__ */
diff --git a/crypto/heimdal/lib/com_err/error.c b/crypto/heimdal/lib/com_err/error.c
new file mode 100644
index 0000000..d122007
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/error.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: error.c,v 1.14 1999/12/02 16:58:38 joda Exp $");
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <com_right.h>
+
+const char *
+com_right(struct et_list *list, long code)
+{
+    struct et_list *p;
+    for (p = list; p; p = p->next) {
+	if (code >= p->table->base && code < p->table->base + p->table->n_msgs)
+	    return p->table->msgs[code - p->table->base];
+    }
+    return NULL;
+}
+
+struct foobar {
+    struct et_list etl;
+    struct error_table et;
+};
+
+void
+initialize_error_table_r(struct et_list **list, 
+			 const char **messages, 
+			 int num_errors,
+			 long base)
+{
+    struct et_list *et;
+    struct foobar *f;
+    for (et = *list; et; et = et->next)
+        if (et->table->msgs == messages)
+            return;
+    f = malloc(sizeof(*f));
+    if (f == NULL)
+        return;
+    et = &f->etl;
+    et->table = &f->et;
+    et->table->msgs = messages;
+    et->table->n_msgs = num_errors;
+    et->table->base = base;
+    et->next = *list;
+    *list = et;
+}
+			
+
+void
+free_error_table(struct et_list *et)
+{
+    while(et){
+	struct et_list *p = et;
+	et = et->next;
+	free(p);
+    }
+}
diff --git a/crypto/heimdal/lib/com_err/lex.h b/crypto/heimdal/lib/com_err/lex.h
new file mode 100644
index 0000000..9912bf4
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/lex.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: lex.h,v 1.1 2000/06/22 00:42:52 assar Exp $ */
+
+void error_message (const char *, ...)
+__attribute__ ((format (printf, 1, 2)));
+
+int yylex(void);
diff --git a/crypto/heimdal/lib/com_err/lex.l b/crypto/heimdal/lib/com_err/lex.l
new file mode 100644
index 0000000..e98db6f
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/lex.l
@@ -0,0 +1,126 @@
+%{
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+ * This is to handle the definition of this symbol in some AIX
+ * headers, which will conflict with the definition that lex will
+ * generate for it.  It's only a problem for AIX lex.
+ */
+
+#undef ECHO
+
+#include "compile_et.h"
+#include "parse.h"
+#include "lex.h"
+
+RCSID("$Id: lex.l,v 1.6 2000/06/22 00:42:52 assar Exp $");
+
+static unsigned lineno = 1;
+static int getstring(void);
+
+#define YY_NO_UNPUT
+
+#undef ECHO
+
+%}
+
+
+%%
+et			{ return ET; }
+error_table		{ return ET; }
+ec			{ return EC; }
+error_code		{ return EC; }
+prefix			{ return PREFIX; }
+index			{ return INDEX; }
+id			{ return ID; }
+end			{ return END; }
+[0-9]+			{ yylval.number = atoi(yytext); return NUMBER; }
+#[^\n]*			;
+[ \t]			;
+\n			{ lineno++; }
+\"			{ return getstring(); }
+[a-zA-Z0-9_]+		{ yylval.string = strdup(yytext); return STRING; }
+.			{ return *yytext; }
+%%
+
+#ifndef yywrap /* XXX */
+int
+yywrap () 
+{
+     return 1;
+}
+#endif
+
+static int
+getstring(void)
+{
+    char x[128];
+    int i = 0;
+    int c;
+    int quote = 0;
+    while((c = input()) != EOF){
+	if(quote) {
+	    x[i++] = c;
+	    quote = 0;
+	    continue;
+	}
+	if(c == '\n'){
+	    error_message("unterminated string");
+	    lineno++;
+	    break;
+	}
+	if(c == '\\'){
+	    quote++;
+	    continue;
+	}
+	if(c == '\"')
+	    break;
+	x[i++] = c;
+    }
+    x[i] = '\0';
+    yylval.string = strdup(x);
+    return STRING;
+}
+
+void
+error_message (const char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, "%s:%d:", filename, lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+     numerror++;
+}
diff --git a/crypto/heimdal/lib/com_err/parse.y b/crypto/heimdal/lib/com_err/parse.y
new file mode 100644
index 0000000..82e99ff
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/parse.y
@@ -0,0 +1,167 @@
+%{
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "compile_et.h"
+#include "lex.h"
+
+RCSID("$Id: parse.y,v 1.11 2000/06/22 00:42:52 assar Exp $");
+
+void yyerror (char *s);
+static long name2number(const char *str);
+
+extern char *yytext;
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+%}
+
+%union {
+  char *string;
+  int number;
+}
+
+%token ET INDEX PREFIX EC ID END
+%token <string> STRING
+%token <number> NUMBER
+
+%%
+
+file		: /* */ 
+		| header statements
+		;
+
+header		: id et
+		| et
+		;
+
+id		: ID STRING
+		{
+		    id_str = $2;
+		}
+		;
+
+et		: ET STRING
+		{
+		    base = name2number($2);
+		    strncpy(name, $2, sizeof(name));
+		    name[sizeof(name) - 1] = '\0';
+		    free($2);
+		}
+		| ET STRING STRING
+		{
+		    base = name2number($2);
+		    strncpy(name, $3, sizeof(name));
+		    name[sizeof(name) - 1] = '\0';
+		    free($2);
+		    free($3);
+		}
+		;
+
+statements	: statement
+		| statements statement
+		;
+
+statement	: INDEX NUMBER 
+		{
+			number = $2;
+		}
+		| PREFIX STRING
+		{
+		    prefix = realloc(prefix, strlen($2) + 2);
+		    strcpy(prefix, $2);
+		    strcat(prefix, "_");
+		    free($2);
+		}
+		| PREFIX
+		{
+		    prefix = realloc(prefix, 1);
+		    *prefix = '\0';
+		}
+		| EC STRING ',' STRING
+		{
+		    struct error_code *ec = malloc(sizeof(*ec));
+
+		    ec->next = NULL;
+		    ec->number = number;
+		    if(prefix && *prefix != '\0') {
+			asprintf (&ec->name, "%s%s", prefix, $2);
+			free($2);
+		    } else
+			ec->name = $2;
+		    ec->string = $4;
+		    APPEND(codes, ec);
+		    number++;
+		}
+		| END
+		{
+			YYACCEPT;
+		}
+		;
+
+%%
+
+static long
+name2number(const char *str)
+{
+    const char *p;
+    long base = 0;
+    const char *x = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+	"abcdefghijklmnopqrstuvwxyz0123456789_";
+    if(strlen(str) > 4) {
+	yyerror("table name too long");
+	return 0;
+    }
+    for(p = str; *p; p++){
+	char *q = strchr(x, *p);
+	if(q == NULL) {
+	    yyerror("invalid character in table name");
+	    return 0;
+	}
+	base = (base << 6) + (q - x) + 1;
+    }
+    base <<= 8;
+    if(base > 0x7fffffff)
+	base = -(0xffffffff - base + 1);
+    return base;
+}
+
+void
+yyerror (char *s)
+{
+     error_message ("%s\n", s);
+}
diff --git a/crypto/heimdal/lib/com_err/roken_rename.h b/crypto/heimdal/lib/com_err/roken_rename.h
new file mode 100644
index 0000000..173c9a7
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/roken_rename.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: roken_rename.h,v 1.3 1999/12/02 16:58:38 joda Exp $ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal/lib/gssapi/8003.c b/crypto/heimdal/lib/gssapi/8003.c
index f37fe04..c0d8881 100644
--- a/crypto/heimdal/lib/gssapi/8003.c
+++ b/crypto/heimdal/lib/gssapi/8003.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: 8003.c,v 1.6 2000/01/25 23:10:13 assar Exp $");
+RCSID("$Id: 8003.c,v 1.8 2001/01/29 02:08:58 assar Exp $");
 
 static krb5_error_code
 encode_om_uint32(OM_uint32 n, u_char *p)
@@ -59,30 +59,30 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
   u_char num[4];
   MD5_CTX md5;
 
-  MD5Init(&md5);
+  MD5_Init(&md5);
   encode_om_uint32 (b->initiator_addrtype, num);
-  MD5Update (&md5, num, sizeof(num));
+  MD5_Update (&md5, num, sizeof(num));
   encode_om_uint32 (b->initiator_address.length, num);
-  MD5Update (&md5, num, sizeof(num));
+  MD5_Update (&md5, num, sizeof(num));
   if (b->initiator_address.length)
-    MD5Update (&md5,
+    MD5_Update (&md5,
 		b->initiator_address.value,
 		b->initiator_address.length);
   encode_om_uint32 (b->acceptor_addrtype, num);
-  MD5Update (&md5, num, sizeof(num));
+  MD5_Update (&md5, num, sizeof(num));
   encode_om_uint32 (b->acceptor_address.length, num);
-  MD5Update (&md5, num, sizeof(num));
+  MD5_Update (&md5, num, sizeof(num));
   if (b->acceptor_address.length)
-    MD5Update (&md5,
+    MD5_Update (&md5,
 		b->acceptor_address.value,
 		b->acceptor_address.length);
   encode_om_uint32 (b->application_data.length, num);
-  MD5Update (&md5, num, sizeof(num));
+  MD5_Update (&md5, num, sizeof(num));
   if (b->application_data.length)
-    MD5Update (&md5,
+    MD5_Update (&md5,
 		b->application_data.value,
 		b->application_data.length);
-  MD5Final (p, &md5);
+  MD5_Final (p, &md5);
   return 0;
 }
 
@@ -90,12 +90,20 @@ krb5_error_code
 gssapi_krb5_create_8003_checksum (
 		      const gss_channel_bindings_t input_chan_bindings,
 		      OM_uint32 flags,
+		      krb5_data *fwd_data,
 		      Checksum *result)
 {
   u_char *p;
 
+  /* 
+   * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value 
+   * field's format)
+   */
   result->cksumtype = 0x8003;
-  result->checksum.length = 24;
+  if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
+    result->checksum.length = 24 + 4 + fwd_data->length;
+  else 
+    result->checksum.length = 24;
   result->checksum.data   = malloc (result->checksum.length);
   if (result->checksum.data == NULL)
     return ENOMEM;
@@ -111,8 +119,31 @@ gssapi_krb5_create_8003_checksum (
   p += 16;
   encode_om_uint32 (flags, p);
   p += 4;
+
+  if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) {
+#if 0
+     u_char *tmp;
+
+     result->checksum.length = 28 + fwd_data->length;
+     tmp = realloc(result->checksum.data, result->checksum.length);
+     if (tmp == NULL)
+        return ENOMEM;
+     result->checksum.data = tmp;
+
+     p = (u_char*)result->checksum.data + 24;  
+#endif
+     *p++ = (1 >> 0) & 0xFF;                   /* DlgOpt */ /* == 1 */
+     *p++ = (1 >> 8) & 0xFF;                   /* DlgOpt */ /* == 0 */
+     *p++ = (fwd_data->length >> 0) & 0xFF;    /* Dlgth  */
+     *p++ = (fwd_data->length >> 8) & 0xFF;    /* Dlgth  */
+     memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
+
+     p += fwd_data->length;
+     
   if (p - (u_char *)result->checksum.data != result->checksum.length)
-    abort ();
+        abort();
+  }
+  
   return 0;
 }
 
@@ -120,14 +151,16 @@ krb5_error_code
 gssapi_krb5_verify_8003_checksum(
 		      const gss_channel_bindings_t input_chan_bindings,
 		      Checksum *cksum,
-		      OM_uint32 *flags)
+		      OM_uint32 *flags,
+		      krb5_data *fwd_data)
 {
     unsigned char hash[16];
     unsigned char *p;
     OM_uint32 length;
+    int DlgOpt;
 
     /* XXX should handle checksums > 24 bytes */
-    if(cksum->cksumtype != 0x8003 || cksum->checksum.length != 24)
+    if(cksum->cksumtype != 0x8003)
 	return GSS_S_BAD_BINDINGS;
     
     p = cksum->checksum.data;
@@ -147,6 +180,24 @@ gssapi_krb5_verify_8003_checksum(
     p += sizeof(hash);
     
     decode_om_uint32(p, flags);
+
+    if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
+    
+      p += 4;
+    
+      DlgOpt = (p[0] << 0) | (p[1] << 8 );
+      if (DlgOpt != 1)
+         return GSS_S_BAD_BINDINGS;
+      
+      p += 2;
+      fwd_data->length = (p[0] << 0) | (p[1] << 8);
+      fwd_data->data = malloc(fwd_data->length);
+      if (fwd_data->data == NULL)
+         return ENOMEM;
+
+      p += 2;
+      memcpy(fwd_data->data, p, fwd_data->length);
+    }
     
     return 0;
 }
diff --git a/crypto/heimdal/lib/gssapi/ChangeLog b/crypto/heimdal/lib/gssapi/ChangeLog
index ba765ba..e335d4db 100644
--- a/crypto/heimdal/lib/gssapi/ChangeLog
+++ b/crypto/heimdal/lib/gssapi/ChangeLog
@@ -1,3 +1,106 @@
+2001-01-30  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:0:2
+	* acquire_cred.c, init_sec_context.c, release_cred.c: add support
+	for getting creds from a keytab, from fvdl@netbsd.org
+
+	* copy_ccache.c: add gss_krb5_copy_ccache
+
+2001-01-27  Assar Westerlund  <assar@sics.se>
+
+	* get_mic.c: cast parameters to des function to non-const pointers
+ 	to handle the case where these functions actually take non-const
+ 	des_cblock *
+
+2001-01-09  Assar Westerlund  <assar@sics.se>
+
+	* accept_sec_context.c (gss_accept_sec_context): use krb5_rd_cred2
+	instead of krb5_rd_cred
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:3:1
+
+2000-12-08  Assar Westerlund  <assar@sics.se>
+
+	* wrap.c (wrap_des3): use the checksum as ivec when encrypting the
+	sequence number
+	* unwrap.c (unwrap_des3): use the checksum as ivec when encrypting
+	the sequence number
+	* init_sec_context.c (init_auth): always zero fwd_data
+
+2000-12-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* accept_sec_context.c: de-pointerise auth_context parameter to
+	krb5_mk_rep
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* init_sec_context.c (init_auth): update to new
+	krb5_build_authenticator
+
+2000-09-19  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:2:1
+
+2000-08-27  Assar Westerlund  <assar@sics.se>
+
+	* init_sec_context.c: actually pay attention to `time_req'
+	* init_sec_context.c: re-organize.  leak less memory.
+	* gssapi_locl.h (gssapi_krb5_encapsulate, gss_krb5_getsomekey):
+	update prototypes add assert.h
+	* gssapi.h (GSS_KRB5_CONF_C_QOP_DES, GSS_KRB5_CONF_C_QOP_DES3_KD):
+	add
+	* verify_mic.c: re-organize and add 3DES code
+	* wrap.c: re-organize and add 3DES code
+	* unwrap.c: re-organize and add 3DES code
+	* get_mic.c: re-organize and add 3DES code
+	* encapsulate.c (gssapi_krb5_encapsulate): do not free `in_data',
+	let the caller do that.  fix the callers.
+
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 2:1:1
+
+2000-07-29  Assar Westerlund  <assar@sics.se>
+
+	* decapsulate.c (gssapi_krb5_verify_header): sanity-check length
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bump version to 2:0:1
+
+2000-07-22  Assar Westerlund  <assar@sics.se>
+
+	* gssapi.h: update OID for GSS_C_NT_HOSTBASED_SERVICE and other
+	details from rfc2744
+
+2000-06-29  Assar Westerlund  <assar@sics.se>
+
+	* address_to_krb5addr.c (gss_address_to_krb5addr): actually use
+	`int' instead of `sa_family_t' for the address family.
+
+2000-06-21  Assar Westerlund  <assar@sics.se>
+
+	* add support for token delegation.  From Daniel Kouril
+	<kouril@ics.muni.cz> and Miroslav Ruda <ruda@ics.muni.cz>
+
+2000-05-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libgssapi_la_LDFLAGS): set version to 1:1:1
+
+2000-04-12  Assar Westerlund  <assar@sics.se>
+
+	* release_oid_set.c (gss_release_oid_set): clear set for
+	robustness.  From GOMBAS Gabor <gombasg@inf.elte.hu>
+	* release_name.c (gss_release_name): reset input_name for
+	robustness.  From GOMBAS Gabor <gombasg@inf.elte.hu>
+	* release_buffer.c (gss_release_buffer): set value to NULL to be
+	more robust.  From GOMBAS Gabor <gombasg@inf.elte.hu>
+	* add_oid_set_member.c (gss_add_oid_set_member): actually check if
+	the oid is a member first.  leave the oid_set unchanged if realloc
+	fails.
+
 2000-02-13  Assar Westerlund  <assar@sics.se>
 
 	* Makefile.am: set version to 1:0:1
diff --git a/crypto/heimdal/lib/gssapi/Makefile.am b/crypto/heimdal/lib/gssapi/Makefile.am
index 07d4e65..a086e29 100644
--- a/crypto/heimdal/lib/gssapi/Makefile.am
+++ b/crypto/heimdal/lib/gssapi/Makefile.am
@@ -1,11 +1,11 @@
-# $Id: Makefile.am,v 1.21 2000/02/13 20:34:49 assar Exp $
+# $Id: Makefile.am,v 1.30 2001/01/30 01:51:53 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += -I$(srcdir)/../krb5
+INCLUDES += -I$(srcdir)/../krb5 $(INCLUDE_krb4)
 
 lib_LTLIBRARIES = libgssapi.la
-libgssapi_la_LDFLAGS = -version-info 1:0:1
+libgssapi_la_LDFLAGS = -version-info 3:0:2
 
 include_HEADERS = gssapi.h
 
@@ -17,6 +17,7 @@ libgssapi_la_SOURCES =		\
 	canonicalize_name.c	\
 	compare_name.c		\
 	context_time.c		\
+	copy_ccache.c		\
 	create_emtpy_oid_set.c	\
 	decapsulate.c		\
 	delete_sec_context.c	\
@@ -45,4 +46,5 @@ libgssapi_la_SOURCES =		\
 	unwrap.c		\
 	v1.c			\
 	verify_mic.c		\
-	wrap.c
+        wrap.c                  \
+        address_to_krb5addr.c
diff --git a/crypto/heimdal/lib/gssapi/Makefile.in b/crypto/heimdal/lib/gssapi/Makefile.in
index 31ea813..4173934 100644
--- a/crypto/heimdal/lib/gssapi/Makefile.in
+++ b/crypto/heimdal/lib/gssapi/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.21 2000/02/13 20:34:49 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.30 2001/01/30 01:51:53 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include -I$(srcdir)/../krb5
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../krb5 $(INCLUDE_krb4)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,34 +170,69 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 lib_LTLIBRARIES = libgssapi.la
-libgssapi_la_LDFLAGS = -version-info 1:0:1
+libgssapi_la_LDFLAGS = -version-info 3:0:2
 
 include_HEADERS = gssapi.h
 
-libgssapi_la_SOURCES =  	8003.c				accept_sec_context.c		acquire_cred.c			add_oid_set_member.c		canonicalize_name.c		compare_name.c			context_time.c			create_emtpy_oid_set.c		decapsulate.c			delete_sec_context.c		display_name.c			display_status.c		duplicate_name.c		encapsulate.c			export_sec_context.c		export_name.c			external.c			get_mic.c			gssapi.h			gssapi_locl.h			import_name.c			import_sec_context.c		indicate_mechs.c		init.c				init_sec_context.c		inquire_context.c		inquire_cred.c			release_buffer.c		release_cred.c			release_name.c			release_oid_set.c		test_oid_set_member.c		unwrap.c			v1.c				verify_mic.c			wrap.c
+libgssapi_la_SOURCES = \
+	8003.c			\
+	accept_sec_context.c	\
+	acquire_cred.c		\
+	add_oid_set_member.c	\
+	canonicalize_name.c	\
+	compare_name.c		\
+	context_time.c		\
+	copy_ccache.c		\
+	create_emtpy_oid_set.c	\
+	decapsulate.c		\
+	delete_sec_context.c	\
+	display_name.c		\
+	display_status.c	\
+	duplicate_name.c	\
+	encapsulate.c		\
+	export_sec_context.c	\
+	export_name.c		\
+	external.c		\
+	get_mic.c		\
+	gssapi.h		\
+	gssapi_locl.h		\
+	import_name.c		\
+	import_sec_context.c	\
+	indicate_mechs.c	\
+	init.c			\
+	init_sec_context.c	\
+	inquire_context.c	\
+	inquire_cred.c		\
+	release_buffer.c	\
+	release_cred.c		\
+	release_name.c		\
+	release_oid_set.c	\
+	test_oid_set_member.c	\
+	unwrap.c		\
+	v1.c			\
+	verify_mic.c		\
+        wrap.c                  \
+        address_to_krb5addr.c
 
+subdir = lib/gssapi
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -189,42 +242,43 @@ LTLIBRARIES =  $(lib_LTLIBRARIES)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 libgssapi_la_LIBADD = 
-libgssapi_la_OBJECTS =  8003.lo accept_sec_context.lo acquire_cred.lo \
+am_libgssapi_la_OBJECTS =  8003.lo accept_sec_context.lo acquire_cred.lo \
 add_oid_set_member.lo canonicalize_name.lo compare_name.lo \
-context_time.lo create_emtpy_oid_set.lo decapsulate.lo \
+context_time.lo copy_ccache.lo create_emtpy_oid_set.lo decapsulate.lo \
 delete_sec_context.lo display_name.lo display_status.lo \
 duplicate_name.lo encapsulate.lo export_sec_context.lo export_name.lo \
 external.lo get_mic.lo import_name.lo import_sec_context.lo \
 indicate_mechs.lo init.lo init_sec_context.lo inquire_context.lo \
 inquire_cred.lo release_buffer.lo release_cred.lo release_name.lo \
 release_oid_set.lo test_oid_set_member.lo unwrap.lo v1.lo verify_mic.lo \
-wrap.lo
-CFLAGS = @CFLAGS@
+wrap.lo address_to_krb5addr.lo
+libgssapi_la_OBJECTS =  $(am_libgssapi_la_OBJECTS)
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libgssapi_la_SOURCES)
 HEADERS =  $(include_HEADERS)
 
-DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(libgssapi_la_SOURCES)
-OBJECTS = $(libgssapi_la_OBJECTS)
+OBJECTS = $(am_libgssapi_la_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/gssapi/Makefile
 
@@ -247,31 +301,18 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	$(mkinstalldirs) $(DESTDIR)$(libdir)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
 	  else :; fi; \
 	done
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
 	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -283,15 +324,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -304,41 +336,54 @@ maintainer-clean-libtool:
 
 libgssapi.la: $(libgssapi_la_OBJECTS) $(libgssapi_la_DEPENDENCIES)
 	$(LINK) -rpath $(libdir) $(libgssapi_la_LDFLAGS) $(libgssapi_la_OBJECTS) $(libgssapi_la_LIBADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-includeHEADERS: $(include_HEADERS)
 	@$(NORMAL_INSTALL)
 	$(mkinstalldirs) $(DESTDIR)$(includedir)
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
-	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
-	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
 	done
 
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	list='$(include_HEADERS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
 	done
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -351,17 +396,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/gssapi
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -390,7 +434,7 @@ uninstall: uninstall-am
 all-am: Makefile $(LTLIBRARIES) $(HEADERS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
 
@@ -404,6 +448,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -441,8 +486,8 @@ install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
 maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
 check-am installcheck-am installcheck install-exec-am install-exec \
 install-data-local install-data-am install-data install-am install \
-uninstall-am uninstall all-local all-redirect all-am all installdirs \
-mostlyclean-generic distclean-generic clean-generic \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
 maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
@@ -451,7 +496,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -463,8 +511,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -533,87 +581,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/lib/gssapi/accept_sec_context.c b/crypto/heimdal/lib/gssapi/accept_sec_context.c
index 3f61ae1..a606c55 100644
--- a/crypto/heimdal/lib/gssapi/accept_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/accept_sec_context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: accept_sec_context.c,v 1.17 2000/02/12 21:24:08 assar Exp $");
+RCSID("$Id: accept_sec_context.c,v 1.21 2001/01/09 18:47:11 assar Exp $");
 
 static krb5_keytab gss_keytab;
 
@@ -75,9 +75,11 @@ gss_accept_sec_context
   OM_uint32 flags;
   krb5_ticket *ticket = NULL;
   krb5_keytab keytab = NULL;
+  krb5_data fwd_data;
 
   gssapi_krb5_init ();
 
+  krb5_data_zero (&fwd_data);
   output_token->length = 0;
   output_token->value   = NULL;
 
@@ -103,6 +105,70 @@ gss_accept_sec_context
     goto failure;
   }
 
+  if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
+      && input_chan_bindings->application_data.length ==
+           2 * sizeof((*context_handle)->auth_context->local_port)
+           ) {
+     
+     /* Port numbers are expected to be in application_data.value,
+      * initator's port first */
+     
+     krb5_address initiator_addr, acceptor_addr;
+     
+     memset(&initiator_addr, 0, sizeof(initiator_addr));
+     memset(&acceptor_addr, 0, sizeof(acceptor_addr));
+
+     (*context_handle)->auth_context->remote_port = 
+        *(int16_t *) input_chan_bindings->application_data.value; 
+     
+     (*context_handle)->auth_context->local_port =
+        *((int16_t *) input_chan_bindings->application_data.value + 1);
+
+     
+     kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
+                               &input_chan_bindings->acceptor_address,
+                               (*context_handle)->auth_context->local_port,
+                               &acceptor_addr); 
+     if (kret) {
+        *minor_status = kret;
+        ret = GSS_S_BAD_BINDINGS;
+        goto failure;
+     }
+                             
+     kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
+                               &input_chan_bindings->initiator_address, 
+                               (*context_handle)->auth_context->remote_port,
+                               &initiator_addr); 
+     if (kret) {
+        krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+        *minor_status = kret;
+        ret = GSS_S_BAD_BINDINGS;
+        goto failure;
+     }
+     
+     kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
+                                   (*context_handle)->auth_context,
+                                   &acceptor_addr,    /* local address */
+                                   &initiator_addr);  /* remote address */
+     
+     krb5_free_address (gssapi_krb5_context, &initiator_addr);
+     krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+     
+#if 0
+     free(input_chan_bindings->application_data.value);
+     input_chan_bindings->application_data.value = NULL;
+     input_chan_bindings->application_data.length = 0;
+#endif
+     
+     if (kret) {
+        *minor_status = kret;
+        ret = GSS_S_BAD_BINDINGS;
+        goto failure;
+     }
+  }
+  
+
+
   {
     int32_t tmp;
 
@@ -183,7 +249,8 @@ gss_accept_sec_context
 
       kret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
 					      authenticator->cksum,
-					      &flags);
+					      &flags,
+					      &fwd_data);
       krb5_free_authenticator(gssapi_krb5_context, &authenticator);
       if (kret) {
 	  ret = GSS_S_FAILURE;
@@ -191,6 +258,49 @@ gss_accept_sec_context
       }
   }
 
+  if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
+      
+      krb5_ccache ccache;
+      
+      if (delegated_cred_handle == NULL || *delegated_cred_handle == NULL)
+         /* XXX Create a new delegated_cred_handle? */
+         kret = krb5_cc_default (gssapi_krb5_context, &ccache);
+      
+      else {
+         if ((*delegated_cred_handle)->ccache == NULL)
+            kret = krb5_cc_gen_new (gssapi_krb5_context,
+                                    &krb5_mcc_ops,
+                                    &(*delegated_cred_handle)->ccache);
+         ccache = (*delegated_cred_handle)->ccache;
+      }
+      
+      if (kret) {
+         flags &= ~GSS_C_DELEG_FLAG;
+         goto end_fwd;
+      }
+      
+      kret = krb5_cc_initialize(gssapi_krb5_context,
+                                ccache,
+                                *src_name);
+      if (kret) {
+         flags &= ~GSS_C_DELEG_FLAG;
+         goto end_fwd;
+      }
+      
+      kret = krb5_rd_cred2(gssapi_krb5_context,
+			   (*context_handle)->auth_context,
+			   ccache,
+			   &fwd_data);
+      if (kret) {
+         flags &= ~GSS_C_DELEG_FLAG;
+         goto end_fwd;
+      }
+
+end_fwd:
+      free(fwd_data.data);
+  }
+         
+
   flags |= GSS_C_TRANS_FLAG;
 
   if (ret_flags)
@@ -208,16 +318,16 @@ gss_accept_sec_context
     krb5_data outbuf;
 
     kret = krb5_mk_rep (gssapi_krb5_context,
-			&(*context_handle)->auth_context,
+			(*context_handle)->auth_context,
 			&outbuf);
     if (kret) {
-      krb5_data_free (&outbuf);
       ret = GSS_S_FAILURE;
       goto failure;
     }
     ret = gssapi_krb5_encapsulate (&outbuf,
 				   output_token,
 				   "\x02\x00");
+    krb5_data_free (&outbuf);
     if (ret) {
 	kret = 0;
       goto failure;
@@ -236,6 +346,8 @@ gss_accept_sec_context
   return GSS_S_COMPLETE;
 
 failure:
+  if (fwd_data.length > 0)
+    free(fwd_data.data);
   if (ticket != NULL)
     krb5_free_ticket (gssapi_krb5_context, ticket);
   krb5_auth_con_free (gssapi_krb5_context,
diff --git a/crypto/heimdal/lib/gssapi/acquire_cred.c b/crypto/heimdal/lib/gssapi/acquire_cred.c
index 821bbc3..341d06d 100644
--- a/crypto/heimdal/lib/gssapi/acquire_cred.c
+++ b/crypto/heimdal/lib/gssapi/acquire_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: acquire_cred.c,v 1.3 1999/12/02 17:05:03 joda Exp $");
+RCSID("$Id: acquire_cred.c,v 1.4 2001/01/30 00:49:05 assar Exp $");
 
 OM_uint32 gss_acquire_cred
            (OM_uint32 * minor_status,
@@ -48,21 +48,67 @@ OM_uint32 gss_acquire_cred
 {
     gss_cred_id_t handle;
     OM_uint32 ret;
+    krb5_principal def_princ;
+    krb5_ccache ccache;
+    krb5_error_code pret = -1, kret = 0;
+    krb5_keytab kt;
+    krb5_creds cred;
+    krb5_get_init_creds_opt opt;
 
     handle = (gss_cred_id_t)malloc(sizeof(*handle));
     if (handle == GSS_C_NO_CREDENTIAL) {
         return GSS_S_FAILURE;
     }
+    memset(handle, 0, sizeof (*handle));
 
     ret = gss_duplicate_name(minor_status, desired_name, &handle->principal);
     if (ret) {
         return ret;
     }
 
+    if (krb5_cc_default(gssapi_krb5_context, &ccache) == 0 &&
+      (pret = krb5_cc_get_principal(gssapi_krb5_context, ccache,
+					 &def_princ)) == 0 &&
+      krb5_principal_compare(gssapi_krb5_context, handle->principal,
+				 def_princ) == TRUE) {
+	handle->ccache = ccache;
+	handle->keytab = NULL;
+    } else {
+	kret = krb5_kt_default(gssapi_krb5_context, &kt);
+	if (kret != 0)
+	    goto out;
+	krb5_get_init_creds_opt_init(&opt);
+	memset(&cred, 0, sizeof(cred));
+	kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
+	  handle->principal, kt, 0, NULL, &opt);
+	if (kret != 0) {
+	    krb5_kt_close(gssapi_krb5_context, kt);
+	    goto out;
+	}
+	kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, &ccache);
+	if (kret != 0) {
+	    krb5_kt_close(gssapi_krb5_context, kt);
+	    goto out;
+	}
+	kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client);
+	if (kret != 0) {
+	    krb5_kt_close(gssapi_krb5_context, kt);
+	    krb5_cc_close(gssapi_krb5_context, ccache);
+	    goto out;
+	}
+	kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
+	if (kret != 0) {
+	    krb5_kt_close(gssapi_krb5_context, kt);
+	    krb5_cc_close(gssapi_krb5_context, ccache);
+	    goto out;
+	}
+	handle->ccache = ccache;
+	handle->keytab = kt;
+    }
+
+
     /* XXX */
     handle->lifetime = time_req;
-
-    handle->keytab = NULL;
     handle->usage = cred_usage;
 
     ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
@@ -83,5 +129,14 @@ OM_uint32 gss_acquire_cred
 
     *output_cred_handle = handle;
 
+out:
+    if (pret == 0)
+	krb5_free_principal(gssapi_krb5_context, def_princ);
+
+    if (kret != 0) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+
     return GSS_S_COMPLETE;
 }
diff --git a/crypto/heimdal/lib/gssapi/add_oid_set_member.c b/crypto/heimdal/lib/gssapi/add_oid_set_member.c
index 996c5cf..b8144ff 100644
--- a/crypto/heimdal/lib/gssapi/add_oid_set_member.c
+++ b/crypto/heimdal/lib/gssapi/add_oid_set_member.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: add_oid_set_member.c,v 1.3 1999/12/02 17:05:03 joda Exp $");
+RCSID("$Id: add_oid_set_member.c,v 1.6 2000/07/02 04:44:11 assar Exp $");
 
 OM_uint32 gss_add_oid_set_member (
             OM_uint32 * minor_status,
@@ -41,13 +41,23 @@ OM_uint32 gss_add_oid_set_member (
             gss_OID_set * oid_set
            )
 {
-  size_t n = (*oid_set)->count;
+  gss_OID tmp;
+  size_t n;
+  OM_uint32 res;
+  int present;
 
-  (*oid_set)->elements = realloc ((*oid_set)->elements,
-				  n * sizeof(gss_OID_desc));
-  if ((*oid_set)->elements == NULL) {
+  res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present);
+  if (res != GSS_S_COMPLETE)
+    return res;
+
+  if (present)
+    return GSS_S_COMPLETE;
+
+  n = (*oid_set)->count + 1;
+  tmp = realloc ((*oid_set)->elements, n * sizeof(gss_OID_desc));
+  if (tmp == NULL)
     return GSS_S_FAILURE;
-  }
+  (*oid_set)->elements = tmp;
   (*oid_set)->count = n;
   (*oid_set)->elements[n-1] = *member_oid;
   return GSS_S_COMPLETE;
diff --git a/crypto/heimdal/lib/gssapi/address_to_krb5addr.c b/crypto/heimdal/lib/gssapi/address_to_krb5addr.c
new file mode 100644
index 0000000..1d8c1b6
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/address_to_krb5addr.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+#include <roken.h>
+
+krb5_error_code
+gss_address_to_krb5addr(OM_uint32 gss_addr_type,
+                        gss_buffer_desc *gss_addr,
+                        int16_t port,
+                        krb5_address *address)
+{
+   int addr_type;
+   struct sockaddr sa;
+   int sa_size = sizeof(sa);
+   krb5_error_code problem;
+   
+   if (gss_addr == NULL)
+      return GSS_S_FAILURE; 
+   
+   switch (gss_addr_type) {
+#ifdef HAVE_IPV6
+      case GSS_C_AF_INET6: addr_type = AF_INET6;
+                           break;
+#endif /* HAVE_IPV6 */
+                           
+      case GSS_C_AF_INET:  addr_type = AF_INET;
+                           break;
+      default:
+                           return GSS_S_FAILURE;
+   }
+                      
+   problem = krb5_h_addr2sockaddr (addr_type,
+                                   gss_addr->value, 
+                                   &sa, 
+                                   &sa_size, 
+                                   port);
+   if (problem)
+      return GSS_S_FAILURE;
+
+   problem = krb5_sockaddr2address (&sa, address);
+
+   return problem;  
+}
diff --git a/crypto/heimdal/lib/gssapi/copy_ccache.c b/crypto/heimdal/lib/gssapi/copy_ccache.c
new file mode 100644
index 0000000..f91acab
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/copy_ccache.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: copy_ccache.c,v 1.1 2001/01/30 00:35:47 assar Exp $");
+
+OM_uint32
+gss_krb5_copy_ccache(OM_uint32 *minor,
+		     gss_cred_id_t cred,
+		     krb5_ccache out)
+{
+    krb5_error_code kret;
+
+    if (cred->ccache == NULL) {
+	*minor = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    kret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, out);
+    if (kret) {
+	*minor = kret;
+	return GSS_S_FAILURE;
+    }
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/decapsulate.c b/crypto/heimdal/lib/gssapi/decapsulate.c
index e3603c7..b0a0f1e 100644
--- a/crypto/heimdal/lib/gssapi/decapsulate.c
+++ b/crypto/heimdal/lib/gssapi/decapsulate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: decapsulate.c,v 1.5 1999/12/02 17:05:03 joda Exp $");
+RCSID("$Id: decapsulate.c,v 1.6 2000/07/29 05:48:13 assar Exp $");
 
 OM_uint32
 gssapi_krb5_verify_header(u_char **str,
@@ -44,18 +44,20 @@ gssapi_krb5_verify_header(u_char **str,
     int e;
     u_char *p = *str;
 
+    if (total_len < 1)
+	return GSS_S_DEFECTIVE_TOKEN;
     if (*p++ != 0x60)
 	return GSS_S_DEFECTIVE_TOKEN;
     e = der_get_length (p, total_len - 1, &len, &len_len);
     if (e || 1 + len_len + len != total_len)
-	abort ();
+	return GSS_S_DEFECTIVE_TOKEN;
     p += len_len;
     if (*p++ != 0x06)
 	return GSS_S_DEFECTIVE_TOKEN;
     e = der_get_length (p, total_len - 1 - len_len - 1,
 			&mech_len, &foo);
     if (e)
-	abort ();
+	return GSS_S_DEFECTIVE_TOKEN;
     p += foo;
     if (mech_len != GSS_KRB5_MECHANISM->length)
 	return GSS_S_BAD_MECH;
diff --git a/crypto/heimdal/lib/gssapi/encapsulate.c b/crypto/heimdal/lib/gssapi/encapsulate.c
index 1b8636bc..2732b23 100644
--- a/crypto/heimdal/lib/gssapi/encapsulate.c
+++ b/crypto/heimdal/lib/gssapi/encapsulate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: encapsulate.c,v 1.4 1999/12/02 17:05:03 joda Exp $");
+RCSID("$Id: encapsulate.c,v 1.5 2000/08/27 02:46:23 assar Exp $");
 
 void
 gssapi_krb5_encap_length (size_t data_len,
@@ -78,7 +78,7 @@ gssapi_krb5_make_header (u_char *p,
 
 OM_uint32
 gssapi_krb5_encapsulate(
-			krb5_data *in_data,
+			const krb5_data *in_data,
 			gss_buffer_t output_token,
 			u_char *type
 )
@@ -95,6 +95,5 @@ gssapi_krb5_encapsulate(
 
     p = gssapi_krb5_make_header (output_token->value, len, type);
     memcpy (p, in_data->data, in_data->length);
-    krb5_data_free (in_data);
     return GSS_S_COMPLETE;
 }
diff --git a/crypto/heimdal/lib/gssapi/export_sec_context.c b/crypto/heimdal/lib/gssapi/export_sec_context.c
index d982be7..7116f95 100644
--- a/crypto/heimdal/lib/gssapi/export_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/export_sec_context.c
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: export_sec_context.c,v 1.2 2000/02/12 21:25:24 assar Exp $");
+RCSID("$Id: export_sec_context.c,v 1.3 2000/07/08 11:42:22 assar Exp $");
 
 OM_uint32
 gss_export_sec_context (
@@ -44,8 +44,6 @@ gss_export_sec_context (
 {
     krb5_storage *sp;
     krb5_auth_context ac;
-    unsigned char auth_buf[1024];
-    size_t sz;
     int ret;
     krb5_data data;
     gss_buffer_desc buffer;
@@ -97,16 +95,21 @@ gss_export_sec_context (
     krb5_store_int32 (sp, ac->remote_seqnumber);
 
 #if 0
-    ret = encode_Authenticator (auth_buf, sizeof(auth_buf),
-				ac->authenticator, &sz);
-    if (ret) {
-	krb5_storage_free (sp);
-	*minor_status = ret;
-	return GSS_S_FAILURE;
+    {
+	size_t sz;
+	unsigned char auth_buf[1024];
+
+	ret = encode_Authenticator (auth_buf, sizeof(auth_buf),
+				    ac->authenticator, &sz);
+	if (ret) {
+	    krb5_storage_free (sp);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+	data.data   = auth_buf;
+	data.length = sz;
+	krb5_store_data (sp, data);
     }
-    data.data   = auth_buf;
-    data.length = sz;
-    krb5_store_data (sp, data);
 #endif
     krb5_store_int32 (sp, ac->keytype);
     krb5_store_int32 (sp, ac->cksumtype);
diff --git a/crypto/heimdal/lib/gssapi/external.c b/crypto/heimdal/lib/gssapi/external.c
index 19e8306..dca35ea 100644
--- a/crypto/heimdal/lib/gssapi/external.c
+++ b/crypto/heimdal/lib/gssapi/external.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: external.c,v 1.4 1999/12/02 17:05:03 joda Exp $");
+RCSID("$Id: external.c,v 1.5 2000/07/22 03:45:28 assar Exp $");
 
 /*
  * The implementation must reserve static storage for a
@@ -94,15 +94,38 @@ gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
  * gss_OID_desc object containing the value
  * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
  * corresponding to an object-identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 2(gss-host-based-services)}.  The constant
- * GSS_C_NT_HOSTBASED_SERVICE should be initialized to point
- * to that gss_OID_desc.
+ * {iso(1) org(3) dod(6) internet(1) security(5)
+ * nametypes(6) gss-host-based-services(2)).  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+ * to that gss_OID_desc.  This is a deprecated OID value, and
+ * implementations wishing to support hostbased-service names
+ * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+ * defined below, to identify such names;
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+ * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+ * parameter, but should not be emitted by GSS-API
+ * implementations
  */
 
-static gss_OID_desc gss_c_nt_hostbased_service_oid_desc =
+static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc =
 {6, (void *)"\x2b\x06\x01\x05\x06\x02"};
 
+gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x04"}, corresponding to an
+ * object-identifier value of {iso(1) member-body(2)
+ * Unites States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}.  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+ * to point to that gss_OID_desc.
+ */
+static gss_OID_desc gss_c_nt_hostbased_service_oid_desc =
+{10, (void *)"\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04"};
+
 gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
 
 /*
diff --git a/crypto/heimdal/lib/gssapi/get_mic.c b/crypto/heimdal/lib/gssapi/get_mic.c
index 8dd1b6f..a211004 100644
--- a/crypto/heimdal/lib/gssapi/get_mic.c
+++ b/crypto/heimdal/lib/gssapi/get_mic.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,21 +33,23 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: get_mic.c,v 1.11 2000/01/25 23:19:22 assar Exp $");
+RCSID("$Id: get_mic.c,v 1.15 2001/01/29 02:08:58 assar Exp $");
 
-OM_uint32 gss_get_mic
+static OM_uint32
+mic_des
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             gss_qop_t qop_req,
             const gss_buffer_t message_buffer,
-            gss_buffer_t message_token
+            gss_buffer_t message_token,
+	    krb5_keyblock *key
            )
 {
   u_char *p;
   MD5_CTX md5;
   u_char hash[16];
   des_key_schedule schedule;
-  des_cblock key;
+  des_cblock deskey;
   des_cblock zero;
   int32_t seq_number;
   size_t len, total_len;
@@ -56,42 +58,44 @@ OM_uint32 gss_get_mic
 
   message_token->length = total_len;
   message_token->value  = malloc (total_len);
-  if (message_token->value == NULL)
+  if (message_token->value == NULL) {
+    *minor_status = ENOMEM;
     return GSS_S_FAILURE;
+  }
 
   p = gssapi_krb5_make_header(message_token->value,
 			      len,
-			      "\x01\x01");
+			      "\x01\x01"); /* TOK_ID */
 
-  memcpy (p, "\x00\x00", 2);
+  memcpy (p, "\x00\x00", 2);	/* SGN_ALG = DES MAC MD5 */
   p += 2;
-  memcpy (p, "\xff\xff\xff\xff", 4);
+
+  memcpy (p, "\xff\xff\xff\xff", 4); /* Filler */
   p += 4;
 
-  /* Fill in later */
+  /* Fill in later (SND-SEQ) */
   memset (p, 0, 16);
   p += 16;
 
   /* checksum */
-  MD5Init (&md5);
-  MD5Update (&md5, p - 24, 8);
-  MD5Update (&md5, message_buffer->value,
-	     message_buffer->length);
-  MD5Final (hash, &md5);
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, message_buffer->value, message_buffer->length);
+  MD5_Final (hash, &md5);
 
   memset (&zero, 0, sizeof(zero));
-  gss_krb5_getsomekey(context_handle, &key);
-  des_set_key (&key, schedule);
-  des_cbc_cksum ((const void *)hash, (void *)hash, sizeof(hash),
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+  des_set_key (&deskey, schedule);
+  des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
 		 schedule, &zero);
-  memcpy (p - 8, hash, 8);
+  memcpy (p - 8, hash, 8);	/* SGN_CKSUM */
 
   /* sequence number */
   krb5_auth_getlocalseqnumber (gssapi_krb5_context,
 			       context_handle->auth_context,
 			       &seq_number);
 
-  p -= 16;
+  p -= 16;			/* SND_SEQ */
   p[0] = (seq_number >> 0)  & 0xFF;
   p[1] = (seq_number >> 8)  & 0xFF;
   p[2] = (seq_number >> 16) & 0xFF;
@@ -100,16 +104,178 @@ OM_uint32 gss_get_mic
 	  (context_handle->more_flags & LOCAL) ? 0 : 0xFF,
 	  4);
 
-  des_set_key (&key, schedule);
-  des_cbc_encrypt ((const void *)p, (void *)p, 8,
+  des_set_key (&deskey, schedule);
+  des_cbc_encrypt ((void *)p, (void *)p, 8,
 		   schedule, (des_cblock *)(p + 8), DES_ENCRYPT);
 
   krb5_auth_setlocalseqnumber (gssapi_krb5_context,
 			       context_handle->auth_context,
 			       ++seq_number);
   
-  memset (key, 0, sizeof(key));
+  memset (deskey, 0, sizeof(deskey));
   memset (schedule, 0, sizeof(schedule));
   
   return GSS_S_COMPLETE;
 }
+
+static OM_uint32
+mic_des3
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p;
+  Checksum cksum;
+  u_char seq[8];
+
+  int32_t seq_number;
+  size_t len, total_len;
+
+  krb5_crypto crypto;
+  krb5_error_code kret;
+  krb5_data encdata;
+  char *tmp;
+
+  gssapi_krb5_encap_length (36, &len, &total_len);
+
+  message_token->length = total_len;
+  message_token->value  = malloc (total_len);
+  if (message_token->value == NULL) {
+      *minor_status = ENOMEM;
+      return GSS_S_FAILURE;
+  }
+
+  p = gssapi_krb5_make_header(message_token->value,
+			      len,
+			      "\x01\x01"); /* TOK-ID */
+
+  memcpy (p, "\x04\x00", 2);	/* SGN_ALG = HMAC SHA1 DES3-KD */
+  p += 2;
+
+  memcpy (p, "\xff\xff\xff\xff", 4); /* filler */
+  p += 4;
+
+  /* this should be done in parts */
+
+  tmp = malloc (message_buffer->length + 8);
+  if (tmp == NULL) {
+      free (message_token->value);
+      *minor_status = ENOMEM;
+      return GSS_S_FAILURE;
+  }
+  memcpy (tmp, p - 8, 8);
+  memcpy (tmp + 8, message_buffer->value, message_buffer->length);
+
+  kret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
+  if (kret) {
+      free (message_token->value);
+      free (tmp);
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+
+  kret = krb5_create_checksum (gssapi_krb5_context,
+			       crypto,
+			       KRB5_KU_USAGE_SIGN,
+			       tmp,
+			       message_buffer->length + 8,
+			       &cksum);
+  free (tmp);
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (kret) {
+      free (message_token->value);
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+
+  memcpy (p + 8, cksum.checksum.data, cksum.checksum.length);
+
+  /* sequence number */
+  krb5_auth_getlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       &seq_number);
+
+  seq[0] = (seq_number >> 0)  & 0xFF;
+  seq[1] = (seq_number >> 8)  & 0xFF;
+  seq[2] = (seq_number >> 16) & 0xFF;
+  seq[3] = (seq_number >> 24) & 0xFF;
+  memset (seq + 4,
+	  (context_handle->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+  kret = krb5_crypto_init(gssapi_krb5_context, key,
+			  ETYPE_DES3_CBC_NONE, &crypto);
+  if (kret) {
+      free (message_token->value);
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+
+  kret = krb5_encrypt (gssapi_krb5_context,
+		       crypto,
+		       KRB5_KU_USAGE_SEQ,
+		       seq, 8, &encdata);
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (kret) {
+      free (message_token->value);
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+  
+  assert (encdata.length == 8);
+
+  memcpy (p, encdata.data, encdata.length);
+  krb5_data_free (&encdata);
+
+  p += 8 + cksum.checksum.length;
+
+  memcpy (p, message_buffer->value, message_buffer->length);
+
+  krb5_auth_setlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       ++seq_number);
+  
+  free_Checksum (&cksum);
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32 gss_get_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           )
+{
+  krb5_keyblock *key;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+
+  ret = gss_krb5_getsomekey(context_handle, &key);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = mic_des (minor_status, context_handle, qop_req,
+		     message_buffer, message_token, key);
+      break;
+  case KEYTYPE_DES3 :
+      ret = mic_des3 (minor_status, context_handle, qop_req,
+		      message_buffer, message_token, key);
+      break;
+  default :
+      *minor_status = KRB5_PROG_ETYPE_NOSUPP;
+      ret = GSS_S_FAILURE;
+      break;
+  }
+  krb5_free_keyblock (gssapi_krb5_context, key);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/gssapi.h b/crypto/heimdal/lib/gssapi/gssapi.h
index 4c1b606..156a511 100644
--- a/crypto/heimdal/lib/gssapi/gssapi.h
+++ b/crypto/heimdal/lib/gssapi/gssapi.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gssapi.h,v 1.14 1999/12/02 17:05:03 joda Exp $ */
+/* $Id: gssapi.h,v 1.20 2001/01/30 00:35:48 assar Exp $ */
 
 #ifndef GSSAPI_H_
 #define GSSAPI_H_
@@ -55,6 +55,8 @@
 
 typedef u_int32_t OM_uint32;
 
+typedef u_int32_t gss_uint32;
+
 /*
  * This is to avoid having to include <krb5.h>
  */
@@ -89,6 +91,8 @@ typedef struct gss_OID_set_desc_struct  {
 
 struct krb5_keytab_data;
 
+struct krb5_ccache_data;
+
 typedef int gss_cred_usage_t;
 
 typedef struct gss_cred_id_t_desc_struct {
@@ -97,6 +101,7 @@ typedef struct gss_cred_id_t_desc_struct {
   OM_uint32 lifetime;
   gss_cred_usage_t usage;
   gss_OID_set mechanisms;
+  struct krb5_ccache_data *ccache;
 } gss_cred_id_t_desc;
 
 typedef gss_cred_id_t_desc *gss_cred_id_t;
@@ -203,6 +208,9 @@ typedef OM_uint32 gss_qop_t;
  */
 #define GSS_C_QOP_DEFAULT 0
 
+#define GSS_KRB5_CONF_C_QOP_DES		0x0100
+#define GSS_KRB5_CONF_C_QOP_DES3_KD	0x0200
+
 /*
  * Expiration time of 2^32-1 seconds means infinite lifetime for a
  * credential or security context
@@ -253,10 +261,30 @@ extern gss_OID GSS_C_NT_STRING_UID_NAME;
  * gss_OID_desc object containing the value
  * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
  * corresponding to an object-identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 2(gss-host-based-services)}.  The constant
- * GSS_C_NT_HOSTBASED_SERVICE should be initialized to point
- * to that gss_OID_desc.
+ * {iso(1) org(3) dod(6) internet(1) security(5)
+ * nametypes(6) gss-host-based-services(2)).  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+ * to that gss_OID_desc.  This is a deprecated OID value, and
+ * implementations wishing to support hostbased-service names
+ * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+ * defined below, to identify such names;
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+ * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+ * parameter, but should not be emitted by GSS-API
+ * implementations
+ */
+extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x04"}, corresponding to an
+ * object-identifier value of {iso(1) member-body(2)
+ * Unites States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}.  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+ * to point to that gss_OID_desc.
  */
 extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
 
@@ -295,6 +323,10 @@ extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
 
 extern gss_OID GSS_KRB5_MECHANISM;
 
+/* for compatibility with MIT api */
+
+#define gss_mech_krb5 GSS_KRB5_MECHANISM
+
 /* Major status codes */
 
 #define GSS_S_COMPLETE 0
@@ -739,4 +771,9 @@ OM_uint32 gss_unseal
 OM_uint32 gsskrb5_register_acceptor_identity
         (char *identity);
 
+OM_uint32 gss_krb5_copy_ccache
+	(OM_uint32 *minor,
+	 gss_cred_id_t cred,
+	 struct krb5_ccache_data *out);
+
 #endif /* GSSAPI_H_ */
diff --git a/crypto/heimdal/lib/gssapi/gssapi_locl.h b/crypto/heimdal/lib/gssapi/gssapi_locl.h
index 53f9cdc..d8d0624 100644
--- a/crypto/heimdal/lib/gssapi/gssapi_locl.h
+++ b/crypto/heimdal/lib/gssapi/gssapi_locl.h
@@ -31,13 +31,14 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gssapi_locl.h,v 1.12 2000/02/12 21:26:26 assar Exp $ */
+/* $Id: gssapi_locl.h,v 1.14 2000/08/27 04:19:00 assar Exp $ */
 
 #ifndef GSSAPI_LOCL_H
 #define GSSAPI_LOCL_H
 
 #include <krb5_locl.h>
 #include <gssapi.h>
+#include <assert.h>
 
 extern krb5_context gssapi_krb5_context;
 
@@ -47,17 +48,19 @@ krb5_error_code
 gssapi_krb5_create_8003_checksum (
 		      const gss_channel_bindings_t input_chan_bindings,
 		      OM_uint32 flags,
+                      krb5_data *fwd_data,
 		      Checksum *result);
 
 krb5_error_code
 gssapi_krb5_verify_8003_checksum (
 		      const gss_channel_bindings_t input_chan_bindings,
 		      Checksum *cksum,
-		      OM_uint32 *flags);
+		      OM_uint32 *flags,
+                      krb5_data *fwd_data);
 
 OM_uint32
 gssapi_krb5_encapsulate(
-			krb5_data *in_data,
+			const krb5_data *in_data,
 			gss_buffer_t output_token,
 			u_char *type);
 
@@ -84,7 +87,13 @@ gssapi_krb5_verify_header(u_char **str,
 
 OM_uint32
 gss_krb5_getsomekey(const gss_ctx_id_t context_handle,
-		    des_cblock *key);
+		    krb5_keyblock **key);
+
+krb5_error_code
+gss_address_to_krb5addr(OM_uint32 gss_addr_type,
+                        gss_buffer_desc *gss_addr,
+                        int16_t port,
+                        krb5_address *address);
 
 /* sec_context flags */
 
diff --git a/crypto/heimdal/lib/gssapi/import_sec_context.c b/crypto/heimdal/lib/gssapi/import_sec_context.c
index 2667637..7d177a8 100644
--- a/crypto/heimdal/lib/gssapi/import_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/import_sec_context.c
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: import_sec_context.c,v 1.2 2000/02/12 21:26:00 assar Exp $");
+RCSID("$Id: import_sec_context.c,v 1.3 2000/07/08 11:56:03 assar Exp $");
 
 OM_uint32
 gss_import_sec_context (
@@ -51,7 +51,6 @@ gss_import_sec_context (
     krb5_data data;
     gss_buffer_desc buffer;
     krb5_keyblock keyblock;
-    size_t sz;
     int32_t tmp;
     int32_t flags;
 
@@ -121,21 +120,25 @@ gss_import_sec_context (
     krb5_ret_int32 (sp, &ac->remote_seqnumber);
 
 #if 0
-    krb5_ret_data (sp, &data);
-    ac->authenticator = malloc (sizeof (*ac->authenticator));
-    if (ac->authenticator == NULL) {
-	*minor_status = ENOMEM;
-	ret = GSS_S_FAILURE;
-	goto failure;
-    }
-
-    kret = decode_Authenticator (data.data, data.length,
-				 ac->authenticator, &sz);
-    krb5_data_free (&data);
-    if (kret) {
-	*minor_status = kret;
-	ret = GSS_S_FAILURE;
-	goto failure;
+    {
+	    size_t sz;
+
+	    krb5_ret_data (sp, &data);
+	    ac->authenticator = malloc (sizeof (*ac->authenticator));
+	    if (ac->authenticator == NULL) {
+		*minor_status = ENOMEM;
+		ret = GSS_S_FAILURE;
+		goto failure;
+	    }
+
+	    kret = decode_Authenticator (data.data, data.length,
+					 ac->authenticator, &sz);
+	    krb5_data_free (&data);
+	    if (kret) {
+		*minor_status = kret;
+		ret = GSS_S_FAILURE;
+		goto failure;
+	    }
     }
 #endif
 
diff --git a/crypto/heimdal/lib/gssapi/init.c b/crypto/heimdal/lib/gssapi/init.c
index 2c01490..6b19c46 100644
--- a/crypto/heimdal/lib/gssapi/init.c
+++ b/crypto/heimdal/lib/gssapi/init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,11 +33,15 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: init.c,v 1.4 1999/12/02 17:05:04 joda Exp $");
+RCSID("$Id: init.c,v 1.5 2000/12/31 07:58:37 assar Exp $");
 
 void
 gssapi_krb5_init (void)
 {
-    if(gssapi_krb5_context == NULL)
-	krb5_init_context (&gssapi_krb5_context);
+    krb5_error_code ret;
+
+    if(gssapi_krb5_context == NULL) {
+	ret = krb5_init_context (&gssapi_krb5_context);
+	/* and what do we do when that failed? */
+    }
 }
diff --git a/crypto/heimdal/lib/gssapi/init_sec_context.c b/crypto/heimdal/lib/gssapi/init_sec_context.c
index 2f9bbc9..7b05d91 100644
--- a/crypto/heimdal/lib/gssapi/init_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/init_sec_context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,24 +33,163 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: init_sec_context.c,v 1.18 1999/12/26 18:31:36 assar Exp $");
+RCSID("$Id: init_sec_context.c,v 1.25 2001/01/30 22:49:56 assar Exp $");
+
+/*
+ * copy the addresses from `input_chan_bindings' (if any) to
+ * the auth context `ac'
+ */
+
+static OM_uint32
+set_addresses (krb5_auth_context ac,
+	       const gss_channel_bindings_t input_chan_bindings)	       
+{
+    /* Port numbers are expected to be in application_data.value, 
+     * initator's port first */ 
+
+    krb5_address initiator_addr, acceptor_addr;
+    krb5_error_code kret;
+       
+    if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS
+	|| input_chan_bindings->application_data.length !=
+	2 * sizeof(ac->local_port))
+	return 0;
+
+    memset(&initiator_addr, 0, sizeof(initiator_addr));
+    memset(&acceptor_addr, 0, sizeof(acceptor_addr));
+       
+    ac->local_port =
+	*(int16_t *) input_chan_bindings->application_data.value;
+       
+    ac->remote_port =
+	*((int16_t *) input_chan_bindings->application_data.value + 1);
+       
+    kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
+				   &input_chan_bindings->acceptor_address,
+				   ac->remote_port,
+				   &acceptor_addr);
+    if (kret)
+	return kret;
+           
+    kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
+				   &input_chan_bindings->initiator_address,
+				   ac->local_port,
+				   &initiator_addr);
+    if (kret) {
+	krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+	return kret;
+    }
+       
+    kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
+				  ac,
+				  &initiator_addr,  /* local address */
+				  &acceptor_addr);  /* remote address */
+       
+    krb5_free_address (gssapi_krb5_context, &initiator_addr);
+    krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+       
+#if 0
+    free(input_chan_bindings->application_data.value);
+    input_chan_bindings->application_data.value = NULL;
+    input_chan_bindings->application_data.length = 0;
+#endif
+
+    return kret;
+}
+
+/*
+ * handle delegated creds in init-sec-context
+ */
+
+static void
+do_delegation (krb5_auth_context ac,
+	       krb5_ccache ccache,
+	       krb5_creds *cred,
+	       const gss_name_t target_name,
+	       krb5_data *fwd_data,
+	       int *flags)
+{
+    krb5_creds creds;
+    krb5_kdc_flags fwd_flags;
+    krb5_keyblock *subkey;
+    krb5_error_code kret;
+       
+    memset (&creds, 0, sizeof(creds));
+    krb5_data_zero (fwd_data);
+       
+    kret = krb5_generate_subkey (gssapi_krb5_context, &cred->session, &subkey);
+    if (kret)
+	goto out;
+       
+    kret = krb5_auth_con_setlocalsubkey(gssapi_krb5_context, ac, subkey);
+    krb5_free_keyblock (gssapi_krb5_context, subkey);
+    if (kret)
+	goto out;
+       
+    kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, &creds.client);
+    if (kret) 
+	goto out;
+       
+    kret = krb5_build_principal(gssapi_krb5_context,
+				&creds.server,
+				strlen(creds.client->realm),
+				creds.client->realm,
+				KRB5_TGS_NAME,
+				creds.client->realm,
+				NULL);
+    if (kret)
+	goto out; 
+       
+    creds.times.endtime = 0;
+       
+    fwd_flags.i = 0;
+    fwd_flags.b.forwarded = 1;
+    fwd_flags.b.forwardable = 1;
+       
+    if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/
+	target_name->name.name_string.len < 2) 
+	goto out;
+       
+    kret = krb5_get_forwarded_creds(gssapi_krb5_context,
+				    ac,
+				    ccache,
+				    fwd_flags.i,
+				    target_name->name.name_string.val[1],
+				    &creds,
+				    fwd_data);
+       
+ out:
+    if (kret)
+	*flags &= ~GSS_C_DELEG_FLAG;
+    else
+	*flags |= GSS_C_DELEG_FLAG;
+       
+    if (creds.client)
+	krb5_free_principal(gssapi_krb5_context, creds.client);
+    if (creds.server)
+	krb5_free_principal(gssapi_krb5_context, creds.server);
+}
+
+/*
+ * first stage of init-sec-context
+ */
 
 static OM_uint32
 init_auth
-           (OM_uint32 * minor_status,
-            const gss_cred_id_t initiator_cred_handle,
-            gss_ctx_id_t * context_handle,
-            const gss_name_t target_name,
-            const gss_OID mech_type,
-            OM_uint32 req_flags,
-            OM_uint32 time_req,
-            const gss_channel_bindings_t input_chan_bindings,
-            const gss_buffer_t input_token,
-            gss_OID * actual_mech_type,
-            gss_buffer_t output_token,
-            OM_uint32 * ret_flags,
-            OM_uint32 * time_rec
-           )
+(OM_uint32 * minor_status,
+ const gss_cred_id_t initiator_cred_handle,
+ gss_ctx_id_t * context_handle,
+ const gss_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+    )
 {
     OM_uint32 ret = GSS_S_FAILURE;
     krb5_error_code kret;
@@ -63,12 +202,13 @@ init_auth
     krb5_data authenticator;
     Checksum cksum;
     krb5_enctype enctype;
+    krb5_data fwd_data;
 
     output_token->length = 0;
     output_token->value  = NULL;
 
-    outbuf.length = 0;
-    outbuf.data   = NULL;
+    krb5_data_zero(&outbuf);
+    krb5_data_zero(&fwd_data);
 
     *minor_status = 0;
 
@@ -78,12 +218,12 @@ init_auth
 	return GSS_S_FAILURE;
     }
 
-    (*context_handle)->auth_context =  NULL;
-    (*context_handle)->source = NULL;
-    (*context_handle)->target = NULL;
-    (*context_handle)->flags = 0;
-    (*context_handle)->more_flags = 0;
-    (*context_handle)->ticket = NULL;
+    (*context_handle)->auth_context = NULL;
+    (*context_handle)->source       = NULL;
+    (*context_handle)->target       = NULL;
+    (*context_handle)->flags        = 0;
+    (*context_handle)->more_flags   = 0;
+    (*context_handle)->ticket       = NULL;
 
     kret = krb5_auth_con_init (gssapi_krb5_context,
 			       &(*context_handle)->auth_context);
@@ -93,6 +233,14 @@ init_auth
 	goto failure;
     }
 
+    kret = set_addresses ((*context_handle)->auth_context,
+			  input_chan_bindings);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_BAD_BINDINGS;
+	goto failure;
+    }
+       
     {
 	int32_t tmp;
 
@@ -108,36 +256,15 @@ init_auth
     if (actual_mech_type)
 	*actual_mech_type = GSS_KRB5_MECHANISM;
 
-    flags = 0;
-    ap_options = 0;
-    if (req_flags & GSS_C_DELEG_FLAG)
-	;				/* XXX */
-    if (req_flags & GSS_C_MUTUAL_FLAG) {
-	flags |= GSS_C_MUTUAL_FLAG;
-	ap_options |= AP_OPTS_MUTUAL_REQUIRED;
-    }
-    if (req_flags & GSS_C_REPLAY_FLAG)
-	;				/* XXX */
-    if (req_flags & GSS_C_SEQUENCE_FLAG)
-	;				/* XXX */
-    if (req_flags & GSS_C_ANON_FLAG)
-	;				/* XXX */
-    flags |= GSS_C_CONF_FLAG;
-    flags |= GSS_C_INTEG_FLAG;
-    flags |= GSS_C_SEQUENCE_FLAG;
-    flags |= GSS_C_TRANS_FLAG;
-
-    if (ret_flags)
-	*ret_flags = flags;
-    (*context_handle)->flags = flags;
-    (*context_handle)->more_flags = LOCAL;
-
-    kret = krb5_cc_default (gssapi_krb5_context, &ccache);
-    if (kret) {
-	*minor_status = kret;
-	ret = GSS_S_FAILURE;
-	goto failure;
-    }
+    if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) {
+	kret = krb5_cc_default (gssapi_krb5_context, &ccache);
+	if (kret) {
+	    *minor_status = kret;
+	    ret = GSS_S_FAILURE;
+	    goto failure;
+	}
+    } else
+	ccache = initiator_cred_handle->ccache;
 
     kret = krb5_cc_get_principal (gssapi_krb5_context,
 				  ccache,
@@ -160,8 +287,14 @@ init_auth
     memset(&this_cred, 0, sizeof(this_cred));
     this_cred.client          = (*context_handle)->source;
     this_cred.server          = (*context_handle)->target;
-    this_cred.times.endtime   = 0;
-    this_cred.session.keytype = ETYPE_DES_CBC_CRC;
+    if (time_req) {
+	krb5_timestamp ts;
+
+	krb5_timeofday (gssapi_krb5_context, &ts);
+	this_cred.times.endtime = ts + time_req;
+    } else
+	this_cred.times.endtime   = 0;
+    this_cred.session.keytype = 0;
   
     kret = krb5_get_credentials (gssapi_krb5_context,
 				 KRB5_TC_MATCH_KEYTYPE,
@@ -179,9 +312,38 @@ init_auth
 			 (*context_handle)->auth_context, 
 			 &cred->session);
   
+    flags = 0;
+    ap_options = 0;
+    if (req_flags & GSS_C_DELEG_FLAG)
+	do_delegation ((*context_handle)->auth_context,
+		       ccache, cred, target_name, &fwd_data, &flags);
+       
+    if (req_flags & GSS_C_MUTUAL_FLAG) {
+	flags |= GSS_C_MUTUAL_FLAG;
+	ap_options |= AP_OPTS_MUTUAL_REQUIRED;
+    }
+    
+    if (req_flags & GSS_C_REPLAY_FLAG)
+	;                               /* XXX */
+    if (req_flags & GSS_C_SEQUENCE_FLAG)
+	;                               /* XXX */
+    if (req_flags & GSS_C_ANON_FLAG)
+	;                               /* XXX */
+    flags |= GSS_C_CONF_FLAG;
+    flags |= GSS_C_INTEG_FLAG;
+    flags |= GSS_C_SEQUENCE_FLAG;
+    flags |= GSS_C_TRANS_FLAG;
+    
+    if (ret_flags)
+	*ret_flags = flags;
+    (*context_handle)->flags = flags;
+    (*context_handle)->more_flags = LOCAL;
+    
     kret = gssapi_krb5_create_8003_checksum (input_chan_bindings,
 					     flags,
+					     &fwd_data,
 					     &cksum);
+    krb5_data_free (&fwd_data);
     if (kret) {
 	*minor_status = kret;
 	ret = GSS_S_FAILURE;
@@ -202,15 +364,14 @@ init_auth
     }
 #endif
 
-
-
     kret = krb5_build_authenticator (gssapi_krb5_context,
 				     (*context_handle)->auth_context,
 				     enctype,
 				     cred,
 				     &cksum,
 				     &auth,
-				     &authenticator);
+				     &authenticator,
+				     KRB5_KU_AP_REQ_AUTH);
 
     if (kret) {
 	*minor_status = kret;
@@ -231,14 +392,14 @@ init_auth
 	goto failure;
     }
 
-    ret = gssapi_krb5_encapsulate (&outbuf,
-				   output_token,
-				   "\x01\x00");
+    ret = gssapi_krb5_encapsulate (&outbuf, output_token, "\x01\x00");
     if (ret) {
 	*minor_status = kret;
 	goto failure;
     }
 
+    krb5_data_free (&outbuf);
+
     if (flags & GSS_C_MUTUAL_FLAG) {
 	return GSS_S_CONTINUE_NEEDED;
     } else {
@@ -246,7 +407,7 @@ init_auth
 	return GSS_S_COMPLETE;
     }
 
-failure:
+ failure:
     krb5_auth_con_free (gssapi_krb5_context,
 			(*context_handle)->auth_context);
     if((*context_handle)->source)
@@ -278,33 +439,31 @@ repl_mutual
             OM_uint32 * time_rec
            )
 {
-  OM_uint32 ret;
-  krb5_error_code kret;
-  krb5_data indata;
-  krb5_ap_rep_enc_part *repl;
-
-  ret = gssapi_krb5_decapsulate (input_token,
-				 &indata,
-				 "\x02\x00");
-  if (ret) {
+    OM_uint32 ret;
+    krb5_error_code kret;
+    krb5_data indata;
+    krb5_ap_rep_enc_part *repl;
+
+    ret = gssapi_krb5_decapsulate (input_token, &indata, "\x02\x00");
+    if (ret) {
 				/* XXX - Handle AP_ERROR */
-    return GSS_S_FAILURE;
-  }
+	return GSS_S_FAILURE;
+    }
 
-  kret = krb5_rd_rep (gssapi_krb5_context,
-		      (*context_handle)->auth_context,
-		      &indata,
-		      &repl);
-  if (kret)
-    return GSS_S_FAILURE;
-  krb5_free_ap_rep_enc_part (gssapi_krb5_context,
-			     repl);
+    kret = krb5_rd_rep (gssapi_krb5_context,
+			(*context_handle)->auth_context,
+			&indata,
+			&repl);
+    if (kret)
+	return GSS_S_FAILURE;
+    krb5_free_ap_rep_enc_part (gssapi_krb5_context,
+			       repl);
 
-  output_token->length = 0;
+    output_token->length = 0;
 
-  (*context_handle)->more_flags |= OPEN;
+    (*context_handle)->more_flags |= OPEN;
 
-  return GSS_S_COMPLETE;
+    return GSS_S_COMPLETE;
 }
 
 /*
@@ -327,34 +486,34 @@ OM_uint32 gss_init_sec_context
             OM_uint32 * time_rec
            )
 {
-  gssapi_krb5_init ();
-
-  if (input_token == GSS_C_NO_BUFFER || input_token->length == 0)
-    return init_auth (minor_status,
-		      initiator_cred_handle,
-		      context_handle,
-		      target_name,
-		      mech_type,
-		      req_flags,
-		      time_req,
-		      input_chan_bindings,
-		      input_token,
-		      actual_mech_type,
-		      output_token,
-		      ret_flags,
-		      time_rec);
-  else
-    return repl_mutual(minor_status,
-		       initiator_cred_handle,
-		       context_handle,
-		       target_name,
-		       mech_type,
-		       req_flags,
-		       time_req,
-		       input_chan_bindings,
-		       input_token,
-		       actual_mech_type,
-		       output_token,
-		       ret_flags,
-		       time_rec);
+    gssapi_krb5_init ();
+
+    if (input_token == GSS_C_NO_BUFFER || input_token->length == 0)
+	return init_auth (minor_status,
+			  initiator_cred_handle,
+			  context_handle,
+			  target_name,
+			  mech_type,
+			  req_flags,
+			  time_req,
+			  input_chan_bindings,
+			  input_token,
+			  actual_mech_type,
+			  output_token,
+			  ret_flags,
+			  time_rec);
+    else
+	return repl_mutual(minor_status,
+			   initiator_cred_handle,
+			   context_handle,
+			   target_name,
+			   mech_type,
+			   req_flags,
+			   time_req,
+			   input_chan_bindings,
+			   input_token,
+			   actual_mech_type,
+			   output_token,
+			   ret_flags,
+			   time_rec);
 }
diff --git a/crypto/heimdal/lib/gssapi/release_buffer.c b/crypto/heimdal/lib/gssapi/release_buffer.c
index 85f971f..f399a18 100644
--- a/crypto/heimdal/lib/gssapi/release_buffer.c
+++ b/crypto/heimdal/lib/gssapi/release_buffer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: release_buffer.c,v 1.3 1999/12/02 17:05:04 joda Exp $");
+RCSID("$Id: release_buffer.c,v 1.4 2000/04/12 09:47:23 assar Exp $");
 
 OM_uint32 gss_release_buffer
            (OM_uint32 * minor_status,
@@ -41,6 +41,7 @@ OM_uint32 gss_release_buffer
            )
 {
   free (buffer->value);
+  buffer->value  = NULL;
   buffer->length = 0;
   return GSS_S_COMPLETE;
 }
diff --git a/crypto/heimdal/lib/gssapi/release_cred.c b/crypto/heimdal/lib/gssapi/release_cred.c
index 0ee876e..87ad512 100644
--- a/crypto/heimdal/lib/gssapi/release_cred.c
+++ b/crypto/heimdal/lib/gssapi/release_cred.c
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: release_cred.c,v 1.4 1999/12/02 17:05:04 joda Exp $");
+RCSID("$Id: release_cred.c,v 1.5 2001/01/30 00:49:05 assar Exp $");
 
 OM_uint32 gss_release_cred
            (OM_uint32 * minor_status,
@@ -49,6 +49,8 @@ OM_uint32 gss_release_cred
     krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
     if ((*cred_handle)->keytab != NULL)
 	krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
+    if ((*cred_handle)->ccache != NULL)
+	krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
     gss_release_oid_set(NULL, &(*cred_handle)->mechanisms);
     free(*cred_handle);
     *cred_handle = GSS_C_NO_CREDENTIAL;
diff --git a/crypto/heimdal/lib/gssapi/release_name.c b/crypto/heimdal/lib/gssapi/release_name.c
index 7c0fcd3..ce18a91 100644
--- a/crypto/heimdal/lib/gssapi/release_name.c
+++ b/crypto/heimdal/lib/gssapi/release_name.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: release_name.c,v 1.4 1999/12/02 17:05:04 joda Exp $");
+RCSID("$Id: release_name.c,v 1.5 2000/04/12 09:48:27 assar Exp $");
 
 OM_uint32 gss_release_name
            (OM_uint32 * minor_status,
@@ -43,5 +43,6 @@ OM_uint32 gss_release_name
   gssapi_krb5_init ();
   krb5_free_principal(gssapi_krb5_context,
 		      *input_name);
+  *input_name = GSS_C_NO_NAME;
   return GSS_S_COMPLETE;
 }
diff --git a/crypto/heimdal/lib/gssapi/release_oid_set.c b/crypto/heimdal/lib/gssapi/release_oid_set.c
index fe7171e..4225788 100644
--- a/crypto/heimdal/lib/gssapi/release_oid_set.c
+++ b/crypto/heimdal/lib/gssapi/release_oid_set.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: release_oid_set.c,v 1.3 1999/12/02 17:05:04 joda Exp $");
+RCSID("$Id: release_oid_set.c,v 1.4 2000/04/19 13:06:13 assar Exp $");
 
 OM_uint32 gss_release_oid_set
            (OM_uint32 * minor_status,
@@ -42,5 +42,6 @@ OM_uint32 gss_release_oid_set
 {
   free ((*set)->elements);
   free (*set);
+  *set = GSS_C_NO_OID_SET;
   return GSS_S_COMPLETE;
 }
diff --git a/crypto/heimdal/lib/gssapi/unwrap.c b/crypto/heimdal/lib/gssapi/unwrap.c
index 210bab1..588517e 100644
--- a/crypto/heimdal/lib/gssapi/unwrap.c
+++ b/crypto/heimdal/lib/gssapi/unwrap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,11 +33,11 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: unwrap.c,v 1.11 2000/01/25 23:13:38 assar Exp $");
+RCSID("$Id: unwrap.c,v 1.15 2001/01/29 02:08:58 assar Exp $");
 
 OM_uint32
 gss_krb5_getsomekey(const gss_ctx_id_t context_handle,
-		    des_cblock *key)
+		    krb5_keyblock **key)
 {
     /* XXX this is ugly, and probably incorrect... */
     krb5_keyblock *skey;
@@ -54,18 +54,19 @@ gss_krb5_getsomekey(const gss_ctx_id_t context_handle,
 			     &skey);
     if(skey == NULL)
 	return GSS_S_FAILURE;
-    memcpy(key, skey->keyvalue.data, sizeof(*key));
-    krb5_free_keyblock(gssapi_krb5_context, skey);
+    *key = skey;
     return 0;
 }
 
-OM_uint32 gss_unwrap
+static OM_uint32
+unwrap_des
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             const gss_buffer_t input_message_buffer,
             gss_buffer_t output_message_buffer,
             int * conf_state,
-            gss_qop_t * qop_state
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key
            )
 {
   u_char *p, *pad;
@@ -73,7 +74,7 @@ OM_uint32 gss_unwrap
   MD5_CTX md5;
   u_char hash[16], seq_data[8];
   des_key_schedule schedule;
-  des_cblock key;
+  des_cblock deskey;
   des_cblock zero;
   int i;
   int32_t seq_number;
@@ -109,19 +110,20 @@ OM_uint32 gss_unwrap
 
   if(cstate) {
       /* decrypt data */
-      gss_krb5_getsomekey(context_handle, &key);
-      for (i = 0; i < sizeof(key); ++i)
-	  key[i] ^= 0xf0;
-      des_set_key (&key, schedule);
+      memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+
+      for (i = 0; i < sizeof(deskey); ++i)
+	  deskey[i] ^= 0xf0;
+      des_set_key (&deskey, schedule);
       memset (&zero, 0, sizeof(zero));
-      des_cbc_encrypt ((const void *)p,
+      des_cbc_encrypt ((void *)p,
 		       (void *)p,
 		       input_message_buffer->length - len,
 		       schedule,
 		       &zero,
 		       DES_DECRYPT);
       
-      memset (key, 0, sizeof(key));
+      memset (deskey, 0, sizeof(deskey));
       memset (schedule, 0, sizeof(schedule));
   }
   /* check pad */
@@ -134,15 +136,15 @@ OM_uint32 gss_unwrap
   if (i != 0)
     return GSS_S_BAD_MIC;
 
-  MD5Init (&md5);
-  MD5Update (&md5, p - 24, 8);
-  MD5Update (&md5, p, input_message_buffer->length - len);
-  MD5Final (hash, &md5);
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, p, input_message_buffer->length - len);
+  MD5_Final (hash, &md5);
 
   memset (&zero, 0, sizeof(zero));
-  gss_krb5_getsomekey(context_handle, &key);
-  des_set_key (&key, schedule);
-  des_cbc_cksum ((const void *)hash, (void *)hash, sizeof(hash),
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+  des_set_key (&deskey, schedule);
+  des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
 		 schedule, &zero);
   if (memcmp (p - 8, hash, 8) != 0)
     return GSS_S_BAD_MIC;
@@ -161,11 +163,11 @@ OM_uint32 gss_unwrap
 	  4);
 
   p -= 16;
-  des_set_key (&key, schedule);
-  des_cbc_encrypt ((const void *)p, (void *)p, 8,
+  des_set_key (&deskey, schedule);
+  des_cbc_encrypt ((void *)p, (void *)p, 8,
 		   schedule, (des_cblock *)hash, DES_DECRYPT);
 
-  memset (key, 0, sizeof(key));
+  memset (deskey, 0, sizeof(deskey));
   memset (schedule, 0, sizeof(schedule));
 
   if (memcmp (p, seq_data, 8) != 0) {
@@ -179,7 +181,7 @@ OM_uint32 gss_unwrap
   /* copy out data */
 
   output_message_buffer->length = input_message_buffer->length
-    - len - 8 - padlength;
+    - len - padlength - 8;
   output_message_buffer->value  = malloc(output_message_buffer->length);
   if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
       return GSS_S_FAILURE;
@@ -188,3 +190,217 @@ OM_uint32 gss_unwrap
 	  output_message_buffer->length);
   return GSS_S_COMPLETE;
 }
+
+static OM_uint32
+unwrap_des3
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p, *pad;
+  size_t len;
+  u_char seq[8];
+  krb5_data seq_data;
+  u_char cksum[20];
+  int i;
+  int32_t seq_number;
+  size_t padlength;
+  OM_uint32 ret;
+  int cstate;
+  krb5_crypto crypto;
+  Checksum csum;
+  int cmp;
+
+  p = input_message_buffer->value;
+  ret = gssapi_krb5_verify_header (&p,
+				   input_message_buffer->length,
+				   "\x02\x01");
+  if (ret)
+      return ret;
+
+  if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
+    return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\x02\x00", 2) == 0) {
+    cstate = 1;
+  } else if (memcmp (p, "\xff\xff", 2) == 0) {
+    cstate = 0;
+  } else
+    return GSS_S_BAD_MIC;
+  p += 2;
+  if(conf_state != NULL)
+    *conf_state = cstate;
+  if (memcmp (p, "\xff\xff", 2) != 0)
+    return GSS_S_DEFECTIVE_TOKEN;
+  p += 2;
+  p += 28;
+
+  len = p - (u_char *)input_message_buffer->value;
+
+  if(cstate) {
+      /* decrypt data */
+      krb5_data tmp;
+
+      ret = krb5_crypto_init(gssapi_krb5_context, key,
+			     ETYPE_DES3_CBC_NONE, &crypto);
+      if (ret) {
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      ret = krb5_decrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL,
+			 p, input_message_buffer->length - len, &tmp);
+      krb5_crypto_destroy(gssapi_krb5_context, crypto);
+      if (ret) {
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      assert (tmp.length == input_message_buffer->length - len);
+
+      memcpy (p, tmp.data, tmp.length);
+      krb5_data_free(&tmp);
+  }
+  /* check pad */
+
+  pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1;
+  padlength = *pad;
+
+  for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
+    ;
+  if (i != 0)
+    return GSS_S_BAD_MIC;
+
+  /* verify sequence number */
+  
+  krb5_auth_getremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				&seq_number);
+  seq[0] = (seq_number >> 0)  & 0xFF;
+  seq[1] = (seq_number >> 8)  & 0xFF;
+  seq[2] = (seq_number >> 16) & 0xFF;
+  seq[3] = (seq_number >> 24) & 0xFF;
+  memset (seq + 4,
+	  (context_handle->more_flags & LOCAL) ? 0xFF : 0,
+	  4);
+
+  p -= 28;
+
+  ret = krb5_crypto_init(gssapi_krb5_context, key,
+			 ETYPE_DES3_CBC_NONE_IVEC, &crypto);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  {
+      des_cblock ivec;
+
+      memcpy(&ivec, p + 8, 8);
+      ret = krb5_decrypt_ivec (gssapi_krb5_context,
+			       crypto,
+			       KRB5_KU_USAGE_SEQ,
+			       p, 8, &seq_data,
+			       &ivec);
+  }
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  if (seq_data.length != 8) {
+      krb5_data_free (&seq_data);
+      return GSS_S_BAD_MIC;
+  }
+
+  cmp = memcmp (seq, seq_data.data, seq_data.length);
+  krb5_data_free (&seq_data);
+  if (cmp != 0) {
+      return GSS_S_BAD_MIC;
+  }
+
+  krb5_auth_setremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				++seq_number);
+
+  /* verify checksum */
+
+  memcpy (cksum, p + 8, 20);
+
+  memcpy (p + 20, p - 8, 8);
+
+  csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
+  csum.checksum.length = 20;
+  csum.checksum.data   = cksum;
+
+  ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  ret = krb5_verify_checksum (gssapi_krb5_context, crypto,
+			      KRB5_KU_USAGE_SIGN,
+			      p + 20,
+			      input_message_buffer->length - len + 8,
+			      &csum);
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  /* copy out data */
+
+  output_message_buffer->length = input_message_buffer->length
+    - len - padlength - 8;
+  output_message_buffer->value  = malloc(output_message_buffer->length);
+  if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+      return GSS_S_FAILURE;
+  memcpy (output_message_buffer->value,
+	  p + 36,
+	  output_message_buffer->length);
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32 gss_unwrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state
+           )
+{
+  krb5_keyblock *key;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+
+  ret = gss_krb5_getsomekey(context_handle, &key);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = unwrap_des (minor_status, context_handle,
+			input_message_buffer, output_message_buffer,
+			conf_state, qop_state, key);
+      break;
+  case KEYTYPE_DES3 :
+      ret = unwrap_des3 (minor_status, context_handle,
+			 input_message_buffer, output_message_buffer,
+			 conf_state, qop_state, key);
+      break;
+  default :
+      *minor_status = KRB5_PROG_ETYPE_NOSUPP;
+      ret = GSS_S_FAILURE;
+      break;
+  }
+  krb5_free_keyblock (gssapi_krb5_context, key);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/verify_mic.c b/crypto/heimdal/lib/gssapi/verify_mic.c
index 1cc4c52..608de67 100644
--- a/crypto/heimdal/lib/gssapi/verify_mic.c
+++ b/crypto/heimdal/lib/gssapi/verify_mic.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,22 +33,24 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: verify_mic.c,v 1.9 2000/01/25 23:14:47 assar Exp $");
+RCSID("$Id: verify_mic.c,v 1.12 2001/01/29 02:08:59 assar Exp $");
 
-OM_uint32 gss_verify_mic
+static OM_uint32
+verify_mic_des
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             const gss_buffer_t message_buffer,
             const gss_buffer_t token_buffer,
-            gss_qop_t * qop_state
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key
 	    )
 {
   u_char *p;
   MD5_CTX md5;
   u_char hash[16], seq_data[8];
   des_key_schedule schedule;
-  des_cblock key;
   des_cblock zero;
+  des_cblock deskey;
   int32_t seq_number;
   OM_uint32 ret;
 
@@ -68,25 +70,20 @@ OM_uint32 gss_verify_mic
   p += 16;
 
   /* verify checksum */
-  MD5Init (&md5);
-  MD5Update (&md5, p - 24, 8);
-  MD5Update (&md5, message_buffer->value,
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, message_buffer->value,
 	     message_buffer->length);
-  MD5Final (hash, &md5);
+  MD5_Final (hash, &md5);
 
   memset (&zero, 0, sizeof(zero));
-#if 0
-  memcpy (&key, context_handle->auth_context->key.keyvalue.data,
-	  sizeof(key));
-#endif
-  memcpy (&key, context_handle->auth_context->remote_subkey->keyvalue.data,
-	  sizeof(key));
-
-  des_set_key (&key, schedule);
-  des_cbc_cksum ((const void *)hash, (void *)hash, sizeof(hash),
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+
+  des_set_key (&deskey, schedule);
+  des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
 		 schedule, &zero);
   if (memcmp (p - 8, hash, 8) != 0) {
-    memset (key, 0, sizeof(key));
+    memset (deskey, 0, sizeof(deskey));
     memset (schedule, 0, sizeof(schedule));
     return GSS_S_BAD_MIC;
   }
@@ -105,11 +102,11 @@ OM_uint32 gss_verify_mic
 	  4);
 
   p -= 16;
-  des_set_key (&key, schedule);
-  des_cbc_encrypt ((const void *)p, (void *)p, 8,
+  des_set_key (&deskey, schedule);
+  des_cbc_encrypt ((void *)p, (void *)p, 8,
 		   schedule, (des_cblock *)hash, DES_DECRYPT);
 
-  memset (key, 0, sizeof(key));
+  memset (deskey, 0, sizeof(deskey));
   memset (schedule, 0, sizeof(schedule));
 
   if (memcmp (p, seq_data, 8) != 0) {
@@ -122,3 +119,153 @@ OM_uint32 gss_verify_mic
 
   return GSS_S_COMPLETE;
 }
+
+static OM_uint32
+verify_mic_des3
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key
+	    )
+{
+  u_char *p;
+  u_char seq[8];
+  int32_t seq_number;
+  OM_uint32 ret;
+  krb5_crypto crypto;
+  krb5_data seq_data;
+  int cmp;
+  Checksum csum;
+  char *tmp;
+  
+  p = token_buffer->value;
+  ret = gssapi_krb5_verify_header (&p,
+				   token_buffer->length,
+				   "\x01\x01");
+  if (ret)
+      return ret;
+
+  if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */
+      return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
+    return GSS_S_BAD_MIC;
+  p += 4;
+
+  ret = krb5_crypto_init(gssapi_krb5_context, key,
+			 ETYPE_DES3_CBC_NONE, &crypto);
+  if (ret){
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  /* verify sequence number */
+
+  ret = krb5_decrypt (gssapi_krb5_context,
+		      crypto,
+		      KRB5_KU_USAGE_SEQ,
+		      p, 8, &seq_data);
+  if (ret) {
+      krb5_crypto_destroy (gssapi_krb5_context, crypto);
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  if (seq_data.length != 8) {
+      krb5_crypto_destroy (gssapi_krb5_context, crypto);
+      krb5_data_free (&seq_data);
+      return GSS_S_BAD_MIC;
+  }
+
+  krb5_auth_getremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				&seq_number);
+  seq[0] = (seq_number >> 0)  & 0xFF;
+  seq[1] = (seq_number >> 8)  & 0xFF;
+  seq[2] = (seq_number >> 16) & 0xFF;
+  seq[3] = (seq_number >> 24) & 0xFF;
+  memset (seq + 4,
+	  (context_handle->more_flags & LOCAL) ? 0xFF : 0,
+	  4);
+  cmp = memcmp (seq, seq_data.data, seq_data.length);
+  krb5_data_free (&seq_data);
+  if (cmp != 0) {
+      krb5_crypto_destroy (gssapi_krb5_context, crypto);
+      return GSS_S_BAD_MIC;
+  }
+
+  /* verify checksum */
+
+  tmp = malloc (message_buffer->length + 8);
+  if (tmp == NULL) {
+      krb5_crypto_destroy (gssapi_krb5_context, crypto);
+      *minor_status = ENOMEM;
+      return GSS_S_FAILURE;
+  }
+
+  memcpy (tmp, p - 8, 8);
+  memcpy (tmp + 8, message_buffer->value, message_buffer->length);
+
+  csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
+  csum.checksum.length = 20;
+  csum.checksum.data   = p + 8;
+
+  ret = krb5_verify_checksum (gssapi_krb5_context, crypto,
+			      KRB5_KU_USAGE_SIGN,
+			      tmp, message_buffer->length + 8,
+			      &csum);
+  free (tmp);
+  if (ret) {
+      krb5_crypto_destroy (gssapi_krb5_context, crypto);
+      *minor_status = ret;
+      return GSS_S_BAD_MIC;
+  }
+
+  krb5_auth_setremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				++seq_number);
+
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gss_verify_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state
+	    )
+{
+    krb5_keyblock *key;
+    OM_uint32 ret;
+    krb5_keytype keytype;
+
+    ret = krb5_auth_con_getremotesubkey (gssapi_krb5_context,
+					 context_handle->auth_context,
+					 &key);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+    krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+    switch (keytype) {
+    case KEYTYPE_DES :
+	ret = verify_mic_des (minor_status, context_handle,
+			      message_buffer, token_buffer, qop_state, key);
+	break;
+    case KEYTYPE_DES3 :
+	ret = verify_mic_des3 (minor_status, context_handle,
+			       message_buffer, token_buffer, qop_state, key);
+	break;
+    default :
+	*minor_status = KRB5_PROG_ETYPE_NOSUPP;
+	ret = GSS_S_FAILURE;
+	break;
+    }
+    krb5_free_keyblock (gssapi_krb5_context, key);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/wrap.c b/crypto/heimdal/lib/gssapi/wrap.c
index c71f2b1..1d9f51d 100644
--- a/crypto/heimdal/lib/gssapi/wrap.c
+++ b/crypto/heimdal/lib/gssapi/wrap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,9 +33,26 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: wrap.c,v 1.11 2000/01/25 23:15:44 assar Exp $");
+RCSID("$Id: wrap.c,v 1.15 2001/01/29 02:08:59 assar Exp $");
 
-OM_uint32 gss_wrap_size_limit (
+static OM_uint32
+sub_wrap_size (
+            OM_uint32 req_output_size,
+            OM_uint32 * max_input_size,
+	    int blocksize,
+	    int extrasize
+           )
+{
+  size_t len, total_len, padlength;
+  padlength = blocksize - (req_output_size % blocksize);
+  len = req_output_size + 8 + padlength + extrasize;
+  gssapi_krb5_encap_length(len, &len, &total_len);
+  *max_input_size = (OM_uint32)total_len;
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gss_wrap_size_limit (
             OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             int conf_req_flag,
@@ -44,36 +61,58 @@ OM_uint32 gss_wrap_size_limit (
             OM_uint32 * max_input_size
            )
 {
-  size_t len, total_len, padlength;
-  padlength = 8 - (req_output_size % 8);
-  len = req_output_size + 8 + padlength + 22;
-  gssapi_krb5_encap_length(len, &len, &total_len);
-  *max_input_size = (OM_uint32)total_len;
-  return GSS_S_COMPLETE;
+  krb5_keyblock *key;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+
+  ret = gss_krb5_getsomekey(context_handle, &key);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = sub_wrap_size(req_output_size, max_input_size, 8, 22);
+      break;
+  case KEYTYPE_DES3 :
+      ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
+      break;
+  default :
+      *minor_status = KRB5_PROG_ETYPE_NOSUPP;
+      ret = GSS_S_FAILURE;
+      break;
+  }
+  krb5_free_keyblock (gssapi_krb5_context, key);
+  return ret;
 }
 
-OM_uint32 gss_wrap
+static OM_uint32
+wrap_des
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             int conf_req_flag,
             gss_qop_t qop_req,
             const gss_buffer_t input_message_buffer,
             int * conf_state,
-            gss_buffer_t output_message_buffer
+            gss_buffer_t output_message_buffer,
+	    krb5_keyblock *key
            )
 {
   u_char *p;
   MD5_CTX md5;
   u_char hash[16];
   des_key_schedule schedule;
-  des_cblock key;
+  des_cblock deskey;
   des_cblock zero;
   int i;
   int32_t seq_number;
-  size_t len, total_len, padlength;
+  size_t len, total_len, padlength, datalen;
 
   padlength = 8 - (input_message_buffer->length % 8);
-  len = input_message_buffer->length + 8 + padlength + 22;
+  datalen = input_message_buffer->length + padlength + 8;
+  len = datalen + 22;
   gssapi_krb5_encap_length (len, &len, &total_len);
 
   output_message_buffer->length = total_len;
@@ -83,8 +122,7 @@ OM_uint32 gss_wrap
 
   p = gssapi_krb5_make_header(output_message_buffer->value,
 			      len,
-			      "\x02\x01");
-
+			      "\x02\x01"); /* TOK_ID */
 
   /* SGN_ALG */
   memcpy (p, "\x00\x00", 2);
@@ -110,15 +148,15 @@ OM_uint32 gss_wrap
   memset (p + 8 + input_message_buffer->length, padlength, padlength);
 
   /* checksum */
-  MD5Init (&md5);
-  MD5Update (&md5, p - 24, 8);
-  MD5Update (&md5, p, input_message_buffer->length + padlength + 8);
-  MD5Final (hash, &md5);
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, p, datalen);
+  MD5_Final (hash, &md5);
 
   memset (&zero, 0, sizeof(zero));
-  gss_krb5_getsomekey(context_handle, &key);
-  des_set_key (&key, schedule);
-  des_cbc_cksum ((const void *)hash, (void *)hash, sizeof(hash),
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+  des_set_key (&deskey, schedule);
+  des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
 		 schedule, &zero);
   memcpy (p - 8, hash, 8);
 
@@ -136,8 +174,8 @@ OM_uint32 gss_wrap
 	  (context_handle->more_flags & LOCAL) ? 0 : 0xFF,
 	  4);
 
-  des_set_key (&key, schedule);
-  des_cbc_encrypt ((const void *)p, (void *)p, 8,
+  des_set_key (&deskey, schedule);
+  des_cbc_encrypt ((void *)p, (void *)p, 8,
 		   schedule, (des_cblock *)(p + 8), DES_ENCRYPT);
 
   krb5_auth_setlocalseqnumber (gssapi_krb5_context,
@@ -148,22 +186,225 @@ OM_uint32 gss_wrap
   p += 16;
 
   if(conf_req_flag) {
-      gss_krb5_getsomekey(context_handle, &key);
-      for (i = 0; i < sizeof(key); ++i)
-	  key[i] ^= 0xf0;
-      des_set_key (&key, schedule);
+      memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+
+      for (i = 0; i < sizeof(deskey); ++i)
+	  deskey[i] ^= 0xf0;
+      des_set_key (&deskey, schedule);
       memset (&zero, 0, sizeof(zero));
-      des_cbc_encrypt ((const void *)p,
+      des_cbc_encrypt ((void *)p,
 		       (void *)p,
-		       8 + input_message_buffer->length + padlength,
+		       datalen,
 		       schedule,
 		       &zero,
 		       DES_ENCRYPT);
       
-      memset (key, 0, sizeof(key));
+      memset (deskey, 0, sizeof(deskey));
       memset (schedule, 0, sizeof(schedule));
   }
   if(conf_state != NULL)
       *conf_state = conf_req_flag;
   return GSS_S_COMPLETE;
 }
+
+static OM_uint32
+wrap_des3
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p;
+  u_char seq[8];
+  int32_t seq_number;
+  size_t len, total_len, padlength, datalen;
+  u_int32_t ret;
+  krb5_crypto crypto;
+  Checksum cksum;
+  krb5_data encdata;
+
+  padlength = 8 - (input_message_buffer->length % 8);
+  datalen = input_message_buffer->length + padlength + 8;
+  len = datalen + 34;
+  gssapi_krb5_encap_length (len, &len, &total_len);
+
+  output_message_buffer->length = total_len;
+  output_message_buffer->value  = malloc (total_len);
+  if (output_message_buffer->value == NULL)
+    return GSS_S_FAILURE;
+
+  p = gssapi_krb5_make_header(output_message_buffer->value,
+			      len,
+			      "\x02\x01"); /* TOK_ID */
+
+  /* SGN_ALG */
+  memcpy (p, "\x04\x00", 2);	/* HMAC SHA1 DES3-KD */
+  p += 2;
+  /* SEAL_ALG */
+  if(conf_req_flag)
+      memcpy (p, "\x02\x00", 2); /* DES3-KD */
+  else
+      memcpy (p, "\xff\xff", 2);
+  p += 2;
+  /* Filler */
+  memcpy (p, "\xff\xff", 2);
+  p += 2;
+
+  /* calculate checksum (the above + confounder + data + pad) */
+
+  memcpy (p + 20, p - 8, 8);
+  des_new_random_key((des_cblock*)(p + 28));
+  memcpy (p + 28 + 8, input_message_buffer->value,
+	  input_message_buffer->length);
+  memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength);
+
+  ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
+  if (ret) {
+      free (output_message_buffer->value);
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  ret = krb5_create_checksum (gssapi_krb5_context,
+			      crypto,
+			      KRB5_KU_USAGE_SIGN,
+			      p + 20,
+			      datalen + 8,
+			      &cksum);
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (ret) {
+      free (output_message_buffer->value);
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  /* zero out SND_SEQ + SGN_CKSUM in case */
+  memset (p, 0, 28);
+
+  memcpy (p + 8, cksum.checksum.data, cksum.checksum.length);
+  free_Checksum (&cksum);
+
+  /* sequence number */
+  krb5_auth_getlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       &seq_number);
+
+  seq[0] = (seq_number >> 0)  & 0xFF;
+  seq[1] = (seq_number >> 8)  & 0xFF;
+  seq[2] = (seq_number >> 16) & 0xFF;
+  seq[3] = (seq_number >> 24) & 0xFF;
+  memset (seq + 4,
+	  (context_handle->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+
+  ret = krb5_crypto_init(gssapi_krb5_context, key, ETYPE_DES3_CBC_NONE_IVEC,
+			 &crypto);
+  if (ret) {
+      free (output_message_buffer->value);
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  {
+      des_cblock ivec;
+
+      memcpy (&ivec, p + 8, 8);
+      ret = krb5_encrypt_ivec (gssapi_krb5_context,
+			       crypto,
+			       KRB5_KU_USAGE_SEQ,
+			       seq, 8, &encdata,
+			       &ivec);
+  }
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (ret) {
+      free (output_message_buffer->value);
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  
+  assert (encdata.length == 8);
+
+  memcpy (p, encdata.data, encdata.length);
+  krb5_data_free (&encdata);
+
+  krb5_auth_setlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       ++seq_number);
+
+  /* encrypt the data */
+  p += 28;
+
+  if(conf_req_flag) {
+      krb5_data tmp;
+
+      ret = krb5_crypto_init(gssapi_krb5_context, key,
+			     ETYPE_DES3_CBC_NONE, &crypto);
+      if (ret) {
+	  free (output_message_buffer->value);
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      ret = krb5_encrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL,
+			 p, datalen, &tmp);
+      krb5_crypto_destroy(gssapi_krb5_context, crypto);
+      if (ret) {
+	  free (output_message_buffer->value);
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      assert (tmp.length == datalen);
+
+      memcpy (p, tmp.data, datalen);
+      krb5_data_free(&tmp);
+  }
+  if(conf_state != NULL)
+      *conf_state = conf_req_flag;
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32 gss_wrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           )
+{
+  krb5_keyblock *key;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+
+  ret = gss_krb5_getsomekey(context_handle, &key);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = wrap_des (minor_status, context_handle, conf_req_flag,
+		      qop_req, input_message_buffer, conf_state,
+		      output_message_buffer, key);
+      break;
+  case KEYTYPE_DES3 :
+      ret = wrap_des3 (minor_status, context_handle, conf_req_flag,
+		       qop_req, input_message_buffer, conf_state,
+		       output_message_buffer, key);
+      break;
+  default :
+      *minor_status = KRB5_PROG_ETYPE_NOSUPP;
+      ret = GSS_S_FAILURE;
+      break;
+  }
+  krb5_free_keyblock (gssapi_krb5_context, key);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/hdb/Makefile.am b/crypto/heimdal/lib/hdb/Makefile.am
index 6c4341e..f3aba3b 100644
--- a/crypto/heimdal/lib/hdb/Makefile.am
+++ b/crypto/heimdal/lib/hdb/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.33 2000/01/06 21:45:41 assar Exp $
+# $Id: Makefile.am,v 1.43 2001/01/30 01:49:16 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -13,27 +13,33 @@ CLEANFILES = $(BUILT_SOURCES) $(foo) hdb_asn1.h asn1_files
 
 noinst_PROGRAMS = convert_db
 LDADD = libhdb.la \
+	$(LIB_openldap) \
 	../krb5/libkrb5.la \
 	../asn1/libasn1.la \
-	../des/libdes.la \
+	$(LIB_des) \
 	$(LIB_roken) \
 	$(DBLIB)
 
 lib_LTLIBRARIES = libhdb.la
-libhdb_la_LDFLAGS = -version-info 4:1:1
-
-libhdb_la_SOURCES = 				\
-		    keytab.c			\
-		    hdb.c			\
-		    common.c			\
-		    db.c			\
-		    ndbm.c			\
-		    print.c			\
-		    $(BUILT_SOURCES)
+libhdb_la_LDFLAGS = -version-info 7:0:0
+
+libhdb_la_SOURCES =				\
+	common.c				\
+	db.c					\
+	db3.c					\
+	hdb-ldap.c				\
+	hdb.c					\
+	keytab.c				\
+	mkey.c					\
+	ndbm.c					\
+	print.c					\
+	$(BUILT_SOURCES)
+
+INCLUDES += $(INCLUDE_openldap)
 
 include_HEADERS = hdb.h hdb_err.h hdb_asn1.h hdb-protos.h hdb-private.h
 
-libhdb_la_LIBADD = 
+libhdb_la_LIBADD = $(LIB_openldap)
 
 $(libhdb_la_OBJECTS): $(srcdir)/hdb-protos.h $(srcdir)/hdb-private.h
 
diff --git a/crypto/heimdal/lib/hdb/Makefile.in b/crypto/heimdal/lib/hdb/Makefile.in
index ef92550..ad12e78 100644
--- a/crypto/heimdal/lib/hdb/Makefile.in
+++ b/crypto/heimdal/lib/hdb/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.33 2000/01/06 21:45:41 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.43 2001/01/30 01:49:16 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include -I../asn1 -I$(srcdir)/../asn1
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I../asn1 -I$(srcdir)/../asn1 $(INCLUDE_openldap)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,28 +170,25 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
-BUILT_SOURCES = asn1_Key.c asn1_Event.c asn1_HDBFlags.c asn1_hdb_entry.c 	asn1_Salt.c hdb_err.c hdb_err.h
+BUILT_SOURCES = asn1_Key.c asn1_Event.c asn1_HDBFlags.c asn1_hdb_entry.c \
+	asn1_Salt.c hdb_err.c hdb_err.h
 
 
 foo = asn1_Key.x asn1_Event.x asn1_HDBFlags.x asn1_hdb_entry.x asn1_Salt.x
@@ -181,18 +196,35 @@ foo = asn1_Key.x asn1_Event.x asn1_HDBFlags.x asn1_hdb_entry.x asn1_Salt.x
 CLEANFILES = $(BUILT_SOURCES) $(foo) hdb_asn1.h asn1_files
 
 noinst_PROGRAMS = convert_db
-LDADD = libhdb.la 	../krb5/libkrb5.la 	../asn1/libasn1.la 	../des/libdes.la 	$(LIB_roken) 	$(DBLIB)
+LDADD = libhdb.la \
+	$(LIB_openldap) \
+	../krb5/libkrb5.la \
+	../asn1/libasn1.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
 
 
 lib_LTLIBRARIES = libhdb.la
-libhdb_la_LDFLAGS = -version-info 4:1:1
+libhdb_la_LDFLAGS = -version-info 7:0:0
 
-libhdb_la_SOURCES =  		    keytab.c					    hdb.c					    common.c					    db.c					    ndbm.c					    print.c					    $(BUILT_SOURCES)
+libhdb_la_SOURCES = \
+	common.c				\
+	db.c					\
+	db3.c					\
+	hdb-ldap.c				\
+	hdb.c					\
+	keytab.c				\
+	mkey.c					\
+	ndbm.c					\
+	print.c					\
+	$(BUILT_SOURCES)
 
 
 include_HEADERS = hdb.h hdb_err.h hdb_asn1.h hdb-protos.h hdb-private.h
 
-libhdb_la_LIBADD = 
+libhdb_la_LIBADD = $(LIB_openldap)
+subdir = lib/hdb
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -202,15 +234,15 @@ LTLIBRARIES =  $(lib_LTLIBRARIES)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 libhdb_la_DEPENDENCIES = 
-libhdb_la_OBJECTS =  keytab.lo hdb.lo common.lo db.lo ndbm.lo print.lo \
-asn1_Key.lo asn1_Event.lo asn1_HDBFlags.lo asn1_hdb_entry.lo \
-asn1_Salt.lo hdb_err.lo
+am_libhdb_la_OBJECTS =  common.lo db.lo db3.lo hdb-ldap.lo hdb.lo \
+keytab.lo mkey.lo ndbm.lo print.lo asn1_Key.lo asn1_Event.lo \
+asn1_HDBFlags.lo asn1_hdb_entry.lo asn1_Salt.lo hdb_err.lo
+libhdb_la_OBJECTS =  $(am_libhdb_la_OBJECTS)
 noinst_PROGRAMS =  convert_db$(EXEEXT)
 PROGRAMS =  $(noinst_PROGRAMS)
 
@@ -218,28 +250,29 @@ convert_db_SOURCES = convert_db.c
 convert_db_OBJECTS =  convert_db.$(OBJEXT)
 convert_db_LDADD = $(LDADD)
 convert_db_DEPENDENCIES =  libhdb.la ../krb5/libkrb5.la \
-../asn1/libasn1.la ../des/libdes.la
+../asn1/libasn1.la
 convert_db_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libhdb_la_SOURCES) convert_db.c
 HEADERS =  $(include_HEADERS)
 
-DIST_COMMON =  Makefile.am Makefile.in
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(libhdb_la_SOURCES) convert_db.c
-OBJECTS = $(libhdb_la_OBJECTS) convert_db.$(OBJEXT)
+OBJECTS = $(am_libhdb_la_OBJECTS) convert_db.$(OBJEXT)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/hdb/Makefile
 
@@ -262,31 +295,18 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	$(mkinstalldirs) $(DESTDIR)$(libdir)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
 	  else :; fi; \
 	done
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
 	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -298,15 +318,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -332,41 +343,54 @@ maintainer-clean-noinstPROGRAMS:
 convert_db$(EXEEXT): $(convert_db_OBJECTS) $(convert_db_DEPENDENCIES)
 	@rm -f convert_db$(EXEEXT)
 	$(LINK) $(convert_db_LDFLAGS) $(convert_db_OBJECTS) $(convert_db_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-includeHEADERS: $(include_HEADERS)
 	@$(NORMAL_INSTALL)
 	$(mkinstalldirs) $(DESTDIR)$(includedir)
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
-	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
-	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
 	done
 
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	list='$(include_HEADERS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
 	done
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -379,17 +403,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/hdb
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -418,7 +441,7 @@ uninstall: uninstall-am
 all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
 
@@ -433,6 +456,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
 mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-noinstPROGRAMS \
@@ -474,8 +498,8 @@ install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
 maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
 check-am installcheck-am installcheck install-exec-am install-exec \
 install-data-local install-data-am install-data install-am install \
-uninstall-am uninstall all-local all-redirect all-am all installdirs \
-mostlyclean-generic distclean-generic clean-generic \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
 maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
@@ -484,7 +508,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -496,8 +523,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -566,87 +593,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/lib/hdb/common.c b/crypto/heimdal/lib/hdb/common.c
index 6e95667..befde78 100644
--- a/crypto/heimdal/lib/hdb/common.c
+++ b/crypto/heimdal/lib/hdb/common.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: common.c,v 1.6 1999/12/02 17:05:04 joda Exp $");
+RCSID("$Id: common.c,v 1.8 2001/01/30 01:22:17 assar Exp $");
 
 int
 hdb_principal2key(krb5_context context, krb5_principal p, krb5_data *key)
@@ -102,7 +102,7 @@ krb5_error_code
 _hdb_fetch(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
 {
     krb5_data key, value;
-    int code;
+    int code = 0;
 
     hdb_principal2key(context, entry->principal, &key);
     code = db->_get(context, db, key, &value);
@@ -110,10 +110,13 @@ _hdb_fetch(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
     if(code)
 	return code;
     hdb_value2entry(context, &value, entry);
-    if (db->master_key_set && (flags & HDB_F_DECRYPT))
-	hdb_unseal_keys (db, entry);
+    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	code = hdb_unseal_keys (context, db, entry);
+	if (code)
+	    hdb_free_entry(context, entry);
+    }
     krb5_data_free(&value);
-    return 0;
+    return code;
 }
 
 krb5_error_code
@@ -123,7 +126,11 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
     int code;
 
     hdb_principal2key(context, entry->principal, &key);
-    hdb_seal_keys(db, entry);
+    code = hdb_seal_keys(context, db, entry);
+    if (code) {
+	krb5_data_free(&key);
+	return code;
+    }
     hdb_entry2value(context, entry, &value);
     code = db->_put(context, db, flags & HDB_F_REPLACE, key, value);
     krb5_data_free(&value);
diff --git a/crypto/heimdal/lib/hdb/convert_db.c b/crypto/heimdal/lib/hdb/convert_db.c
index b257809..1a7ebb4 100644
--- a/crypto/heimdal/lib/hdb/convert_db.c
+++ b/crypto/heimdal/lib/hdb/convert_db.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -38,9 +38,10 @@
  */
 
 #include "hdb_locl.h"
-#include "getarg.h"
+#include <getarg.h>
+#include <err.h>
 
-RCSID("$Id: convert_db.c,v 1.8 1999/05/09 22:47:47 assar Exp $");
+RCSID("$Id: convert_db.c,v 1.11 2001/01/25 12:45:01 assar Exp $");
 
 static krb5_error_code
 update_keytypes(krb5_context context, HDB *db, hdb_entry *entry, void *data)
@@ -132,7 +133,6 @@ main(int argc, char **argv)
     krb5_error_code ret;
     krb5_context context;
     HDB *db, *new;
-    EncryptionKey key;
     int optind = 0;
     int master_key_set = 0;
     
@@ -151,29 +151,23 @@ main(int argc, char **argv)
 
     ret = krb5_init_context(&context);
     if(ret != 0)
-	krb5_err(NULL, 1, ret, "krb5_init_context");
+	errx(1, "krb5_init_context failed: %d", ret);
     
     ret = hdb_create(context, &db, old_database);
     if(ret != 0)
 	krb5_err(context, 1, ret, "hdb_create");
 
-    ret = hdb_read_master_key(context, mkeyfile, &key);
-    if(ret == 0) {
-	if(key.keytype == KEYTYPE_DES)
-	    key.keytype = ETYPE_DES_CBC_MD5;
-    
-	ret = hdb_set_master_key(context, db, key);
-	if (ret)
-	    krb5_err(context, 1, ret, "hdb_set_master_key");
-	master_key_set = 1;
-    }
+    ret = hdb_set_master_keyfile(context, db, mkeyfile);
+    if (ret)
+	krb5_err(context, 1, ret, "hdb_set_master_keyfile");
+    master_key_set = 1;
     ret = hdb_create(context, &new, new_database);
     if(ret != 0)
 	krb5_err(context, 1, ret, "hdb_create");
     if (master_key_set) {
-	ret = hdb_set_master_key(context, new, key);
+	ret = hdb_set_master_keyfile(context, new, mkeyfile);
 	if (ret)
-	    krb5_err(context, 1, ret, "hdb_set_master_key");
+	    krb5_err(context, 1, ret, "hdb_set_master_keyfile");
     }
     ret = db->open(context, db, O_RDONLY, 0);
     if(ret == HDB_ERR_BADVERSION) {
diff --git a/crypto/heimdal/lib/hdb/db.c b/crypto/heimdal/lib/hdb/db.c
index 4699437..6f9c688 100644
--- a/crypto/heimdal/lib/hdb/db.c
+++ b/crypto/heimdal/lib/hdb/db.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,9 +33,9 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: db.c,v 1.25 1999/12/02 17:05:04 joda Exp $");
+RCSID("$Id: db.c,v 1.28 2001/01/30 01:24:00 assar Exp $");
 
-#ifdef HAVE_DB_H
+#if defined(HAVE_DB_H) && DB_VERSION_MAJOR < 3
 
 static krb5_error_code
 DB_close(krb5_context context, HDB *db)
@@ -102,13 +102,21 @@ DB_seq(krb5_context context, HDB *db,
     data.length = value.size;
     if (hdb_value2entry(context, &data, entry))
 	return DB_seq(context, db, flags, entry, R_NEXT);
-    if (db->master_key_set && (flags & HDB_F_DECRYPT))
-	hdb_unseal_keys (db, entry);
-    if (entry->principal == NULL) {
+    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	code = hdb_unseal_keys (context, db, entry);
+	if (code)
+	    hdb_free_entry (context, entry);
+    }
+    if (code == 0 && entry->principal == NULL) {
 	entry->principal = malloc(sizeof(*entry->principal));
-	hdb_key2principal(context, &key_data, entry->principal);
+	if (entry->principal == NULL) {
+	    code = ENOMEM;
+	    hdb_free_entry (context, entry);
+	} else {
+	    hdb_key2principal(context, &key_data, entry->principal);
+	}
     }
-    return 0;
+    return code;
 }
 
 
diff --git a/crypto/heimdal/lib/hdb/db3.c b/crypto/heimdal/lib/hdb/db3.c
new file mode 100644
index 0000000..a682071
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/db3.c
@@ -0,0 +1,310 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: db3.c,v 1.6 2001/01/30 01:24:00 assar Exp $");
+
+#if defined(HAVE_DB_H) && DB_VERSION_MAJOR == 3
+static krb5_error_code
+DB_close(krb5_context context, HDB *db)
+{
+    DB *d = (DB*)db->db;
+    DBC *dbcp = (DBC*)db->dbc;
+
+    dbcp->c_close(dbcp);
+    db->dbc = 0;
+    d->close(d, 0);
+    return 0;
+}
+
+static krb5_error_code
+DB_destroy(krb5_context context, HDB *db)
+{
+    krb5_error_code ret;
+
+    ret = hdb_clear_master_key (context, db);
+    free(db->name);
+    free(db);
+    return ret;
+}
+
+static krb5_error_code
+DB_lock(krb5_context context, HDB *db, int operation)
+{
+    DB *d = (DB*)db->db;
+    int fd;
+    if ((*d->fd)(d, &fd))
+	return HDB_ERR_CANT_LOCK_DB;
+    return hdb_lock(fd, operation);
+}
+
+static krb5_error_code
+DB_unlock(krb5_context context, HDB *db)
+{
+    DB *d = (DB*)db->db;
+    int fd;
+    if ((*d->fd)(d, &fd))
+	return HDB_ERR_CANT_LOCK_DB;
+    return hdb_unlock(fd);
+}
+
+
+static krb5_error_code
+DB_seq(krb5_context context, HDB *db,
+       unsigned flags, hdb_entry *entry, int flag)
+{
+    DB *d = (DB*)db->db;
+    DBT key, value;
+    DBC *dbcp = db->dbc;
+    krb5_data key_data, data;
+    int code;
+
+    memset(&key, 0, sizeof(DBT));
+    memset(&value, 0, sizeof(DBT));
+    if (db->lock(context, db, HDB_RLOCK))
+	return HDB_ERR_DB_INUSE;
+    code = dbcp->c_get(dbcp, &key, &value, flag);
+    db->unlock(context, db); /* XXX check value */
+    if (code == DB_NOTFOUND)
+	return HDB_ERR_NOENTRY;
+    if (code)
+	return code;
+
+    key_data.data = key.data;
+    key_data.length = key.size;
+    data.data = value.data;
+    data.length = value.size;
+    if (hdb_value2entry(context, &data, entry))
+	return DB_seq(context, db, flags, entry, DB_NEXT);
+    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	code = hdb_unseal_keys (context, db, entry);
+	if (code)
+	    hdb_free_entry (context, entry);
+    }
+    if (entry->principal == NULL) {
+	entry->principal = malloc(sizeof(*entry->principal));
+	if (entry->principal == NULL) {
+	    code = ENOMEM;
+	    hdb_free_entry (context, entry);
+	} else {
+	    hdb_key2principal(context, &key_data, entry->principal);
+	}
+    }
+    return 0;
+}
+
+
+static krb5_error_code
+DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return DB_seq(context, db, flags, entry, DB_FIRST);
+}
+
+
+static krb5_error_code
+DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return DB_seq(context, db, flags, entry, DB_NEXT);
+}
+
+static krb5_error_code
+DB_rename(krb5_context context, HDB *db, const char *new_name)
+{
+    int ret;
+    char *old, *new;
+
+    asprintf(&old, "%s.db", db->name);
+    asprintf(&new, "%s.db", new_name);
+    ret = rename(old, new);
+    free(old);
+    free(new);
+    if(ret)
+	return errno;
+    
+    free(db->name);
+    db->name = strdup(new_name);
+    return 0;
+}
+
+static krb5_error_code
+DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
+{
+    DB *d = (DB*)db->db;
+    DBT k, v;
+    int code;
+
+    memset(&k, 0, sizeof(DBT));
+    memset(&v, 0, sizeof(DBT));
+    k.data = key.data;
+    k.size = key.length;
+    k.flags = 0;
+    if ((code = db->lock(context, db, HDB_RLOCK)))
+	return code;
+    code = d->get(d, NULL, &k, &v, 0);
+    db->unlock(context, db);
+    if(code == DB_NOTFOUND)
+	return HDB_ERR_NOENTRY;
+    if(code)
+	return code;
+
+    krb5_data_copy(reply, v.data, v.size);
+    return 0;
+}
+
+static krb5_error_code
+DB__put(krb5_context context, HDB *db, int replace, 
+	krb5_data key, krb5_data value)
+{
+    DB *d = (DB*)db->db;
+    DBT k, v;
+    int code;
+
+    memset(&k, 0, sizeof(DBT));
+    memset(&v, 0, sizeof(DBT));
+    k.data = key.data;
+    k.size = key.length;
+    k.flags = 0;
+    v.data = value.data;
+    v.size = value.length;
+    v.flags = 0;
+    if ((code = db->lock(context, db, HDB_WLOCK)))
+	return code;
+    code = d->put(d, NULL, &k, &v, replace ? 0 : DB_NOOVERWRITE);
+    db->unlock(context, db);
+    if(code == DB_KEYEXIST)
+	return HDB_ERR_EXISTS;
+    if(code)
+	return errno;
+    return 0;
+}
+
+static krb5_error_code
+DB__del(krb5_context context, HDB *db, krb5_data key)
+{
+    DB *d = (DB*)db->db;
+    DBT k;
+    krb5_error_code code;
+    memset(&k, 0, sizeof(DBT));
+    k.data = key.data;
+    k.size = key.length;
+    k.flags = 0;
+    code = db->lock(context, db, HDB_WLOCK);
+    if(code)
+	return code;
+    code = d->del(d, NULL, &k, 0);
+    db->unlock(context, db);
+    if(code == DB_NOTFOUND)
+	return HDB_ERR_NOENTRY;
+    if(code)
+	return code;
+    return 0;
+}
+
+static krb5_error_code
+DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
+{
+    char *fn;
+    krb5_error_code ret;
+    DB *d;
+    int myflags = 0;
+
+    if (flags & O_CREAT)
+      myflags |= DB_CREATE;
+
+    if (flags & O_EXCL)
+      myflags |= DB_EXCL;
+
+    if (flags & O_RDONLY)
+      myflags |= DB_RDONLY;
+
+    if (flags & O_TRUNC)
+      myflags |= DB_TRUNCATE;
+
+    asprintf(&fn, "%s.db", db->name);
+    if (fn == NULL)
+	return ENOMEM;
+    db_create(&d, NULL, 0);
+    db->db = d;
+    if ((ret = d->open(db->db, fn, NULL, DB_BTREE, myflags, mode))) {
+      if(ret == ENOENT)
+	/* try to open without .db extension */
+	if (d->open(db->db, db->name, NULL, DB_BTREE, myflags, mode)) {
+	  free(fn);
+	  return ret;
+	}
+    }
+    free(fn);
+
+    ret = d->cursor(d, NULL, (DBC **)&db->dbc, 0);
+    if (ret)
+        return ret;
+
+    if((flags & O_ACCMODE) == O_RDONLY)
+	ret = hdb_check_db_format(context, db);
+    else
+	ret = hdb_init_db(context, db);
+    if(ret == HDB_ERR_NOENTRY)
+	return 0;
+    return ret;
+}
+
+krb5_error_code
+hdb_db_create(krb5_context context, HDB **db, 
+	      const char *filename)
+{
+    *db = malloc(sizeof(**db));
+    if (*db == NULL)
+	return ENOMEM;
+
+    (*db)->db = NULL;
+    (*db)->name = strdup(filename);
+    (*db)->master_key_set = 0;
+    (*db)->openp = 0;
+    (*db)->open  = DB_open;
+    (*db)->close = DB_close;
+    (*db)->fetch = _hdb_fetch;
+    (*db)->store = _hdb_store;
+    (*db)->remove = _hdb_remove;
+    (*db)->firstkey = DB_firstkey;
+    (*db)->nextkey= DB_nextkey;
+    (*db)->lock = DB_lock;
+    (*db)->unlock = DB_unlock;
+    (*db)->rename = DB_rename;
+    (*db)->_get = DB__get;
+    (*db)->_put = DB__put;
+    (*db)->_del = DB__del;
+    (*db)->destroy = DB_destroy;
+    return 0;
+}
+#endif
diff --git a/crypto/heimdal/lib/hdb/hdb-ldap.c b/crypto/heimdal/lib/hdb/hdb-ldap.c
new file mode 100644
index 0000000..6d264b4
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb-ldap.c
@@ -0,0 +1,1344 @@
+/*
+ * Copyright (c) 1999 - 2001, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software  nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: hdb-ldap.c,v 1.7 2001/01/30 16:59:08 assar Exp $");
+
+#ifdef OPENLDAP
+
+#include <ldap.h>
+#include <lber.h>
+#include <ctype.h>
+#include <sys/un.h>
+
+static krb5_error_code LDAP__connect(krb5_context context, HDB * db);
+
+static krb5_error_code
+LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
+		   hdb_entry * ent);
+
+static char *krb5kdcentry_attrs[] =
+    { "krb5PrincipalName", "cn", "krb5PrincipalRealm",
+    "krb5KeyVersionNumber", "krb5Key",
+    "krb5ValidStart", "krb5ValidEnd", "krb5PasswordEnd",
+    "krb5MaxLife", "krb5MaxRenew", "krb5KDCFlags", "krb5EncryptionType",
+    "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp",
+    NULL
+};
+
+static char *krb5principal_attrs[] =
+    { "krb5PrincipalName", "cn", "krb5PrincipalRealm",
+    "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp",
+    NULL
+};
+
+/* based on samba: source/passdb/ldap.c */
+static krb5_error_code
+LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
+		unsigned char *value, size_t len)
+{
+    LDAPMod **mods = *modlist;
+    int i, j;
+
+    if (mods == NULL) {
+	mods = (LDAPMod **) calloc(1, sizeof(LDAPMod *));
+	if (mods == NULL) {
+	    return ENOMEM;
+	}
+	mods[0] = NULL;
+    }
+
+    for (i = 0; mods[i] != NULL; ++i) {
+	if ((mods[i]->mod_op & (~LDAP_MOD_BVALUES)) == modop
+	    && (!strcasecmp(mods[i]->mod_type, attribute))) {
+	    break;
+	}
+    }
+
+    if (mods[i] == NULL) {
+	mods = (LDAPMod **) realloc(mods, (i + 2) * sizeof(LDAPMod *));
+	if (mods == NULL) {
+	    return ENOMEM;
+	}
+	mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
+	if (mods[i] == NULL) {
+	    return ENOMEM;
+	}
+	mods[i]->mod_op = modop | LDAP_MOD_BVALUES;
+	mods[i]->mod_bvalues = NULL;
+	mods[i]->mod_type = strdup(attribute);
+	if (mods[i]->mod_type == NULL) {
+	    return ENOMEM;
+	}
+	mods[i + 1] = NULL;
+    }
+
+    if (value != NULL) {
+	j = 0;
+	if (mods[i]->mod_bvalues != NULL) {
+	    for (; mods[i]->mod_bvalues[j] != NULL; j++);
+	}
+	mods[i]->mod_bvalues =
+	    (struct berval **) realloc(mods[i]->mod_bvalues,
+				       (j + 2) * sizeof(struct berval *));
+	if (mods[i]->mod_bvalues == NULL) {
+	    return ENOMEM;
+	}
+	/* Caller allocates memory on our behalf, unlike LDAP_addmod. */
+	mods[i]->mod_bvalues[j] =
+	    (struct berval *) malloc(sizeof(struct berval));
+	if (mods[i]->mod_bvalues[j] == NULL) {
+	    return ENOMEM;
+	}
+	mods[i]->mod_bvalues[j]->bv_val = value;
+	mods[i]->mod_bvalues[j]->bv_len = len;
+	mods[i]->mod_bvalues[j + 1] = NULL;
+    }
+    *modlist = mods;
+    return 0;
+}
+
+static krb5_error_code
+LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,
+	    const char *value)
+{
+    LDAPMod **mods = *modlist;
+    int i, j;
+
+    if (mods == NULL) {
+	mods = (LDAPMod **) calloc(1, sizeof(LDAPMod *));
+	if (mods == NULL) {
+	    return ENOMEM;
+	}
+	mods[0] = NULL;
+    }
+
+    for (i = 0; mods[i] != NULL; ++i) {
+	if (mods[i]->mod_op == modop
+	    && (!strcasecmp(mods[i]->mod_type, attribute))) {
+	    break;
+	}
+    }
+
+    if (mods[i] == NULL) {
+	mods = (LDAPMod **) realloc(mods, (i + 2) * sizeof(LDAPMod *));
+	if (mods == NULL) {
+	    return ENOMEM;
+	}
+	mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
+	if (mods[i] == NULL) {
+	    return ENOMEM;
+	}
+	mods[i]->mod_op = modop;
+	mods[i]->mod_values = NULL;
+	mods[i]->mod_type = strdup(attribute);
+	if (mods[i]->mod_type == NULL) {
+	    return ENOMEM;
+	}
+	mods[i + 1] = NULL;
+    }
+
+    if (value != NULL) {
+	j = 0;
+	if (mods[i]->mod_values != NULL) {
+	    for (; mods[i]->mod_values[j] != NULL; j++);
+	}
+	mods[i]->mod_values = (char **) realloc(mods[i]->mod_values,
+						(j + 2) * sizeof(char *));
+	if (mods[i]->mod_values == NULL) {
+	    return ENOMEM;
+	}
+	mods[i]->mod_values[j] = strdup(value);
+	if (mods[i]->mod_values[j] == NULL) {
+	    return ENOMEM;
+	}
+	mods[i]->mod_values[j + 1] = NULL;
+    }
+    *modlist = mods;
+    return 0;
+}
+
+static krb5_error_code
+LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,
+			     const char *attribute, KerberosTime * time)
+{
+    char buf[22];
+    struct tm *tm;
+
+    /* XXX not threadsafe */
+    tm = gmtime(time);
+    strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", tm);
+
+    return LDAP_addmod(mods, modop, attribute, buf);
+}
+
+static krb5_error_code
+LDAP_get_string_value(HDB * db, LDAPMessage * entry,
+		      const char *attribute, char **ptr)
+{
+    char **vals;
+    int ret;
+
+    vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute);
+    if (vals == NULL) {
+	return HDB_ERR_NOENTRY;
+    }
+    *ptr = strdup(vals[0]);
+    if (*ptr == NULL) {
+	ret = ENOMEM;
+    } else {
+	ret = 0;
+    }
+
+    ldap_value_free(vals);
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_get_integer_value(HDB * db, LDAPMessage * entry,
+		       const char *attribute, int *ptr)
+{
+    char **vals;
+
+    vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute);
+    if (vals == NULL) {
+	return HDB_ERR_NOENTRY;
+    }
+    *ptr = atoi(vals[0]);
+    ldap_value_free(vals);
+    return 0;
+}
+
+static krb5_error_code
+LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
+				const char *attribute, KerberosTime * kt)
+{
+    char *tmp, *gentime;
+    struct tm tm;
+    int ret;
+
+    *kt = 0;
+
+    ret = LDAP_get_string_value(db, entry, attribute, &gentime);
+    if (ret != 0) {
+	return ret;
+    }
+
+    tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
+    if (tmp == NULL) {
+	free(gentime);
+	return HDB_ERR_NOENTRY;
+    }
+
+    free(gentime);
+
+    *kt = timegm(&tm);
+
+    return 0;
+}
+
+static krb5_error_code
+LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent,
+		LDAPMessage * msg, LDAPMod *** pmods)
+{
+    krb5_error_code ret;
+    krb5_boolean is_new_entry;
+    int rc, i;
+    char *tmp = NULL;
+    LDAPMod **mods = NULL;
+    hdb_entry orig;
+    unsigned long oflags, nflags;
+
+    if (msg != NULL) {
+	ret = LDAP_message2entry(context, db, msg, &orig);
+	if (ret != 0) {
+	    goto out;
+	}
+	is_new_entry = FALSE;
+    } else {
+	/* to make it perfectly obvious we're depending on
+	 * orig being intiialized to zero */
+	memset(&orig, 0, sizeof(orig));
+	is_new_entry = TRUE;
+    }
+
+    if (is_new_entry) {
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
+	if (ret != 0) {
+	    goto out;
+	}
+	/* person is the structural object class */
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "person");
+	if (ret != 0) {
+	    goto out;
+	}
+	ret =
+	    LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
+			"krb5Principal");
+	if (ret != 0) {
+	    goto out;
+	}
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
+			  "krb5KDCEntry");
+	if (ret != 0) {
+	    goto out;
+	}
+    }
+
+    if (is_new_entry ||
+	krb5_principal_compare(context, ent->principal, orig.principal) ==
+	FALSE) {
+	ret = krb5_unparse_name(context, ent->principal, &tmp);
+	if (ret != 0) {
+	    goto out;
+	}
+	ret =
+	    LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5PrincipalName", tmp);
+	if (ret != 0) {
+	    free(tmp);
+	    goto out;
+	}
+	free(tmp);
+    }
+
+    if (ent->kvno != orig.kvno) {
+	rc = asprintf(&tmp, "%d", ent->kvno);
+	if (rc < 0) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ret =
+	    LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KeyVersionNumber",
+			tmp);
+	free(tmp);
+	if (ret != 0) {
+	    goto out;
+	}
+    }
+
+    if (ent->valid_start) {
+	if (orig.valid_end == NULL
+	    || (*(ent->valid_start) != *(orig.valid_start))) {
+	    ret =
+		LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+					     "krb5ValidStart",
+					     ent->valid_start);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    if (ent->valid_end) {
+	if (orig.valid_end == NULL
+	    || (*(ent->valid_end) != *(orig.valid_end))) {
+	    ret =
+		LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+					     "krb5ValidEnd",
+					     ent->valid_end);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    if (ent->pw_end) {
+	if (orig.pw_end == NULL || (*(ent->pw_end) != *(orig.pw_end))) {
+	    ret =
+		LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+					     "krb5PasswordEnd",
+					     ent->pw_end);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    if (ent->max_life) {
+	if (orig.max_life == NULL
+	    || (*(ent->max_life) != *(orig.max_life))) {
+	    rc = asprintf(&tmp, "%d", *(ent->max_life));
+	    if (rc < 0) {
+		ret = ENOMEM;
+		goto out;
+	    }
+	    ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxLife", tmp);
+	    free(tmp);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    if (ent->max_renew) {
+	if (orig.max_renew == NULL
+	    || (*(ent->max_renew) != *(orig.max_renew))) {
+	    rc = asprintf(&tmp, "%d", *(ent->max_renew));
+	    if (rc < 0) {
+		ret = ENOMEM;
+		goto out;
+	    }
+	    ret =
+		LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxRenew", tmp);
+	    free(tmp);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    memset(&oflags, 0, sizeof(oflags));
+    memcpy(&oflags, &orig.flags, sizeof(HDBFlags));
+    memset(&nflags, 0, sizeof(nflags));
+    memcpy(&nflags, &ent->flags, sizeof(HDBFlags));
+
+    if (memcmp(&oflags, &nflags, sizeof(HDBFlags))) {
+	rc = asprintf(&tmp, "%lu", nflags);
+	if (rc < 0) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KDCFlags", tmp);
+	free(tmp);
+	if (ret != 0) {
+	    goto out;
+	}
+    }
+
+    if (is_new_entry == FALSE && orig.keys.len > 0) {
+	/* for the moment, clobber and replace keys. */
+	ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
+	if (ret != 0) {
+	    goto out;
+	}
+    }
+
+    for (i = 0; i < ent->keys.len; i++) {
+	unsigned char *buf;
+	size_t len;
+	Key new;
+
+	ret = copy_Key(&ent->keys.val[i], &new);
+	if (ret != 0) {
+	    goto out;
+	}
+
+	len = length_Key(&new);
+	buf = malloc(len);
+	if (buf == NULL) {
+	    ret = ENOMEM;
+	    free_Key(&new);
+	    goto out;
+	}
+
+	ret = encode_Key(buf + len - 1, len, &new, &len);
+	if (ret != 0) {
+	    free(buf);
+	    free_Key(&new);
+	    goto out;
+	}
+	free_Key(&new);
+
+	/* addmod_len _owns_ the key, doesn't need to copy it */
+	ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
+	if (ret != 0) {
+	    goto out;
+	}
+    }
+
+    if (ent->etypes) {
+	/* clobber and replace encryption types. */
+	if (is_new_entry == FALSE) {
+	    ret =
+		LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
+			    NULL);
+	}
+	for (i = 0; i < ent->etypes->len; i++) {
+	    rc = asprintf(&tmp, "%d", ent->etypes->val[i]);
+	    if (rc < 0) {
+		ret = ENOMEM;
+		goto out;
+	    }
+	    free(tmp);
+	    ret =
+		LDAP_addmod(&mods, LDAP_MOD_ADD, "krb5EncryptionType",
+			    tmp);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    /* for clarity */
+    ret = 0;
+
+  out:
+
+    if (ret == 0) {
+	*pmods = mods;
+    } else if (mods != NULL) {
+	ldap_mods_free(mods, 1);
+	*pmods = NULL;
+    }
+
+    if (msg != NULL) {
+	hdb_free_entry(context, &orig);
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
+		  krb5_principal * principal)
+{
+    krb5_error_code ret;
+    int rc;
+    char **values;
+    LDAPMessage *res = NULL, *e;
+
+    rc = 1;
+    (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, &rc);
+    rc = ldap_search_s((LDAP *) db->db, db->name, LDAP_SCOPE_BASE,
+		       "(objectclass=krb5Principal)", krb5principal_attrs,
+		       0, &res);
+
+    if (rc != LDAP_SUCCESS) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    e = ldap_first_entry((LDAP *) db->db, res);
+    if (e == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    values = ldap_get_values((LDAP *) db->db, e, "krb5PrincipalName");
+    if (values == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    ret = krb5_parse_name(context, values[0], principal);
+    ldap_value_free(values);
+
+  out:
+    if (res != NULL) {
+	ldap_msgfree(res);
+    }
+    return ret;
+}
+
+static krb5_error_code
+LDAP__lookup_princ(krb5_context context, HDB * db, const char *princname,
+		   LDAPMessage ** msg)
+{
+    krb5_error_code ret;
+    int rc;
+    char *filter = NULL;
+
+    (void) LDAP__connect(context, db);
+
+    rc =
+	asprintf(&filter,
+		 "(&(objectclass=krb5KDCEntry)(krb5PrincipalName=%s))",
+		 princname);
+    if (rc < 0) {
+	ret = ENOMEM;
+	goto out;
+    }
+
+    rc = 1;
+    (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (void *) &rc);
+
+    rc = ldap_search_s((LDAP *) db->db, db->name, LDAP_SCOPE_ONELEVEL, filter, 
+		       krb5kdcentry_attrs, 0, msg);
+    if (rc != LDAP_SUCCESS) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    ret = 0;
+
+  out:
+    if (filter != NULL) {
+	free(filter);
+    }
+    return ret;
+}
+
+static krb5_error_code
+LDAP_principal2message(krb5_context context, HDB * db,
+		       krb5_principal princ, LDAPMessage ** msg)
+{
+    char *princname = NULL;
+    krb5_error_code ret;
+
+    ret = krb5_unparse_name(context, princ, &princname);
+    if (ret != 0) {
+	return ret;
+    }
+
+    ret = LDAP__lookup_princ(context, db, princname, msg);
+    free(princname);
+
+    return ret;
+}
+
+/*
+ * Construct an hdb_entry from a directory entry.
+ */
+static krb5_error_code
+LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
+		   hdb_entry * ent)
+{
+    char *unparsed_name = NULL, *dn = NULL;
+    int ret;
+    unsigned long tmp;
+    struct berval **keys;
+    char **values;
+
+    memset(ent, 0, sizeof(*ent));
+    memset(&ent->flags, 0, sizeof(HDBFlags));
+
+    ret =
+	LDAP_get_string_value(db, msg, "krb5PrincipalName",
+			      &unparsed_name);
+    if (ret != 0) {
+	return ret;
+    }
+
+    ret = krb5_parse_name(context, unparsed_name, &ent->principal);
+    if (ret != 0) {
+	goto out;
+    }
+
+    ret =
+	LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
+			       &ent->kvno);
+    if (ret != 0) {
+	ent->kvno = 0;
+    }
+
+    keys = ldap_get_values_len((LDAP *) db->db, msg, "krb5Key");
+    if (keys != NULL) {
+	int i;
+	size_t l;
+
+	ent->keys.len = ldap_count_values_len(keys);
+	ent->keys.val = (Key *) calloc(ent->keys.len, sizeof(Key));
+	for (i = 0; i < ent->keys.len; i++) {
+	    decode_Key((unsigned char *) keys[i]->bv_val,
+		       (size_t) keys[i]->bv_len, &ent->keys.val[i], &l);
+	}
+	ber_bvecfree(keys);
+    } else {
+#if 1
+	/*
+	 * This violates the ASN1 but it allows a principal to
+	 * be related to a general directory entry without creating
+	 * the keys. Hopefully it's OK.
+	 */
+	ent->keys.len = 0;
+	ent->keys.val = NULL;
+#else
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+#endif
+    }
+
+    ret =
+	LDAP_get_generalized_time_value(db, msg, "createTimestamp",
+					&ent->created_by.time);
+    if (ret != 0) {
+	ent->created_by.time = time(NULL);
+    }
+
+    ent->created_by.principal = NULL;
+
+    ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
+    if (ret == 0) {
+	if (LDAP_dn2principal(context, db, dn, &ent->created_by.principal)
+	    != 0) {
+	    ent->created_by.principal = NULL;
+	}
+	free(dn);
+    }
+
+    ent->modified_by = (Event *) malloc(sizeof(Event));
+    if (ent->modified_by == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    ret =
+	LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
+					&ent->modified_by->time);
+    if (ret == 0) {
+	ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
+	if (LDAP_dn2principal
+	    (context, db, dn, &ent->modified_by->principal) != 0) {
+	    ent->modified_by->principal = NULL;
+	}
+	free(dn);
+    } else {
+	free(ent->modified_by);
+	ent->modified_by = NULL;
+    }
+
+    if ((ent->valid_start = (KerberosTime *) malloc(sizeof(KerberosTime)))
+	== NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    ret =
+	LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
+					ent->valid_start);
+    if (ret != 0) {
+	/* OPTIONAL */
+	free(ent->valid_start);
+	ent->valid_start = NULL;
+    }
+
+    if ((ent->valid_end = (KerberosTime *) malloc(sizeof(KerberosTime))) ==
+	NULL) {ret = ENOMEM;
+	goto out;
+    }
+    ret =
+	LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
+					ent->valid_end);
+    if (ret != 0) {
+	/* OPTIONAL */
+	free(ent->valid_end);
+	ent->valid_end = NULL;
+    }
+
+    if ((ent->pw_end = (KerberosTime *) malloc(sizeof(KerberosTime))) ==
+	NULL) {ret = ENOMEM;
+	goto out;
+    }
+    ret =
+	LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
+					ent->pw_end);
+    if (ret != 0) {
+	/* OPTIONAL */
+	free(ent->pw_end);
+	ent->pw_end = NULL;
+    }
+
+    ent->max_life = (int *) malloc(sizeof(int));
+    if (ent->max_life == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", ent->max_life);
+    if (ret != 0) {
+	free(ent->max_life);
+	ent->max_life = NULL;
+    }
+
+    ent->max_renew = (int *) malloc(sizeof(int));
+    if (ent->max_renew == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", ent->max_renew);
+    if (ret != 0) {
+	free(ent->max_renew);
+	ent->max_renew = NULL;
+    }
+
+    values = ldap_get_values((LDAP *) db->db, msg, "krb5KDCFlags");
+    if (values != NULL) {
+	tmp = strtoul(values[0], (char **) NULL, 10);
+	if (tmp == ULONG_MAX && errno == ERANGE) {
+	    ret = ERANGE;
+	    goto out;
+	}
+    } else {
+	tmp = 0;
+    }
+    memcpy(&ent->flags, &tmp, sizeof(HDBFlags));
+
+    values = ldap_get_values((LDAP *) db->db, msg, "krb5EncryptionType");
+    if (values != NULL) {
+	int i;
+
+	ent->etypes = malloc(sizeof(*(ent->etypes)));
+	if (ent->etypes == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ent->etypes->len = ldap_count_values(values);
+	ent->etypes->val = calloc(ent->etypes->len, sizeof(int));
+	for (i = 0; i < ent->etypes->len; i++) {
+	    ent->etypes->val[i] = atoi(values[i]);
+	}
+	ldap_value_free(values);
+    }
+
+    ret = 0;
+
+  out:
+    if (unparsed_name != NULL) {
+	free(unparsed_name);
+    }
+
+    if (ret != 0) {
+	/* I don't think this frees ent itself. */
+	hdb_free_entry(context, ent);
+    }
+
+    return ret;
+}
+
+static krb5_error_code LDAP_close(krb5_context context, HDB * db)
+{
+    LDAP *ld = (LDAP *) db->db;
+
+    ldap_unbind(ld);
+    db->db = NULL;
+    return 0;
+}
+
+static krb5_error_code
+LDAP_lock(krb5_context context, HDB * db, int operation)
+{
+    return 0;
+}
+
+static krb5_error_code LDAP_unlock(krb5_context context, HDB * db)
+{
+    return 0;
+}
+
+static krb5_error_code
+LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry)
+{
+    int msgid, rc, parserc;
+    krb5_error_code ret;
+    LDAPMessage *e;
+
+    msgid = db->openp;		/* BOGUS OVERLOADING */
+    if (msgid < 0) {
+	return HDB_ERR_NOENTRY;
+    }
+
+    do {
+	rc = ldap_result((LDAP *) db->db, msgid, LDAP_MSG_ONE, NULL, &e);
+	switch (rc) {
+	case LDAP_RES_SEARCH_ENTRY:
+	    /* We have an entry. Parse it. */
+	    ret = LDAP_message2entry(context, db, e, entry);
+	    ldap_msgfree(e);
+	    break;
+	case LDAP_RES_SEARCH_RESULT:
+	    /* We're probably at the end of the results. If not, abandon. */
+	    parserc =
+		ldap_parse_result((LDAP *) db->db, e, NULL, NULL, NULL,
+				  NULL, NULL, 1);
+	    if (parserc != LDAP_SUCCESS
+		&& parserc != LDAP_MORE_RESULTS_TO_RETURN) {
+		ldap_abandon((LDAP *) db->db, msgid);
+	    }
+	    ret = HDB_ERR_NOENTRY;
+	    db->openp = -1;
+	    break;
+	case 0:
+	case -1:
+	default:
+	    /* Some unspecified error (timeout?). Abandon. */
+	    ldap_msgfree(e);
+	    ldap_abandon((LDAP *) db->db, msgid);
+	    ret = HDB_ERR_NOENTRY;
+	    db->openp = -1;
+	    break;
+	}
+    } while (rc == LDAP_RES_SEARCH_REFERENCE);
+
+    if (ret == 0) {
+	if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	    ret = hdb_unseal_keys(context, db, entry);
+	    if (ret)
+		hdb_free_entry(context,entry);
+	}
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_firstkey(krb5_context context, HDB * db, unsigned flags,
+	      hdb_entry * entry)
+{
+    int msgid;
+
+    (void) LDAP__connect(context, db);
+
+    msgid = LDAP_NO_LIMIT;
+    (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, &msgid);
+
+    msgid = ldap_search((LDAP *) db->db, db->name,
+			LDAP_SCOPE_ONELEVEL, "(objectclass=krb5KDCEntry)",
+			krb5kdcentry_attrs, 0);
+    if (msgid < 0) {
+	return HDB_ERR_NOENTRY;
+    }
+
+    db->openp = msgid;
+
+    return LDAP_seq(context, db, flags, entry);
+}
+
+static krb5_error_code
+LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
+	     hdb_entry * entry)
+{
+    return LDAP_seq(context, db, flags, entry);
+}
+
+static krb5_error_code
+LDAP_rename(krb5_context context, HDB * db, const char *new_name)
+{
+    return HDB_ERR_DB_INUSE;
+}
+
+static krb5_boolean LDAP__is_user_namingcontext(const char *ctx,
+						char *const *subschema)
+{
+    char *const *p;
+
+    if (!strcasecmp(ctx, "CN=MONITOR")
+	|| !strcasecmp(ctx, "CN=CONFIG")) {
+	return FALSE;
+    }
+
+    if (subschema != NULL) {
+	for (p = subschema; *p != NULL; p++) {
+	    if (!strcasecmp(ctx, *p)) {
+		return FALSE;
+	    }
+	}
+    }
+
+    return TRUE;
+}
+
+static krb5_error_code LDAP__connect(krb5_context context, HDB * db)
+{
+    int rc;
+    krb5_error_code ret;
+    char *attrs[] = { "namingContexts", "subschemaSubentry", NULL };
+    LDAPMessage *res = NULL, *e;
+
+    if (db->db != NULL) {
+	/* connection has been opened. ping server. */
+	struct sockaddr_un addr;
+	socklen_t len;
+	int sd;
+
+	if (ldap_get_option((LDAP *) db->db, LDAP_OPT_DESC, &sd) == 0 &&
+	    getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
+	    /* the other end has died. reopen. */
+	    LDAP_close(context, db);
+	}
+    }
+
+    if (db->db != NULL) {
+	/* server is UP */
+	return 0;
+    }
+
+    rc = ldap_initialize((LDAP **) & db->db, "ldapi:///");
+    if (rc != LDAP_SUCCESS) {
+	return HDB_ERR_NOENTRY;
+    }
+
+    rc = LDAP_VERSION3;
+    (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_PROTOCOL_VERSION, &rc);
+
+    /* XXX set db->name to the search base */
+    rc = ldap_search_s((LDAP *) db->db, "", LDAP_SCOPE_BASE,
+		       "(objectclass=*)", attrs, 0, &res);
+    if (rc != LDAP_SUCCESS) {
+	ret = HDB_ERR_BADVERSION;
+	goto out;
+    }
+
+    e = ldap_first_entry((LDAP *) db->db, res);
+    if (e == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    if (db->name == NULL) {
+	char **contexts = NULL, **schema_contexts, **p;
+
+	contexts = ldap_get_values((LDAP *) db->db, e, "namingContexts");
+	if (contexts == NULL) {
+	    ret = HDB_ERR_NOENTRY;
+	    goto out;
+	}
+
+	schema_contexts =
+	    ldap_get_values((LDAP *) db->db, e, "subschemaSubentry");
+
+	if (db->name != NULL) {
+	    free(db->name);
+	    db->name = NULL;
+	}
+
+	for (p = contexts; *p != NULL; p++) {
+	    if (LDAP__is_user_namingcontext(*p, schema_contexts)) {
+		break;
+	    }
+	}
+
+	db->name = strdup(*p);
+	if (db->name == NULL) {
+	    ldap_value_free(contexts);
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	ldap_value_free(contexts);
+	if (schema_contexts != NULL) {
+	    ldap_value_free(schema_contexts);
+	}
+    }
+
+    ret = 0;
+
+  out:
+
+    if (res != NULL) {
+	ldap_msgfree(res);
+    }
+
+    if (ret != 0) {
+	if (db->db != NULL) {
+	    ldap_unbind((LDAP *) db->db);
+	    db->db = NULL;
+	}
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
+{
+    krb5_error_code ret;
+
+    /* Not the right place for this. */
+#ifdef HAVE_SIGACTION
+    {
+	struct sigaction sa;
+
+	sa.sa_flags = 0;
+	sa.sa_handler = SIG_IGN;
+	sigemptyset(&sa.sa_mask);
+
+	sigaction(SIGPIPE, &sa, NULL);
+    }
+#else
+    signal(SIGPIPE, SIG_IGN);
+#endif
+
+    if (db->name != NULL) {
+	free(db->name);
+	db->name = NULL;
+    }
+
+    ret = LDAP__connect(context, db);
+    if (ret != 0) {
+	return ret;
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_fetch(krb5_context context, HDB * db, unsigned flags,
+	   hdb_entry * entry)
+{
+    LDAPMessage *msg, *e;
+    krb5_error_code ret;
+
+    ret = LDAP_principal2message(context, db, entry->principal, &msg);
+    if (ret != 0) {
+	return ret;
+    }
+
+    e = ldap_first_entry((LDAP *) db->db, msg);
+    if (e == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    ret = LDAP_message2entry(context, db, e, entry);
+    if (ret == 0) {
+	if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	    ret = hdb_unseal_keys(context, db, entry);
+	    if (ret)
+		hdb_free_entry(context,entry);
+	}
+    }
+
+  out:
+    ldap_msgfree(msg);
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_store(krb5_context context, HDB * db, unsigned flags,
+	   hdb_entry * entry)
+{
+    LDAPMod **mods = NULL;
+    krb5_error_code ret;
+    LDAPMessage *msg = NULL, *e = NULL;
+    char *dn = NULL, *name = NULL;
+
+    ret = krb5_unparse_name(context, entry->principal, &name);
+    if (ret != 0) {
+	goto out;
+    }
+
+    ret = LDAP__lookup_princ(context, db, name, &msg);
+    if (ret == 0) {
+	e = ldap_first_entry((LDAP *) db->db, msg);
+    }
+
+    ret = hdb_seal_keys(context, db, entry);
+    if (ret)
+	goto out;
+
+    /* turn new entry into LDAPMod array */
+    ret = LDAP_entry2mods(context, db, entry, e, &mods);
+    if (ret != 0) {
+	goto out;
+    }
+
+    if (e == NULL) {
+	/* Doesn't exist yet. */
+	char *p;
+
+	e = NULL;
+
+	/* normalize the naming attribute */
+	for (p = name; *p != '\0'; p++) {
+	    *p = (char) tolower((int) *p);
+	}
+
+	/*
+	 * We could do getpwnam() on the local component of
+	 * the principal to find cn/sn but that's probably
+	 * bad thing to do from inside a KDC. Better leave
+	 * it to management tools.
+	 */
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "cn", name);
+	if (ret < 0) {
+	    goto out;
+	}
+
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "sn", name);
+	if (ret < 0) {
+	    goto out;
+	}
+
+	ret = asprintf(&dn, "cn=%s,%s", name, db->name);
+	if (ret < 0) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+    } else if (flags & HDB_F_REPLACE) {
+	/* Entry exists, and we're allowed to replace it. */
+	dn = ldap_get_dn((LDAP *) db->db, e);
+    } else {
+	/* Entry exists, but we're not allowed to replace it. Bail. */
+	ret = HDB_ERR_EXISTS;
+	goto out;
+    }
+
+    /* write entry into directory */
+    if (e == NULL) {
+	/* didn't exist before */
+	ret = ldap_add_s((LDAP *) db->db, dn, mods);
+    } else {
+	/* already existed, send deltas only */
+	ret = ldap_modify_s((LDAP *) db->db, dn, mods);
+    }
+
+    if (ret == LDAP_SUCCESS) {
+	ret = 0;
+    } else {
+	ret = HDB_ERR_CANT_LOCK_DB;
+    }
+
+  out:
+    /* free stuff */
+    if (dn != NULL) {
+	free(dn);
+    }
+
+    if (msg != NULL) {
+	ldap_msgfree(msg);
+    }
+
+    if (mods != NULL) {
+	ldap_mods_free(mods, 1);
+    }
+
+    if (name != NULL) {
+	free(name);
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_remove(krb5_context context, HDB * db, hdb_entry * entry)
+{
+    krb5_error_code ret;
+    LDAPMessage *msg, *e;
+    char *dn = NULL;
+
+    ret = LDAP_principal2message(context, db, entry->principal, &msg);
+    if (ret != 0) {
+	goto out;
+    }
+
+    e = ldap_first_entry((LDAP *) db->db, msg);
+    if (e == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    dn = ldap_get_dn((LDAP *) db->db, e);
+    if (dn == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    ret = LDAP_NO_LIMIT;
+    (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, &ret);
+
+    ret = ldap_delete_s((LDAP *) db->db, dn);
+    if (ret == LDAP_SUCCESS) {
+	ret = 0;
+    } else {
+	ret = HDB_ERR_CANT_LOCK_DB;
+    }
+
+  out:
+    if (dn != NULL) {
+	free(dn);
+    }
+
+    if (msg != NULL) {
+	ldap_msgfree(msg);
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP__get(krb5_context context, HDB * db, krb5_data key, krb5_data * reply)
+{
+    fprintf(stderr, "LDAP__get not implemented\n");
+    abort();
+    return 0;
+}
+
+static krb5_error_code
+LDAP__put(krb5_context context, HDB * db, int replace,
+	  krb5_data key, krb5_data value)
+{
+    fprintf(stderr, "LDAP__put not implemented\n");
+    abort();
+    return 0;
+}
+
+static krb5_error_code
+LDAP__del(krb5_context context, HDB * db, krb5_data key)
+{
+    fprintf(stderr, "LDAP__del not implemented\n");
+    abort();
+    return 0;
+}
+
+static krb5_error_code LDAP_destroy(krb5_context context, HDB * db)
+{
+    krb5_error_code ret;
+
+    ret = hdb_clear_master_key(context, db);
+    free(db->name);
+    free(db);
+
+    return ret;
+}
+
+krb5_error_code
+hdb_ldap_create(krb5_context context, HDB ** db, const char *filename)
+{
+    *db = malloc(sizeof(**db));
+    if (*db == NULL)
+	return ENOMEM;
+
+    (*db)->db = NULL;
+/*    (*db)->name = strdup(filename); */
+    (*db)->name = NULL;
+    (*db)->master_key_set = 0;
+    (*db)->openp = 0;
+    (*db)->open = LDAP_open;
+    (*db)->close = LDAP_close;
+    (*db)->fetch = LDAP_fetch;
+    (*db)->store = LDAP_store;
+    (*db)->remove = LDAP_remove;
+    (*db)->firstkey = LDAP_firstkey;
+    (*db)->nextkey = LDAP_nextkey;
+    (*db)->lock = LDAP_lock;
+    (*db)->unlock = LDAP_unlock;
+    (*db)->rename = LDAP_rename;
+    /* can we ditch these? */
+    (*db)->_get = LDAP__get;
+    (*db)->_put = LDAP__put;
+    (*db)->_del = LDAP__del;
+    (*db)->destroy = LDAP_destroy;
+
+    return 0;
+}
+
+#endif				/* OPENLDAP */
diff --git a/crypto/heimdal/lib/hdb/hdb-private.h b/crypto/heimdal/lib/hdb/hdb-private.h
index ce868bd..7563d36 100644
--- a/crypto/heimdal/lib/hdb/hdb-private.h
+++ b/crypto/heimdal/lib/hdb/hdb-private.h
@@ -26,12 +26,6 @@ _hdb_remove __P((
 	HDB *db,
 	hdb_entry *entry));
 
-void
-_hdb_seal_keys_int __P((
-	hdb_entry *ent,
-	int key_version,
-	krb5_data schedule));
-
 krb5_error_code
 _hdb_store __P((
 	krb5_context context,
@@ -39,10 +33,4 @@ _hdb_store __P((
 	unsigned flags,
 	hdb_entry *entry));
 
-void
-_hdb_unseal_keys_int __P((
-	hdb_entry *ent,
-	int key_version,
-	krb5_data schedule));
-
 #endif /* __hdb_private_h__ */
diff --git a/crypto/heimdal/lib/hdb/hdb-protos.h b/crypto/heimdal/lib/hdb/hdb-protos.h
index e0f15b1..dbb00a5 100644
--- a/crypto/heimdal/lib/hdb/hdb-protos.h
+++ b/crypto/heimdal/lib/hdb/hdb-protos.h
@@ -14,6 +14,12 @@
 #endif
 
 krb5_error_code
+hdb_add_master_key __P((
+	krb5_context context,
+	krb5_keyblock *key,
+	hdb_master_key *inout));
+
+krb5_error_code
 hdb_check_db_format __P((
 	krb5_context context,
 	HDB *db));
@@ -70,6 +76,11 @@ hdb_free_entry __P((
 void
 hdb_free_key __P((Key *key));
 
+void
+hdb_free_master_key __P((
+	krb5_context context,
+	hdb_master_key mkey));
+
 krb5_error_code
 hdb_init_db __P((
 	krb5_context context,
@@ -82,6 +93,12 @@ hdb_key2principal __P((
 	krb5_principal p));
 
 krb5_error_code
+hdb_ldap_create __P((
+	krb5_context context,
+	HDB ** db,
+	const char *filename));
+
+krb5_error_code
 hdb_lock __P((
 	int fd,
 	int operation));
@@ -95,7 +112,7 @@ hdb_ndbm_create __P((
 krb5_error_code
 hdb_next_enctype2key __P((
 	krb5_context context,
-	hdb_entry *e,
+	const hdb_entry *e,
 	krb5_enctype enctype,
 	Key **key));
 
@@ -115,25 +132,34 @@ hdb_print_entry __P((
 krb5_error_code
 hdb_process_master_key __P((
 	krb5_context context,
-	EncryptionKey key,
-	krb5_data *schedule));
+	int kvno,
+	krb5_keyblock *key,
+	krb5_enctype etype,
+	hdb_master_key *mkey));
 
 krb5_error_code
 hdb_read_master_key __P((
 	krb5_context context,
 	const char *filename,
-	EncryptionKey *key));
+	hdb_master_key *mkey));
 
-void
+krb5_error_code
 hdb_seal_keys __P((
+	krb5_context context,
 	HDB *db,
 	hdb_entry *ent));
 
 krb5_error_code
+hdb_seal_keys_mkey __P((
+	krb5_context context,
+	hdb_entry *ent,
+	hdb_master_key mkey));
+
+krb5_error_code
 hdb_set_master_key __P((
 	krb5_context context,
 	HDB *db,
-	EncryptionKey key));
+	krb5_keyblock *key));
 
 krb5_error_code
 hdb_set_master_keyfile __P((
@@ -144,15 +170,28 @@ hdb_set_master_keyfile __P((
 krb5_error_code
 hdb_unlock __P((int fd));
 
-void
+krb5_error_code
 hdb_unseal_keys __P((
+	krb5_context context,
 	HDB *db,
 	hdb_entry *ent));
 
+krb5_error_code
+hdb_unseal_keys_mkey __P((
+	krb5_context context,
+	hdb_entry *ent,
+	hdb_master_key mkey));
+
 int
 hdb_value2entry __P((
 	krb5_context context,
 	krb5_data *value,
 	hdb_entry *ent));
 
+krb5_error_code
+hdb_write_master_key __P((
+	krb5_context context,
+	const char *filename,
+	hdb_master_key mkey));
+
 #endif /* __hdb_protos_h__ */
diff --git a/crypto/heimdal/lib/hdb/hdb.asn1 b/crypto/heimdal/lib/hdb/hdb.asn1
index 99537d6..2a20cd1 100644
--- a/crypto/heimdal/lib/hdb/hdb.asn1
+++ b/crypto/heimdal/lib/hdb/hdb.asn1
@@ -1,10 +1,8 @@
--- $Id: hdb.asn1,v 1.7 1999/05/03 16:48:52 joda Exp $
+-- $Id: hdb.asn1,v 1.8 2000/06/19 15:22:22 joda Exp $
 HDB DEFINITIONS ::=
 BEGIN
 
-EncryptionKey EXTERNAL
-KerberosTime EXTERNAL
-Principal EXTERNAL
+IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
 
 HDB_DB_FORMAT INTEGER ::= 2	-- format of database, 
 				-- update when making changes
diff --git a/crypto/heimdal/lib/hdb/hdb.c b/crypto/heimdal/lib/hdb/hdb.c
index edf6677..1565f03 100644
--- a/crypto/heimdal/lib/hdb/hdb.c
+++ b/crypto/heimdal/lib/hdb/hdb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,17 +33,42 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: hdb.c,v 1.35 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: hdb.c,v 1.42 2000/11/15 23:12:15 assar Exp $");
+
+struct hdb_method {
+    const char *prefix;
+    krb5_error_code (*create)(krb5_context, HDB **, const char *filename);
+};
+
+static struct hdb_method methods[] = {
+#ifdef HAVE_DB_H
+    {"db:",	hdb_db_create},
+#endif
+#if defined(HAVE_NDBM_H) || defined(HAVE_GDBM_NDBM_H)
+    {"ndbm:",	hdb_ndbm_create},
+#endif
+#ifdef OPENLDAP
+    {"ldap:",	hdb_ldap_create},
+#endif
+#ifdef HAVE_DB_H
+    {"",	hdb_db_create},
+#elif defined(HAVE_NDBM_H)
+    {"",	hdb_ndbm_create},
+#elif defined(OPENLDAP)
+    {"",	hdb_ldap_create},
+#endif
+    {NULL,	NULL}
+};
 
 krb5_error_code
 hdb_next_enctype2key(krb5_context context,
-		     hdb_entry *e,
+		     const hdb_entry *e,
 		     krb5_enctype enctype,
 		     Key **key)
 {
     Key *k;
     
-    for (k = *key ? *key : e->keys.val; 
+    for (k = *key ? (*key) + 1 : e->keys.val;
 	 k < e->keys.val + e->keys.len; 
 	 k++)
 	if(k->key.keytype == enctype){
@@ -63,108 +88,6 @@ hdb_enctype2key(krb5_context context,
     return hdb_next_enctype2key(context, e, enctype, key);
 }
 
-/* this is a bit ugly, but will get better when the crypto framework
-   gets fixed */
-
-krb5_error_code
-hdb_process_master_key(krb5_context context, EncryptionKey key, 
-		       krb5_data *schedule)
-{
-    krb5_error_code ret;
-
-    if(key.keytype != ETYPE_DES_CBC_MD5)
-	return KRB5_PROG_KEYTYPE_NOSUPP;
-
-    ret = krb5_data_alloc (schedule, sizeof(des_key_schedule));
-    if (ret)
-	return ret;
-
-    des_set_key((des_cblock*)key.keyvalue.data, schedule->data);
-    return 0;
-}
-
-krb5_error_code
-hdb_read_master_key(krb5_context context, const char *filename, 
-		    EncryptionKey *key)
-{
-    FILE *f;
-    unsigned char buf[256];
-    size_t len;
-    krb5_error_code ret;
-    if(filename == NULL)
-	filename = HDB_DB_DIR "/m-key";
-    f = fopen(filename, "r");
-    if(f == NULL)
-	return errno;
-    len = fread(buf, 1, sizeof(buf), f);
-    if(ferror(f))
-	ret = errno;
-    else
-	ret = decode_EncryptionKey(buf, len, key, &len);
-    fclose(f);
-    memset(buf, 0, sizeof(buf));
-    return ret;
-}
-
-void
-_hdb_unseal_keys_int(hdb_entry *ent, int key_version, krb5_data schedule)
-{
-    int i;
-    for(i = 0; i < ent->keys.len; i++){
-	des_cblock iv;
-	int num = 0;
-	if(ent->keys.val[i].mkvno == NULL)
-	    continue;
-	if(*ent->keys.val[i].mkvno != key_version)
-	    ;
-	memset(&iv, 0, sizeof(iv));
-	
-	des_cfb64_encrypt(ent->keys.val[i].key.keyvalue.data, 
-			  ent->keys.val[i].key.keyvalue.data, 
-			  ent->keys.val[i].key.keyvalue.length, 
-			  schedule.data, &iv, &num, 0);
-	free(ent->keys.val[i].mkvno);
-	ent->keys.val[i].mkvno = NULL;
-    }
-}
-
-void
-hdb_unseal_keys(HDB *db, hdb_entry *ent)
-{
-    if (db->master_key_set == 0)
-	return;
-    _hdb_unseal_keys_int(ent, db->master_key_version, db->master_key);
-}
-
-void
-_hdb_seal_keys_int(hdb_entry *ent, int key_version, krb5_data schedule)
-{
-    int i;
-    for(i = 0; i < ent->keys.len; i++){
-	des_cblock iv;
-	int num = 0;
-
-	if(ent->keys.val[i].mkvno != NULL)
-	    continue;
-	memset(&iv, 0, sizeof(iv));
-	des_cfb64_encrypt(ent->keys.val[i].key.keyvalue.data, 
-			  ent->keys.val[i].key.keyvalue.data, 
-			  ent->keys.val[i].key.keyvalue.length, 
-			  schedule.data, &iv, &num, 1);
-	ent->keys.val[i].mkvno = malloc(sizeof(*ent->keys.val[i].mkvno));
-	*ent->keys.val[i].mkvno = key_version;
-    }
-}
-
-void
-hdb_seal_keys(HDB *db, hdb_entry *ent)
-{
-    if (db->master_key_set == 0)
-	return;
-    
-    _hdb_seal_keys_int(ent, db->master_key_version, db->master_key);
-}
-
 void
 hdb_free_key(Key *key)
 {
@@ -179,7 +102,8 @@ hdb_free_key(Key *key)
 krb5_error_code
 hdb_lock(int fd, int operation)
 {
-    int i, code;
+    int i, code = 0;
+
     for(i = 0; i < 3; i++){
 	code = flock(fd, (operation == HDB_RLOCK ? LOCK_SH : LOCK_EX) | LOCK_NB);
 	if(code == 0 || errno != EWOULDBLOCK)
@@ -281,69 +205,36 @@ hdb_init_db(krb5_context context, HDB *db)
     return ret;
 }
 
-krb5_error_code
-hdb_create(krb5_context context, HDB **db, const char *filename)
-{
-    krb5_error_code ret = 0;
-    if(filename == NULL)
-	filename = HDB_DEFAULT_DB;
-    initialize_hdb_error_table_r(&context->et_list);
-#ifdef HAVE_DB_H
-    ret = hdb_db_create(context, db, filename);
-#elif HAVE_NDBM_H
-    ret = hdb_ndbm_create(context, db, filename);
-#else
-    krb5_errx(context, 1, "No database support! (hdb_create)");
-#endif
-    return ret;
-}
+/*
+ * find the relevant method for `filename', returning a pointer to the
+ * rest in `rest'.
+ * return NULL if there's no such method.
+ */
 
-krb5_error_code
-hdb_set_master_key (krb5_context context,
-		    HDB *db,
-		    EncryptionKey key)
+static const struct hdb_method *
+find_method (const char *filename, const char **rest)
 {
-    krb5_error_code ret;
+    const struct hdb_method *h;
 
-    ret = hdb_process_master_key(context, key, &db->master_key);
-    if (ret)
-	return ret;
-#if 0 /* XXX - why? */
-    des_set_random_generator_seed(key.keyvalue.data);
-#endif
-    db->master_key_set = 1;
-    db->master_key_version = 0; /* XXX */
-    return 0;
+    for (h = methods; h->prefix != NULL; ++h)
+	if (strncmp (filename, h->prefix, strlen(h->prefix)) == 0) {
+	    *rest = filename + strlen(h->prefix);
+	    return h;
+	}
+    return NULL;
 }
 
 krb5_error_code
-hdb_set_master_keyfile (krb5_context context,
-			HDB *db,
-			const char *keyfile)
+hdb_create(krb5_context context, HDB **db, const char *filename)
 {
-    EncryptionKey key;
-    krb5_error_code ret;
-
-    ret = hdb_read_master_key(context, keyfile, &key);
-    if (ret) {
-	if (ret != ENOENT)
-	    return ret;
-	return 0;
-    }
-    ret = hdb_set_master_key(context, db, key);
-    memset(key.keyvalue.data, 0, key.keyvalue.length);
-    free_EncryptionKey(&key);
-    return ret;
-}
+    const struct hdb_method *h;
+    const char *residual;
 
-krb5_error_code
-hdb_clear_master_key (krb5_context context,
-		      HDB *db)
-{
-    if (db->master_key_set) {
-	memset(db->master_key.data, 0, db->master_key.length);
-	krb5_data_free(&db->master_key);
-	db->master_key_set = 0;
-    }
-    return 0;
+    if(filename == NULL)
+	filename = HDB_DEFAULT_DB;
+    initialize_hdb_error_table_r(&context->et_list);
+    h = find_method (filename, &residual);
+    if (h == NULL)
+	krb5_errx(context, 1, "No database support! (hdb_create)");
+    return (*h->create)(context, db, residual);
 }
diff --git a/crypto/heimdal/lib/hdb/hdb.h b/crypto/heimdal/lib/hdb/hdb.h
index f4cb001..21d739b 100644
--- a/crypto/heimdal/lib/hdb/hdb.h
+++ b/crypto/heimdal/lib/hdb/hdb.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: hdb.h,v 1.26 1999/12/02 17:05:05 joda Exp $ */
+/* $Id: hdb.h,v 1.31 2000/07/08 16:03:37 joda Exp $ */
 
 #ifndef __HDB_H__
 #define __HDB_H__
@@ -46,12 +46,17 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_DECRYPT	1 /* decrypt keys */
 #define HDB_F_REPLACE	2 /* replace entry */
 
+/* key usage for master key */
+#define HDB_KU_MKEY	0x484442
+
+typedef struct hdb_master_key_data *hdb_master_key;
+
 typedef struct HDB{
     void *db;
+    void *dbc;
     char *name;
     int master_key_set;
-    krb5_data master_key;
-    int master_key_version;
+    hdb_master_key master_key;
     int openp;
 
     krb5_error_code (*open)(krb5_context, struct HDB*, int, mode_t);
diff --git a/crypto/heimdal/lib/hdb/hdb_err.et b/crypto/heimdal/lib/hdb/hdb_err.et
index a08a2d4..9929a56 100644
--- a/crypto/heimdal/lib/hdb/hdb_err.et
+++ b/crypto/heimdal/lib/hdb/hdb_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: hdb_err.et,v 1.4 1998/02/16 16:29:15 joda Exp $"
+id "$Id: hdb_err.et,v 1.5 2001/01/28 23:05:52 assar Exp $"
 
 error_table hdb
 
@@ -22,5 +22,6 @@ error_code BADLOCKMODE,		"Invalid kdb lock mode"
 error_code CANT_LOCK_DB,	"Insufficient access to lock database"
 error_code EXISTS,		"Entry already exists in database"
 error_code BADVERSION,		"Wrong database version"
+error_code NO_MKEY,		"No correct master key"
 
 end
diff --git a/crypto/heimdal/lib/hdb/keytab.c b/crypto/heimdal/lib/hdb/keytab.c
index d9be75d..5de3cc5 100644
--- a/crypto/heimdal/lib/hdb/keytab.c
+++ b/crypto/heimdal/lib/hdb/keytab.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -35,20 +35,24 @@
 
 /* keytab backend for HDB databases */
 
-RCSID("$Id: keytab.c,v 1.2 1999/08/26 13:24:05 joda Exp $");
+RCSID("$Id: keytab.c,v 1.3 2000/08/27 04:31:42 assar Exp $");
 
 struct hdb_data {
     char *dbname;
     char *mkey;
-    HDB *db;
 };
 
+/*
+ * the format for HDB keytabs is:
+ * HDB:[database:mkey]
+ */
+
 static krb5_error_code
 hdb_resolve(krb5_context context, const char *name, krb5_keytab id)
 {
-    krb5_error_code ret;
     struct hdb_data *d;
     const char *db, *mkey;
+
     d = malloc(sizeof(*d));
     if(d == NULL)
 	return ENOMEM;
@@ -74,7 +78,7 @@ hdb_resolve(krb5_context context, const char *name, krb5_keytab id)
 		free(d);
 		return ENOMEM;
 	    }
-	    strncpy(d->dbname, db, mkey - db);
+	    memmove(d->dbname, db, mkey - db);
 	    d->dbname[mkey - db] = '\0';
 	}
 	d->mkey = strdup(mkey + 1);
@@ -84,21 +88,6 @@ hdb_resolve(krb5_context context, const char *name, krb5_keytab id)
 	    return ENOMEM;
 	}
     }
-    ret = hdb_create(context, &d->db, d->dbname);
-    if(ret) {
-	free(d->dbname);
-	free(d->mkey);
-	free(d);
-	return ret;
-    }
-    ret = hdb_set_master_keyfile (context, d->db, d->mkey);
-    if(ret) {
-	(*d->db->destroy)(context, d->db);
-	free(d->dbname);
-	free(d->mkey);
-	free(d);
-	return ret;
-    }
     id->data = d;
     return 0;
 }
@@ -107,7 +96,9 @@ static krb5_error_code
 hdb_close(krb5_context context, krb5_keytab id)
 {
     struct hdb_data *d = id->data;
-    (*d->db->destroy)(context, d->db);
+
+    free(d->dbname);
+    free(d->mkey);
     free(d);
     return 0;
 }
@@ -119,6 +110,7 @@ hdb_get_name(krb5_context context,
 	     size_t namesize)
 {
     struct hdb_data *d = id->data;
+
     snprintf(name, namesize, "%s%s%s", 
 	     d->dbname ? d->dbname : "",
 	     (d->dbname || d->mkey) ? ":" : "",
@@ -126,6 +118,68 @@ hdb_get_name(krb5_context context,
     return 0;
 }
 
+static void
+set_config (krb5_context context,
+	    krb5_config_binding *binding,
+	    const char **dbname,
+	    const char **mkey)
+{
+    *dbname = krb5_config_get_string(context, binding, "dbname", NULL);
+    *mkey   = krb5_config_get_string(context, binding, "mkey_file", NULL);
+}
+
+/*
+ * try to figure out the database (`dbname') and master-key (`mkey')
+ * that should be used for `principal'.
+ */
+
+static void
+find_db (krb5_context context,
+	 const char **dbname,
+	 const char **mkey,
+	 krb5_const_principal principal)
+{
+    krb5_config_binding *top_bind = NULL;
+    krb5_config_binding *default_binding = NULL;
+    krb5_config_binding *db;
+    krb5_realm *prealm = krb5_princ_realm(context, (krb5_principal)principal);
+
+    *dbname = *mkey = NULL;
+
+    while ((db = (krb5_config_binding *)
+	    krb5_config_get_next(context,
+				 NULL,
+				 &top_bind,
+				 krb5_config_list,
+				 "kdc",
+				 "database",
+				 NULL)) != NULL) {
+	const char *p;
+	
+	p = krb5_config_get_string (context, db, "realm", NULL);
+	if (p == NULL) {
+	    if(default_binding) {
+		krb5_warnx(context, "WARNING: more than one realm-less "
+			   "database specification");
+		krb5_warnx(context, "WARNING: using the first encountered");
+	    } else
+		default_binding = db;
+	} else if (strcmp (*prealm, p) == 0) {
+	    set_config (context, db, dbname, mkey);
+	    break;
+	}
+    }
+    if (*dbname == NULL && default_binding != NULL)
+	set_config (context, default_binding, dbname, mkey);
+    if (*dbname == NULL)
+	*dbname = HDB_DEFAULT_DB;
+}
+
+/*
+ * find the keytab entry in `id' for `principal, kvno, enctype' and return
+ * it in `entry'.  return 0 or an error code
+ */
+
 static krb5_error_code
 hdb_get_entry(krb5_context context,
 	      krb5_keytab id,
@@ -138,13 +192,32 @@ hdb_get_entry(krb5_context context,
     krb5_error_code ret;
     struct hdb_data *d = id->data;
     int i;
+    HDB *db;
+    const char *dbname = d->dbname;
+    const char *mkey   = d->mkey;
+
+    if (dbname == NULL)
+	find_db (context, &dbname, &mkey, principal);
 
-    ret = (*d->db->open)(context, d->db, O_RDONLY, 0);
+    ret = hdb_create (context, &db, dbname);
     if (ret)
 	return ret;
+    ret = hdb_set_master_keyfile (context, db, mkey);
+    if (ret) {
+	(*db->destroy)(context, db);
+	return ret;
+    }
+	
+    ret = (*db->open)(context, db, O_RDONLY, 0);
+    if (ret) {
+	(*db->destroy)(context, db);
+	return ret;
+    }
     ent.principal = (krb5_principal)principal;
-    ret = (*d->db->fetch)(context, d->db, HDB_F_DECRYPT, &ent);
-    (*d->db->close)(context, d->db);
+    ret = (*db->fetch)(context, db, HDB_F_DECRYPT, &ent);
+    (*db->close)(context, db);
+    (*db->destroy)(context, db);
+
     if(ret == HDB_ERR_NOENTRY)
 	return KRB5_KT_NOTFOUND;
     else if(ret)
@@ -184,4 +257,3 @@ krb5_kt_ops hdb_kt_ops = {
     NULL,		/* add */
     NULL		/* remove */
 };
-
diff --git a/crypto/heimdal/lib/hdb/mkey.c b/crypto/heimdal/lib/hdb/mkey.c
new file mode 100644
index 0000000..2c85333
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/mkey.c
@@ -0,0 +1,475 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+RCSID("$Id: mkey.c,v 1.8 2001/01/30 01:20:57 assar Exp $");
+
+struct hdb_master_key_data {
+    krb5_keytab_entry keytab;
+    krb5_crypto crypto;
+    struct hdb_master_key_data *next;
+};
+
+void
+hdb_free_master_key(krb5_context context, hdb_master_key mkey)
+{
+    struct hdb_master_key_data *ptr;
+    while(mkey) {
+	krb5_kt_free_entry(context, &mkey->keytab);
+	krb5_crypto_destroy(context, mkey->crypto);
+	ptr = mkey;
+	mkey = mkey->next;
+	free(ptr);
+    }
+}
+
+krb5_error_code
+hdb_process_master_key(krb5_context context,
+		       int kvno, krb5_keyblock *key, krb5_enctype etype,
+		       hdb_master_key *mkey)
+{
+    krb5_error_code ret;
+    *mkey = calloc(1, sizeof(**mkey));
+    if(*mkey == NULL)
+	return ENOMEM;
+    (*mkey)->keytab.vno = kvno;
+    ret = krb5_parse_name(context, "K/M", &(*mkey)->keytab.principal);
+    ret = krb5_copy_keyblock_contents(context, key, &(*mkey)->keytab.keyblock);
+    if(ret) {
+	free(*mkey);
+	*mkey = NULL;
+	return ret;
+    }
+    if(etype != 0)
+	(*mkey)->keytab.keyblock.keytype = etype;
+    (*mkey)->keytab.timestamp = time(NULL);
+    ret = krb5_crypto_init(context, key, etype, &(*mkey)->crypto);
+    if(ret) {
+	krb5_free_keyblock_contents(context, &(*mkey)->keytab.keyblock);
+	free(*mkey);
+	*mkey = NULL;
+    }
+    return ret;
+}
+
+krb5_error_code
+hdb_add_master_key(krb5_context context, krb5_keyblock *key,
+		   hdb_master_key *inout)
+{
+    int vno = 0;
+    hdb_master_key p;
+    krb5_error_code ret;
+
+    for(p = *inout; p; p = p->next)
+	vno = max(vno, p->keytab.vno);
+    vno++;
+    ret = hdb_process_master_key(context, vno, key, 0, &p);
+    if(ret)
+	return ret;
+    p->next = *inout;
+    *inout = p;
+    return 0;
+}
+
+static krb5_error_code
+read_master_keytab(krb5_context context, const char *filename, 
+		   hdb_master_key *mkey)
+{
+    krb5_error_code ret;
+    krb5_keytab id;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+    hdb_master_key p;
+    
+    ret = krb5_kt_resolve(context, filename, &id);
+    if(ret)
+	return ret;
+
+    ret = krb5_kt_start_seq_get(context, id, &cursor);
+    if(ret)
+	goto out;
+    *mkey = NULL;
+    while(krb5_kt_next_entry(context, id, &entry, &cursor) == 0) {
+	p = calloc(1, sizeof(*p));
+	p->keytab = entry;
+	ret = krb5_crypto_init(context, &p->keytab.keyblock, 0, &p->crypto);
+	p->next = *mkey;
+	*mkey = p;
+    }
+    krb5_kt_end_seq_get(context, id, &cursor);
+  out:
+    krb5_kt_close(context, id);
+    return ret;
+}
+
+/* read a MIT master keyfile */
+static krb5_error_code
+read_master_mit(krb5_context context, const char *filename, 
+		hdb_master_key *mkey)
+{
+    int fd;
+    krb5_error_code ret;
+    krb5_storage *sp;
+    u_int16_t enctype;
+    krb5_keyblock key;
+	       
+    fd = open(filename, O_RDONLY | O_BINARY);
+    if(fd < 0)
+	return errno;
+    sp = krb5_storage_from_fd(fd);
+    if(sp == NULL) {
+	close(fd);
+	return errno;
+    }
+    krb5_storage_set_flags(sp, KRB5_STORAGE_HOST_BYTEORDER);
+#if 0
+    /* could possibly use ret_keyblock here, but do it with more
+       checks for now */
+    ret = krb5_ret_keyblock(sp, &key);
+#else
+    ret = krb5_ret_int16(sp, &enctype);
+    if((htons(enctype) & 0xff00) == 0x3000) {
+	ret = HEIM_ERR_BAD_MKEY;
+	goto out;
+    }
+    key.keytype = enctype;
+    ret = krb5_ret_data(sp, &key.keyvalue);
+    if(ret)
+	goto out;
+#endif
+    ret = hdb_process_master_key(context, 0, &key, 0, mkey);
+    krb5_free_keyblock_contents(context, &key);
+  out:
+    krb5_storage_free(sp);
+    close(fd);
+    return ret;
+}
+
+/* read an old master key file */
+static krb5_error_code
+read_master_encryptionkey(krb5_context context, const char *filename, 
+			  hdb_master_key *mkey)
+{
+    int fd;
+    krb5_keyblock key;
+    krb5_error_code ret;
+    unsigned char buf[256];
+    ssize_t len;
+	       
+    fd = open(filename, O_RDONLY | O_BINARY);
+    if(fd < 0)
+	return errno;
+    
+    len = read(fd, buf, sizeof(buf));
+    close(fd);
+    if(len < 0)
+	return errno;
+
+    ret = decode_EncryptionKey(buf, len, &key, &len);
+    memset(buf, 0, sizeof(buf));
+    if(ret)
+	return ret;
+
+    /* Originally, the keytype was just that, and later it got changed
+       to des-cbc-md5, but we always used des in cfb64 mode. This
+       should cover all cases, but will break if someone has hacked
+       this code to really use des-cbc-md5 -- but then that's not my
+       problem. */
+    if(key.keytype == KEYTYPE_DES || key.keytype == ETYPE_DES_CBC_MD5)
+	key.keytype = ETYPE_DES_CFB64_NONE;
+    
+    ret = hdb_process_master_key(context, 0, &key, 0, mkey);
+    krb5_free_keyblock_contents(context, &key);
+    return ret;
+}
+
+/* read a krb4 /.k style file */
+static krb5_error_code
+read_master_krb4(krb5_context context, const char *filename, 
+		 hdb_master_key *mkey)
+{
+    int fd;
+    krb5_keyblock key;
+    krb5_error_code ret;
+    unsigned char buf[256];
+    ssize_t len;
+	       
+    fd = open(filename, O_RDONLY | O_BINARY);
+    if(fd < 0)
+	return errno;
+    
+    len = read(fd, buf, sizeof(buf));
+    close(fd);
+    if(len < 0)
+	return errno;
+
+    memset(&key, 0, sizeof(key));
+    key.keytype = ETYPE_DES_PCBC_NONE;
+    ret = krb5_data_copy(&key.keyvalue, buf, len);
+    memset(buf, 0, sizeof(buf));
+    if(ret) 
+	return ret;
+
+    ret = hdb_process_master_key(context, 0, &key, 0, mkey);
+    krb5_free_keyblock_contents(context, &key);
+    return ret;
+}
+
+krb5_error_code
+hdb_read_master_key(krb5_context context, const char *filename, 
+		    hdb_master_key *mkey)
+{
+    FILE *f;
+    unsigned char buf[16];
+    krb5_error_code ret;
+
+    off_t len;
+
+    *mkey = NULL;
+
+    if(filename == NULL)
+	filename = HDB_DB_DIR "/m-key";
+
+    f = fopen(filename, "r");
+    if(f == NULL)
+	return errno;
+    
+    if(fread(buf, 1, 2, f) != 2) {
+	fclose(f);
+	return HEIM_ERR_EOF;
+    }
+    
+    fseek(f, 0, SEEK_END);
+    len = ftell(f);
+
+    if(fclose(f) != 0)
+	return errno;
+    
+    if(len < 0)
+	return errno;
+    
+    if(len == 8) {
+	ret = read_master_krb4(context, filename, mkey);
+    } else if(buf[0] == 0x30 && len <= 127 && buf[1] == len - 2) {
+	ret = read_master_encryptionkey(context, filename, mkey);
+    } else if(buf[0] == 5 && buf[1] >= 1 && buf[1] <= 2) {
+	ret = read_master_keytab(context, filename, mkey);
+    } else {
+	ret = read_master_mit(context, filename, mkey);
+    }
+    return ret;
+}
+
+krb5_error_code
+hdb_write_master_key(krb5_context context, const char *filename, 
+		     hdb_master_key mkey)
+{
+    krb5_error_code ret;
+    hdb_master_key p;
+    krb5_keytab kt;
+
+    if(filename == NULL)
+	filename = HDB_DB_DIR "/m-key";
+
+    ret = krb5_kt_resolve(context, filename, &kt);
+    if(ret)
+	return ret;
+
+    for(p = mkey; p; p = p->next) {
+	ret = krb5_kt_add_entry(context, kt, &p->keytab);
+    }
+
+    krb5_kt_close(context, kt);
+
+    return ret;
+}
+
+static hdb_master_key
+find_master_key(Key *key, hdb_master_key mkey)
+{
+    hdb_master_key ret = NULL;
+    while(mkey) {
+	if(ret == NULL && mkey->keytab.vno == 0)
+	    ret = mkey;
+	if(key->mkvno == NULL) {
+	    if(ret == NULL || mkey->keytab.vno > ret->keytab.vno)
+		ret = mkey;
+	} else if(mkey->keytab.vno == *key->mkvno)
+	    return mkey;
+	mkey = mkey->next;
+    }
+    return ret;
+}
+
+krb5_error_code
+hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
+{
+    int i;
+    krb5_error_code ret;
+    krb5_data res;
+    Key *k;
+
+    for(i = 0; i < ent->keys.len; i++){
+	hdb_master_key key;
+
+	k = &ent->keys.val[i];
+	if(k->mkvno == NULL)
+	    continue;
+
+	key = find_master_key(&ent->keys.val[i], mkey);
+
+	if (key == NULL)
+	    return HDB_ERR_NO_MKEY;
+
+	ret = krb5_decrypt(context, key->crypto, HDB_KU_MKEY,
+			   k->key.keyvalue.data,
+			   k->key.keyvalue.length,
+			   &res);
+	if (ret)
+	    return ret;
+
+	memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
+	free(k->key.keyvalue.data);
+	k->key.keyvalue = res;
+	free(k->mkvno);
+	k->mkvno = NULL;
+    }
+    return 0;
+}
+
+krb5_error_code
+hdb_unseal_keys(krb5_context context, HDB *db, hdb_entry *ent)
+{
+    if (db->master_key_set == 0)
+	return 0;
+    return hdb_unseal_keys_mkey(context, ent, db->master_key);
+}
+
+krb5_error_code
+hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
+{
+    int i;
+    krb5_error_code ret;
+    krb5_data res;
+    for(i = 0; i < ent->keys.len; i++){
+	Key *k = &ent->keys.val[i];
+	hdb_master_key key;
+
+	if(k->mkvno != NULL)
+	    continue;
+
+	key = find_master_key(k, mkey);
+
+	if (key == NULL)
+	    return HDB_ERR_NO_MKEY;
+
+	ret = krb5_encrypt(context, key->crypto, HDB_KU_MKEY,
+			   k->key.keyvalue.data,
+			   k->key.keyvalue.length,
+			   &res);
+	if (ret)
+	    return ret;
+
+	memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
+	free(k->key.keyvalue.data);
+	k->key.keyvalue = res;
+
+	k->mkvno = malloc(sizeof(*k->mkvno));
+	if (k->mkvno == NULL)
+	    return ENOMEM;
+	*k->mkvno = key->keytab.vno;
+    }
+    return 0;
+}
+
+krb5_error_code
+hdb_seal_keys(krb5_context context, HDB *db, hdb_entry *ent)
+{
+    if (db->master_key_set == 0)
+	return 0;
+    
+    return hdb_seal_keys_mkey(context, ent, db->master_key);
+}
+
+krb5_error_code
+hdb_set_master_key (krb5_context context,
+		    HDB *db,
+		    krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    hdb_master_key mkey;
+
+    ret = hdb_process_master_key(context, 0, key, 0, &mkey);
+    if (ret)
+	return ret;
+    db->master_key = mkey;
+#if 0 /* XXX - why? */
+    des_set_random_generator_seed(key.keyvalue.data);
+#endif
+    db->master_key_set = 1;
+    return 0;
+}
+
+krb5_error_code
+hdb_set_master_keyfile (krb5_context context,
+			HDB *db,
+			const char *keyfile)
+{
+    hdb_master_key key;
+    krb5_error_code ret;
+
+    ret = hdb_read_master_key(context, keyfile, &key);
+    if (ret) {
+	if (ret != ENOENT)
+	    return ret;
+	return 0;
+    }
+    db->master_key = key;
+    db->master_key_set = 1;
+    return ret;
+}
+
+krb5_error_code
+hdb_clear_master_key (krb5_context context,
+		      HDB *db)
+{
+    if (db->master_key_set) {
+	hdb_free_master_key(context, db->master_key);
+	db->master_key_set = 0;
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/hdb/ndbm.c b/crypto/heimdal/lib/hdb/ndbm.c
index 79ca978..b4335f9 100644
--- a/crypto/heimdal/lib/hdb/ndbm.c
+++ b/crypto/heimdal/lib/hdb/ndbm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,9 +33,9 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: ndbm.c,v 1.26 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: ndbm.c,v 1.30 2001/01/30 01:24:00 assar Exp $");
 
-#ifdef HAVE_NDBM_H
+#if defined(HAVE_NDBM_H) || defined(HAVE_GDBM_NDBM_H)
 
 struct ndbm_db {
     DBM *db;
@@ -75,7 +75,7 @@ NDBM_seq(krb5_context context, HDB *db,
     struct ndbm_db *d = (struct ndbm_db *)db->db;
     datum key, value;
     krb5_data key_data, data;
-    krb5_error_code ret;
+    krb5_error_code ret = 0;
 
     if(first)
 	key = dbm_firstkey(d->db);
@@ -93,13 +93,21 @@ NDBM_seq(krb5_context context, HDB *db,
     data.length = value.dsize;
     if(hdb_value2entry(context, &data, entry))
 	return NDBM_seq(context, db, flags, entry, 0);
-    if (db->master_key_set && (flags & HDB_F_DECRYPT))
-	hdb_unseal_keys (db, entry);
+    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	ret = hdb_unseal_keys (context, db, entry);
+	if (ret)
+	    hdb_free_entry (context, entry);
+    }
     if (entry->principal == NULL) {
 	entry->principal = malloc (sizeof(*entry->principal));
-	hdb_key2principal (context, &key_data, entry->principal);
+	if (entry->principal == NULL) {
+	    ret = ENOMEM;
+	    hdb_free_entry (context, entry);
+	} else {
+	    hdb_key2principal (context, &key_data, entry->principal);
+	}
     }
-    return 0;
+    return ret;
 }
 
 
@@ -312,5 +320,4 @@ hdb_ndbm_create(krb5_context context, HDB **db,
     return 0;
 }
 
-
 #endif
diff --git a/crypto/heimdal/lib/hdb/print.c b/crypto/heimdal/lib/hdb/print.c
index 5db3166..903e78b 100644
--- a/crypto/heimdal/lib/hdb/print.c
+++ b/crypto/heimdal/lib/hdb/print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 #include "hdb_locl.h"
 #include <ctype.h>
 
-RCSID("$Id: print.c,v 1.4 1999/12/26 13:50:22 assar Exp $");
+RCSID("$Id: print.c,v 1.5 2001/01/26 15:08:36 joda Exp $");
 
 /* 
    This is the present contents of a dump line. This might change at
@@ -75,9 +75,14 @@ append_hex(char *str, krb5_data *data)
 	p[data->length + 1] = '\"';
 	memcpy(p + 1, data->data, data->length);
     }else{
-	p = calloc(1, data->length * 2 + 1);
-	for(i = 0; i < data->length; i++)
-	    sprintf(p + 2 * i, "%02x", ((u_char*)data->data)[i]);
+	const char *xchars = "0123456789abcdef";
+	char *q = p = malloc(data->length * 2 + 1);
+	for(i = 0; i < data->length; i++) {
+	    unsigned char c = ((u_char*)data->data)[i];
+	    *q++ = xchars[(c & 0xf0) >> 4];
+	    *q++ = xchars[(c & 0xf)];
+	}
+	*q = '\0';
     }
     strcat(str, p);
     free(p);
@@ -123,6 +128,7 @@ hdb_entry2string(krb5_context context, hdb_entry *ent, char **str)
 {
     char *p;
     char buf[1024] = "";
+    char tmp[32];
     int i;
     krb5_error_code ret;
 
@@ -134,29 +140,26 @@ hdb_entry2string(krb5_context context, hdb_entry *ent, char **str)
     strlcat(buf, " ", sizeof(buf));
     free(p);
     /* --- kvno */
-    asprintf(&p, "%d", ent->kvno);
-    strlcat(buf, p, sizeof(buf));
-    free(p);
+    snprintf(tmp, sizeof(tmp), "%d", ent->kvno);
+    strlcat(buf, tmp, sizeof(buf));
     /* --- keys */
     for(i = 0; i < ent->keys.len; i++){
 	/* --- mkvno, keytype */
 	if(ent->keys.val[i].mkvno)
-	    asprintf(&p, ":%d:%d:", 
+	    snprintf(tmp, sizeof(tmp), ":%d:%d:", 
 		     *ent->keys.val[i].mkvno, 
 		     ent->keys.val[i].key.keytype);
 	else
-	    asprintf(&p, "::%d:", 
+	    snprintf(tmp, sizeof(tmp), "::%d:", 
 		     ent->keys.val[i].key.keytype);
-	strlcat(buf, p, sizeof(buf));
-	free(p);
+	strlcat(buf, tmp, sizeof(buf));
 	/* --- keydata */
 	append_hex(buf, &ent->keys.val[i].key.keyvalue);
 	strlcat(buf, ":", sizeof(buf));
 	/* --- salt */
 	if(ent->keys.val[i].salt){
-	    asprintf(&p, "%u/", ent->keys.val[i].salt->type);
-	    strlcat(buf, p, sizeof(buf));
-	    free(p);
+	    snprintf(tmp, sizeof(tmp), "%u/", ent->keys.val[i].salt->type);
+	    strlcat(buf, tmp, sizeof(buf));
 	    append_hex(buf, &ent->keys.val[i].salt->salt);
 	}else
 	    strlcat(buf, "-", sizeof(buf));
@@ -196,28 +199,25 @@ hdb_entry2string(krb5_context context, hdb_entry *ent, char **str)
 
     /* --- max life */
     if(ent->max_life){
-	asprintf(&p, "%d", *ent->max_life);
-	strlcat(buf, p, sizeof(buf));
-	free(p);
+	snprintf(tmp, sizeof(tmp), "%d", *ent->max_life);
+	strlcat(buf, tmp, sizeof(buf));
     }else
 	strlcat(buf, "-", sizeof(buf));
     strlcat(buf, " ", sizeof(buf));
 
     /* --- max renewable life */
     if(ent->max_renew){
-	asprintf(&p, "%d", *ent->max_renew);
-	strlcat(buf, p, sizeof(buf));
-	free(p);
+	snprintf(tmp, sizeof(tmp), "%d", *ent->max_renew);
+	strlcat(buf, tmp, sizeof(buf));
     }else
 	strlcat(buf, "-", sizeof(buf));
     
     strlcat(buf, " ", sizeof(buf));
 
     /* --- flags */
-    asprintf(&p, "%d", HDBFlags2int(ent->flags));
-    strlcat(buf, p, sizeof(buf));
-    free(p);
-
+    snprintf(tmp, sizeof(tmp), "%d", HDBFlags2int(ent->flags));
+    strlcat(buf, tmp, sizeof(buf));
+    
     *str = strdup(buf);
     
     return 0;
diff --git a/crypto/heimdal/lib/kadm5/ChangeLog b/crypto/heimdal/lib/kadm5/ChangeLog
index f5a6ee4..0d2699d 100644
--- a/crypto/heimdal/lib/kadm5/ChangeLog
+++ b/crypto/heimdal/lib/kadm5/ChangeLog
@@ -1,3 +1,204 @@
+2001-01-30  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump versions
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* init_s.c (*): handle krb5_init_context failure consistently
+	* init_c.c (init_context): handle krb5_init_context failure
+	consistently
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5srv_la_LDFLAGS): bump version to 7:2:0
+
+2000-11-16  Assar Westerlund  <assar@sics.se>
+
+	* set_keys.c (make_keys): clean-up salting loop and try not to
+	leak memory
+
+	* ipropd_master.c (main): check for fd's being too large to select
+	on
+
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5srv_la_LDFLAGS): bump version to 7:1:0
+
+2000-08-10  Assar Westerlund  <assar@sics.se>
+
+	* acl.c (fetch_acl): fix wrong cases, use krb5_principal_match
+
+2000-08-07  Assar Westerlund  <assar@sics.se>
+
+	* ipropd_master.c (main): ignore SIGPIPE
+
+2000-08-06  Assar Westerlund  <assar@sics.se>
+
+	* ipropd_slave.c (receive_everything): make `fd' an int instead of
+	a pointer.  From Derrick J Brashear <shadow@dementia.org>
+
+2000-08-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* admin.h: change void** to void*
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bump versions to 7:0:0 and 6:0:2
+
+2000-07-24  Assar Westerlund  <assar@sics.se>
+
+	* log.c (kadm5_log_get_version): rename kadm5_log_get_version_fd
+	and make a new that takes a context
+	(kadm5_log_nop): add logging of missing lengths
+	(kadm5_log_truncate): new function
+
+	* dump_log.c (print_entry): update and correct
+	* randkey_s.c: call _kadm5_bump_pw_expire
+	* truncate_log.c: new program for truncating the log
+	* Makefile.am (sbin_PROGRAMS): add truncate_log
+	(C_SOURCES): add bump_pw_expire.c
+	* bump_pw_expire.c: new function for extending password expiration
+
+2000-07-22  Assar Westerlund  <assar@sics.se>
+
+	* keys.c: new file with _kadm5_free_keys, _kadm5_init_keys
+
+	* set_keys.c (free_keys, init_keys): elevate to internal kadm5
+	functions
+
+	* chpass_s.c (kadm5_s_chpass_principal_cond): new function
+	* Makefile.am (C_SOURCES): add keys.c
+	* init_c.c: remove unused variable and handle some parameters
+	being NULL
+
+2000-07-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ipropd_slave.c: use krb5_read_priv_message
+
+	* ipropd_master.c: use krb5_{read,write}_priv_message
+
+	* init_c.c: use krb5_write_priv_message
+
+2000-07-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ipropd_slave.c: no need to call gethostname, since
+	sname_to_principal will
+
+	* send_recv.c: assert that we have a connected socket
+
+	* get_princs_c.c: call _kadm5_connect
+
+	* rename_c.c: call _kadm5_connect
+
+	* randkey_c.c: call _kadm5_connect
+
+	* privs_c.c: call _kadm5_connect
+
+	* modify_c.c: call _kadm5_connect
+
+	* get_c.c: call _kadm5_connect
+
+	* delete_c.c: call _kadm5_connect
+
+	* create_c.c: call _kadm5_connect
+
+	* chpass_c.c: call _kadm5_connect
+
+	* private.h: add more fields to client context; remove prototypes
+
+	* admin.h: remove prototypes
+
+	* kadm5-protos.h: move public prototypes here
+
+	* kadm5-private.h: move private prototypes here
+
+	* init_c.c: break out connection code to separate function, and
+	defer calling it until we actually do something
+
+2000-07-07  Assar Westerlund  <assar@sics.se>
+
+	* set_keys.c (make_keys): also support `[kadmin]use_v4_salt' for
+	backwards compatability
+
+2000-06-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* set_keys.c (_kadm5_set_keys): rewrite this to be more easily
+	adaptable to different salts
+	
+2000-06-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* get_s.c: pa_* -> KRB5_PADATA_*
+
+2000-06-16  Assar Westerlund  <assar@sics.se>
+
+	* ipropd_slave.c: change default keytab to default keytab (as in
+	typically FILE:/etc/krb5.keytab)
+
+2000-06-08  Assar Westerlund  <assar@sics.se>
+
+	* ipropd_slave.c: bug fixes, for actually writing the full dump to
+	the database.  based on a patch from Love <lha@stacken.kth.se>
+
+2000-06-07  Assar Westerlund  <assar@sics.se>
+
+	* acl.c: add support for patterns of principals
+	* log.c (kadm5_log_replay_create): handle more NULL pointers
+	(should they really happen?)
+	* log.c (kadm5_log_replay_modify): handle max_life == NULL and
+	max_renew == NULL
+
+	* ipropd_master.c: use syslog.  be less verbose
+	* ipropd_slave.c: use syslog
+
+2000-06-05  Assar Westerlund  <assar@sics.se>
+
+	* private.h (kadm_ops): add kadm_nop more prototypes
+	* log.c (kadm5_log_set_version, kadm5_log_reinit, kadm5_log_nop,
+	kadm5_log_replay_nop): add
+	* ipropd_slave.c: and some more improvements
+	* ipropd_master.c: lots of improvements
+	* iprop.h (IPROP_PORT, IPROP_SERVICE): add
+	(iprop_cmd): add new commands
+
+	* dump_log.c: add nop
+
+2000-05-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5clnt_la_LDFLAGS): set version to 5:1:1
+
+2000-05-12  Assar Westerlund  <assar@sics.se>
+
+	* get_s.c (kadm5_s_get_principal): set life, rlife to INT_MAX as a
+	fallback.  handle not having any creator.
+	* destroy_s.c (kadm5_s_destroy): free all allocated memory
+	* context_s.c (set_field): free variable if it's already set
+	(find_db_spec): malloc space for all strings
+
+2000-04-05  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (LDADD): add LIB_openldap
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5srv_la_LDFLAGS): set version to 6:0:1
+	(libkadm5clnt_la_LDFLAGS): set version to 5:0:1
+
+2000-03-24  Assar Westerlund  <assar@sics.se>
+
+	* set_keys.c (_kadm5_set_keys2): rewrite
+	(_kadm5_set_keys3): add
+
+	* private.h (struct kadm_func): add chpass_principal_with_key
+	* init_c.c (set_funcs): add chpass_principal_with_key
+
+2000-03-23  Assar Westerlund  <assar@sics.se>
+
+	* context_s.c (set_funcs): add chpass_principal_with_key
+	* common_glue.c (kadm5_chpass_principal_with_key): add
+	* chpass_s.c: comment-ize and change calling convention for
+	_kadm5_set_keys*
+	* chpass_c.c (kadm5_c_chpass_principal_with_key): add
+
 2000-02-07  Assar Westerlund  <assar@sics.se>
 
 	* Makefile.am (libkadm5clnt_la_LDFLAGS): set version to 4:2:0
diff --git a/crypto/heimdal/lib/kadm5/Makefile.am b/crypto/heimdal/lib/kadm5/Makefile.am
index 89399d4..d554b18 100644
--- a/crypto/heimdal/lib/kadm5/Makefile.am
+++ b/crypto/heimdal/lib/kadm5/Makefile.am
@@ -1,18 +1,19 @@
-# $Id: Makefile.am,v 1.33 2000/02/07 03:37:27 assar Exp $
+# $Id: Makefile.am,v 1.44 2001/01/30 01:56:00 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
 lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la
-libkadm5srv_la_LDFLAGS = -version-info 5:1:0
-libkadm5clnt_la_LDFLAGS = -version-info 4:2:0
-sbin_PROGRAMS = dump_log replay_log
+libkadm5srv_la_LDFLAGS = -version-info 7:3:0
+libkadm5clnt_la_LDFLAGS = -version-info 6:1:2
+sbin_PROGRAMS = dump_log replay_log truncate_log
 
 libexec_PROGRAMS = ipropd-master ipropd-slave
 
 kadm5includedir = $(includedir)/kadm5
 buildkadm5include = $(buildinclude)/kadm5
 
-kadm5include_HEADERS = kadm5_err.h admin.h private.h
+kadm5include_HEADERS = kadm5_err.h admin.h private.h \
+	kadm5-protos.h kadm5-private.h
 
 install-build-headers:: $(kadm5include_HEADERS)
 	@foo='$(kadm5include_HEADERS)'; \
@@ -27,55 +28,57 @@ install-build-headers:: $(kadm5include_HEADERS)
 		fi ; \
 	done
 
-C_SOURCES =		\
-	admin.h		\
-	chpass_c.c	\
-	common_glue.c	\
-	create_c.c	\
-	delete_c.c	\
-	destroy_c.c	\
-	flush_c.c	\
-	free.c		\
-	get_c.c		\
-	get_princs_c.c	\
-	init_c.c	\
-	kadm5_err.c	\
-	kadm5_locl.h	\
-	marshall.c	\
-	modify_c.c	\
-	private.h	\
-	privs_c.c	\
-	randkey_c.c	\
-	rename_c.c	\
+C_SOURCES =					\
+	admin.h					\
+	chpass_c.c				\
+	common_glue.c				\
+	create_c.c				\
+	delete_c.c				\
+	destroy_c.c				\
+	flush_c.c				\
+	free.c					\
+	get_c.c					\
+	get_princs_c.c				\
+	init_c.c				\
+	kadm5_err.c				\
+	kadm5_locl.h				\
+	marshall.c				\
+	modify_c.c				\
+	private.h				\
+	privs_c.c				\
+	randkey_c.c				\
+	rename_c.c				\
 	send_recv.c
 
-S_SOURCES =		\
-	acl.c		\
-	admin.h		\
-	chpass_s.c	\
-	common_glue.c	\
-	context_s.c	\
-	create_s.c	\
-	delete_s.c	\
-	destroy_s.c	\
-	ent_setup.c	\
-	error.c		\
-	flush_s.c	\
-	free.c		\
-	get_princs_s.c	\
-	get_s.c		\
-	init_s.c	\
-	kadm5_err.c	\
-	kadm5_locl.h	\
-	log.c		\
-	marshall.c	\
-	modify_s.c	\
-	private.h	\
-	privs_s.c	\
-	randkey_s.c	\
-	rename_s.c	\
-	set_keys.c	\
-	set_modifier.c	\
+S_SOURCES =					\
+	acl.c					\
+	admin.h					\
+	bump_pw_expire.c			\
+	chpass_s.c				\
+	common_glue.c				\
+	context_s.c				\
+	create_s.c				\
+	delete_s.c				\
+	destroy_s.c				\
+	ent_setup.c				\
+	error.c					\
+	flush_s.c				\
+	free.c					\
+	get_princs_s.c				\
+	get_s.c					\
+	init_s.c				\
+	kadm5_err.c				\
+	kadm5_locl.h				\
+	keys.c					\
+	log.c					\
+	marshall.c				\
+	modify_s.c				\
+	private.h				\
+	privs_s.c				\
+	randkey_s.c				\
+	rename_s.c				\
+	set_keys.c				\
+	set_modifier.c				\
 	password_quality.c
 
 libkadm5srv_la_SOURCES = $(S_SOURCES) server_glue.c
@@ -89,12 +92,15 @@ ipropd_master_SOURCES = ipropd_master.c iprop.h kadm5_locl.h
 
 ipropd_slave_SOURCES = ipropd_slave.c iprop.h kadm5_locl.h
 
+truncate_log_SOURCES = truncate_log.c
+
 LDADD = \
 	libkadm5srv.la \
 	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
 	$(LIB_roken) \
 	$(DBLIB) \
 	$(LIB_dlopen)
diff --git a/crypto/heimdal/lib/kadm5/Makefile.in b/crypto/heimdal/lib/kadm5/Makefile.in
index 233ef9d..a281b23 100644
--- a/crypto/heimdal/lib/kadm5/Makefile.in
+++ b/crypto/heimdal/lib/kadm5/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.33 2000/02/07 03:37:27 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.44 2001/01/30 01:56:00 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,43 +170,90 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la
-libkadm5srv_la_LDFLAGS = -version-info 5:1:0
-libkadm5clnt_la_LDFLAGS = -version-info 4:2:0
-sbin_PROGRAMS = dump_log replay_log
+libkadm5srv_la_LDFLAGS = -version-info 7:3:0
+libkadm5clnt_la_LDFLAGS = -version-info 6:1:2
+sbin_PROGRAMS = dump_log replay_log truncate_log
 
 libexec_PROGRAMS = ipropd-master ipropd-slave
 
 kadm5includedir = $(includedir)/kadm5
 buildkadm5include = $(buildinclude)/kadm5
 
-kadm5include_HEADERS = kadm5_err.h admin.h private.h
-
-C_SOURCES =  	admin.h			chpass_c.c		common_glue.c		create_c.c		delete_c.c		destroy_c.c		flush_c.c		free.c			get_c.c			get_princs_c.c		init_c.c		kadm5_err.c		kadm5_locl.h		marshall.c		modify_c.c		private.h		privs_c.c		randkey_c.c		rename_c.c		send_recv.c
-
-
-S_SOURCES =  	acl.c			admin.h			chpass_s.c		common_glue.c		context_s.c		create_s.c		delete_s.c		destroy_s.c		ent_setup.c		error.c			flush_s.c		free.c			get_princs_s.c		get_s.c			init_s.c		kadm5_err.c		kadm5_locl.h		log.c			marshall.c		modify_s.c		private.h		privs_s.c		randkey_s.c		rename_s.c		set_keys.c		set_modifier.c		password_quality.c
+kadm5include_HEADERS = kadm5_err.h admin.h private.h \
+	kadm5-protos.h kadm5-private.h
+
+
+C_SOURCES = \
+	admin.h					\
+	chpass_c.c				\
+	common_glue.c				\
+	create_c.c				\
+	delete_c.c				\
+	destroy_c.c				\
+	flush_c.c				\
+	free.c					\
+	get_c.c					\
+	get_princs_c.c				\
+	init_c.c				\
+	kadm5_err.c				\
+	kadm5_locl.h				\
+	marshall.c				\
+	modify_c.c				\
+	private.h				\
+	privs_c.c				\
+	randkey_c.c				\
+	rename_c.c				\
+	send_recv.c
+
+
+S_SOURCES = \
+	acl.c					\
+	admin.h					\
+	bump_pw_expire.c			\
+	chpass_s.c				\
+	common_glue.c				\
+	context_s.c				\
+	create_s.c				\
+	delete_s.c				\
+	destroy_s.c				\
+	ent_setup.c				\
+	error.c					\
+	flush_s.c				\
+	free.c					\
+	get_princs_s.c				\
+	get_s.c					\
+	init_s.c				\
+	kadm5_err.c				\
+	kadm5_locl.h				\
+	keys.c					\
+	log.c					\
+	marshall.c				\
+	modify_s.c				\
+	private.h				\
+	privs_s.c				\
+	randkey_s.c				\
+	rename_s.c				\
+	set_keys.c				\
+	set_modifier.c				\
+	password_quality.c
 
 
 libkadm5srv_la_SOURCES = $(S_SOURCES) server_glue.c
@@ -202,10 +267,22 @@ ipropd_master_SOURCES = ipropd_master.c iprop.h kadm5_locl.h
 
 ipropd_slave_SOURCES = ipropd_slave.c iprop.h kadm5_locl.h
 
-LDADD =  	libkadm5srv.la 	$(top_builddir)/lib/hdb/libhdb.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken) 	$(DBLIB) 	$(LIB_dlopen)
+truncate_log_SOURCES = truncate_log.c
+
+LDADD = \
+	libkadm5srv.la \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB) \
+	$(LIB_dlopen)
 
 
 CLEANFILES = kadm5_err.c kadm5_err.h
+subdir = lib/kadm5
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -215,70 +292,87 @@ LTLIBRARIES =  $(lib_LTLIBRARIES)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-libkadm5srv_la_LIBADD = 
-libkadm5srv_la_OBJECTS =  acl.lo chpass_s.lo common_glue.lo context_s.lo \
-create_s.lo delete_s.lo destroy_s.lo ent_setup.lo error.lo flush_s.lo \
-free.lo get_princs_s.lo get_s.lo init_s.lo kadm5_err.lo log.lo \
-marshall.lo modify_s.lo privs_s.lo randkey_s.lo rename_s.lo set_keys.lo \
-set_modifier.lo password_quality.lo server_glue.lo
 libkadm5clnt_la_LIBADD = 
-libkadm5clnt_la_OBJECTS =  chpass_c.lo common_glue.lo create_c.lo \
+am_libkadm5clnt_la_OBJECTS =  chpass_c.lo common_glue.lo create_c.lo \
 delete_c.lo destroy_c.lo flush_c.lo free.lo get_c.lo get_princs_c.lo \
 init_c.lo kadm5_err.lo marshall.lo modify_c.lo privs_c.lo randkey_c.lo \
 rename_c.lo send_recv.lo client_glue.lo
+libkadm5clnt_la_OBJECTS =  $(am_libkadm5clnt_la_OBJECTS)
+libkadm5srv_la_LIBADD = 
+am_libkadm5srv_la_OBJECTS =  acl.lo bump_pw_expire.lo chpass_s.lo \
+common_glue.lo context_s.lo create_s.lo delete_s.lo destroy_s.lo \
+ent_setup.lo error.lo flush_s.lo free.lo get_princs_s.lo get_s.lo \
+init_s.lo kadm5_err.lo keys.lo log.lo marshall.lo modify_s.lo \
+privs_s.lo randkey_s.lo rename_s.lo set_keys.lo set_modifier.lo \
+password_quality.lo server_glue.lo
+libkadm5srv_la_OBJECTS =  $(am_libkadm5srv_la_OBJECTS)
 libexec_PROGRAMS =  ipropd-master$(EXEEXT) ipropd-slave$(EXEEXT)
-sbin_PROGRAMS =  dump_log$(EXEEXT) replay_log$(EXEEXT)
+sbin_PROGRAMS =  dump_log$(EXEEXT) replay_log$(EXEEXT) \
+truncate_log$(EXEEXT)
 PROGRAMS =  $(libexec_PROGRAMS) $(sbin_PROGRAMS)
 
-ipropd_master_OBJECTS =  ipropd_master.$(OBJEXT)
+am_dump_log_OBJECTS =  dump_log.$(OBJEXT)
+dump_log_OBJECTS =  $(am_dump_log_OBJECTS)
+dump_log_LDADD = $(LDADD)
+dump_log_DEPENDENCIES =  libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+dump_log_LDFLAGS = 
+am_ipropd_master_OBJECTS =  ipropd_master.$(OBJEXT)
+ipropd_master_OBJECTS =  $(am_ipropd_master_OBJECTS)
 ipropd_master_LDADD = $(LDADD)
 ipropd_master_DEPENDENCIES =  libkadm5srv.la \
 $(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/des/libdes.la
+$(top_builddir)/lib/asn1/libasn1.la
 ipropd_master_LDFLAGS = 
-ipropd_slave_OBJECTS =  ipropd_slave.$(OBJEXT)
+am_ipropd_slave_OBJECTS =  ipropd_slave.$(OBJEXT)
+ipropd_slave_OBJECTS =  $(am_ipropd_slave_OBJECTS)
 ipropd_slave_LDADD = $(LDADD)
 ipropd_slave_DEPENDENCIES =  libkadm5srv.la \
 $(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/des/libdes.la
+$(top_builddir)/lib/asn1/libasn1.la
 ipropd_slave_LDFLAGS = 
-dump_log_OBJECTS =  dump_log.$(OBJEXT)
-dump_log_LDADD = $(LDADD)
-dump_log_DEPENDENCIES =  libkadm5srv.la \
-$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/des/libdes.la
-dump_log_LDFLAGS = 
-replay_log_OBJECTS =  replay_log.$(OBJEXT)
+am_replay_log_OBJECTS =  replay_log.$(OBJEXT)
+replay_log_OBJECTS =  $(am_replay_log_OBJECTS)
 replay_log_LDADD = $(LDADD)
 replay_log_DEPENDENCIES =  libkadm5srv.la \
 $(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
-$(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/des/libdes.la
+$(top_builddir)/lib/asn1/libasn1.la
 replay_log_LDFLAGS = 
-CFLAGS = @CFLAGS@
+am_truncate_log_OBJECTS =  truncate_log.$(OBJEXT)
+truncate_log_OBJECTS =  $(am_truncate_log_OBJECTS)
+truncate_log_LDADD = $(LDADD)
+truncate_log_DEPENDENCIES =  libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+truncate_log_LDFLAGS = 
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \
+$(dump_log_SOURCES) $(ipropd_master_SOURCES) $(ipropd_slave_SOURCES) \
+$(replay_log_SOURCES) $(truncate_log_SOURCES)
 HEADERS =  $(kadm5include_HEADERS)
 
-DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+depcomp = 
+DIST_COMMON =  $(kadm5include_HEADERS) ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
-SOURCES = $(libkadm5srv_la_SOURCES) $(libkadm5clnt_la_SOURCES) $(ipropd_master_SOURCES) $(ipropd_slave_SOURCES) $(dump_log_SOURCES) $(replay_log_SOURCES)
-OBJECTS = $(libkadm5srv_la_OBJECTS) $(libkadm5clnt_la_OBJECTS) $(ipropd_master_OBJECTS) $(ipropd_slave_OBJECTS) $(dump_log_OBJECTS) $(replay_log_OBJECTS)
+SOURCES = $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) $(dump_log_SOURCES) $(ipropd_master_SOURCES) $(ipropd_slave_SOURCES) $(replay_log_SOURCES) $(truncate_log_SOURCES)
+OBJECTS = $(am_libkadm5clnt_la_OBJECTS) $(am_libkadm5srv_la_OBJECTS) $(am_dump_log_OBJECTS) $(am_ipropd_master_OBJECTS) $(am_ipropd_slave_OBJECTS) $(am_replay_log_OBJECTS) $(am_truncate_log_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/kadm5/Makefile
 
@@ -301,31 +395,18 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	$(mkinstalldirs) $(DESTDIR)$(libdir)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
 	  else :; fi; \
 	done
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
 	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -337,15 +418,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -356,12 +428,12 @@ distclean-libtool:
 
 maintainer-clean-libtool:
 
-libkadm5srv.la: $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_DEPENDENCIES)
-	$(LINK) -rpath $(libdir) $(libkadm5srv_la_LDFLAGS) $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_LIBADD) $(LIBS)
-
 libkadm5clnt.la: $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_DEPENDENCIES)
 	$(LINK) -rpath $(libdir) $(libkadm5clnt_la_LDFLAGS) $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_LIBADD) $(LIBS)
 
+libkadm5srv.la: $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libkadm5srv_la_LDFLAGS) $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_LIBADD) $(LIBS)
+
 mostlyclean-libexecPROGRAMS:
 
 clean-libexecPROGRAMS:
@@ -376,15 +448,18 @@ install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-libexecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
 	done
 
 mostlyclean-sbinPROGRAMS:
@@ -401,17 +476,24 @@ install-sbinPROGRAMS: $(sbin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(sbindir)
 	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-sbinPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(sbin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \
+	  rm -f $(DESTDIR)$(sbindir)/$$f; \
 	done
 
+dump_log$(EXEEXT): $(dump_log_OBJECTS) $(dump_log_DEPENDENCIES)
+	@rm -f dump_log$(EXEEXT)
+	$(LINK) $(dump_log_LDFLAGS) $(dump_log_OBJECTS) $(dump_log_LDADD) $(LIBS)
+
 ipropd-master$(EXEEXT): $(ipropd_master_OBJECTS) $(ipropd_master_DEPENDENCIES)
 	@rm -f ipropd-master$(EXEEXT)
 	$(LINK) $(ipropd_master_LDFLAGS) $(ipropd_master_OBJECTS) $(ipropd_master_LDADD) $(LIBS)
@@ -420,48 +502,61 @@ ipropd-slave$(EXEEXT): $(ipropd_slave_OBJECTS) $(ipropd_slave_DEPENDENCIES)
 	@rm -f ipropd-slave$(EXEEXT)
 	$(LINK) $(ipropd_slave_LDFLAGS) $(ipropd_slave_OBJECTS) $(ipropd_slave_LDADD) $(LIBS)
 
-dump_log$(EXEEXT): $(dump_log_OBJECTS) $(dump_log_DEPENDENCIES)
-	@rm -f dump_log$(EXEEXT)
-	$(LINK) $(dump_log_LDFLAGS) $(dump_log_OBJECTS) $(dump_log_LDADD) $(LIBS)
-
 replay_log$(EXEEXT): $(replay_log_OBJECTS) $(replay_log_DEPENDENCIES)
 	@rm -f replay_log$(EXEEXT)
 	$(LINK) $(replay_log_LDFLAGS) $(replay_log_OBJECTS) $(replay_log_LDADD) $(LIBS)
 
+truncate_log$(EXEEXT): $(truncate_log_OBJECTS) $(truncate_log_DEPENDENCIES)
+	@rm -f truncate_log$(EXEEXT)
+	$(LINK) $(truncate_log_LDFLAGS) $(truncate_log_OBJECTS) $(truncate_log_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
 install-kadm5includeHEADERS: $(kadm5include_HEADERS)
 	@$(NORMAL_INSTALL)
 	$(mkinstalldirs) $(DESTDIR)$(kadm5includedir)
 	@list='$(kadm5include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
-	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(kadm5includedir)/$$p"; \
-	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(kadm5includedir)/$$p; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(kadm5includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(kadm5includedir)/$$f; \
 	done
 
 uninstall-kadm5includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	list='$(kadm5include_HEADERS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(kadm5includedir)/$$p; \
+	@list='$(kadm5include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(kadm5includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(kadm5includedir)/$$f; \
 	done
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -474,17 +569,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/kadm5
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -515,7 +609,7 @@ uninstall: uninstall-am
 all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(libexecdir) \
 		$(DESTDIR)$(sbindir) $(DESTDIR)$(kadm5includedir)
@@ -531,6 +625,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-libexecPROGRAMS \
 		mostlyclean-sbinPROGRAMS mostlyclean-tags \
@@ -578,8 +673,9 @@ clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
 check-local check check-am installcheck-am installcheck install-exec-am \
 install-exec install-data-local install-data-am install-data install-am \
 install uninstall-am uninstall all-local all-redirect all-am all \
-installdirs mostlyclean-generic distclean-generic clean-generic \
-maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
 
 
 install-suid-programs:
@@ -587,7 +683,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -599,8 +698,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -669,87 +768,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/lib/kadm5/acl.c b/crypto/heimdal/lib/kadm5/acl.c
index 3f42c60..c963171 100644
--- a/crypto/heimdal/lib/kadm5/acl.c
+++ b/crypto/heimdal/lib/kadm5/acl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: acl.c,v 1.10 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: acl.c,v 1.12 2000/08/10 19:24:08 assar Exp $");
 
 static struct units acl_units[] = {
     { "all",		KADM5_PRIV_ALL },
@@ -68,58 +68,112 @@ _kadm5_privs_to_string(u_int32_t privs, char *string, size_t len)
     return 0;
 }
 
-kadm5_ret_t
-_kadm5_acl_init(kadm5_server_context *context)
+/*
+ * retrieve the right for the current caller on `princ' (NULL means all)
+ * and store them in `ret_flags'
+ * return 0 or an error.
+ */
+
+static kadm5_ret_t
+fetch_acl (kadm5_server_context *context,
+	   krb5_const_principal princ,
+	   unsigned *ret_flags)
 {
-    FILE *f;
-    char buf[128];
-    krb5_principal princ;
-    int flags;
-    krb5_error_code ret;
-    
-    krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ);
-    ret = krb5_principal_compare(context->context, context->caller, princ);
-    krb5_free_principal(context->context, princ);
-    if(ret != 0){
-	context->acl_flags = KADM5_PRIV_ALL;
-	return 0;
-    }
+    unsigned flags = -1;
+    FILE *f = fopen(context->config.acl_file, "r");
+    krb5_error_code ret = 0;
+
+    if(f != NULL) {
+	char buf[256];
 
-    flags = -1;
-    f = fopen(context->config.acl_file, "r");
-    if(f){
-	while(fgets(buf, sizeof(buf), f)){
+	while(fgets(buf, sizeof(buf), f) != NULL){
 	    char *foo = NULL, *p;
+	    krb5_principal this_princ;
+
+	    flags = -1;
 	    p = strtok_r(buf, " \t\n", &foo);
 	    if(p == NULL)
 		continue;
-	    ret = krb5_parse_name(context->context, p, &princ);
+	    ret = krb5_parse_name(context->context, p, &this_princ);
 	    if(ret)
 		continue;
 	    if(!krb5_principal_compare(context->context, 
-				       context->caller,  princ)){
-		krb5_free_principal(context->context, princ);
+				       context->caller, this_princ)) {
+		krb5_free_principal(context->context, this_princ);
 		continue;
 	    }
-	    krb5_free_principal(context->context, princ);
-	    p = strtok_r(NULL, "\n", &foo);
+	    krb5_free_principal(context->context, this_princ);
+	    p = strtok_r(NULL, " \t\n", &foo);
 	    if(p == NULL)
 		continue;
 	    ret = _kadm5_string_to_privs(p, &flags);
-	    break;
+	    if (ret)
+		break;
+	    p = strtok_r(NULL, "\n", &foo);
+	    if (p == NULL) {
+		ret = 0;
+		break;
+	    }
+	    if (princ != NULL) {
+		krb5_principal pattern_princ;
+		krb5_boolean tmp;
+
+		ret = krb5_parse_name (context->context, p, &pattern_princ);
+		if (ret)
+		    break;
+		tmp = krb5_principal_match (context->context,
+					    princ, pattern_princ);
+		krb5_free_principal (context->context, pattern_princ);
+		if (tmp) {
+		    ret = 0;
+		    break;
+		}
+	    }
 	}
 	fclose(f);
     }
     if(flags == -1)
 	flags = 0;
-    context->acl_flags = flags;
-    return 0;
+    if (ret == 0)
+	*ret_flags = flags;
+    return ret;
 }
 
+/*
+ * set global acl flags in `context' for the current caller.
+ * return 0 on success or an error
+ */
+
 kadm5_ret_t
-_kadm5_acl_check_permission(kadm5_server_context *context, unsigned op)
+_kadm5_acl_init(kadm5_server_context *context)
 {
-    unsigned res = ~context->acl_flags & op;
+    krb5_principal princ;
+    krb5_error_code ret;
+    
+    ret = krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ);
+    if (ret)
+	return ret;
+    ret = krb5_principal_compare(context->context, context->caller, princ);
+    krb5_free_principal(context->context, princ);
+    if(ret != 0) {
+	context->acl_flags = KADM5_PRIV_ALL;
+	return 0;
+    }
+
+    return fetch_acl (context, NULL, &context->acl_flags);
+}
+
+/*
+ * check if `flags' allows `op'
+ * return 0 if OK or an error
+ */
+
+static kadm5_ret_t
+check_flags (unsigned op,
+	     unsigned flags)
+{
+    unsigned res = ~flags & op;
+
     if(res & KADM5_PRIV_GET)
 	return KADM5_AUTH_GET;
     if(res & KADM5_PRIV_ADD)
@@ -136,3 +190,26 @@ _kadm5_acl_check_permission(kadm5_server_context *context, unsigned op)
 	return KADM5_AUTH_INSUFFICIENT;
     return 0;
 }
+
+/*
+ * return 0 if the current caller in `context' is allowed to perform
+ * `op' on `princ' and otherwise an error
+ * princ == NULL if it's not relevant.
+ */
+
+kadm5_ret_t
+_kadm5_acl_check_permission(kadm5_server_context *context,
+			    unsigned op,
+			    krb5_const_principal princ)
+{
+    kadm5_ret_t ret;
+    unsigned princ_flags;
+
+    ret = check_flags (op, context->acl_flags);
+    if (ret == 0)
+	return ret;
+    ret = fetch_acl (context, princ, &princ_flags);
+    if (ret)
+	return ret;
+    return check_flags (op, princ_flags);
+}
diff --git a/crypto/heimdal/lib/kadm5/admin.h b/crypto/heimdal/lib/kadm5/admin.h
index 6cb08a3..d9bd85f 100644
--- a/crypto/heimdal/lib/kadm5/admin.h
+++ b/crypto/heimdal/lib/kadm5/admin.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
  * SUCH DAMAGE. 
  */
-/* $Id: admin.h,v 1.15 1999/12/02 17:05:05 joda Exp $ */
+/* $Id: admin.h,v 1.18 2000/08/04 11:26:21 joda Exp $ */
 
 #ifndef __KADM5_ADMIN_H__
 #define __KADM5_ADMIN_H__
@@ -105,14 +105,14 @@ typedef struct _krb5_key_data {
     int16_t key_data_kvno;	/* Key Version */
     int16_t key_data_type[2];	/* Array of types */
     int16_t key_data_length[2];	/* Array of lengths */
-    void** key_data_contents[2];/* Array of pointers */
+    void*   key_data_contents[2];/* Array of pointers */
 } krb5_key_data;
 
 typedef struct _krb5_tl_data {
     struct _krb5_tl_data* tl_data_next;
     int16_t tl_data_type;         
     int16_t tl_data_length;       
-    void **tl_data_contents;     
+    void*   tl_data_contents;     
 } krb5_tl_data;
 
 typedef struct _kadm5_principal_ent_t {
@@ -204,462 +204,7 @@ typedef struct _kadm5_config_params {
 
 typedef krb5_error_code kadm5_ret_t;
 
-kadm5_ret_t
-kadm5_c_chpass_principal __P((
-	void *server_handle,
-	krb5_principal princ,
-	char *password));
-
-kadm5_ret_t
-kadm5_c_create_principal __P((
-	void *server_handle,
-	kadm5_principal_ent_t princ,
-	u_int32_t mask,
-	char *password));
-
-kadm5_ret_t
-kadm5_c_delete_principal __P((
-	void *server_handle,
-	krb5_principal princ));
-
-kadm5_ret_t
-kadm5_c_destroy __P((void *server_handle));
-
-kadm5_ret_t
-kadm5_c_flush __P((void *server_handle));
-
-kadm5_ret_t
-kadm5_c_get_principal __P((
-	void *server_handle,
-	krb5_principal princ,
-	kadm5_principal_ent_t out,
-	u_int32_t mask));
-
-kadm5_ret_t
-kadm5_c_get_principals __P((
-	void *server_handle,
-	const char *exp,
-	char ***princs,
-	int *count));
-
-kadm5_ret_t
-kadm5_c_get_privs __P((
-	void *server_handle,
-	u_int32_t *privs));
-
-kadm5_ret_t
-kadm5_c_init_with_creds __P((
-	const char *client_name,
-	krb5_ccache ccache,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_c_init_with_creds_ctx __P((
-	krb5_context context,
-	const char *client_name,
-	krb5_ccache ccache,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_c_init_with_password __P((
-	const char *client_name,
-	const char *password,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_c_init_with_password_ctx __P((
-	krb5_context context,
-	const char *client_name,
-	const char *password,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_c_init_with_skey __P((
-	const char *client_name,
-	const char *keytab,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_c_init_with_skey_ctx __P((
-	krb5_context context,
-	const char *client_name,
-	const char *keytab,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_c_modify_principal __P((
-	void *server_handle,
-	kadm5_principal_ent_t princ,
-	u_int32_t mask));
-
-kadm5_ret_t
-kadm5_c_randkey_principal __P((
-	void *server_handle,
-	krb5_principal princ,
-	krb5_keyblock **new_keys,
-	int *n_keys));
-
-kadm5_ret_t
-kadm5_c_rename_principal __P((
-	void *server_handle,
-	krb5_principal source,
-	krb5_principal target));
-
-kadm5_ret_t
-kadm5_chpass_principal __P((
-	void *server_handle,
-	krb5_principal princ,
-	char *password));
-
-kadm5_ret_t
-kadm5_create_principal __P((
-	void *server_handle,
-	kadm5_principal_ent_t princ,
-	u_int32_t mask,
-	char *password));
-
-kadm5_ret_t
-kadm5_delete_principal __P((
-	void *server_handle,
-	krb5_principal princ));
-
-kadm5_ret_t
-kadm5_destroy __P((void *server_handle));
-
-kadm5_ret_t
-kadm5_flush __P((void *server_handle));
-
-void
-kadm5_free_key_data __P((
-	void *server_handle,
-	int16_t *n_key_data,
-	krb5_key_data *key_data));
-
-void
-kadm5_free_name_list __P((
-	void *server_handle,
-	char **names,
-	int *count));
-
-void
-kadm5_free_principal_ent __P((
-	void *server_handle,
-	kadm5_principal_ent_t princ));
-
-kadm5_ret_t
-kadm5_get_principal __P((
-	void *server_handle,
-	krb5_principal princ,
-	kadm5_principal_ent_t out,
-	u_int32_t mask));
-
-kadm5_ret_t
-kadm5_get_principals __P((
-	void *server_handle,
-	const char *exp,
-	char ***princs,
-	int *count));
-
-kadm5_ret_t
-kadm5_get_privs __P((
-	void *server_handle,
-	u_int32_t *privs));
-
-kadm5_ret_t
-kadm5_init_with_creds __P((
-	const char *client_name,
-	krb5_ccache ccache,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_init_with_creds_ctx __P((
-	krb5_context context,
-	const char *client_name,
-	krb5_ccache ccache,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_init_with_password __P((
-	const char *client_name,
-	const char *password,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_init_with_password_ctx __P((
-	krb5_context context,
-	const char *client_name,
-	const char *password,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_init_with_skey __P((
-	const char *client_name,
-	const char *keytab,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_init_with_skey_ctx __P((
-	krb5_context context,
-	const char *client_name,
-	const char *keytab,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_modify_principal __P((
-	void *server_handle,
-	kadm5_principal_ent_t princ,
-	u_int32_t mask));
-
-kadm5_ret_t
-kadm5_randkey_principal __P((
-	void *server_handle,
-	krb5_principal princ,
-	krb5_keyblock **new_keys,
-	int *n_keys));
-
-kadm5_ret_t
-kadm5_rename_principal __P((
-	void *server_handle,
-	krb5_principal source,
-	krb5_principal target));
-
-kadm5_ret_t
-kadm5_ret_key_data __P((
-	krb5_storage *sp,
-	krb5_key_data *key));
-
-kadm5_ret_t
-kadm5_ret_principal_ent __P((
-	krb5_storage *sp,
-	kadm5_principal_ent_t princ));
-
-kadm5_ret_t
-kadm5_ret_principal_ent_mask __P((
-	krb5_storage *sp,
-	kadm5_principal_ent_t princ,
-	u_int32_t *mask));
-
-kadm5_ret_t
-kadm5_ret_tl_data __P((
-	krb5_storage *sp,
-	krb5_tl_data *tl));
-
-kadm5_ret_t
-kadm5_s_chpass_principal __P((
-	void *server_handle,
-	krb5_principal princ,
-	char *password));
-
-kadm5_ret_t
-kadm5_s_chpass_principal_with_key __P((
-	void *server_handle,
-	krb5_principal princ,
-	int n_key_data,
-	krb5_key_data *key_data));
-
-kadm5_ret_t
-kadm5_s_create_principal __P((
-	void *server_handle,
-	kadm5_principal_ent_t princ,
-	u_int32_t mask,
-	char *password));
-
-kadm5_ret_t
-kadm5_s_create_principal_with_key __P((
-	void *server_handle,
-	kadm5_principal_ent_t princ,
-	u_int32_t mask));
-
-kadm5_ret_t
-kadm5_s_delete_principal __P((
-	void *server_handle,
-	krb5_principal princ));
-
-kadm5_ret_t
-kadm5_s_destroy __P((void *server_handle));
-
-kadm5_ret_t
-kadm5_s_flush __P((void *server_handle));
-
-kadm5_ret_t
-kadm5_s_get_principal __P((
-	void *server_handle,
-	krb5_principal princ,
-	kadm5_principal_ent_t out,
-	u_int32_t mask));
-
-kadm5_ret_t
-kadm5_s_get_principals __P((
-	void *server_handle,
-	const char *exp,
-	char ***princs,
-	int *count));
-
-kadm5_ret_t
-kadm5_s_get_privs __P((
-	void *server_handle,
-	u_int32_t *privs));
-
-kadm5_ret_t
-kadm5_s_init_with_creds __P((
-	const char *client_name,
-	krb5_ccache ccache,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_s_init_with_creds_ctx __P((
-	krb5_context context,
-	const char *client_name,
-	krb5_ccache ccache,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_s_init_with_password __P((
-	const char *client_name,
-	const char *password,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_s_init_with_password_ctx __P((
-	krb5_context context,
-	const char *client_name,
-	const char *password,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_s_init_with_skey __P((
-	const char *client_name,
-	const char *keytab,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_s_init_with_skey_ctx __P((
-	krb5_context context,
-	const char *client_name,
-	const char *keytab,
-	const char *service_name,
-	kadm5_config_params *realm_params,
-	unsigned long struct_version,
-	unsigned long api_version,
-	void **server_handle));
-
-kadm5_ret_t
-kadm5_s_modify_principal __P((
-	void *server_handle,
-	kadm5_principal_ent_t princ,
-	u_int32_t mask));
-
-kadm5_ret_t
-kadm5_s_randkey_principal __P((
-	void *server_handle,
-	krb5_principal princ,
-	krb5_keyblock **new_keys,
-	int *n_keys));
-
-kadm5_ret_t
-kadm5_s_rename_principal __P((
-	void *server_handle,
-	krb5_principal source,
-	krb5_principal target));
-
-kadm5_ret_t
-kadm5_store_key_data __P((
-	krb5_storage *sp,
-	krb5_key_data *key));
-
-kadm5_ret_t
-kadm5_store_principal_ent __P((
-	krb5_storage *sp,
-	kadm5_principal_ent_t princ));
-
-kadm5_ret_t
-kadm5_store_principal_ent_mask __P((
-	krb5_storage *sp,
-	kadm5_principal_ent_t princ,
-	u_int32_t mask));
-
-kadm5_ret_t
-kadm5_store_tl_data __P((
-	krb5_storage *sp,
-	krb5_tl_data *tl));
-
-void
-kadm5_setup_passwd_quality_check(krb5_context context,
-				 const char *check_library,
-				 const char *check_function);
-
-const char *
-kadm5_check_password_quality (krb5_context context,
-			      krb5_principal principal,
-			      krb5_data *pwd_data);
+#include "kadm5-protos.h"
 
 #if 0
 /* unimplemented functions */
diff --git a/crypto/heimdal/lib/kadm5/bump_pw_expire.c b/crypto/heimdal/lib/kadm5/bump_pw_expire.c
new file mode 100644
index 0000000..a185c20
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/bump_pw_expire.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: bump_pw_expire.c,v 1.1 2000/07/24 03:47:54 assar Exp $");
+
+/*
+ * extend password_expiration if it's defined
+ */
+
+kadm5_ret_t
+_kadm5_bump_pw_expire(kadm5_server_context *context,
+		      hdb_entry *ent)
+{
+    if (ent->pw_end != NULL) {
+	time_t life;
+
+	life = krb5_config_get_time_default(context->context,
+					    NULL,
+					    365 * 24 * 60 * 60,
+					    "kadmin",
+					    "password_lifetime",
+					    NULL);
+
+	*(ent->pw_end) = time(NULL) + life;
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/chpass_c.c b/crypto/heimdal/lib/kadm5/chpass_c.c
index aaec48f..b06b8cd 100644
--- a/crypto/heimdal/lib/kadm5/chpass_c.c
+++ b/crypto/heimdal/lib/kadm5/chpass_c.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: chpass_c.c,v 1.3 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: chpass_c.c,v 1.5 2000/07/11 15:59:14 joda Exp $");
 
 kadm5_ret_t
 kadm5_c_chpass_principal(void *server_handle, 
@@ -47,6 +47,10 @@ kadm5_c_chpass_principal(void *server_handle,
     int32_t tmp;
     krb5_data reply;
 
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
     sp = krb5_storage_from_mem(buf, sizeof(buf));
     if (sp == NULL)
 	return ENOMEM;
@@ -68,3 +72,45 @@ kadm5_c_chpass_principal(void *server_handle,
     krb5_data_free (&reply);
     return tmp;
 }
+
+kadm5_ret_t
+kadm5_c_chpass_principal_with_key(void *server_handle, 
+				  krb5_principal princ,
+				  int n_key_data,
+				  krb5_key_data *key_data)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+    int i;
+
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_chpass_with_key);
+    krb5_store_principal(sp, princ);
+    krb5_store_int32(sp, n_key_data);
+    for (i = 0; i < n_key_data; ++i)
+	kadm5_store_key_data (sp, &key_data[i]);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/kadm5/chpass_s.c b/crypto/heimdal/lib/kadm5/chpass_s.c
index e915124..2133469 100644
--- a/crypto/heimdal/lib/kadm5/chpass_s.c
+++ b/crypto/heimdal/lib/kadm5/chpass_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,16 +33,21 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: chpass_s.c,v 1.8 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: chpass_s.c,v 1.13 2001/01/30 01:24:28 assar Exp $");
 
-kadm5_ret_t
-kadm5_s_chpass_principal(void *server_handle, 
-			 krb5_principal princ,
-			 char *password)
+static kadm5_ret_t
+change(void *server_handle, 
+       krb5_principal princ,
+       char *password,
+       int cond)
 {
     kadm5_server_context *context = server_handle;
     hdb_entry ent;
     kadm5_ret_t ret;
+    Key *keys;
+    size_t num_keys;
+    int cmp = 1;
+
     ent.principal = princ;
     ret = context->db->open(context->context, context->db, O_RDWR, 0);
     if(ret)
@@ -51,19 +56,42 @@ kadm5_s_chpass_principal(void *server_handle,
 			     0, &ent);
     if(ret == HDB_ERR_NOENTRY)
 	goto out;
+
+    num_keys = ent.keys.len;
+    keys     = ent.keys.val;
+
+    ent.keys.len = 0;
+    ent.keys.val = NULL;
+
     ret = _kadm5_set_keys(context, &ent, password);
-    if(ret)
+    if(ret) {
+	_kadm5_free_keys (server_handle, num_keys, keys);
+	goto out2;
+    }
+    if (cond)
+	cmp = _kadm5_cmp_keys (ent.keys.val, ent.keys.len,
+			       keys, num_keys);
+    _kadm5_free_keys (server_handle, num_keys, keys);
+
+    if (cmp == 0)
 	goto out2;
+
     ret = _kadm5_set_modifier(context, &ent);
     if(ret)
 	goto out2;
 
-    hdb_seal_keys(context->db, &ent);
+    ret = _kadm5_bump_pw_expire(context, &ent);
+    if (ret)
+	goto out2;
+
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out2;
 
     kadm5_log_modify (context,
 		      &ent,
 		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
-		      KADM5_KEY_DATA | KADM5_KVNO);
+		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION);
     
     ret = context->db->store(context->context, context->db, 
 			     HDB_F_REPLACE, &ent);
@@ -74,6 +102,36 @@ out:
     return _kadm5_error_code(ret);
 }
 
+
+
+/*
+ * change the password of `princ' to `password' if it's not already that.
+ */
+
+kadm5_ret_t
+kadm5_s_chpass_principal_cond(void *server_handle, 
+			      krb5_principal princ,
+			      char *password)
+{
+    return change (server_handle, princ, password, 1);
+}
+
+/*
+ * change the password of `princ' to `password'
+ */
+
+kadm5_ret_t
+kadm5_s_chpass_principal(void *server_handle, 
+			 krb5_principal princ,
+			 char *password)
+{
+    return change (server_handle, princ, password, 0);
+}
+
+/*
+ * change keys for `princ' to `keys'
+ */
+
 kadm5_ret_t
 kadm5_s_chpass_principal_with_key(void *server_handle, 
 				  krb5_principal princ,
@@ -90,19 +148,24 @@ kadm5_s_chpass_principal_with_key(void *server_handle,
     ret = context->db->fetch(context->context, context->db, 0, &ent);
     if(ret == HDB_ERR_NOENTRY)
 	goto out;
-    ret = _kadm5_set_keys2(&ent, n_key_data, key_data);
+    ret = _kadm5_set_keys2(context, &ent, n_key_data, key_data);
     if(ret)
 	goto out2;
     ret = _kadm5_set_modifier(context, &ent);
     if(ret)
 	goto out2;
+    ret = _kadm5_bump_pw_expire(context, &ent);
+    if (ret)
+	goto out2;
 
-    hdb_seal_keys(context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out2;
 
     kadm5_log_modify (context,
 		      &ent,
 		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
-		      KADM5_KEY_DATA | KADM5_KVNO);
+		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION);
     
     ret = context->db->store(context->context, context->db, 
 			     HDB_F_REPLACE, &ent);
diff --git a/crypto/heimdal/lib/kadm5/common_glue.c b/crypto/heimdal/lib/kadm5/common_glue.c
index 38c551c..b508282 100644
--- a/crypto/heimdal/lib/kadm5/common_glue.c
+++ b/crypto/heimdal/lib/kadm5/common_glue.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: common_glue.c,v 1.4 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: common_glue.c,v 1.5 2000/03/23 22:58:26 assar Exp $");
 
 #define __CALL(F, P) (*((kadm5_common_context*)server_handle)->funcs.F)P;
 
@@ -46,6 +46,16 @@ kadm5_chpass_principal(void *server_handle,
 }
 
 kadm5_ret_t
+kadm5_chpass_principal_with_key(void *server_handle,
+				krb5_principal princ,
+				int n_key_data,
+				krb5_key_data *key_data)
+{
+    return __CALL(chpass_principal_with_key,
+		  (server_handle, princ, n_key_data, key_data));
+}
+
+kadm5_ret_t
 kadm5_create_principal(void *server_handle,
 		       kadm5_principal_ent_t princ,
 		       u_int32_t mask,
diff --git a/crypto/heimdal/lib/kadm5/context_s.c b/crypto/heimdal/lib/kadm5/context_s.c
index fc52576..805f4f0 100644
--- a/crypto/heimdal/lib/kadm5/context_s.c
+++ b/crypto/heimdal/lib/kadm5/context_s.c
@@ -33,14 +33,14 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: context_s.c,v 1.13 2000/01/06 21:40:08 assar Exp $");
+RCSID("$Id: context_s.c,v 1.15 2000/05/12 15:22:33 assar Exp $");
 
 static void
 set_funcs(kadm5_server_context *c)
 {
 #define SET(C, F) (C)->funcs.F = kadm5_s_ ## F
     SET(c, chpass_principal);
-    SET(c, chpass_principal);
+    SET(c, chpass_principal_with_key);
     SET(c, create_principal);
     SET(c, delete_principal);
     SET(c, destroy);
@@ -66,6 +66,10 @@ set_field(krb5_context context, krb5_config_binding *binding,
 	  char **variable)
 {
     const char *p;
+
+    if (*variable != NULL)
+	free (*variable);
+
     p = krb5_config_get_string(context, binding, name, NULL);
     if(p)
 	*variable = strdup(p);
@@ -153,10 +157,10 @@ find_db_spec(kadm5_server_context *ctx)
     if(default_binding)
 	set_config(ctx, default_binding);
     else {
-	ctx->config.dbname = strdup(HDB_DEFAULT_DB);
-	ctx->config.acl_file = HDB_DB_DIR "/kadmind.acl";
-	ctx->config.stash_file = HDB_DB_DIR "/m-key";
-	ctx->log_context.log_file = HDB_DB_DIR "/log";
+	ctx->config.dbname        = strdup(HDB_DEFAULT_DB);
+	ctx->config.acl_file      = strdup(HDB_DB_DIR "/kadmind.acl");
+	ctx->config.stash_file    = strdup(HDB_DB_DIR "/m-key");
+	ctx->log_context.log_file = strdup(HDB_DB_DIR "/log");
 	memset(&ctx->log_context.socket_name, 0, 
 	       sizeof(ctx->log_context.socket_name));
 	ctx->log_context.socket_name.sun_family = AF_UNIX;
diff --git a/crypto/heimdal/lib/kadm5/create_c.c b/crypto/heimdal/lib/kadm5/create_c.c
index 45eb3e2..8d81cb3 100644
--- a/crypto/heimdal/lib/kadm5/create_c.c
+++ b/crypto/heimdal/lib/kadm5/create_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: create_c.c,v 1.3 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: create_c.c,v 1.4 2000/07/11 15:59:21 joda Exp $");
 
 kadm5_ret_t
 kadm5_c_create_principal(void *server_handle,
@@ -48,6 +48,10 @@ kadm5_c_create_principal(void *server_handle,
     int32_t tmp;
     krb5_data reply;
 
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
     sp = krb5_storage_from_mem(buf, sizeof(buf));
     if (sp == NULL)
 	return ENOMEM;
diff --git a/crypto/heimdal/lib/kadm5/create_s.c b/crypto/heimdal/lib/kadm5/create_s.c
index 6e352f6..287211b 100644
--- a/crypto/heimdal/lib/kadm5/create_s.c
+++ b/crypto/heimdal/lib/kadm5/create_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: create_s.c,v 1.16 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: create_s.c,v 1.19 2001/01/30 01:24:28 assar Exp $");
 
 static kadm5_ret_t
 get_default(kadm5_server_context *context, krb5_principal princ, 
@@ -87,7 +87,8 @@ create_principal(kadm5_server_context *context,
 	def_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE;
     }
 
-    ret = _kadm5_setup_entry(ent, mask | def_mask,
+    ret = _kadm5_setup_entry(context,
+			     ent, mask | def_mask,
 			     princ, mask,
 			     defent, def_mask);
     if(defent)
@@ -119,11 +120,13 @@ kadm5_s_create_principal_with_key(void *server_handle,
     if(ret)
 	goto out;
 
-    ret = _kadm5_set_keys2(&ent, princ->n_key_data, princ->key_data);
+    ret = _kadm5_set_keys2(context, &ent, princ->n_key_data, princ->key_data);
     if(ret)
 	goto out;
     
-    hdb_seal_keys(context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out;
     
     kadm5_log_create (context, &ent);
 
@@ -174,8 +177,12 @@ kadm5_s_create_principal(void *server_handle,
     ent.keys.val[2].salt->type = hdb_pw_salt;
     ent.keys.val[3].key.keytype = ETYPE_DES3_CBC_SHA1;
     ret = _kadm5_set_keys(context, &ent, password);
+    if (ret)
+	goto out;
 
-    hdb_seal_keys(context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out;
     
     kadm5_log_create (context, &ent);
 
diff --git a/crypto/heimdal/lib/kadm5/delete_c.c b/crypto/heimdal/lib/kadm5/delete_c.c
index 71a3cf0..7575c5e 100644
--- a/crypto/heimdal/lib/kadm5/delete_c.c
+++ b/crypto/heimdal/lib/kadm5/delete_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: delete_c.c,v 1.3 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: delete_c.c,v 1.4 2000/07/11 15:59:29 joda Exp $");
 
 kadm5_ret_t
 kadm5_c_delete_principal(void *server_handle, krb5_principal princ)
@@ -45,6 +45,10 @@ kadm5_c_delete_principal(void *server_handle, krb5_principal princ)
     int32_t tmp;
     krb5_data reply;
 
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
     sp = krb5_storage_from_mem(buf, sizeof(buf));
     if (sp == NULL)
 	return ENOMEM;
diff --git a/crypto/heimdal/lib/kadm5/delete_s.c b/crypto/heimdal/lib/kadm5/delete_s.c
index ef326587b..2f2bf88 100644
--- a/crypto/heimdal/lib/kadm5/delete_s.c
+++ b/crypto/heimdal/lib/kadm5/delete_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: delete_s.c,v 1.7 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: delete_s.c,v 1.9 2001/01/30 01:24:28 assar Exp $");
 
 kadm5_ret_t
 kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
@@ -57,7 +57,9 @@ kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
 	goto out;
     }
     
-    hdb_seal_keys(context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out;
 
     kadm5_log_delete (context, princ);
     
diff --git a/crypto/heimdal/lib/kadm5/destroy_s.c b/crypto/heimdal/lib/kadm5/destroy_s.c
index 22158d0..a8ad328 100644
--- a/crypto/heimdal/lib/kadm5/destroy_s.c
+++ b/crypto/heimdal/lib/kadm5/destroy_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,35 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: destroy_s.c,v 1.5 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: destroy_s.c,v 1.6 2000/05/12 15:23:13 assar Exp $");
+
+/*
+ * dealloc a `kadm5_config_params'
+ */
+
+static void
+destroy_config (kadm5_config_params *c)
+{
+    free (c->realm);
+    free (c->dbname);
+    free (c->acl_file);
+    free (c->stash_file);
+}
+
+/*
+ * dealloc a kadm5_log_context
+ */
+
+static void
+destroy_kadm5_log_context (kadm5_log_context *c)
+{
+    free (c->log_file);
+    close (c->socket_fd);
+}
+
+/*
+ * destroy a kadm5 handle
+ */
 
 kadm5_ret_t 
 kadm5_s_destroy(void *server_handle)
@@ -43,8 +71,11 @@ kadm5_s_destroy(void *server_handle)
     krb5_context kcontext = context->context;
 
     ret = context->db->destroy(kcontext, context->db);
+    destroy_kadm5_log_context (&context->log_context);
+    destroy_config (&context->config);
+    krb5_free_principal (kcontext, context->caller);
     if(context->my_context)
 	krb5_free_context(kcontext);
+    free (context);
     return ret;
 }
-
diff --git a/crypto/heimdal/lib/kadm5/dump_log.c b/crypto/heimdal/lib/kadm5/dump_log.c
index 68a3f53..691f2d3 100644
--- a/crypto/heimdal/lib/kadm5/dump_log.c
+++ b/crypto/heimdal/lib/kadm5/dump_log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "iprop.h"
 #include "parse_time.h"
 
-RCSID("$Id: dump_log.c,v 1.9 1999/12/04 19:49:43 assar Exp $");
+RCSID("$Id: dump_log.c,v 1.11 2000/07/24 04:30:11 assar Exp $");
 
 static char *op_names[] = {
     "get",
@@ -45,7 +45,9 @@ static char *op_names[] = {
     "modify",
     "randkey",
     "get_privs",
-    "get_princs"
+    "get_princs",
+    "chpass_with_key",
+    "nop"
 };
 
 static void
@@ -70,7 +72,7 @@ print_entry(kadm5_server_context *server_context,
 
     strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", localtime(&timestamp));
 
-    if(op < kadm_get || op > kadm_get_princs) {
+    if(op < kadm_get || op > kadm_nop) {
 	printf("unknown op: %d\n", op);
 	sp->seek(sp, end, SEEK_SET);
 	return;
@@ -130,11 +132,11 @@ print_entry(kadm5_server_context *server_context,
 	    printf("    expires = %s\n", t);
 	}
 	if(mask & KADM5_PW_EXPIRATION) {
-	    if(ent.valid_end == NULL) {
+	    if(ent.pw_end == NULL) {
 		strcpy(t, "never");
 	    } else {
 		strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", 
-			 localtime(ent.valid_end));
+			 localtime(ent.pw_end));
 	    }
 	    printf("    password exp = %s\n", t);
 	}
@@ -197,16 +199,19 @@ print_entry(kadm5_server_context *server_context,
 	}
 	hdb_free_entry(context, &ent);
 	break;
+    case kadm_nop :
+	break;
     default:
 	abort();
     }
     sp->seek(sp, end, SEEK_SET);
 }
 
-char *realm;
-int version_flag;
-int help_flag;
-struct getargs args[] = {
+static char *realm;
+static int version_flag;
+static int help_flag;
+
+static struct getargs args[] = {
     { "realm", 'r', arg_string, &realm },
     { "version", 0, arg_flag, &version_flag },
     { "help", 0, arg_flag, &help_flag }
diff --git a/crypto/heimdal/lib/kadm5/ent_setup.c b/crypto/heimdal/lib/kadm5/ent_setup.c
index 46653c7..29fab74 100644
--- a/crypto/heimdal/lib/kadm5/ent_setup.c
+++ b/crypto/heimdal/lib/kadm5/ent_setup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: ent_setup.c,v 1.11 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: ent_setup.c,v 1.12 2000/03/23 23:02:35 assar Exp $");
 
 #define set_value(X, V) do { if((X) == NULL) (X) = malloc(sizeof(*(X))); *(X) = V; } while(0)
 #define set_null(X)     do { if((X) != NULL) free((X)); (X) = NULL; } while (0)
@@ -62,7 +62,8 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
  */
 
 kadm5_ret_t
-_kadm5_setup_entry(hdb_entry *ent,
+_kadm5_setup_entry(kadm5_server_context *context,
+		   hdb_entry *ent,
 		   u_int32_t mask,
 		   kadm5_principal_ent_t princ, 
 		   u_int32_t princ_mask,
@@ -129,7 +130,7 @@ _kadm5_setup_entry(hdb_entry *ent,
     }
     if(mask & KADM5_KEY_DATA
        && princ_mask & KADM5_KEY_DATA) {
-	_kadm5_set_keys2(ent, princ->n_key_data, princ->key_data);
+	_kadm5_set_keys2(context, ent, princ->n_key_data, princ->key_data);
     }
     if(mask & KADM5_TL_DATA) {
 	/* XXX */
diff --git a/crypto/heimdal/lib/kadm5/get_c.c b/crypto/heimdal/lib/kadm5/get_c.c
index 9ca672a..279a77a 100644
--- a/crypto/heimdal/lib/kadm5/get_c.c
+++ b/crypto/heimdal/lib/kadm5/get_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: get_c.c,v 1.5 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: get_c.c,v 1.6 2000/07/11 15:59:36 joda Exp $");
 
 kadm5_ret_t
 kadm5_c_get_principal(void *server_handle, 
@@ -48,6 +48,10 @@ kadm5_c_get_principal(void *server_handle,
     int32_t tmp;
     krb5_data reply;
 
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
     sp = krb5_storage_from_mem(buf, sizeof(buf));
     if (sp == NULL)
 	return ENOMEM;
diff --git a/crypto/heimdal/lib/kadm5/get_princs_c.c b/crypto/heimdal/lib/kadm5/get_princs_c.c
index 0956052..3536cdf 100644
--- a/crypto/heimdal/lib/kadm5/get_princs_c.c
+++ b/crypto/heimdal/lib/kadm5/get_princs_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: get_princs_c.c,v 1.3 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: get_princs_c.c,v 1.4 2000/07/11 16:00:19 joda Exp $");
 
 kadm5_ret_t
 kadm5_c_get_principals(void *server_handle, 
@@ -48,6 +48,10 @@ kadm5_c_get_principals(void *server_handle,
     int32_t tmp;
     krb5_data reply;
 
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
     sp = krb5_storage_from_mem(buf, sizeof(buf));
     if (sp == NULL)
 	return ENOMEM;
diff --git a/crypto/heimdal/lib/kadm5/get_s.c b/crypto/heimdal/lib/kadm5/get_s.c
index 12613b6..0851900 100644
--- a/crypto/heimdal/lib/kadm5/get_s.c
+++ b/crypto/heimdal/lib/kadm5/get_s.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: get_s.c,v 1.11 1999/12/26 19:38:23 assar Exp $");
+RCSID("$Id: get_s.c,v 1.13 2000/06/19 16:11:31 joda Exp $");
 
 kadm5_ret_t
 kadm5_s_get_principal(void *server_handle, 
@@ -78,8 +78,12 @@ kadm5_s_get_principal(void *server_handle,
 	out->attributes |= ent.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
 	out->attributes |= ent.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
     }
-    if(mask & KADM5_MAX_LIFE && ent.max_life)
-	out->max_life = *ent.max_life;
+    if(mask & KADM5_MAX_LIFE) {
+	if(ent.max_life)
+	    out->max_life = *ent.max_life;
+	else
+	    out->max_life = INT_MAX;
+    }
     if(mask & KADM5_MOD_TIME) {
 	if(ent.modified_by)
 	    out->mod_date = ent.modified_by->time;
@@ -92,10 +96,12 @@ kadm5_s_get_principal(void *server_handle,
 		ret = krb5_copy_principal(context->context, 
 					  ent.modified_by->principal,
 					  &out->mod_name);
-	} else
+	} else if(ent.created_by.principal != NULL)
 	    ret = krb5_copy_principal(context->context, 
 				      ent.created_by.principal,
 				      &out->mod_name);
+	else
+	    out->mod_name = NULL;
     }
     if(ret)
 	goto out;
@@ -115,8 +121,12 @@ kadm5_s_get_principal(void *server_handle,
 	/* XXX implement */;
     if(mask & KADM5_POLICY)
 	out->policy = NULL;
-    if(mask & KADM5_MAX_RLIFE && ent.max_renew)
-	out->max_renewable_life = *ent.max_renew;
+    if(mask & KADM5_MAX_RLIFE) {
+	if(ent.max_renew)
+	    out->max_renewable_life = *ent.max_renew;
+	else
+	    out->max_renewable_life = INT_MAX;
+    }
     if(mask & KADM5_LAST_SUCCESS)
 	/* XXX implement */;
     if(mask & KADM5_LAST_FAILED)
@@ -140,7 +150,7 @@ kadm5_s_get_principal(void *server_handle,
 	    if(key->salt)
 		kd->key_data_type[1] = key->salt->type;
 	    else
-		kd->key_data_type[1] = pa_pw_salt;
+		kd->key_data_type[1] = KRB5_PADATA_PW_SALT;
 	    /* setup key */
 	    kd->key_data_length[0] = key->key.keyvalue.length;
 	    kd->key_data_contents[0] = malloc(kd->key_data_length[0]);
diff --git a/crypto/heimdal/lib/kadm5/init_c.c b/crypto/heimdal/lib/kadm5/init_c.c
index 098e9c8..e4df034 100644
--- a/crypto/heimdal/lib/kadm5/init_c.c
+++ b/crypto/heimdal/lib/kadm5/init_c.c
@@ -37,14 +37,14 @@
 #include <netinet/in.h>
 #include <netdb.h>
 
-RCSID("$Id: init_c.c,v 1.35 2000/01/28 03:20:18 assar Exp $");
+RCSID("$Id: init_c.c,v 1.40 2000/12/31 08:00:23 assar Exp $");
 
 static void
 set_funcs(kadm5_client_context *c)
 {
 #define SET(C, F) (C)->funcs.F = kadm5 ## _c_ ## F
     SET(c, chpass_principal);
-    SET(c, chpass_principal);
+    SET(c, chpass_principal_with_key);
     SET(c, create_principal);
     SET(c, delete_principal);
     SET(c, destroy);
@@ -288,21 +288,10 @@ get_cred_cache(krb5_context context,
     return ret;
 }
 
-static kadm5_ret_t 
-kadm5_c_init_with_context(krb5_context context,
-			  const char *client_name, 
-			  const char *password,
-			  krb5_prompter_fct prompter,
-			  const char *keytab,
-			  krb5_ccache ccache,
-			  const char *service_name,
-			  kadm5_config_params *realm_params,
-			  unsigned long struct_version,
-			  unsigned long api_version,
-			  void **server_handle)
+static kadm5_ret_t
+kadm_connect(kadm5_client_context *ctx)
 {
     kadm5_ret_t ret;
-    kadm5_client_context *ctx;
     krb5_principal server;
     krb5_ccache cc;
     int s;
@@ -311,15 +300,12 @@ kadm5_c_init_with_context(krb5_context context,
     int error;
     char portstr[NI_MAXSERV];
     char *hostname, *slash;
+    krb5_context context = ctx->context;
 
     memset (&hints, 0, sizeof(hints));
     hints.ai_socktype = SOCK_STREAM;
     hints.ai_protocol = IPPROTO_TCP;
-
-    ret = _kadm5_c_init_context(&ctx, realm_params, context);
-    if(ret)
-	return ret;
-
+    
     snprintf (portstr, sizeof(portstr), "%u", ntohs(ctx->kadmind_port));
 
     hostname = ctx->admin_server;
@@ -347,8 +333,9 @@ kadm5_c_init_with_context(krb5_context context,
 	krb5_warnx (context, "failed to contact %s", hostname);
 	return KADM5_FAILURE;
     }
-    ret = get_cred_cache(context, client_name, service_name, 
-			 password, prompter, keytab, ccache, &cc);
+    ret = get_cred_cache(context, ctx->client_name, ctx->service_name, 
+			 NULL, ctx->prompter, ctx->keytab, 
+			 ctx->ccache, &cc);
     
     if(ret) {
 	freeaddrinfo (ai);
@@ -358,7 +345,7 @@ kadm5_c_init_with_context(krb5_context context,
     ret = krb5_parse_name(context, KADM5_ADMIN_SERVICE, &server);
     if(ret) {
 	freeaddrinfo (ai);
-	if(ccache == NULL)
+	if(ctx->ccache == NULL)
 	    krb5_cc_close(context, cc);
 	close(s);
 	return ret;
@@ -370,19 +357,18 @@ kadm5_c_init_with_context(krb5_context context,
 			server, AP_OPTS_MUTUAL_REQUIRED, 
 			NULL, NULL, cc, NULL, NULL, NULL);
     if(ret == 0) {
-	krb5_data params, enc_data;
-	ret = _kadm5_marshal_params(context, realm_params, &params);
-	
-	ret = krb5_mk_priv(context,
-			   ctx->ac,
-			   &params,
-			   &enc_data,
-			   NULL);
-
-	ret = krb5_write_message(context, &s, &enc_data);
+	krb5_data params;
+	ret = _kadm5_marshal_params(context, ctx->realm_params, &params);
 	
+	ret = krb5_write_priv_message(context, ctx->ac, &s, &params);
 	krb5_data_free(&params);
-	krb5_data_free(&enc_data);
+	if(ret) {
+	    freeaddrinfo (ai);
+	    close(s);
+	    if(ctx->ccache == NULL)
+		krb5_cc_close(context, cc);
+	    return ret;
+	}
     } else if(ret == KRB5_SENDAUTH_BADAPPLVERS) {
 	close(s);
 
@@ -396,8 +382,6 @@ kadm5_c_init_with_context(krb5_context context,
 	    freeaddrinfo (ai);
 	    return errno;
 	}
-	freeaddrinfo (ai);
-
 	ret = krb5_sendauth(context, &ctx->ac, &s, 
 			    KADMIN_OLD_APPL_VERSION, NULL, 
 			    server, AP_OPTS_MUTUAL_REQUIRED, 
@@ -410,13 +394,70 @@ kadm5_c_init_with_context(krb5_context context,
     }
     
     krb5_free_principal(context, server);
-    if(ccache == NULL)
+    if(ctx->ccache == NULL)
 	krb5_cc_close(context, cc);
     if(ret) {
 	close(s);
 	return ret;
     }
     ctx->sock = s;
+    
+    return 0;
+}
+
+kadm5_ret_t
+_kadm5_connect(void *handle)
+{
+    kadm5_client_context *ctx = handle;
+    if(ctx->sock == -1)
+	return kadm_connect(ctx);
+    return 0;
+}
+
+static kadm5_ret_t 
+kadm5_c_init_with_context(krb5_context context,
+			  const char *client_name, 
+			  const char *password,
+			  krb5_prompter_fct prompter,
+			  const char *keytab,
+			  krb5_ccache ccache,
+			  const char *service_name,
+			  kadm5_config_params *realm_params,
+			  unsigned long struct_version,
+			  unsigned long api_version,
+			  void **server_handle)
+{
+    kadm5_ret_t ret;
+    kadm5_client_context *ctx;
+    krb5_ccache cc;
+
+    ret = _kadm5_c_init_context(&ctx, realm_params, context);
+    if(ret)
+	return ret;
+
+    if(password != NULL && *password != '\0') {
+	ret = get_cred_cache(context, client_name, service_name, 
+			     password, prompter, keytab, ccache, &cc);
+	if(ret)
+	    return ret; /* XXX */
+	ccache = cc;
+    }
+    
+
+    if (client_name != NULL)
+	ctx->client_name = strdup(client_name);
+    else
+	ctx->client_name = NULL;
+    if (service_name != NULL)
+	ctx->service_name = strdup(service_name);
+    else
+	ctx->service_name = NULL;
+    ctx->prompter = prompter;
+    ctx->keytab = keytab;
+    ctx->ccache = ccache;
+    ctx->realm_params = realm_params;
+    ctx->sock = -1;
+    
     *server_handle = ctx;
     return 0;
 }
@@ -437,7 +478,9 @@ init_context(const char *client_name,
     kadm5_ret_t ret;
     kadm5_server_context *ctx;
     
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret)
+	return ret;
     ret = kadm5_c_init_with_context(context,
 				    client_name,
 				    password,
diff --git a/crypto/heimdal/lib/kadm5/init_s.c b/crypto/heimdal/lib/kadm5/init_s.c
index 6c1f3d1..bf5d036 100644
--- a/crypto/heimdal/lib/kadm5/init_s.c
+++ b/crypto/heimdal/lib/kadm5/init_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: init_s.c,v 1.9 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: init_s.c,v 1.10 2000/12/31 08:01:16 assar Exp $");
 
 
 static kadm5_ret_t 
@@ -113,7 +113,9 @@ kadm5_s_init_with_password(const char *client_name,
     kadm5_ret_t ret;
     kadm5_server_context *ctx;
 
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret)
+	return ret;
     ret = kadm5_s_init_with_password_ctx(context, 
 					 client_name, 
 					 password, 
@@ -163,7 +165,9 @@ kadm5_s_init_with_skey(const char *client_name,
     kadm5_ret_t ret;
     kadm5_server_context *ctx;
 
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret)
+	return ret;
     ret = kadm5_s_init_with_skey_ctx(context, 
 				     client_name, 
 				     keytab, 
@@ -213,7 +217,9 @@ kadm5_s_init_with_creds(const char *client_name,
     kadm5_ret_t ret;
     kadm5_server_context *ctx;
 
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret)
+	return ret;
     ret = kadm5_s_init_with_creds_ctx(context, 
 				      client_name, 
 				      ccache, 
diff --git a/crypto/heimdal/lib/kadm5/iprop.h b/crypto/heimdal/lib/kadm5/iprop.h
index 499f515..a8f2b7f 100644
--- a/crypto/heimdal/lib/kadm5/iprop.h
+++ b/crypto/heimdal/lib/kadm5/iprop.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: iprop.h,v 1.4 1999/12/02 17:05:06 joda Exp $ */
+/* $Id: iprop.h,v 1.5 2000/06/05 17:02:43 assar Exp $ */
 
 #ifndef __IPROP_H__
 #define __IPROP_H__
@@ -48,6 +48,15 @@
 
 #define IPROP_NAME "iprop"
 
-enum iprop_cmd { I_HAVE = 1, FOR_YOU = 2 };
+#define IPROP_SERVICE "iprop"
+
+#define IPROP_PORT 2121
+
+enum iprop_cmd { I_HAVE = 1,
+		 FOR_YOU = 2,
+		 TELL_YOU_EVERYTHING = 3,
+		 ONE_PRINC = 4,
+		 NOW_YOU_HAVE = 5
+};
 
 #endif /* __IPROP_H__ */
diff --git a/crypto/heimdal/lib/kadm5/ipropd_master.c b/crypto/heimdal/lib/kadm5/ipropd_master.c
index b2e71a7..99cddc4 100644
--- a/crypto/heimdal/lib/kadm5/ipropd_master.c
+++ b/crypto/heimdal/lib/kadm5/ipropd_master.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,9 @@
 
 #include "iprop.h"
 
-RCSID("$Id: ipropd_master.c,v 1.12 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: ipropd_master.c,v 1.21 2000/11/15 23:12:45 assar Exp $");
+
+static krb5_log_facility *log_facility;
 
 static int
 make_signal_socket (krb5_context context)
@@ -46,8 +48,7 @@ make_signal_socket (krb5_context context)
 	krb5_err (context, 1, errno, "socket AF_UNIX");
     memset (&addr, 0, sizeof(addr));
     addr.sun_family = AF_UNIX;
-    strncpy (addr.sun_path, KADM5_LOG_SIGNAL, sizeof(addr.sun_path));
-    addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
+    strlcpy (addr.sun_path, KADM5_LOG_SIGNAL, sizeof(addr.sun_path));
     unlink (addr.sun_path);
     if (bind (fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
 	krb5_err (context, 1, errno, "bind %s", addr.sun_path);
@@ -67,7 +68,8 @@ make_listen_socket (krb5_context context)
     setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
     memset (&addr, 0, sizeof(addr));
     addr.sin_family = AF_INET;
-    addr.sin_port   = htons(4711);
+    addr.sin_port   = krb5_getportbyname (context,
+					  IPROP_SERVICE, "tcp", IPROP_PORT);
     if(bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
 	krb5_err (context, 1, errno, "bind");
     if (listen(fd, SOMAXCONN) < 0)
@@ -109,12 +111,12 @@ check_acl (krb5_context context, const char *name)
 }
 
 static void
-add_slave (krb5_context context, slave **root, int fd)
+add_slave (krb5_context context, krb5_keytab keytab, slave **root, int fd)
 {
     krb5_principal server;
     krb5_error_code ret;
     slave *s;
-    int addr_len;
+    socklen_t addr_len;
     krb5_ticket *ticket = NULL;
     char hostname[128];
 
@@ -141,7 +143,7 @@ add_slave (krb5_context context, slave **root, int fd)
     }
 
     ret = krb5_recvauth (context, &s->ac, &s->fd,
-			 IPROP_VERSION, server, 0, NULL, &ticket);
+			 IPROP_VERSION, server, 0, keytab, &ticket);
     krb5_free_principal (context, server);
     if (ret) {
 	krb5_warn (context, ret, "krb5_recvauth");
@@ -157,7 +159,7 @@ add_slave (krb5_context context, slave **root, int fd)
 	goto error;
     }
     krb5_free_ticket (context, ticket);
-    printf ("connection from %s\n", s->name);
+    krb5_warnx (context, "connection from %s", s->name);
 
     s->version = 0;
     s->next = *root;
@@ -191,24 +193,87 @@ remove_slave (krb5_context context, slave *s, slave **root)
     free (s);
 }
 
+struct prop_context {
+    krb5_auth_context auth_context;
+    int fd;
+};
+
+static int
+prop_one (krb5_context context, HDB *db, hdb_entry *entry, void *v)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    struct slave *slave = (struct slave *)v;
+
+    ret = hdb_entry2value (context, entry, &data);
+    if (ret)
+	return ret;
+    ret = krb5_data_realloc (&data, data.length + 4);
+    if (ret) {
+	krb5_data_free (&data);
+	return ret;
+    }
+    memmove ((char *)data.data + 4, data.data, data.length - 4);
+    _krb5_put_int (data.data, ONE_PRINC, 4);
+
+    ret = krb5_write_priv_message (context, slave->ac, &slave->fd, &data);
+    krb5_data_free (&data);
+    return ret;
+}
+
 static int
-send_complete (krb5_context context, slave *s)
+send_complete (krb5_context context, slave *s,
+	       const char *database, u_int32_t current_version)
 {
-    abort ();
+    krb5_error_code ret;
+    HDB *db;
+    krb5_data data;
+    char buf[8];
+
+    ret = hdb_create (context, &db, database);
+    if (ret)
+	krb5_err (context, 1, ret, "hdb_create: %s", database);
+    ret = db->open (context, db, O_RDONLY, 0);
+    if (ret)
+	krb5_err (context, 1, ret, "db->open");
+
+    _krb5_put_int(buf, TELL_YOU_EVERYTHING, 4);
+
+    data.data   = buf;
+    data.length = 4;
+
+    ret = krb5_write_priv_message(context, s->ac, &s->fd, &data);
+
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_write_priv_message");
+
+    ret = hdb_foreach (context, db, 0, prop_one, s);
+    if (ret)
+	krb5_err (context, 1, ret, "hdb_foreach");
+
+    _krb5_put_int (buf, NOW_YOU_HAVE, 4);
+    _krb5_put_int (buf + 4, current_version, 4);
+    data.length = 8;
+
+    ret = krb5_write_priv_message(context, s->ac, &s->fd, &data);
+
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_write_priv_message");
+
+    return 0;
 }
 
 static int
 send_diffs (krb5_context context, slave *s, int log_fd,
-	    u_int32_t current_version)
+	    const char *database, u_int32_t current_version)
 {
-    krb5_storage *sp, *data_sp;
+    krb5_storage *sp;
     u_int32_t ver;
     time_t timestamp;
     enum kadm_ops op;
     u_int32_t len;
     off_t right, left;
     krb5_data data;
-    krb5_data priv_data;
     int ret = 0;
 
     if (s->version == current_version)
@@ -216,18 +281,16 @@ send_diffs (krb5_context context, slave *s, int log_fd,
 
     sp = kadm5_log_goto_end (log_fd);
     right = sp->seek(sp, 0, SEEK_CUR);
-    printf ("%ld, looking for %d\n", (long)right, s->version);
     for (;;) {
 	if (kadm5_log_previous (sp, &ver, &timestamp, &op, &len))
 	    abort ();
-	printf ("version = %d\n", ver);
 	left = sp->seek(sp, -16, SEEK_CUR);
 	if (ver == s->version)
 	    return 0;
 	if (ver == s->version + 1)
 	    break;
 	if (left == 0)
-	    return send_complete (context, s);
+	    return send_complete (context, s, database, current_version);
     }
     krb5_data_alloc (&data, right - left + 4);
     sp->fetch (sp, (char *)data.data + 4, data.length - 4);
@@ -235,17 +298,10 @@ send_diffs (krb5_context context, slave *s, int log_fd,
 
     _krb5_put_int(data.data, FOR_YOU, 4);
 
-    ret = krb5_mk_priv (context, s->ac, &data, &priv_data, NULL);
-    krb5_data_free(&data);
-    if (ret) {
-	krb5_warn (context, ret, "krb_mk_priv");
-	return 0;
-    }
+    ret = krb5_write_priv_message(context, s->ac, &s->fd, &data);
 
-    ret = krb5_write_message (context, &s->fd, &priv_data);
-    krb5_data_free (&priv_data);
     if (ret) {
-	krb5_warn (context, ret, "krb5_write_message");
+	krb5_warn (context, ret, "krb5_write_priv_message");
 	return 1;
     }
     return 0;
@@ -253,26 +309,16 @@ send_diffs (krb5_context context, slave *s, int log_fd,
 
 static int
 process_msg (krb5_context context, slave *s, int log_fd,
-	     u_int32_t current_version)
+	     const char *database, u_int32_t current_version)
 {
     int ret = 0;
-    krb5_data in, out;
+    krb5_data out;
     krb5_storage *sp;
     int32_t tmp;
 
-    ret = krb5_read_message (context, &s->fd, &in);
-    if (ret)
-	return 1;
-
-    if(in.length == 0) {
-	krb5_warnx(context, "process_msg: short message");
-	return 1;
-    }
-
-    ret = krb5_rd_priv (context, s->ac, &in, &out, NULL);
-    krb5_data_free (&in);
-    if (ret) {
-	krb5_warn (context, ret, "krb5_rd_priv");
+    ret = krb5_read_priv_message(context, s->ac, &s->fd, &out);
+    if(ret) {
+	krb5_warn (context, ret, "error reading message from %s", s->name);
 	return 1;
     }
 
@@ -282,7 +328,7 @@ process_msg (krb5_context context, slave *s, int log_fd,
     case I_HAVE :
 	krb5_ret_int32 (sp, &tmp);
 	s->version = tmp;
-	ret = send_diffs (context, s, log_fd, current_version);
+	ret = send_diffs (context, s, log_fd, database, current_version);
 	break;
     case FOR_YOU :
     default :
@@ -294,15 +340,21 @@ process_msg (krb5_context context, slave *s, int log_fd,
     return ret;
 }
 
-char *realm;
-int version_flag;
-int help_flag;
-struct getargs args[] = {
+static char *realm;
+static int version_flag;
+static int help_flag;
+static char *keytab_str = "HDB:";
+static char *database;
+
+static struct getargs args[] = {
     { "realm", 'r', arg_string, &realm },
+    { "keytab", 'k', arg_string, &keytab_str,
+      "keytab to get authentication from", "kspec" },
+    { "database", 'd', arg_string, &database, "database", "file"},
     { "version", 0, arg_flag, &version_flag },
     { "help", 0, arg_flag, &help_flag }
 };
-int num_args = sizeof(args) / sizeof(args[0]);
+static int num_args = sizeof(args) / sizeof(args[0]);
 
 int
 main(int argc, char **argv)
@@ -316,7 +368,7 @@ main(int argc, char **argv)
     int log_fd;
     slave *slaves = NULL;
     u_int32_t current_version, old_version = 0;
-
+    krb5_keytab keytab;
     int optind;
     
     optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
@@ -328,17 +380,28 @@ main(int argc, char **argv)
 	exit(0);
     }
 
+    krb5_openlog (context, "ipropd-master", &log_facility);
+    krb5_set_warn_dest(context, log_facility);
+
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_register");
+
+    ret = krb5_kt_resolve(context, keytab_str, &keytab);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_resolve: %s", keytab_str);
+    
     memset(&conf, 0, sizeof(conf));
     if(realm) {
 	conf.mask |= KADM5_CONFIG_REALM;
 	conf.realm = realm;
     }
-    ret = kadm5_init_with_password_ctx (context,
-					KADM5_ADMIN_SERVICE,
-					NULL,
-					KADM5_ADMIN_SERVICE,
-					&conf, 0, 0, 
-					&kadm_handle);
+    ret = kadm5_init_with_skey_ctx (context,
+				    KADM5_ADMIN_SERVICE,
+				    NULL,
+				    KADM5_ADMIN_SERVICE,
+				    &conf, 0, 0, 
+				    &kadm_handle);
     if (ret)
 	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
 
@@ -352,6 +415,8 @@ main(int argc, char **argv)
     signal_fd = make_signal_socket (context);
     listen_fd = make_listen_socket (context);
 
+    signal (SIGPIPE, SIG_IGN);
+
     for (;;) {
 	slave *p;
 	fd_set readset;
@@ -359,6 +424,9 @@ main(int argc, char **argv)
 	struct timeval to = {30, 0};
 	u_int32_t vers;
 
+	if (signal_fd >= FD_SETSIZE || listen_fd >= FD_SETSIZE)
+	    krb5_errx (context, 1, "fd too large");
+
 	FD_ZERO(&readset);
 	FD_SET(signal_fd, &readset);
 	max_fd = max(max_fd, signal_fd);
@@ -381,38 +449,37 @@ main(int argc, char **argv)
 
 	if (ret == 0) {
 	    old_version = current_version;
-	    kadm5_log_get_version (log_fd, &current_version);
+	    kadm5_log_get_version_fd (log_fd, &current_version);
 
 	    if (current_version > old_version)
 		for (p = slaves; p != NULL; p = p->next)
-		    send_diffs (context, p, log_fd, current_version);
+		    send_diffs (context, p, log_fd, database, current_version);
 	}
 
 	if (ret && FD_ISSET(signal_fd, &readset)) {
 	    struct sockaddr_un peer_addr;
-	    int peer_len = sizeof(peer_addr);
+	    socklen_t peer_len = sizeof(peer_addr);
 
 	    if(recvfrom(signal_fd, &vers, sizeof(vers), 0,
 			(struct sockaddr *)&peer_addr, &peer_len) < 0) {
 		krb5_warn (context, errno, "recvfrom");
 		continue;
 	    }
-	    printf ("signal: %u\n", vers);
 	    --ret;
 	    old_version = current_version;
-	    kadm5_log_get_version (log_fd, &current_version);
+	    kadm5_log_get_version_fd (log_fd, &current_version);
 	    for (p = slaves; p != NULL; p = p->next)
-		send_diffs (context, p, log_fd, current_version);
+		send_diffs (context, p, log_fd, database, current_version);
 	}
 
 	for(p = slaves; p != NULL && ret--; p = p->next)
 	    if (FD_ISSET(p->fd, &readset)) {
-		if(process_msg (context, p, log_fd, current_version))
+		if(process_msg (context, p, log_fd, database, current_version))
 		    remove_slave (context, p, &slaves);
 	    }
 
 	if (ret && FD_ISSET(listen_fd, &readset)) {
-	    add_slave (context, &slaves, listen_fd);
+	    add_slave (context, keytab, &slaves, listen_fd);
 	    --ret;
 	}
 
diff --git a/crypto/heimdal/lib/kadm5/ipropd_slave.c b/crypto/heimdal/lib/kadm5/ipropd_slave.c
index 76884eb..8d8bf25 100644
--- a/crypto/heimdal/lib/kadm5/ipropd_slave.c
+++ b/crypto/heimdal/lib/kadm5/ipropd_slave.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,9 @@
 
 #include "iprop.h"
 
-RCSID("$Id: ipropd_slave.c,v 1.10 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: ipropd_slave.c,v 1.21 2000/08/06 02:06:19 assar Exp $");
+
+static krb5_log_facility *log_facility;
 
 static int
 connect_to_master (krb5_context context, const char *master)
@@ -47,7 +49,8 @@ connect_to_master (krb5_context context, const char *master)
 	krb5_err (context, 1, errno, "socket AF_INET");
     memset (&addr, 0, sizeof(addr));
     addr.sin_family = AF_INET;
-    addr.sin_port   = htons(4711);
+    addr.sin_port   = krb5_getportbyname (context,
+					  IPROP_SERVICE, "tcp", IPROP_PORT);
     he = roken_gethostbyname (master);
     if (he == NULL)
 	krb5_errx (context, 1, "gethostbyname: %s", hstrerror(h_errno));
@@ -58,31 +61,37 @@ connect_to_master (krb5_context context, const char *master)
 }
 
 static void
-get_creds(krb5_context context, krb5_ccache *cache, const char *host)
+get_creds(krb5_context context, const char *keytab_str,
+	  krb5_ccache *cache, const char *host)
 {
     krb5_keytab keytab;
     krb5_principal client;
     krb5_error_code ret;
     krb5_get_init_creds_opt init_opts;
-#if 0
-    krb5_preauthtype preauth = KRB5_PADATA_ENC_TIMESTAMP;
-#endif
     krb5_creds creds;
-    char my_hostname[128];
     char *server;
+    char keytab_buf[256];
     
-    ret = krb5_kt_default(context, &keytab);
-    if(ret) krb5_err(context, 1, ret, "krb5_kt_default");
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_register");
 
-    gethostname (my_hostname, sizeof(my_hostname));
-    ret = krb5_sname_to_principal (context, my_hostname, IPROP_NAME,
+    if (keytab_str == NULL) {
+	ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf));
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_kt_default_name");
+	keytab_str = keytab_buf;
+    }
+
+    ret = krb5_kt_resolve(context, keytab_str, &keytab);
+    if(ret)
+	krb5_err(context, 1, ret, "%s", keytab_str);
+    
+    ret = krb5_sname_to_principal (context, NULL, IPROP_NAME,
 				   KRB5_NT_SRV_HST, &client);
     if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal");
 
     krb5_get_init_creds_opt_init(&init_opts);
-#if 0
-    krb5_get_init_creds_opt_set_preauth_list(&init_opts, &preauth, 1);
-#endif
 
     asprintf (&server, "%s/%s", IPROP_NAME, host);
     if (server == NULL)
@@ -134,21 +143,15 @@ ihave (krb5_context context, krb5_auth_context auth_context,
 }
 
 static void
-receive (krb5_context context,
-	 krb5_storage *sp,
-	 kadm5_server_context *server_context)
+receive_loop (krb5_context context,
+	      krb5_storage *sp,
+	      kadm5_server_context *server_context)
 {
     int ret;
     off_t left, right;
     void *buf;
     int32_t vers;
 
-    ret = server_context->db->open(context,
-				   server_context->db,
-				   O_RDWR | O_CREAT, 0);
-    if (ret)
-	krb5_err (context, 1, ret, "db->open");
-
     do {
 	int32_t len, timestamp, tmp;
 	enum kadm_ops op;
@@ -166,7 +169,7 @@ receive (krb5_context context,
     left  = sp->seek (sp, -16, SEEK_CUR);
     right = sp->seek (sp, 0, SEEK_END);
     buf = malloc (right - left);
-    if (buf == NULL) {
+    if (buf == NULL && (right - left) != 0) {
 	krb5_warnx (context, "malloc: no memory");
 	return;
     }
@@ -197,21 +200,120 @@ receive (krb5_context context,
 	    server_context->log_context.version = vers;
 	sp->seek (sp, 8, SEEK_CUR);
     }
+}
+
+static void
+receive (krb5_context context,
+	 krb5_storage *sp,
+	 kadm5_server_context *server_context)
+{
+    int ret;
+
+    ret = server_context->db->open(context,
+				   server_context->db,
+				   O_RDWR | O_CREAT, 0600);
+    if (ret)
+	krb5_err (context, 1, ret, "db->open");
+
+    receive_loop (context, sp, server_context);
+
+    ret = server_context->db->close (context, server_context->db);
+    if (ret)
+	krb5_err (context, 1, ret, "db->close");
+}
+
+static void
+receive_everything (krb5_context context, int fd,
+		    kadm5_server_context *server_context,
+		    krb5_auth_context auth_context)
+{
+    int ret;
+    krb5_data data;
+    int32_t vno;
+    int32_t opcode;
+
+    ret = server_context->db->open(context,
+				   server_context->db,
+				   O_RDWR | O_CREAT | O_TRUNC, 0600);
+    if (ret)
+	krb5_err (context, 1, ret, "db->open");
+
+    do {
+	krb5_storage *sp;
+
+	ret = krb5_read_priv_message(context, auth_context, &fd, &data);
+
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_read_priv_message");
+
+	sp = krb5_storage_from_data (&data);
+	krb5_ret_int32 (sp, &opcode);
+	if (opcode == ONE_PRINC) {
+	    krb5_data fake_data;
+	    hdb_entry entry;
+
+	    fake_data.data   = (char *)data.data + 4;
+	    fake_data.length = data.length - 4;
+
+	    ret = hdb_value2entry (context, &fake_data, &entry);
+	    if (ret)
+		krb5_err (context, 1, ret, "hdb_value2entry");
+	    ret = server_context->db->store(server_context->context,
+					    server_context->db,
+					    0, &entry);
+	    if (ret)
+		krb5_err (context, 1, ret, "hdb_store");
+
+	    hdb_free_entry (context, &entry);
+	    krb5_data_free (&data);
+	}
+    } while (opcode == ONE_PRINC);
+
+    if (opcode != NOW_YOU_HAVE)
+	krb5_errx (context, 1, "receive_everything: strange %d", opcode);
+
+    _krb5_get_int ((char *)data.data + 4, &vno, 4);
+
+    ret = kadm5_log_reinit (server_context);
+    if (ret)
+	krb5_err(context, 1, ret, "kadm5_log_reinit");
+
+    ret = kadm5_log_set_version (server_context, vno - 1);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_set_version");
+
+    ret = kadm5_log_nop (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_nop");
+
+    krb5_data_free (&data);
 
     ret = server_context->db->close (context, server_context->db);
     if (ret)
 	krb5_err (context, 1, ret, "db->close");
 }
 
-char *realm;
-int version_flag;
-int help_flag;
-struct getargs args[] = {
+static char *realm;
+static int version_flag;
+static int help_flag;
+static char *keytab_str;
+
+static struct getargs args[] = {
     { "realm", 'r', arg_string, &realm },
+    { "keytab", 'k', arg_string, &keytab_str,
+      "keytab to get authentication from", "kspec" },
     { "version", 0, arg_flag, &version_flag },
     { "help", 0, arg_flag, &help_flag }
 };
-int num_args = sizeof(args) / sizeof(args[0]);
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage (int code, struct getargs *args, int num_args)
+{
+    arg_printusage (args, num_args, NULL, "master");
+    exit (code);
+}
 
 int
 main(int argc, char **argv)
@@ -227,16 +329,32 @@ main(int argc, char **argv)
     krb5_principal server;
 
     int optind;
+    const char *master;
     
-    optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    optind = krb5_program_setup(&context, argc, argv, args, num_args, usage);
     
     if(help_flag)
-	krb5_std_usage(0, args, num_args);
+	usage (0, args, num_args);
     if(version_flag) {
 	print_version(NULL);
 	exit(0);
     }
 
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 1)
+	usage (1, args, num_args);
+
+    master = argv[0];
+
+    krb5_openlog (context, "ipropd-master", &log_facility);
+    krb5_set_warn_dest(context, log_facility);
+
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_register");
+
     memset(&conf, 0, sizeof(conf));
     if(realm) {
 	conf.mask |= KADM5_CONFIG_REALM;
@@ -257,11 +375,11 @@ main(int argc, char **argv)
     if (ret)
 	krb5_err (context, 1, ret, "kadm5_log_init");
 
-    get_creds(context, &ccache, argv[1]);
+    get_creds(context, keytab_str, &ccache, master);
 
-    master_fd = connect_to_master (context, argv[1]);
+    master_fd = connect_to_master (context, master);
 
-    ret = krb5_sname_to_principal (context, argv[1], IPROP_NAME,
+    ret = krb5_sname_to_principal (context, master, IPROP_NAME,
 				   KRB5_NT_SRV_HST, &server);
     if (ret)
 	krb5_err (context, 1, ret, "krb5_sname_to_principal");
@@ -279,18 +397,14 @@ main(int argc, char **argv)
 
     for (;;) {
 	int ret;
-	krb5_data data, out;
+	krb5_data out;
 	krb5_storage *sp;
 	int32_t tmp;
 
-	ret = krb5_read_message (context, &master_fd, &data);
-	if (ret)
-	    krb5_err (context, 1, ret, "krb5_read_message");
+	ret = krb5_read_priv_message(context, auth_context, &master_fd, &out);
 
-	ret = krb5_rd_priv (context, auth_context,  &data, &out, NULL);
-	krb5_data_free (&data);
 	if (ret)
-	    krb5_err (context, 1, ret, "krb5_rd_priv");
+	    krb5_err (context, 1, ret, "krb5_read_priv_message");
 
 	sp = krb5_storage_from_mem (out.data, out.length);
 	krb5_ret_int32 (sp, &tmp);
@@ -300,7 +414,13 @@ main(int argc, char **argv)
 	    ihave (context, auth_context, master_fd,
 		   server_context->log_context.version);
 	    break;
+	case TELL_YOU_EVERYTHING :
+	    receive_everything (context, master_fd, server_context,
+				auth_context);
+	    break;
+	case NOW_YOU_HAVE :
 	case I_HAVE :
+	case ONE_PRINC :
 	default :
 	    krb5_warnx (context, "Ignoring command %d", tmp);
 	    break;
@@ -308,6 +428,6 @@ main(int argc, char **argv)
 	krb5_storage_free (sp);
 	krb5_data_free (&out);
     }
-
+    
     return 0;
-}
+    }
diff --git a/crypto/heimdal/lib/kadm5/kadm5-private.h b/crypto/heimdal/lib/kadm5/kadm5-private.h
new file mode 100644
index 0000000..4e74a2b
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/kadm5-private.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kadm5-private.h,v 1.3 2000/07/24 04:31:17 assar Exp $ */
+
+#ifndef __kadm5_privatex_h__
+#define __kadm5_privatex_h__
+
+kadm5_ret_t _kadm5_privs_to_string (u_int32_t, char*, size_t);
+
+kadm5_ret_t _kadm5_string_to_privs (const char*, u_int32_t*);
+
+HDB *_kadm5_s_get_db (void *);
+
+kadm5_ret_t
+_kadm5_acl_check_permission __P((
+	kadm5_server_context *context,
+	unsigned op,
+	krb5_const_principal princ));
+
+kadm5_ret_t
+_kadm5_acl_init __P((kadm5_server_context *context));
+
+kadm5_ret_t
+_kadm5_c_init_context __P((
+	kadm5_client_context **ctx,
+	kadm5_config_params *params,
+	krb5_context context));
+
+kadm5_ret_t
+_kadm5_client_recv __P((
+	kadm5_client_context *context,
+	krb5_data *reply));
+
+kadm5_ret_t
+_kadm5_client_send __P((
+	kadm5_client_context *context,
+	krb5_storage *sp));
+
+kadm5_ret_t
+_kadm5_connect __P((void*));
+
+kadm5_ret_t
+_kadm5_error_code __P((kadm5_ret_t code));
+
+kadm5_ret_t
+_kadm5_s_init_context __P((
+	kadm5_server_context **ctx,
+	kadm5_config_params *params,
+	krb5_context context));
+
+kadm5_ret_t
+_kadm5_set_keys __P((
+	kadm5_server_context *context,
+	hdb_entry *ent,
+	const char *password));
+
+kadm5_ret_t
+_kadm5_set_keys2 __P((
+	kadm5_server_context *context,
+	hdb_entry *ent, 
+	int16_t n_key_data, 
+	krb5_key_data *key_data));
+
+kadm5_ret_t
+_kadm5_set_keys3 __P((
+	kadm5_server_context *context,
+	hdb_entry *ent, 
+	int n_keys,
+	krb5_keyblock *keyblocks));
+
+kadm5_ret_t
+_kadm5_set_keys_randomly __P((kadm5_server_context *context,
+			      hdb_entry *ent,
+			      krb5_keyblock **new_keys,
+			      int *n_keys));
+
+kadm5_ret_t
+_kadm5_set_modifier __P((
+	kadm5_server_context *context,
+	hdb_entry *ent));
+
+kadm5_ret_t
+_kadm5_bump_pw_expire __P((kadm5_server_context *context,
+			   hdb_entry *ent));
+
+kadm5_ret_t
+_kadm5_setup_entry __P((
+	kadm5_server_context *context,
+	hdb_entry *ent,
+	u_int32_t mask,
+	kadm5_principal_ent_t princ,
+	u_int32_t princ_mask,
+	kadm5_principal_ent_t def,
+	u_int32_t def_mask));
+
+kadm5_ret_t
+kadm5_log_get_version_fd (int fd, u_int32_t *ver);
+
+kadm5_ret_t
+kadm5_log_get_version (kadm5_server_context *context, u_int32_t *ver);
+
+kadm5_ret_t
+kadm5_log_set_version (kadm5_server_context *context, u_int32_t vno);
+
+kadm5_ret_t
+kadm5_log_init (kadm5_server_context *context);
+
+kadm5_ret_t
+kadm5_log_reinit (kadm5_server_context *context);
+
+kadm5_ret_t
+kadm5_log_create (kadm5_server_context *context,
+		  hdb_entry *ent);
+
+kadm5_ret_t
+kadm5_log_delete (kadm5_server_context *context,
+		  krb5_principal princ);
+
+kadm5_ret_t
+kadm5_log_rename (kadm5_server_context *context,
+		  krb5_principal source,
+		  hdb_entry *ent);
+
+kadm5_ret_t
+kadm5_log_modify (kadm5_server_context *context,
+		  hdb_entry *ent,
+		  u_int32_t mask);
+
+kadm5_ret_t
+kadm5_log_nop (kadm5_server_context *context);
+
+kadm5_ret_t
+kadm5_log_end (kadm5_server_context *context);
+
+kadm5_ret_t
+kadm5_log_foreach (kadm5_server_context *context,
+		   void (*func)(kadm5_server_context *server_context,
+				u_int32_t ver,
+				time_t timestamp,
+				enum kadm_ops op,
+				u_int32_t len,
+				krb5_storage *sp));
+
+kadm5_ret_t
+kadm5_log_replay_create (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay_delete (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay_rename (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay_modify (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay_nop (kadm5_server_context *context,
+		      u_int32_t ver,
+		      u_int32_t len,
+		      krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay (kadm5_server_context *context,
+		  enum kadm_ops op,
+		  u_int32_t ver,
+		  u_int32_t len,
+		  krb5_storage *sp);
+
+krb5_storage *
+kadm5_log_goto_end (int fd);
+
+kadm5_ret_t
+kadm5_log_previous (krb5_storage *sp,
+		    u_int32_t *ver,
+		    time_t *timestamp,
+		    enum kadm_ops *op,
+		    u_int32_t *len);
+
+kadm5_ret_t
+kadm5_log_truncate (kadm5_server_context *server_context);
+
+kadm5_ret_t
+_kadm5_marshal_params __P((krb5_context context, 
+			   kadm5_config_params *params, 
+			   krb5_data *out));
+
+kadm5_ret_t
+_kadm5_unmarshal_params __P((krb5_context context,
+			     krb5_data *in,
+			     kadm5_config_params *params));
+
+void
+_kadm5_free_keys (kadm5_server_context *context,
+		  int len, Key *keys);
+
+void
+_kadm5_init_keys (Key *keys, int len);
+
+int
+_kadm5_cmp_keys(Key *keys1, int len1, Key *keys2, int len2);
+
+#endif /* __kadm5_privatex_h__ */
diff --git a/crypto/heimdal/lib/kadm5/kadm5-protos.h b/crypto/heimdal/lib/kadm5/kadm5-protos.h
new file mode 100644
index 0000000..070492b
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/kadm5-protos.h
@@ -0,0 +1,516 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kadm5-protos.h,v 1.2 2000/07/22 05:52:01 assar Exp $ */
+
+#ifndef __kadm5_protos_h__
+#define __kadm5_protos_h__
+
+kadm5_ret_t
+kadm5_c_chpass_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	char *password));
+
+kadm5_ret_t
+kadm5_c_chpass_principal_with_key __P((
+	void *server_handle,
+	krb5_principal princ,
+	int n_key_data,
+	krb5_key_data *key_data));
+
+kadm5_ret_t
+kadm5_c_create_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask,
+	char *password));
+
+kadm5_ret_t
+kadm5_c_delete_principal __P((
+	void *server_handle,
+	krb5_principal princ));
+
+kadm5_ret_t
+kadm5_c_destroy __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_c_flush __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_c_get_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	kadm5_principal_ent_t out,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_c_get_principals __P((
+	void *server_handle,
+	const char *exp,
+	char ***princs,
+	int *count));
+
+kadm5_ret_t
+kadm5_c_get_privs __P((
+	void *server_handle,
+	u_int32_t *privs));
+
+kadm5_ret_t
+kadm5_c_init_with_creds __P((
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_creds_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_password __P((
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_password_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_skey __P((
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_skey_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_modify_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_c_randkey_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	krb5_keyblock **new_keys,
+	int *n_keys));
+
+kadm5_ret_t
+kadm5_c_rename_principal __P((
+	void *server_handle,
+	krb5_principal source,
+	krb5_principal target));
+
+kadm5_ret_t
+kadm5_chpass_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	char *password));
+
+kadm5_ret_t
+kadm5_chpass_principal_with_key __P((
+	void *server_handle,
+	krb5_principal princ,
+	int n_key_data,
+	krb5_key_data *key_data));
+
+kadm5_ret_t
+kadm5_create_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask,
+	char *password));
+
+kadm5_ret_t
+kadm5_delete_principal __P((
+	void *server_handle,
+	krb5_principal princ));
+
+kadm5_ret_t
+kadm5_destroy __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_flush __P((void *server_handle));
+
+void
+kadm5_free_key_data __P((
+	void *server_handle,
+	int16_t *n_key_data,
+	krb5_key_data *key_data));
+
+void
+kadm5_free_name_list __P((
+	void *server_handle,
+	char **names,
+	int *count));
+
+void
+kadm5_free_principal_ent __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ));
+
+kadm5_ret_t
+kadm5_get_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	kadm5_principal_ent_t out,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_get_principals __P((
+	void *server_handle,
+	const char *exp,
+	char ***princs,
+	int *count));
+
+kadm5_ret_t
+kadm5_get_privs __P((
+	void *server_handle,
+	u_int32_t *privs));
+
+kadm5_ret_t
+kadm5_init_with_creds __P((
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_creds_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_password __P((
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_password_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_skey __P((
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_skey_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_modify_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_randkey_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	krb5_keyblock **new_keys,
+	int *n_keys));
+
+kadm5_ret_t
+kadm5_rename_principal __P((
+	void *server_handle,
+	krb5_principal source,
+	krb5_principal target));
+
+kadm5_ret_t
+kadm5_ret_key_data __P((
+	krb5_storage *sp,
+	krb5_key_data *key));
+
+kadm5_ret_t
+kadm5_ret_principal_ent __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ));
+
+kadm5_ret_t
+kadm5_ret_principal_ent_mask __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ,
+	u_int32_t *mask));
+
+kadm5_ret_t
+kadm5_ret_tl_data __P((
+	krb5_storage *sp,
+	krb5_tl_data *tl));
+
+kadm5_ret_t
+kadm5_s_chpass_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	char *password));
+
+kadm5_ret_t
+kadm5_s_chpass_principal_cond __P((
+	void *server_handle,
+	krb5_principal princ,
+	char *password));
+
+kadm5_ret_t
+kadm5_s_chpass_principal_with_key __P((
+	void *server_handle,
+	krb5_principal princ,
+	int n_key_data,
+	krb5_key_data *key_data));
+
+kadm5_ret_t
+kadm5_s_create_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask,
+	char *password));
+
+kadm5_ret_t
+kadm5_s_create_principal_with_key __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_s_delete_principal __P((
+	void *server_handle,
+	krb5_principal princ));
+
+kadm5_ret_t
+kadm5_s_destroy __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_s_flush __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_s_get_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	kadm5_principal_ent_t out,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_s_get_principals __P((
+	void *server_handle,
+	const char *exp,
+	char ***princs,
+	int *count));
+
+kadm5_ret_t
+kadm5_s_get_privs __P((
+	void *server_handle,
+	u_int32_t *privs));
+
+kadm5_ret_t
+kadm5_s_init_with_creds __P((
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_creds_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_password __P((
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_password_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_skey __P((
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_skey_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_modify_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_s_randkey_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	krb5_keyblock **new_keys,
+	int *n_keys));
+
+kadm5_ret_t
+kadm5_s_rename_principal __P((
+	void *server_handle,
+	krb5_principal source,
+	krb5_principal target));
+
+kadm5_ret_t
+kadm5_store_key_data __P((
+	krb5_storage *sp,
+	krb5_key_data *key));
+
+kadm5_ret_t
+kadm5_store_principal_ent __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ));
+
+kadm5_ret_t
+kadm5_store_principal_ent_mask __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_store_tl_data __P((
+	krb5_storage *sp,
+	krb5_tl_data *tl));
+
+void
+kadm5_setup_passwd_quality_check(krb5_context context,
+				 const char *check_library,
+				 const char *check_function);
+
+const char *
+kadm5_check_password_quality (krb5_context context,
+			      krb5_principal principal,
+			      krb5_data *pwd_data);
+
+#endif /* __kadm5_protos_h__ */
diff --git a/crypto/heimdal/lib/kadm5/kadm5_locl.h b/crypto/heimdal/lib/kadm5/kadm5_locl.h
index 9344a2c..6f634ed 100644
--- a/crypto/heimdal/lib/kadm5/kadm5_locl.h
+++ b/crypto/heimdal/lib/kadm5/kadm5_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: kadm5_locl.h,v 1.21 1999/12/02 17:05:06 joda Exp $ */
+/* $Id: kadm5_locl.h,v 1.23 2000/07/08 11:57:40 assar Exp $ */
 
 #ifndef __KADM5_LOCL_H__
 #define __KADM5_LOCL_H__
@@ -45,6 +45,7 @@
 #include <string.h>
 #include <errno.h>
 #include <assert.h>
+#include <limits.h>
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
 #endif
@@ -76,6 +77,7 @@
 #include "admin.h"
 #include "kadm5_err.h"
 #include <hdb.h>
+#include <der.h>
 #include <roken.h>
 #include <parse_units.h>
 #include "private.h"
diff --git a/crypto/heimdal/lib/kadm5/keys.c b/crypto/heimdal/lib/kadm5/keys.c
new file mode 100644
index 0000000..3ae21ab
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/keys.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: keys.c,v 1.1 2000/07/22 05:53:02 assar Exp $");
+
+/*
+ * free all the memory used by (len, keys)
+ */
+
+void
+_kadm5_free_keys (kadm5_server_context *context,
+		  int len, Key *keys)
+{
+    int i;
+
+    for (i = 0; i < len; ++i) {
+	free (keys[i].mkvno);
+	keys[i].mkvno = NULL;
+	if (keys[i].salt != NULL) {
+	    free_Salt(keys[i].salt);
+	    free(keys[i].salt);
+	    keys[i].salt = NULL;
+	}
+	krb5_free_keyblock_contents(context->context, &keys[i].key);
+    }
+    free (keys);
+}
+
+/*
+ * null-ify `len', `keys'
+ */
+
+void
+_kadm5_init_keys (Key *keys, int len)
+{
+    int i;
+
+    for (i = 0; i < len; ++i) {
+	keys[i].mkvno               = NULL;
+	keys[i].salt                = NULL;
+	keys[i].key.keyvalue.length = 0;
+	keys[i].key.keyvalue.data   = NULL;
+    }
+}
+
+/*
+ * return 0 iff `keys1, len1' and `keys2, len2' are identical
+ */
+
+int
+_kadm5_cmp_keys(Key *keys1, int len1, Key *keys2, int len2)
+{
+    int i;
+
+    if (len1 != len2)
+	return 1;
+
+    for (i = 0; i < len1; ++i) {
+	if ((keys1[i].salt != NULL && keys2[i].salt == NULL)
+	    || (keys1[i].salt == NULL && keys2[i].salt != NULL))
+	    return 1;
+	if (keys1[i].salt != NULL) {
+	    if (keys1[i].salt->type != keys2[i].salt->type)
+		return 1;
+	    if (keys1[i].salt->salt.length != keys2[i].salt->salt.length)
+		return 1;
+	    if (memcmp (keys1[i].salt->salt.data, keys2[i].salt->salt.data,
+			keys1[i].salt->salt.length) != 0)
+		return 1;
+	}
+	if (keys1[i].key.keytype != keys2[i].key.keytype)
+	    return 1;
+	if (keys1[i].key.keyvalue.length != keys2[i].key.keyvalue.length)
+	    return 1;
+	if (memcmp (keys1[i].key.keyvalue.data, keys2[i].key.keyvalue.data,
+		    keys1[i].key.keyvalue.length) != 0)
+	    return 1;
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/log.c b/crypto/heimdal/lib/kadm5/log.c
index e9dc38c..875f749 100644
--- a/crypto/heimdal/lib/kadm5/log.c
+++ b/crypto/heimdal/lib/kadm5/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: log.c,v 1.13 1999/12/04 19:50:35 assar Exp $");
+RCSID("$Id: log.c,v 1.18 2000/07/24 04:32:17 assar Exp $");
 
 /*
  * A log record consists of:
@@ -49,8 +49,8 @@ RCSID("$Id: log.c,v 1.13 1999/12/04 19:50:35 assar Exp $");
  */
 
 kadm5_ret_t
-kadm5_log_get_version (int fd,
-		       u_int32_t *ver)
+kadm5_log_get_version_fd (int fd,
+			  u_int32_t *ver)
 {
     int ret;
     krb5_storage *sp;
@@ -73,6 +73,21 @@ kadm5_log_get_version (int fd,
 }
 
 kadm5_ret_t
+kadm5_log_get_version (kadm5_server_context *context, u_int32_t *ver)
+{
+    return kadm5_log_get_version_fd (context->log_context.log_fd, ver);
+}
+
+kadm5_ret_t
+kadm5_log_set_version (kadm5_server_context *context, u_int32_t vno)
+{
+    kadm5_log_context *log_context = &context->log_context;
+
+    log_context->version = vno;
+    return 0;
+}
+
+kadm5_ret_t
 kadm5_log_init (kadm5_server_context *context)
 {
     int fd;
@@ -89,7 +104,7 @@ kadm5_log_init (kadm5_server_context *context)
 	return errno;
     }
 
-    ret = kadm5_log_get_version (fd, &log_context->version);
+    ret = kadm5_log_get_version_fd (fd, &log_context->version);
     if (ret)
 	return ret;
 
@@ -98,6 +113,30 @@ kadm5_log_init (kadm5_server_context *context)
 }
 
 kadm5_ret_t
+kadm5_log_reinit (kadm5_server_context *context)
+{
+    int fd;
+    kadm5_log_context *log_context = &context->log_context;
+
+    if (log_context->log_fd != -1) {
+	close (log_context->log_fd);
+	log_context->log_fd = -1;
+    }
+    fd = open (log_context->log_file, O_RDWR | O_CREAT | O_TRUNC, 0600);
+    if (fd < 0)
+	return errno;
+    if (flock (fd, LOCK_EX) < 0) {
+	close (fd);
+	return errno;
+    }
+
+    log_context->version = 0;
+    log_context->log_fd  = fd;
+    return 0;
+}
+
+
+kadm5_ret_t
 kadm5_log_end (kadm5_server_context *context)
 {
     kadm5_log_context *log_context = &context->log_context;
@@ -483,14 +522,22 @@ kadm5_log_replay_modify (kadm5_server_context *context,
     if (ret)
 	return ret;
     if (mask & KADM5_PRINC_EXPIRE_TIME) {
-	if (ent.valid_end == NULL)
-	    ent.valid_end = malloc(sizeof(*ent.valid_end));
-	*ent.valid_end = *log_ent.valid_end;
+	if (log_ent.valid_end == NULL) {
+	    ent.valid_end = NULL;
+	} else {
+	    if (ent.valid_end == NULL)
+		ent.valid_end = malloc(sizeof(*ent.valid_end));
+	    *ent.valid_end = *log_ent.valid_end;
+	}
     }
     if (mask & KADM5_PW_EXPIRATION) {
-	if (ent.pw_end == NULL)
-	    ent.pw_end = malloc(sizeof(*ent.pw_end));
-	*ent.pw_end = *log_ent.pw_end;
+	if (log_ent.pw_end == NULL) {
+	    ent.pw_end = NULL;
+	} else {
+	    if (ent.pw_end == NULL)
+		ent.pw_end = malloc(sizeof(*ent.pw_end));
+	    *ent.pw_end = *log_ent.pw_end;
+	}
     }
     if (mask & KADM5_LAST_PWD_CHANGE) {
 	abort ();		/* XXX */
@@ -499,9 +546,13 @@ kadm5_log_replay_modify (kadm5_server_context *context,
 	ent.flags = log_ent.flags;
     }
     if (mask & KADM5_MAX_LIFE) {
-	if (ent.max_life == NULL)
-	    ent.max_life = malloc (sizeof(*ent.max_life));
-	*ent.max_life = *log_ent.max_life;
+	if (log_ent.max_life == NULL) {
+	    ent.max_life = NULL;
+	} else {
+	    if (ent.max_life == NULL)
+		ent.max_life = malloc (sizeof(*ent.max_life));
+	    *ent.max_life = *log_ent.max_life;
+	}
     }
     if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) {
 	if (ent.modified_by == NULL) {
@@ -526,9 +577,13 @@ kadm5_log_replay_modify (kadm5_server_context *context,
 	abort ();		/* XXX */
     }
     if (mask & KADM5_MAX_RLIFE) {
-	if (ent.max_renew == NULL)
-	    ent.max_renew = malloc (sizeof(*ent.max_renew));
-	*ent.max_renew = *log_ent.max_renew;
+	if (log_ent.max_renew == NULL) {
+	    ent.max_renew = NULL;
+	} else {
+	    if (ent.max_renew == NULL)
+		ent.max_renew = malloc (sizeof(*ent.max_renew));
+	    *ent.max_renew = *log_ent.max_renew;
+	}
     }
     if (mask & KADM5_LAST_SUCCESS) {
 	abort ();		/* XXX */
@@ -563,6 +618,51 @@ kadm5_log_replay_modify (kadm5_server_context *context,
 }
 
 /*
+ * Add a `nop' operation to the log.
+ */
+
+kadm5_ret_t
+kadm5_log_nop (kadm5_server_context *context)
+{
+    krb5_storage *sp;
+    kadm5_ret_t ret;
+    kadm5_log_context *log_context = &context->log_context;
+
+    sp = krb5_storage_emem();
+    ret = kadm5_log_preamble (context, sp, kadm_nop);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    krb5_store_int32 (sp, 0);
+    krb5_store_int32 (sp, 0);
+    ret = kadm5_log_postamble (log_context, sp);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_flush (log_context, sp);
+    krb5_storage_free (sp);
+    if (ret)
+	return ret;
+    ret = kadm5_log_end (context);
+    return ret;
+}
+
+/*
+ * Read a `nop' log operation from `sp' and apply it.
+ */
+
+kadm5_ret_t
+kadm5_log_replay_nop (kadm5_server_context *context,
+		      u_int32_t ver,
+		      u_int32_t len,
+		      krb5_storage *sp)
+{
+    return 0;
+}
+
+/*
  * Call `func' for each log record in the log in `context'
  */
 
@@ -660,7 +760,46 @@ kadm5_log_replay (kadm5_server_context *context,
 	return kadm5_log_replay_rename (context, ver, len, sp);
     case kadm_modify :
 	return kadm5_log_replay_modify (context, ver, len, sp);
+    case kadm_nop :
+	return kadm5_log_replay_nop (context, ver, len, sp);
     default :
 	return KADM5_FAILURE;
     }
 }
+
+/*
+ * truncate the log - i.e. create an empty file with just (nop vno + 2)
+ */
+
+kadm5_ret_t
+kadm5_log_truncate (kadm5_server_context *server_context)
+{
+    kadm5_ret_t ret;
+    u_int32_t vno;
+
+    ret = kadm5_log_init (server_context);
+    if (ret)
+	return ret;
+
+    ret = kadm5_log_get_version (server_context, &vno);
+    if (ret)
+	return ret;
+
+    ret = kadm5_log_reinit (server_context);
+    if (ret)
+	return ret;
+
+    ret = kadm5_log_set_version (server_context, vno + 1);
+    if (ret)
+	return ret;
+
+    ret = kadm5_log_nop (server_context);
+    if (ret)
+	return ret;
+
+    ret = kadm5_log_end (server_context);
+    if (ret)
+	return ret;
+    return 0;
+
+}
diff --git a/crypto/heimdal/lib/kadm5/modify_c.c b/crypto/heimdal/lib/kadm5/modify_c.c
index 2a64ccc..8d8ca56 100644
--- a/crypto/heimdal/lib/kadm5/modify_c.c
+++ b/crypto/heimdal/lib/kadm5/modify_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: modify_c.c,v 1.3 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: modify_c.c,v 1.4 2000/07/11 15:59:46 joda Exp $");
 
 kadm5_ret_t
 kadm5_c_modify_principal(void *server_handle,
@@ -47,6 +47,10 @@ kadm5_c_modify_principal(void *server_handle,
     int32_t tmp;
     krb5_data reply;
 
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
     sp = krb5_storage_from_mem(buf, sizeof(buf));
     if (sp == NULL)
 	return ENOMEM;
diff --git a/crypto/heimdal/lib/kadm5/modify_s.c b/crypto/heimdal/lib/kadm5/modify_s.c
index 4157202..8c595a9 100644
--- a/crypto/heimdal/lib/kadm5/modify_s.c
+++ b/crypto/heimdal/lib/kadm5/modify_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: modify_s.c,v 1.9 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: modify_s.c,v 1.12 2001/01/30 01:24:28 assar Exp $");
 
 static kadm5_ret_t
 modify_principal(void *server_handle,
@@ -56,14 +56,16 @@ modify_principal(void *server_handle,
     ret = context->db->fetch(context->context, context->db, 0, &ent);
     if(ret)
 	goto out;
-    ret = _kadm5_setup_entry(&ent, mask, princ, mask, NULL, 0);
+    ret = _kadm5_setup_entry(context, &ent, mask, princ, mask, NULL, 0);
     if(ret)
 	goto out2;
     ret = _kadm5_set_modifier(context, &ent);
     if(ret)
 	goto out2;
 
-    hdb_seal_keys(context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out2;
 
     kadm5_log_modify (context,
 		      &ent,
diff --git a/crypto/heimdal/lib/kadm5/password_quality.c b/crypto/heimdal/lib/kadm5/password_quality.c
index 86d35f3..bc1463f 100644
--- a/crypto/heimdal/lib/kadm5/password_quality.c
+++ b/crypto/heimdal/lib/kadm5/password_quality.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: password_quality.c,v 1.3 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: password_quality.c,v 1.4 2000/07/05 13:14:45 joda Exp $");
 
 #ifdef HAVE_DLFCN_H
 #include <dlfcn.h>
@@ -57,8 +57,6 @@ typedef const char* (*passwd_quality_check_func)(krb5_context,
 static passwd_quality_check_func passwd_quality_check = simple_passwd_quality;
 
 #ifdef HAVE_DLOPEN
-extern const char *check_library;
-extern const char *check_function;
 
 #define PASSWD_VERSION 0
 
diff --git a/crypto/heimdal/lib/kadm5/private.h b/crypto/heimdal/lib/kadm5/private.h
index e56a0f5..bcdf363 100644
--- a/crypto/heimdal/lib/kadm5/private.h
+++ b/crypto/heimdal/lib/kadm5/private.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: private.h,v 1.10 1999/12/04 23:09:34 assar Exp $ */
+/* $Id: private.h,v 1.14 2000/07/11 15:58:57 joda Exp $ */
 
 #ifndef __kadm5_private_h__
 #define __kadm5_private_h__
@@ -51,6 +51,8 @@ struct kadm_func {
     kadm5_ret_t (*randkey_principal) (void*, krb5_principal, 
 				      krb5_keyblock**, int*);
     kadm5_ret_t (*rename_principal) (void*, krb5_principal, krb5_principal);
+    kadm5_ret_t (*chpass_principal_with_key) (void *, krb5_principal,
+					      int, krb5_key_data *);
 };
 
 /* XXX should be integrated */
@@ -86,7 +88,7 @@ typedef struct kadm5_server_context {
     krb5_principal caller;
     unsigned acl_flags;
     kadm5_log_context log_context;
-}kadm5_server_context;
+} kadm5_server_context;
 
 typedef struct kadm5_client_context {
     krb5_context context;
@@ -98,6 +100,12 @@ typedef struct kadm5_client_context {
     char *admin_server;
     int kadmind_port;
     int sock;
+    char *client_name;
+    char *service_name;
+    krb5_prompter_fct prompter;
+    const char *keytab;
+    krb5_ccache ccache;
+    kadm5_config_params *realm_params;
 }kadm5_client_context;
 
 enum kadm_ops {
@@ -109,7 +117,9 @@ enum kadm_ops {
     kadm_modify,
     kadm_randkey,
     kadm_get_privs,
-    kadm_get_princs
+    kadm_get_princs,
+    kadm_chpass_with_key,
+    kadm_nop
 };
 
 #define KADMIN_APPL_VERSION "KADM0.1"
@@ -117,165 +127,6 @@ enum kadm_ops {
 
 #define KADM5_LOG_SIGNAL HDB_DB_DIR "/signal"
 
-kadm5_ret_t _kadm5_privs_to_string (u_int32_t, char*, size_t);
-
-kadm5_ret_t _kadm5_string_to_privs (const char*, u_int32_t*);
-
-HDB *_kadm5_s_get_db (void *);
-
-kadm5_ret_t
-_kadm5_acl_check_permission __P((
-	kadm5_server_context *context,
-	unsigned op));
-
-kadm5_ret_t
-_kadm5_acl_init __P((kadm5_server_context *context));
-
-kadm5_ret_t
-_kadm5_c_init_context __P((
-	kadm5_client_context **ctx,
-	kadm5_config_params *params,
-	krb5_context context));
-
-kadm5_ret_t
-_kadm5_client_recv __P((
-	kadm5_client_context *context,
-	krb5_data *reply));
-
-kadm5_ret_t
-_kadm5_client_send __P((
-	kadm5_client_context *context,
-	krb5_storage *sp));
-
-kadm5_ret_t
-_kadm5_error_code __P((kadm5_ret_t code));
-
-kadm5_ret_t
-_kadm5_s_init_context __P((
-	kadm5_server_context **ctx,
-	kadm5_config_params *params,
-	krb5_context context));
-
-kadm5_ret_t
-_kadm5_set_keys __P((
-	kadm5_server_context *context,
-	hdb_entry *ent,
-	const char *password));
-
-kadm5_ret_t
-_kadm5_set_keys2 __P((
-	hdb_entry *ent, 
-	int16_t n_key_data, 
-	krb5_key_data *key_data));
-
-kadm5_ret_t
-_kadm5_set_keys_randomly __P((kadm5_server_context *context,
-			      hdb_entry *ent,
-			      krb5_keyblock **new_keys,
-			      int *n_keys));
-
-kadm5_ret_t
-_kadm5_set_modifier __P((
-	kadm5_server_context *context,
-	hdb_entry *ent));
-
-kadm5_ret_t
-_kadm5_setup_entry __P((
-	hdb_entry *ent,
-	u_int32_t mask,
-	kadm5_principal_ent_t princ,
-	u_int32_t princ_mask,
-	kadm5_principal_ent_t def,
-	u_int32_t def_mask));
-
-kadm5_ret_t
-kadm5_log_get_version (int fd,
-		       u_int32_t *ver);
-
-kadm5_ret_t
-kadm5_log_init (kadm5_server_context *context);
-
-kadm5_ret_t
-kadm5_log_create (kadm5_server_context *context,
-		  hdb_entry *ent);
-
-kadm5_ret_t
-kadm5_log_delete (kadm5_server_context *context,
-		  krb5_principal princ);
-
-kadm5_ret_t
-kadm5_log_rename (kadm5_server_context *context,
-		  krb5_principal source,
-		  hdb_entry *ent);
-
-kadm5_ret_t
-kadm5_log_modify (kadm5_server_context *context,
-		  hdb_entry *ent,
-		  u_int32_t mask);
-
-kadm5_ret_t
-kadm5_log_end (kadm5_server_context *context);
-
-kadm5_ret_t
-kadm5_log_foreach (kadm5_server_context *context,
-		   void (*func)(kadm5_server_context *server_context,
-				u_int32_t ver,
-				time_t timestamp,
-				enum kadm_ops op,
-				u_int32_t len,
-				krb5_storage *sp));
-
-kadm5_ret_t
-kadm5_log_replay_create (kadm5_server_context *context,
-			 u_int32_t ver,
-			 u_int32_t len,
-			 krb5_storage *sp);
-
-kadm5_ret_t
-kadm5_log_replay_delete (kadm5_server_context *context,
-			 u_int32_t ver,
-			 u_int32_t len,
-			 krb5_storage *sp);
-
-kadm5_ret_t
-kadm5_log_replay_rename (kadm5_server_context *context,
-			 u_int32_t ver,
-			 u_int32_t len,
-			 krb5_storage *sp);
-
-kadm5_ret_t
-kadm5_log_replay_modify (kadm5_server_context *context,
-			 u_int32_t ver,
-			 u_int32_t len,
-			 krb5_storage *sp);
-
-kadm5_ret_t
-kadm5_log_replay (kadm5_server_context *context,
-		  enum kadm_ops op,
-		  u_int32_t ver,
-		  u_int32_t len,
-		  krb5_storage *sp);
-
-krb5_storage *
-kadm5_log_goto_end (int fd);
-
-kadm5_ret_t
-kadm5_log_previous (krb5_storage *sp,
-		    u_int32_t *ver,
-		    time_t *timestamp,
-		    enum kadm_ops *op,
-		    u_int32_t *len);
-
-kadm5_ret_t
-_kadm5_marshal_params __P((krb5_context context, 
-			   kadm5_config_params *params, 
-			   krb5_data *out));
-
-kadm5_ret_t
-_kadm5_unmarshal_params __P((krb5_context context,
-			     krb5_data *in,
-			     kadm5_config_params *params));
-
-
+#include "kadm5-private.h"
 
 #endif /* __kadm5_private_h__ */
diff --git a/crypto/heimdal/lib/kadm5/privs_c.c b/crypto/heimdal/lib/kadm5/privs_c.c
index 25d4976..83d293c 100644
--- a/crypto/heimdal/lib/kadm5/privs_c.c
+++ b/crypto/heimdal/lib/kadm5/privs_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: privs_c.c,v 1.3 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: privs_c.c,v 1.4 2000/07/11 15:59:54 joda Exp $");
 
 kadm5_ret_t
 kadm5_c_get_privs(void *server_handle, u_int32_t *privs)
@@ -45,6 +45,10 @@ kadm5_c_get_privs(void *server_handle, u_int32_t *privs)
     int32_t tmp;
     krb5_data reply;
 
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
     sp = krb5_storage_from_mem(buf, sizeof(buf));
     if (sp == NULL)
 	return ENOMEM;
diff --git a/crypto/heimdal/lib/kadm5/randkey_c.c b/crypto/heimdal/lib/kadm5/randkey_c.c
index 7531b6e..eedf697 100644
--- a/crypto/heimdal/lib/kadm5/randkey_c.c
+++ b/crypto/heimdal/lib/kadm5/randkey_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: randkey_c.c,v 1.3 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: randkey_c.c,v 1.4 2000/07/11 16:00:02 joda Exp $");
 
 kadm5_ret_t
 kadm5_c_randkey_principal(void *server_handle, 
@@ -48,6 +48,10 @@ kadm5_c_randkey_principal(void *server_handle,
     int32_t tmp;
     krb5_data reply;
 
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
     sp = krb5_storage_from_mem(buf, sizeof(buf));
     if (sp == NULL)
 	return ENOMEM;
diff --git a/crypto/heimdal/lib/kadm5/randkey_s.c b/crypto/heimdal/lib/kadm5/randkey_s.c
index 25c8571..9780b11 100644
--- a/crypto/heimdal/lib/kadm5/randkey_s.c
+++ b/crypto/heimdal/lib/kadm5/randkey_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: randkey_s.c,v 1.10 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: randkey_s.c,v 1.13 2001/01/30 01:24:28 assar Exp $");
 
 /*
  * Set the keys of `princ' to random values, returning the random keys
@@ -68,13 +68,18 @@ kadm5_s_randkey_principal(void *server_handle,
     ret = _kadm5_set_modifier(context, &ent);
     if(ret)
 	goto out3;
+    ret = _kadm5_bump_pw_expire(context, &ent);
+    if (ret)
+	goto out2;
 
-    hdb_seal_keys(context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out2;
 
     kadm5_log_modify (context,
 		      &ent,
 		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
-		      KADM5_KEY_DATA | KADM5_KVNO);
+		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION);
 
     ret = context->db->store(context->context, context->db, 
 			     HDB_F_REPLACE, &ent);
diff --git a/crypto/heimdal/lib/kadm5/rename_c.c b/crypto/heimdal/lib/kadm5/rename_c.c
index d33e611..95ccf25 100644
--- a/crypto/heimdal/lib/kadm5/rename_c.c
+++ b/crypto/heimdal/lib/kadm5/rename_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: rename_c.c,v 1.3 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: rename_c.c,v 1.4 2000/07/11 16:00:08 joda Exp $");
 
 kadm5_ret_t
 kadm5_c_rename_principal(void *server_handle, 
@@ -47,6 +47,10 @@ kadm5_c_rename_principal(void *server_handle,
     int32_t tmp;
     krb5_data reply;
 
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
     sp = krb5_storage_from_mem(buf, sizeof(buf));
     if (sp == NULL)
 	return ENOMEM;
diff --git a/crypto/heimdal/lib/kadm5/rename_s.c b/crypto/heimdal/lib/kadm5/rename_s.c
index e7f9038..a478e0a 100644
--- a/crypto/heimdal/lib/kadm5/rename_s.c
+++ b/crypto/heimdal/lib/kadm5/rename_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: rename_s.c,v 1.9 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: rename_s.c,v 1.11 2001/01/30 01:24:29 assar Exp $");
 
 kadm5_ret_t
 kadm5_s_rename_principal(void *server_handle, 
@@ -82,7 +82,11 @@ kadm5_s_rename_principal(void *server_handle,
     ent2.principal = ent.principal;
     ent.principal = target;
 
-    hdb_seal_keys(context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret) {
+	ent.principal = ent2.principal;
+	goto out2;
+    }
 
     kadm5_log_rename (context,
 		      source,
diff --git a/crypto/heimdal/lib/kadm5/send_recv.c b/crypto/heimdal/lib/kadm5/send_recv.c
index 51f6972..796cd05 100644
--- a/crypto/heimdal/lib/kadm5/send_recv.c
+++ b/crypto/heimdal/lib/kadm5/send_recv.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: send_recv.c,v 1.7 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: send_recv.c,v 1.8 2000/07/11 16:00:58 joda Exp $");
 
 kadm5_ret_t 
 _kadm5_client_send(kadm5_client_context *context, krb5_storage *sp)
@@ -43,6 +43,8 @@ _kadm5_client_send(kadm5_client_context *context, krb5_storage *sp)
     size_t len;
     krb5_storage *sock;
 
+    assert(context->sock != -1);
+
     len = sp->seek(sp, 0, SEEK_CUR);
     ret = krb5_data_alloc(&msg, len);
     sp->seek(sp, 0, SEEK_SET);
diff --git a/crypto/heimdal/lib/kadm5/set_keys.c b/crypto/heimdal/lib/kadm5/set_keys.c
index e4d5d1a..f3f4e36 100644
--- a/crypto/heimdal/lib/kadm5/set_keys.c
+++ b/crypto/heimdal/lib/kadm5/set_keys.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,173 +33,347 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: set_keys.c,v 1.18 1999/12/04 23:11:01 assar Exp $");
+RCSID("$Id: set_keys.c,v 1.23 2000/11/15 23:13:30 assar Exp $");
 
 /*
- * free all the memory used by (len, keys)
+ * the known and used DES enctypes
  */
 
-static void
-free_keys (kadm5_server_context *context,
-	   int len, Key *keys)
+static krb5_enctype des_types[] = { ETYPE_DES_CBC_CRC,
+ 				    ETYPE_DES_CBC_MD4,
+ 				    ETYPE_DES_CBC_MD5 };
+static unsigned n_des_types = sizeof(des_types) / sizeof(des_types[0]);
+
+static krb5_error_code
+make_keys(krb5_context context, krb5_principal principal, const char *password,
+	  Key **keys_ret, size_t *num_keys_ret)
 {
+    krb5_enctype all_etypes[] = { ETYPE_DES3_CBC_SHA1,
+				  ETYPE_DES_CBC_MD5,
+				  ETYPE_DES_CBC_MD4,
+				  ETYPE_DES_CBC_CRC };
+
+
+    krb5_enctype e;
+
+    krb5_error_code ret = 0;
+    char **ktypes, **kp;
+
+    Key *keys = NULL, *tmp;
+    int num_keys = 0;
+    Key key;
+
     int i;
+    char *v4_ktypes[] = {"des3:pw-salt", "v4", NULL};
+
+    ktypes = krb5_config_get_strings(context, NULL, "kadmin", 
+				     "default_keys", NULL);
+
+    /* for each entry in `default_keys' try to parse it as a sequence
+       of etype:salttype:salt, syntax of this if something like:
+       [(des|des3|etype):](pw|afs3)[:string], if etype is omitted it
+       means everything, and if string is omitted is means the default
+       string (for that principal). Additional special values:
+       v5 == pw-salt, and
+       v4 == pw-salt:
+    */
+
+    if (ktypes == NULL
+	&& krb5_config_get_bool (context, NULL, "kadmin",
+				 "use_v4_salt", NULL))
+	ktypes = v4_ktypes;
+
+    for(kp = ktypes; kp && *kp; kp++) {
+	krb5_enctype *etypes;
+	int num_etypes;
+	krb5_salt salt;
+	krb5_boolean salt_set;
+
+	const char *p;
+	char buf[3][256];
+	int num_buf = 0;
+
+	p = *kp;
+	if(strcmp(p, "v5") == 0)
+	    p = "pw-salt";
+	else if(strcmp(p, "v4") == 0)
+	    p = "des:pw-salt:";
+	
+	/* split p in a list of :-separated strings */
+	for(num_buf = 0; num_buf < 3; num_buf++)
+	    if(strsep_copy(&p, ":", buf[num_buf], sizeof(buf[num_buf])) == -1)
+		break;
+
+	etypes = NULL;
+	num_etypes = 0;
+	memset(&salt, 0, sizeof(salt));
+	salt_set = FALSE;
+
+	for(i = 0; i < num_buf; i++) {
+	    if(etypes == NULL) {
+		/* this might be a etype specifier */
+		/* XXX there should be a string_to_etypes handling
+                   special cases like `des' and `all' */
+		if(strcmp(buf[i], "des") == 0) {
+		    etypes = all_etypes + 1;
+		    num_etypes = 3;
+		    continue;
+		} else if(strcmp(buf[i], "des3") == 0) {
+		    e = ETYPE_DES3_CBC_SHA1;
+		    etypes = &e;
+		    num_etypes = 1;
+		    continue;
+		} else {
+		    ret = krb5_string_to_enctype(context, buf[i], &e);
+		    if(ret == 0) {
+			etypes = &e;
+			num_etypes = 1;
+			continue;
+		    }
+		}
+	    }
+	    if(salt.salttype == 0) {
+		/* interpret string as a salt specifier, if no etype
+                   is set, this sets default values */
+		/* XXX should perhaps use string_to_salttype, but that
+                   interface sucks */
+		if(strcmp(buf[i], "pw-salt") == 0) {
+		    if(etypes == NULL) {
+			etypes = all_etypes;
+			num_etypes = 4;
+		    }
+		    salt.salttype = KRB5_PW_SALT;
+		} else if(strcmp(buf[i], "afs3-salt") == 0) {
+		    if(etypes == NULL) {
+			etypes = all_etypes + 1;
+			num_etypes = 3;
+		    }
+		    salt.salttype = KRB5_AFS3_SALT;
+		}
+	    } else {
+		/* if there is a final string, use it as the string to
+                   salt with, this is mostly useful with null salt for
+                   v4 compat, and a cell name for afs compat */
+		salt.saltvalue.data = buf[i];
+		salt.saltvalue.length = strlen(buf[i]);
+		salt_set = TRUE;
+	    }
+	}
 
-    for (i = 0; i < len; ++i) {
-	free (keys[i].mkvno);
-	keys[i].mkvno = NULL;
-	if (keys[i].salt != NULL) {
-	    free_Salt(keys[i].salt);
-	    free(keys[i].salt);
-	    keys[i].salt = NULL;
+	if(etypes == NULL || salt.salttype == 0) {	    
+	    krb5_warnx(context, "bad value for default_keys `%s'", *kp);
+	    continue;
 	}
-	krb5_free_keyblock_contents(context->context, &keys[i].key);
-    }
-    free (keys);
-}
 
-/*
- * null-ify `len', `keys'
- */
+	if(!salt_set && salt.salttype == KRB5_PW_SALT)
+	    /* make up default salt */
+	    ret = krb5_get_pw_salt(context, principal, &salt);
+	memset(&key, 0, sizeof(key));
+	for(i = 0; i < num_etypes; i++) {
+	    ret = krb5_string_to_key_salt (context,
+					   etypes[i],
+					   password,
+					   salt,
+					   &key.key);
+
+	    if(ret)
+		goto out;
 
-static void
-init_keys (Key *keys, int len)
-{
-    int i;
+	    if (salt.salttype != KRB5_PW_SALT || salt_set) {
+		key.salt = malloc (sizeof(*key.salt));
+		if (key.salt == NULL) {
+		    free_Key(&key);
+		    ret = ENOMEM;
+		    goto out;
+		}
+		key.salt->type = salt.salttype;
+		krb5_data_zero (&key.salt->salt);
+
+		/* is the salt has not been set explicitly, it will be
+		   the default salt, so there's no need to explicitly
+		   copy it */
+		if (salt_set) {
+		    ret = krb5_data_copy(&key.salt->salt, 
+					 salt.saltvalue.data, 
+					 salt.saltvalue.length);
+		    if (ret) {
+			free_Key(&key);
+			goto out;
+		    }
+		}
+	    }
+	    tmp = realloc(keys, (num_keys + 1) * sizeof(*keys));
+	    if(tmp == NULL) {
+		free_Key(&key);
+		ret = ENOMEM;
+		goto out;
+	    }
+	    keys = tmp;
+	    keys[num_keys++] = key;
+	}
+    }
 
-    for (i = 0; i < len; ++i) {
-	keys[i].mkvno               = NULL;
-	keys[i].salt                = NULL;
-	keys[i].key.keyvalue.length = 0;
-	keys[i].key.keyvalue.data   = NULL;
+    if(num_keys == 0) {
+	/* if we didn't manage to find a single valid key, create a
+           default set */
+	/* XXX only do this is there is no `default_keys'? */
+	krb5_salt v5_salt;
+	tmp = realloc(keys, (num_keys + 4) * sizeof(*keys));
+	if(tmp == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	keys = tmp;
+	ret = krb5_get_pw_salt(context, principal, &v5_salt);
+	if(ret)
+	    goto out;
+	for(i = 0; i < 4; i++) {
+	    memset(&key, 0, sizeof(key));
+	    ret = krb5_string_to_key_salt(context, all_etypes[i], password, 
+					  v5_salt, &key.key);
+	    if(ret) {
+		krb5_free_salt(context, v5_salt);
+		goto out;
+	    }
+	    keys[num_keys++] = key;
+	}
+	krb5_free_salt(context, v5_salt);
     }
+
+  out:
+    if(ret == 0) {
+	*keys_ret = keys;
+	*num_keys_ret = num_keys;
+    } else {
+	for(i = 0; i < num_keys; i++) {
+	    free_Key(&keys[i]);
+	}
+	free(keys);
+    }
+    return ret;
 }
 
 /*
- * the known and used DES enctypes
+ * Set the keys of `ent' to the string-to-key of `password'
  */
 
-static krb5_enctype des_types[] = { ETYPE_DES_CBC_CRC,
-				    ETYPE_DES_CBC_MD4,
-				    ETYPE_DES_CBC_MD5 };
+kadm5_ret_t
+_kadm5_set_keys(kadm5_server_context *context,
+		hdb_entry *ent, 
+		const char *password)
+{
+    kadm5_ret_t ret;
+    Key *keys;
+    size_t num_keys;
 
-static unsigned n_des_types = 3;
+    ret = make_keys(context->context, ent->principal, password, 
+		    &keys, &num_keys);
+
+    if(ret)
+	return ret;
+    
+    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
+    ent->keys.val = keys;
+    ent->keys.len = num_keys;
+    ent->kvno++;
+    return 0;
+}
 
 /*
- * Set the keys of `ent' to the string-to-key of `password'
+ * Set the keys of `ent' to (`n_key_data', `key_data')
  */
 
 kadm5_ret_t
-_kadm5_set_keys(kadm5_server_context *context,
-		hdb_entry *ent, 
-		const char *password)
+_kadm5_set_keys2(kadm5_server_context *context,
+		 hdb_entry *ent, 
+		 int16_t n_key_data, 
+		 krb5_key_data *key_data)
 {
-    kadm5_ret_t ret = 0;
+    krb5_error_code ret;
     int i;
     unsigned len;
     Key *keys;
-    krb5_salt salt;
-    krb5_boolean v4_salt = FALSE;
 
-    len  = n_des_types + 1;
+    len  = n_key_data;
     keys = malloc (len * sizeof(*keys));
     if (keys == NULL)
 	return ENOMEM;
 
-    init_keys (keys, len);
-
-    salt.salttype         = KRB5_PW_SALT;
-    salt.saltvalue.length = 0;
-    salt.saltvalue.data   = NULL;
+    _kadm5_init_keys (keys, len);
 
-    if (krb5_config_get_bool (context->context,
-			      NULL, "kadmin", "use_v4_salt", NULL)) {
-	v4_salt = TRUE;
-    } else {
-	ret = krb5_get_pw_salt (context->context, ent->principal, &salt);
-	if (ret)
+    for(i = 0; i < n_key_data; i++) {
+	keys[i].mkvno = NULL;
+	keys[i].key.keytype = key_data[i].key_data_type[0];
+	ret = krb5_data_copy(&keys[i].key.keyvalue,
+			     key_data[i].key_data_contents[0],
+			     key_data[i].key_data_length[0]);
+	if(ret)
 	    goto out;
-    }
+	if(key_data[i].key_data_ver == 2) {
+	    Salt *salt;
 
-    for (i = 0; i < n_des_types; ++i) {
-	ret = krb5_string_to_key_salt (context->context,
-				       des_types[i],
-				       password,
-				       salt,
-				       &keys[i].key);
-	if (ret)
-	    goto out;
-	if (v4_salt) {
-	    keys[i].salt = malloc (sizeof(*keys[i].salt));
-	    if (keys[i].salt == NULL) {
+	    salt = malloc(sizeof(*salt));
+	    if(salt == NULL) {
 		ret = ENOMEM;
 		goto out;
 	    }
-	    keys[i].salt->type = salt.salttype;
-	    ret = copy_octet_string (&salt.saltvalue, &keys[i].salt->salt);
-	    if (ret)
-		goto out;
-	}
+	    keys[i].salt = salt;
+	    salt->type = key_data[i].key_data_type[1];
+	    krb5_data_copy(&salt->salt, 
+			   key_data[i].key_data_contents[1],
+			   key_data[i].key_data_length[1]);
+	} else
+	    keys[i].salt = NULL;
     }
-
-    ret = krb5_string_to_key (context->context,
-			      ETYPE_DES3_CBC_SHA1,
-			      password,
-			      ent->principal,
-			      &keys[n_des_types].key);
-    if (ret)
-	goto out;
-
-    free_keys (context, ent->keys.len, ent->keys.val);
+    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
     ent->keys.len = len;
     ent->keys.val = keys;
     ent->kvno++;
-    return ret;
-out:
-    krb5_data_free (&salt.saltvalue);
-    free_keys (context, len, keys);
+    return 0;
+ out:
+    _kadm5_free_keys (context, len, keys);
     return ret;
 }
 
 /*
- * Set the keys of `ent' to (`n_key_data', `key_data')
+ * Set the keys of `ent' to `n_keys, keys'
  */
 
 kadm5_ret_t
-_kadm5_set_keys2(hdb_entry *ent, 
-		 int16_t n_key_data, 
-		 krb5_key_data *key_data)
+_kadm5_set_keys3(kadm5_server_context *context,
+		 hdb_entry *ent,
+		 int n_keys,
+		 krb5_keyblock *keyblocks)
 {
     krb5_error_code ret;
     int i;
+    unsigned len;
+    Key *keys;
 
-    ent->keys.len = n_key_data;
-    ent->keys.val = malloc(ent->keys.len * sizeof(*ent->keys.val));
-    if(ent->keys.val == NULL)
+    len  = n_keys;
+    keys = malloc (len * sizeof(*keys));
+    if (keys == NULL)
 	return ENOMEM;
-    for(i = 0; i < n_key_data; i++) {
-	ent->keys.val[i].mkvno = NULL;
-	ent->keys.val[i].key.keytype = key_data[i].key_data_type[0];
-	ret = krb5_data_copy(&ent->keys.val[i].key.keyvalue,
-			     key_data[i].key_data_contents[0],
-			     key_data[i].key_data_length[0]);
+
+    _kadm5_init_keys (keys, len);
+
+    for(i = 0; i < n_keys; i++) {
+	keys[i].mkvno = NULL;
+	ret = krb5_copy_keyblock_contents (context->context,
+					   &keyblocks[i],
+					   &keys[i].key);
 	if(ret)
-	    return ret;
-	if(key_data[i].key_data_ver == 2) {
-	    Salt *salt;
-	    salt = malloc(sizeof(*salt));
-	    if(salt == NULL)
-		return ENOMEM;
-	    ent->keys.val[i].salt = salt;
-	    salt->type = key_data[i].key_data_type[1];
-	    krb5_data_copy(&salt->salt, 
-			   key_data[i].key_data_contents[1],
-			   key_data[i].key_data_length[1]);
-	} else
-	    ent->keys.val[i].salt = NULL;
+	    goto out;
+	keys[i].salt = NULL;
     }
+    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
+    ent->keys.len = len;
+    ent->keys.val = keys;
     ent->kvno++;
     return 0;
+ out:
+    _kadm5_free_keys (context, len, keys);
+    return ret;
 }
 
 /*
@@ -235,7 +409,7 @@ _kadm5_set_keys_randomly (kadm5_server_context *context,
 	return ENOMEM;
     }
 
-    init_keys (hkeys, len);
+    _kadm5_init_keys (hkeys, len);
 
     ret = krb5_generate_random_keyblock (context->context,
 					 des_types[0],
@@ -276,7 +450,7 @@ _kadm5_set_keys_randomly (kadm5_server_context *context,
     if (ret)
 	goto out;
 
-    free_keys (context, ent->keys.len, ent->keys.val);
+    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
     ent->keys.len = len;
     ent->keys.val = hkeys;
     ent->kvno++;
@@ -287,6 +461,6 @@ out:
     for (i = 0; i < len; ++i)
 	krb5_free_keyblock_contents (context->context, &keys[i]);
     free (keys);
-    free_keys (context, len, hkeys);
+    _kadm5_free_keys (context, len, hkeys);
     return ret;
 }
diff --git a/crypto/heimdal/lib/kadm5/truncate_log.c b/crypto/heimdal/lib/kadm5/truncate_log.c
new file mode 100644
index 0000000..215fdd7
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/truncate_log.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+
+RCSID("$Id: truncate_log.c,v 1.1 2000/07/24 04:27:06 assar Exp $");
+
+static char *realm;
+static int version_flag;
+static int help_flag;
+
+static struct getargs args[] = {
+    { "realm", 'r', arg_string, &realm },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    void *kadm_handle;
+    kadm5_server_context *server_context;
+    kadm5_config_params conf;
+
+    krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    memset(&conf, 0, sizeof(conf));
+    if(realm) {
+	conf.mask |= KADM5_CONFIG_REALM;
+	conf.realm = realm;
+    }
+
+    ret = kadm5_init_with_password_ctx (context,
+					KADM5_ADMIN_SERVICE,
+					NULL,
+					KADM5_ADMIN_SERVICE,
+					&conf, 0, 0, 
+					&kadm_handle);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+
+    server_context = (kadm5_server_context *)kadm_handle;
+
+    ret = kadm5_log_truncate (server_context);
+	krb5_err (context, 1, ret, "kadm5_log_truncate");
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kafs/ChangeLog b/crypto/heimdal/lib/kafs/ChangeLog
index 09ea01e..180f2c4 100644
--- a/crypto/heimdal/lib/kafs/ChangeLog
+++ b/crypto/heimdal/lib/kafs/ChangeLog
@@ -1,3 +1,47 @@
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkafs_la_LDFLAGS): set version to 2:3:2
+
+2000-11-17  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h: solaris 8 apperently uses 65
+
+2000-09-19  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkafs_la_LDFLAGS): bump version to 2:2:2
+
+2000-09-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* dlfcn.c: correct arguments to some snprintf:s
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bump version to 2:1:2
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 2:0:2
+
+2000-03-20  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h: make versions later than 5.7 of solaris also use
+	73
+
+2000-03-16  Assar Westerlund  <assar@sics.se>
+
+	* afskrb.c (afslog_uid_int): use krb_get_tf_fullname instead of
+	krb_get_default_principal
+
+2000-03-15  Assar Westerlund  <assar@sics.se>
+
+	* afssys.c (map_syscall_name_to_number): ignore # at
+	beginning-of-line
+
+2000-03-13  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h: add 230 for MacOS X per information from
+	<warner.c@apple.com>
+
 1999-12-06  Assar Westerlund  <assar@sics.se>
 
 	* Makefile.am: set version to 1:2:1
diff --git a/crypto/heimdal/lib/kafs/Makefile.am b/crypto/heimdal/lib/kafs/Makefile.am
index 2460e55..9557588 100644
--- a/crypto/heimdal/lib/kafs/Makefile.am
+++ b/crypto/heimdal/lib/kafs/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.19 2000/01/06 15:14:27 assar Exp $
+# $Id: Makefile.am,v 1.23 2000/12/11 00:44:50 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -41,7 +41,7 @@ endif # KRB4
 
 
 lib_LTLIBRARIES = $(AFSLIBS)
-libkafs_la_LDFLAGS = -version-info 1:2:1
+libkafs_la_LDFLAGS = -version-info 2:3:2
 foodir = $(libdir)
 foo_DATA = $(AFS_EXTRA_LIBS)
 # EXTRA_DATA = afslib.so
diff --git a/crypto/heimdal/lib/kafs/Makefile.in b/crypto/heimdal/lib/kafs/Makefile.in
index 32b69cb..147f327 100644
--- a/crypto/heimdal/lib/kafs/Makefile.in
+++ b/crypto/heimdal/lib/kafs/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.19 2000/01/06 15:14:27 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,25 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -91,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.23 2000/12/11 00:44:50 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4) $(AFS_EXTRA_DEFS)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(AFS_EXTRA_DEFS)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -135,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -143,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -151,45 +170,41 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
-@KRB4_TRUE@AFSLIBS = libkafs.la
+@KRB4_TRUE@AFSLIBS = @KRB4_TRUE@libkafs.la
 @KRB4_FALSE@AFSLIBS = 
 
-@KRB4_TRUE@@AIX_TRUE@AFSL_EXP = $(srcdir)/afsl.exp
+@KRB4_TRUE@@AIX_TRUE@AFSL_EXP = @KRB4_TRUE@@AIX_TRUE@$(srcdir)/afsl.exp
 @KRB4_TRUE@@AIX_FALSE@AFSL_EXP = 
-@KRB4_TRUE@@AIX_TRUE@@AIX4_TRUE@AFS_EXTRA_LD = -bnoentry
-@KRB4_TRUE@@AIX_TRUE@@AIX4_FALSE@AFS_EXTRA_LD = -e _nostart
+@KRB4_TRUE@@AIX_TRUE@@AIX4_TRUE@AFS_EXTRA_LD = @KRB4_TRUE@@AIX_TRUE@@AIX4_TRUE@-bnoentry
+@KRB4_TRUE@@AIX_TRUE@@AIX4_FALSE@AFS_EXTRA_LD = @KRB4_TRUE@@AIX_TRUE@@AIX4_FALSE@-e _nostart
 @KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@@HAVE_DLOPEN_TRUE@AIX_SRC = 
-@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@@HAVE_DLOPEN_FALSE@AIX_SRC = dlfcn.c
-@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@AIX_SRC = afslib.c
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@@HAVE_DLOPEN_FALSE@AIX_SRC = @KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@@HAVE_DLOPEN_FALSE@dlfcn.c
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@AIX_SRC = @KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@afslib.c
 @KRB4_TRUE@@AIX_FALSE@AIX_SRC = 
-@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@AFS_EXTRA_LIBS = afslib.so
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@AFS_EXTRA_LIBS = @KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@afslib.so
 @KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@AFS_EXTRA_LIBS = 
 @KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@AFS_EXTRA_DEFS = 
-@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@AFS_EXTRA_DEFS = -DSTATIC_AFS
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@AFS_EXTRA_DEFS = @KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@-DSTATIC_AFS
 
 lib_LTLIBRARIES = $(AFSLIBS)
-libkafs_la_LDFLAGS = -version-info 1:2:1
+libkafs_la_LDFLAGS = -version-info 2:3:2
 foodir = $(libdir)
 foo_DATA = $(AFS_EXTRA_LIBS)
 # EXTRA_DATA = afslib.so
@@ -198,7 +213,7 @@ CLEANFILES = $(AFS_EXTRA_LIBS)
 
 include_HEADERS = kafs.h
 
-@KRB5_TRUE@afskrb5_c = afskrb5.c
+@KRB5_TRUE@afskrb5_c = @KRB5_TRUE@afskrb5.c
 
 libkafs_la_SOURCES = afssys.c afskrb.c $(afskrb5_c) common.c $(AIX_SRC) kafs_locl.h afssysdefs.h
 #afslib_so_SOURCES = afslib.c
@@ -208,6 +223,7 @@ EXTRA_libkafs_la_SOURCES = afskrb5.c dlfcn.c afslib.c dlfcn.h
 EXTRA_DIST = README.dlfcn afsl.exp afslib.exp
 
 man_MANS = kafs.3
+subdir = lib/kafs
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -217,186 +233,187 @@ LTLIBRARIES =  $(lib_LTLIBRARIES)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 libkafs_la_LIBADD = 
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
-@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afslib.lo
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@dlfcn.lo
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afslib.lo
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@dlfcn.lo
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
-@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afslib.lo
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo \
-@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afslib.lo
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
-@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
-CFLAGS = @CFLAGS@
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@afslib.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afslib.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@afslib.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afslib.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@dlfcn.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@dlfcn.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@common.lo
+libkafs_la_OBJECTS =  $(am_libkafs_la_OBJECTS)
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libkafs_la_SOURCES) $(EXTRA_libkafs_la_SOURCES)
 man3dir = $(mandir)/man3
 MANS = $(man_MANS)
 DATA =  $(foo_DATA)
 
 HEADERS =  $(include_HEADERS)
 
-DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) ChangeLog Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(libkafs_la_SOURCES) $(EXTRA_libkafs_la_SOURCES)
-OBJECTS = $(libkafs_la_OBJECTS)
+OBJECTS = $(am_libkafs_la_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/kafs/Makefile
 
@@ -419,31 +436,18 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	$(mkinstalldirs) $(DESTDIR)$(libdir)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
 	  else :; fi; \
 	done
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
 	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -455,15 +459,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -476,6 +471,12 @@ maintainer-clean-libtool:
 
 libkafs.la: $(libkafs_la_OBJECTS) $(libkafs_la_DEPENDENCIES)
 	$(LINK) -rpath $(libdir) $(libkafs_la_LDFLAGS) $(libkafs_la_OBJECTS) $(libkafs_la_LIBADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-man3:
 	$(mkinstalldirs) $(DESTDIR)$(man3dir)
@@ -490,6 +491,7 @@ install-man3:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \
@@ -505,6 +507,7 @@ uninstall-man3:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man3dir)/$$inst; \
@@ -520,19 +523,18 @@ install-fooDATA: $(foo_DATA)
 	@$(NORMAL_INSTALL)
 	$(mkinstalldirs) $(DESTDIR)$(foodir)
 	@list='$(foo_DATA)'; for p in $$list; do \
-	  if test -f $(srcdir)/$$p; then \
-	    echo " $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p"; \
-	    $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p; \
-	  else if test -f $$p; then \
-	    echo " $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p"; \
-	    $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p; \
-	  fi; fi; \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f; \
 	done
 
 uninstall-fooDATA:
 	@$(NORMAL_UNINSTALL)
-	list='$(foo_DATA)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(foodir)/$$p; \
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(foodir)/$$f"; \
+	  rm -f $(DESTDIR)$(foodir)/$$f; \
 	done
 
 install-includeHEADERS: $(include_HEADERS)
@@ -540,35 +542,42 @@ install-includeHEADERS: $(include_HEADERS)
 	$(mkinstalldirs) $(DESTDIR)$(includedir)
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
-	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
-	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
 	done
 
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	list='$(include_HEADERS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
 	done
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -581,17 +590,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/kafs
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -622,7 +630,7 @@ uninstall: uninstall-am
 all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(mandir)/man3 \
 		$(DESTDIR)$(foodir) $(DESTDIR)$(includedir)
@@ -638,6 +646,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-tags \
 		mostlyclean-generic
@@ -677,7 +686,7 @@ distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
 dvi-am dvi check-local check check-am installcheck-am installcheck \
 install-exec-am install-exec install-data-local install-data-am \
 install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all installdirs mostlyclean-generic \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
 distclean-generic clean-generic maintainer-clean-generic clean \
 mostlyclean distclean maintainer-clean
 
@@ -687,7 +696,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -699,8 +711,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -769,87 +781,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/lib/kafs/afskrb.c b/crypto/heimdal/lib/kafs/afskrb.c
index 805750d..ea7ca53 100644
--- a/crypto/heimdal/lib/kafs/afskrb.c
+++ b/crypto/heimdal/lib/kafs/afskrb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #include "kafs_locl.h"
 
-RCSID("$Id: afskrb.c,v 1.13 1999/12/02 16:58:39 joda Exp $");
+RCSID("$Id: afskrb.c,v 1.14 2000/03/16 05:35:56 assar Exp $");
 
 struct krb_kafs_data {
     const char *realm;
@@ -69,13 +69,9 @@ afslog_uid_int(kafs_data *data,
 	return _kafs_afslog_all_local_cells (data, uid, homedir);
 
     /* Extract realm from ticket file. */
-    {
-        char name[ANAME_SZ], inst[INST_SZ];
-
-	ret = krb_get_default_principal(name, inst, realm);
-	if (ret != KSUCCESS)
-	    return ret;
-    }
+    ret = krb_get_tf_fullname(tkt_string(), NULL, NULL, realm);
+    if (ret != KSUCCESS)
+	return ret;
 
     ret = _kafs_get_cred(data, cell, realm_hint, realm, &c);
     
diff --git a/crypto/heimdal/lib/kafs/afssys.c b/crypto/heimdal/lib/kafs/afssys.c
index d49a65a..c64b382 100644
--- a/crypto/heimdal/lib/kafs/afssys.c
+++ b/crypto/heimdal/lib/kafs/afssys.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 200 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #include "kafs_locl.h"
 
-RCSID("$Id: afssys.c,v 1.65 1999/12/02 16:58:40 joda Exp $");
+RCSID("$Id: afssys.c,v 1.67 2000/07/08 12:06:03 assar Exp $");
 
 int _kafs_debug; /* this should be done in a better way */
 
@@ -113,6 +113,9 @@ map_syscall_name_to_number (const char *str, int *res)
     if (f == NULL)
 	return -1;
     while (fgets (buf, sizeof(buf), f) != NULL) {
+	if (buf[0] == '#')
+	    continue;
+
 	if (strncmp (str, buf, str_len) == 0) {
 	    char *begptr = buf + str_len;
 	    char *endptr;
@@ -280,7 +283,7 @@ int
 k_hasafs(void)
 {
 #if !defined(NO_AFS) && defined(SIGSYS)
-    RETSIGTYPE (*saved_func)();
+    RETSIGTYPE (*saved_func)(int);
 #endif
     int saved_errno;
     char *env = getenv ("AFS_SYSCALL");
diff --git a/crypto/heimdal/lib/kafs/afssysdefs.h b/crypto/heimdal/lib/kafs/afssysdefs.h
index 574b33f..800921f 100644
--- a/crypto/heimdal/lib/kafs/afssysdefs.h
+++ b/crypto/heimdal/lib/kafs/afssysdefs.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: afssysdefs.h,v 1.21 1999/12/02 16:58:40 joda Exp $ */
+/* $Id: afssysdefs.h,v 1.24 2000/11/17 01:07:47 assar Exp $ */
 
 /*
  * This section is for machines using single entry point AFS syscalls!
@@ -54,6 +54,10 @@
 #define AFS_SYSCALL	73
 #endif
 
+#if SunOS >= 58
+#define AFS_SYSCALL	65
+#endif
+
 #if defined(__hpux)
 #define AFS_SYSCALL	50
 #define AFS_SYSCALL2	49
@@ -82,6 +86,10 @@
 #define AFS_SYSCALL 210
 #endif
 
+#ifdef __APPLE__		/* MacOS X */
+#define AFS_SYSCALL 230
+#endif
+
 #ifdef SYS_afs_syscall
 #define AFS_SYSCALL3	SYS_afs_syscall
 #endif
diff --git a/crypto/heimdal/lib/kafs/dlfcn.c b/crypto/heimdal/lib/kafs/dlfcn.c
index e664fe3..728cf5c 100644
--- a/crypto/heimdal/lib/kafs/dlfcn.c
+++ b/crypto/heimdal/lib/kafs/dlfcn.c
@@ -115,12 +115,12 @@ void *dlopen(const char *path, int mode)
 		}
 	if ((mp = (ModulePtr)calloc(1, sizeof(*mp))) == NULL) {
 		errvalid++;
-		snprintf (errbuf, "calloc: %s", strerror(errno));
+		snprintf (errbuf, sizeof(errbuf), "calloc: %s", strerror(errno));
 		return NULL;
 	}
 	if ((mp->name = strdup(path)) == NULL) {
 		errvalid++;
-		snprintf (errbuf, "strdup: %s", strerror(errno));
+		snprintf (errbuf, sizeof(errbuf), "strdup: %s", strerror(errno));
 		free(mp);
 		return NULL;
 	}
diff --git a/crypto/heimdal/lib/kafs/kafs.3 b/crypto/heimdal/lib/kafs/kafs.3
index 4a7b5ef..0b6b050 100644
--- a/crypto/heimdal/lib/kafs/kafs.3
+++ b/crypto/heimdal/lib/kafs/kafs.3
@@ -1,4 +1,4 @@
-.\"	$Id: kafs.3,v 1.3 1998/06/30 15:41:52 assar Exp $
+.\"	$Id: kafs.3,v 1.4 2001/01/11 16:16:29 assar Exp $
 .\"
 .Dd May 7, 1997
 .Os KTH-KRB
@@ -11,8 +11,8 @@
 .Nm k_afs_cell_of_file ,
 .Nm krb_afslog ,
 .Nm krb_afslog_uid
-\" .Nm krb5_afslog ,
-\" .Nm krb5_afslog_uid
+.\" .Nm krb5_afslog ,
+.\" .Nm krb5_afslog_uid
 .Nd AFS library
 .Sh SYNOPSIS
 .Fd #include <kafs.h>
@@ -30,10 +30,10 @@
 .Fn krb_afslog "char *cell" "char *realm"
 .Ft int
 .Fn krb_afslog_uid "char *cell" "char *realm" "uid_t uid"
-\" .Ft krb5_error_code
-\" .Fn krb5_afslog_uid "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" "uid_t uid"
-\" .Ft krb5_error_code
-\" .Fn krb5_afslog "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm"
+.\" .Ft krb5_error_code
+.\" .Fn krb5_afslog_uid "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" "uid_t uid"
+.\" .Ft krb5_error_code
+.\" .Fn krb5_afslog "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm"
 .Sh DESCRIPTION
 .Fn k_hasafs
 initializes some library internal structures, and tests for the
@@ -41,7 +41,7 @@ presense of AFS in the kernel, none of the other functions should be
 called before 
 .Fn k_hasafs
 is called, or if it fails.
-
+.Pp
 .Fn krb_afslog ,
 and
 .Fn krb_afslog_uid
@@ -66,22 +66,22 @@ field in the token,
 .Fn krb_afslog_uid
 will use
 .Fa uid .
-
-\" .Fn krb5_afslog ,
-\" and 
-\" .Fn krb5_afslog_uid
-\" are the Kerberos 5 equivalents of
-\" .Fn krb_afslog ,
-\" and
-\" .Fn krb_afslog_uid .
-\" The extra arguments are the ubiquitous context, and the cache id where
-\" to store any obtained tickets. Since AFS servers normally can't handle
-\" Kerberos 5 tickets directly, these functions will first obtain version
-\" 5 tickets for the requested cells, and then convert them to version 4
-\" tickets, that can be stashed in the kernel. To convert tickets the
-\" .Fn krb524_convert_creds_kdc
-\" function will be used.
-
+.Pp
+.\" .Fn krb5_afslog ,
+.\" and 
+.\" .Fn krb5_afslog_uid
+.\" are the Kerberos 5 equivalents of
+.\" .Fn krb_afslog ,
+.\" and
+.\" .Fn krb_afslog_uid .
+.\" The extra arguments are the ubiquitous context, and the cache id where
+.\" to store any obtained tickets. Since AFS servers normally can't handle
+.\" Kerberos 5 tickets directly, these functions will first obtain version
+.\" 5 tickets for the requested cells, and then convert them to version 4
+.\" tickets, that can be stashed in the kernel. To convert tickets the
+.\" .Fn krb524_convert_creds_kdc
+.\" function will be used.
+.\" .Pp
 .Fn k_afs_cell_of_file
 will in 
 .Fa cell
@@ -89,23 +89,22 @@ return the cell of a specified file, no more than
 .Fa len
 characters is put in 
 .Fa cell .
-
+.Pp
 .Fn k_pioctl
 does a 
 .Fn pioctl
 syscall with the specified arguments. This function is equivalent to
 .Fn lpioctl .
-
+.Pp
 .Fn k_setpag
 initializes a new PAG.
-
+.Pp
 .Fn k_unlog
 removes destroys all tokens in the current PAG.
-
 .Sh ENVIRONMENT
 The following environment variable affect the mode of operation of
 .Nm kafs :
-.Bl -tag
+.Bl -tag -width AFS_SYSCALL
 .It Ev AFS_SYSCALL
 Normally,
 .Nm kafs
diff --git a/crypto/heimdal/lib/kdfs/ChangeLog b/crypto/heimdal/lib/kdfs/ChangeLog
new file mode 100644
index 0000000..6b52fd2
--- /dev/null
+++ b/crypto/heimdal/lib/kdfs/ChangeLog
@@ -0,0 +1,11 @@
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkdfs_la_LDFLAGS): set version to 0:1:0
+
+2000-07-02  Assar Westerlund  <assar@sics.se>
+
+	* k5dfspag.c: use krb5.h instead of krb5_locl.h
+
+	* initial import from Ake Sandgren <ake@cs.umu.se>
+
+
diff --git a/crypto/heimdal/lib/kdfs/Makefile.am b/crypto/heimdal/lib/kdfs/Makefile.am
new file mode 100644
index 0000000..c51d55e
--- /dev/null
+++ b/crypto/heimdal/lib/kdfs/Makefile.am
@@ -0,0 +1,10 @@
+# $Id: Makefile.am,v 1.2 2000/12/11 00:46:47 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+lib_LTLIBRARIES = libkdfs.la
+
+libkdfs_la_SOURCES = \
+	k5dfspag.c
+
+libkdfs_la_LDFLAGS = -version-info 0:1:0
diff --git a/crypto/heimdal/lib/kdfs/Makefile.in b/crypto/heimdal/lib/kdfs/Makefile.in
new file mode 100644
index 0000000..124a908
--- /dev/null
+++ b/crypto/heimdal/lib/kdfs/Makefile.in
@@ -0,0 +1,557 @@
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
+
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.2 2000/12/11 00:46:47 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+lib_LTLIBRARIES = libkdfs.la
+
+libkdfs_la_SOURCES = \
+	k5dfspag.c
+
+
+libkdfs_la_LDFLAGS = -version-info 0:1:0
+subdir = lib/kdfs
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libkdfs_la_LIBADD = 
+am_libkdfs_la_OBJECTS =  k5dfspag.lo
+libkdfs_la_OBJECTS =  $(am_libkdfs_la_OBJECTS)
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libkdfs_la_SOURCES)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libkdfs_la_SOURCES)
+OBJECTS = $(am_libkdfs_la_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/kdfs/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libkdfs.la: $(libkdfs_la_OBJECTS) $(libkdfs_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libkdfs_la_LDFLAGS) $(libkdfs_la_OBJECTS) $(libkdfs_la_LIBADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/kdfs/k5dfspag.c b/crypto/heimdal/lib/kdfs/k5dfspag.c
new file mode 100644
index 0000000..3e48a85
--- /dev/null
+++ b/crypto/heimdal/lib/kdfs/k5dfspag.c
@@ -0,0 +1,362 @@
+/* 
+ * lib/krb5/os/k5dfspag.c
+ *
+ * New Kerberos module to issue the DFS PAG syscalls. 
+ * It also contains the routine to fork and exec the
+ * k5dcecon routine to do most of the work. 
+ * 
+ * This file is designed to be as independent of DCE 
+ * and DFS as possible. The only dependencies are on 
+ * the syscall numbers.  If DFS not running or not installed,
+ * the sig handlers will catch and the signal and 
+ * will  continue. 
+ *
+ * krb5_dfs_newpag and krb5_dfs_getpag should not be real
+ * Kerberos routines, since they should be setpag and getpag
+ * in the DCE library, but without the DCE baggage. 
+ * Thus they don't have context, and don't return a krb5 error. 
+ *
+ * 
+ * 
+ * krb5_dfs_pag()
+ */
+
+#include <krb5.h>
+
+#ifdef DCE
+
+#include <stdio.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <sys/param.h>
+
+/* Only run this DFS PAG code on systems with POSIX
+ * All that we are interested in dor:, AIX 4.x,
+ * Solaris 2.5.x, HPUX 10.x  Even SunOS 4.1.4, AIX 3.2.5
+ * and SGI 5.3 are OK.  This simplifies
+ * the build/configure which I don't want to change now.
+ * All of them also have waitpid as well. 
+ */
+
+#define POSIX_SETJMP
+#define POSIX_SIGNALS
+#define HAVE_WAITPID
+
+#include <signal.h>
+#include <setjmp.h>
+#ifndef POSIX_SETJMP
+#undef sigjmp_buf
+#undef sigsetjmp
+#undef siglongjmp
+#define sigjmp_buf  jmp_buf
+#define sigsetjmp(j,s)  setjmp(j)
+#define siglongjmp  longjmp
+#endif
+
+#ifdef POSIX_SIGNALS
+typedef struct sigaction handler;
+#define handler_init(H,F)       (sigemptyset(&(H).sa_mask), \
+                     (H).sa_flags=0, \
+                     (H).sa_handler=(F))
+#define handler_swap(S,NEW,OLD)     sigaction(S, &NEW, &OLD)
+#define handler_set(S,OLD)      sigaction(S, &OLD, NULL)
+#else
+typedef sigtype (*handler)();
+#define handler_init(H,F)       ((H) = (F))
+#define handler_swap(S,NEW,OLD)     ((OLD) = signal ((S), (NEW)))
+#define handler_set(S,OLD)      (signal ((S), (OLD)))
+#endif
+
+#define krb5_sigtype void
+#define WAIT_USES_INT
+typedef krb5_sigtype sigtype;
+
+
+/* 
+ * Need some syscall numbers based on different systems. 
+ * These are based on: 
+ * HPUX 10.10 /opt/dce/include/dcedfs/syscall.h 
+ * Solaris 2.5 /opt/dcelocal/share/include/dcedfs/syscall.h
+ * AIX 4.2  - needs some funny games with load and kafs_syscall
+ * to get the kernel extentions. There should be a better way! 
+ * 
+ * DEE 5/27/97
+ *
+ */
+
+
+#define AFSCALL_SETPAG 2
+#define AFSCALL_GETPAG 11
+
+#if defined(sun)
+#define AFS_SYSCALL  72
+
+#elif defined(hpux)
+/* assume HPUX 10 +  or is it 50 */
+#define AFS_SYSCALL 326
+
+#elif defined(_AIX)
+#ifndef DPAGAIX
+#define DPAGAIX LIBEXECDIR ## "/dpagaix"
+#endif
+int *load();
+static int (*dpagaix)(int, int, int, int, int, int) = 0;
+
+#elif defined(sgi) || defined(_sgi)
+#define AFS_SYSCALL      206+1000
+
+#else
+#define AFS_SYSCALL (Unknown_DFS_AFS_SYSCALL)
+#endif
+
+
+#ifdef  WAIT_USES_INT
+                int wait_status;
+#else   /* WAIT_USES_INT */
+                union wait wait_status;
+#endif  /* WAIT_USES_INT */
+
+#ifndef K5DCECON
+#define K5DCECON LIBEXECDIR ## "/k5dcecon"
+#endif
+
+/* 
+ * mysig()
+ *
+ * signal handler if DFS not running
+ *
+ */
+
+static sigjmp_buf setpag_buf;
+
+static sigtype mysig()
+{
+  siglongjmp(setpag_buf, 1);
+}
+
+/*
+ * krb5_dfs_pag_syscall()
+ *
+ * wrapper for the syscall with signal handlers
+ *
+ */
+
+static int  krb5_dfs_pag_syscall(opt1,opt2) 
+  int opt1;
+  int opt2;
+{
+  handler sa1, osa1;
+  handler sa2, osa2;
+  int pag = -2;
+
+  handler_init (sa1, mysig);
+  handler_init (sa2, mysig);
+  handler_swap (SIGSYS, sa1, osa1);
+  handler_swap (SIGSEGV, sa2, osa2);
+  
+  if (sigsetjmp(setpag_buf, 1) == 0) {
+
+#if defined(_AIX)
+    if (!dpagaix)
+      dpagaix = load(DPAGAIX, 0, 0);
+    if (dpagaix) 
+      pag = (*dpagaix)(opt1, opt2, 0, 0, 0, 0);
+#else
+    pag = syscall(AFS_SYSCALL, opt1, opt2, 0, 0, 0, 0); 
+#endif
+
+    handler_set (SIGSYS, osa1);
+    handler_set (SIGSEGV, osa2);
+    return(pag);
+  }
+
+  /* syscall failed! return 0 */
+  handler_set (SIGSYS, osa1);
+  handler_set (SIGSEGV, osa2);
+  return(-2);
+}
+
+/*
+ * krb5_dfs_newpag()
+ *
+ * issue a DCE/DFS setpag system call to set the newpag
+ * for this process. This takes advantage of a currently
+ * undocumented feature of the Transarc port of DFS. 
+ * Even in DCE 1.2.2 for which the source is available,
+ * (but no vendors have released), this feature is not
+ * there, but it should be, or could be added. 
+ * If new_pag is zero, then the syscall will get a new pag
+ * and return its value. 
+ */ 
+
+int krb5_dfs_newpag(new_pag) 
+  int new_pag;
+{
+  return(krb5_dfs_pag_syscall(AFSCALL_SETPAG, new_pag));
+}
+
+/* 
+ * krb5_dfs_getpag()
+ *
+ * get the current PAG. Used mostly as a test. 
+ */
+
+int krb5_dfs_getpag()
+{
+  return(krb5_dfs_pag_syscall(AFSCALL_GETPAG, 0));
+}
+
+/*
+ * krb5_dfs_pag()
+ *
+ * Given a principal and local username,
+ * fork and exec the k5dcecon module to create 
+ * refresh or join a new DCE/DFS
+ * Process Authentication Group (PAG)
+ * 
+ * This routine should be called after krb5_kuserok has 
+ * determined that this combination of local user and 
+ * principal are acceptable for the local host. 
+ * 
+ * It should also be called after a forwarded ticket has 
+ * been received, and the KRB5CCNAME environment variable
+ * has been set to point at it. k5dcecon will convert this
+ * to a new DCE context and a new pag and replace KRB5CCNAME
+ * in the environment. 
+ *
+ * If there is no forwarded ticket, k5dcecon will attempt
+ * to join an existing PAG for the same principal and local
+ * user. 
+ *
+ * And it should be called before access to the home directory
+ * as this may be in DFS, not accessable by root, and require
+ * the PAG to have been setup. 
+ * 
+ * The krb5_afs_pag can be called after this routine to 
+ * use the the cache obtained by k5dcecon to get an AFS token. 
+ * DEE - 7/97
+ */ 
+ 
+int krb5_dfs_pag(context, flag, principal, luser)
+	krb5_context context;
+    int flag; /* 1 if a forwarded TGT is to be used */
+	krb5_principal principal;
+	const char *luser;
+
+{
+  
+  struct stat stx;
+  int fd[2];
+  int i,j;
+  int pid;
+  int new_pag;
+  int pag;
+  char newccname[MAXPATHLEN] = ""; 
+  char *princ;
+  int err; 
+  struct sigaction newsig, oldsig;
+
+#ifdef  WAIT_USES_INT
+  int wait_status;
+#else   /* WAIT_USES_INT */
+  union wait wait_status;
+#endif  /* WAIT_USES_INT */
+
+  if (krb5_unparse_name(context, principal, &princ))
+   return(0);
+
+   /* test if DFS is running or installed */
+   if (krb5_dfs_getpag() == -2)
+     return(0); /* DFS not running, dont try */
+  
+  if (pipe(fd) == -1) 
+     return(0);
+
+  /* Make sure that telnetd.c's SIGCHLD action don't happen right now... */
+  memset((char *)&newsig, 0, sizeof(newsig));
+  newsig.sa_handler = SIG_IGN;
+  sigaction(SIGCHLD, &newsig, &oldsig);
+
+  pid = fork();
+  if (pid <0) 
+   return(0);
+
+  if (pid == 0) {  /* child process */
+
+    close(1);       /* close stdout */
+    dup(fd[1]);     /* point stdout at pipe here */
+    close(fd[0]);   /* don't use end of pipe here */
+    close(fd[1]);   /* pipe now as stdout */
+
+    execl(K5DCECON, "k5dcecon",
+         (flag) ? "-f" : "-s" ,
+		 "-l", luser,
+		 "-p", princ, (char *)0);
+
+    exit(127);      /* incase execl fails */
+  } 
+
+  /* parent, wait for child to finish */
+
+  close(fd[1]);  /* dont need this end of pipe */
+
+/* #if defined(sgi) || defined(_sgi) */
+  /* wait_status.w_status = 0; */
+  /* waitpid((pid_t) pid, &wait_status.w_status, 0); */
+/* #else */
+
+
+  wait_status = 0;
+#ifdef  HAVE_WAITPID
+  err = waitpid((pid_t) pid, &wait_status, 0);
+#else   /* HAVE_WAITPID */
+  err = wait4(pid, &wait_status, 0, (struct rusage *) NULL);
+#endif  /* HAVE_WAITPID */
+/* #endif */
+
+  sigaction(SIGCHLD, &oldsig, 0);
+  if (WIFEXITED(wait_status)){
+    if (WEXITSTATUS(wait_status) == 0) {
+      i = 1;
+      j = 0;
+      while (i != 0) {
+        i = read(fd[0], &newccname[j], sizeof(newccname)-1-j);
+        if ( i > 0)
+          j += i;
+        if (j >=  sizeof(newccname)-1)
+          i = 0;
+      }
+      close(fd[0]);
+      if (j > 0) {
+        newccname[j] = '\0'; 
+        esetenv("KRB5CCNAME",newccname,1);
+        sscanf(&newccname[j-8],"%8x",&new_pag);
+        if (new_pag && strncmp("FILE:/opt/dcelocal/var/security/creds/dcecred_", newccname, 46) == 0) {
+          if((pag = krb5_dfs_newpag(new_pag)) != -2) {
+            return(pag);
+          }
+        }
+      }
+    }
+  }
+  return(0); /* something not right */
+}
+
+#else /* DCE */
+
+/* 
+ * krb5_dfs_pag - dummy version for the lib for systems 
+ * which don't have DFS, or the needed setpag kernel code.  
+ */
+
+krb5_boolean
+krb5_dfs_pag(context, principal, luser)
+	krb5_context context;
+	krb5_principal principal;
+	const char *luser;
+{
+	return(0);
+}
+
+#endif /* DCE */
diff --git a/crypto/heimdal/lib/krb5/Makefile.am b/crypto/heimdal/lib/krb5/Makefile.am
index df8ac6d..395f29d 100644
--- a/crypto/heimdal/lib/krb5/Makefile.am
+++ b/crypto/heimdal/lib/krb5/Makefile.am
@@ -1,24 +1,22 @@
-# $Id: Makefile.am,v 1.98 2000/02/19 18:53:56 assar Exp $
+# $Id: Makefile.am,v 1.119 2001/01/30 01:50:52 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4)
-
 bin_PROGRAMS = verify_krb5_conf
 
-noinst_PROGRAMS = dump_config
+noinst_PROGRAMS = dump_config test_get_addrs
 
 check_PROGRAMS = n-fold-test string-to-key-test
 TESTS = n-fold-test string-to-key-test
 
-if KRB4
-KRB4LIB = $(LIB_krb4)
-keytab_krb4_c = keytab_krb4.c
-endif
-
 LDADD = libkrb5.la \
-	$(KRB4LIB) \
-	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+libkrb5_la_LIBADD = \
+	../com_err/error.lo ../com_err/com_err.lo \
+	$(LIB_des) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
@@ -27,10 +25,12 @@ lib_LTLIBRARIES = libkrb5.la
 ERR_FILES = krb5_err.c heim_err.c
 
 libkrb5_la_SOURCES = \
+	acl.c \
 	add_et_list.c \
 	addr_families.c \
 	address.c \
 	aname_to_localname.c \
+	appdefault.c \
 	asn1_glue.c \
 	auth_context.c \
 	build_ap_req.c \
@@ -48,6 +48,7 @@ libkrb5_la_SOURCES = \
 	creds.c \
 	crypto.c \
 	data.c \
+	eai_to_heim_errno.c \
 	expand_hostname.c \
 	fcache.c \
 	free.c \
@@ -71,8 +72,8 @@ libkrb5_la_SOURCES = \
 	keytab.c \
 	keytab_file.c \
 	keytab_memory.c \
-	$(keytab_krb4_c) \
 	keytab_keyfile.c \
+	keytab_krb4.c \
 	krbhst.c \
 	kuserok.c \
 	log.c \
@@ -99,6 +100,7 @@ libkrb5_la_SOURCES = \
 	rd_safe.c \
 	read_message.c \
 	recvauth.c \
+	replay.c \
 	send_to_kdc.c \
 	sendauth.c \
 	set_default_realm.c \
@@ -117,9 +119,7 @@ libkrb5_la_SOURCES = \
 	write_message.c \
 	$(ERR_FILES)
 
-EXTRA_libkrb5_la_SOURCES = keytab_krb4.c
-
-libkrb5_la_LDFLAGS = -version-info 9:1:0
+libkrb5_la_LDFLAGS = -version-info 15:0:0
 
 $(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
 
@@ -129,11 +129,25 @@ $(srcdir)/krb5-protos.h:
 $(srcdir)/krb5-private.h:
 	cd $(srcdir); perl ../../cf/make-proto.pl -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h
 
-libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo
-
-man_MANS = krb5.conf.5 krb5_warn.3 krb5_openlog.3 \
-	krb5_425_conv_principal.3 krb5_build_principal.3 krb5_free_principal.3 \
-	krb5_parse_name.3 krb5_sname_to_principal.3 krb5_unparse_name.3
+#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo
+
+man_MANS =					\
+	kerberos.8				\
+	krb5.conf.5				\
+	krb5_425_conv_principal.3		\
+	krb5_appdefault.3			\
+	krb5_build_principal.3			\
+	krb5_config.3				\
+	krb5_free_principal.3			\
+	krb5_openlog.3				\
+	krb5_parse_name.3			\
+	krb5_sname_to_principal.3		\
+	krb5_unparse_name.3			\
+	krb5_warn.3				\
+	verify_krb5_conf.8			\
+	krb5_auth_context.3			\
+	krb5_context.3				\
+	krb5_init_context.3
 
 include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h
 
diff --git a/crypto/heimdal/lib/krb5/Makefile.in b/crypto/heimdal/lib/krb5/Makefile.in
index dbca9de..be103d2 100644
--- a/crypto/heimdal/lib/krb5/Makefile.in
+++ b/crypto/heimdal/lib/krb5/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.98 2000/02/19 18:53:56 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.119 2001/01/30 01:50:52 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,59 +170,170 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
 bin_PROGRAMS = verify_krb5_conf
 
-noinst_PROGRAMS = dump_config
+noinst_PROGRAMS = dump_config test_get_addrs
 
 check_PROGRAMS = n-fold-test string-to-key-test
 TESTS = n-fold-test string-to-key-test
 
-@KRB4_TRUE@KRB4LIB = $(LIB_krb4)
-@KRB4_TRUE@keytab_krb4_c = keytab_krb4.c
+LDADD = libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
 
-LDADD = libkrb5.la 	$(KRB4LIB) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+libkrb5_la_LIBADD = \
+	../com_err/error.lo ../com_err/com_err.lo \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
 
 
 lib_LTLIBRARIES = libkrb5.la
 
 ERR_FILES = krb5_err.c heim_err.c
 
-libkrb5_la_SOURCES =  	add_et_list.c 	addr_families.c 	address.c 	aname_to_localname.c 	asn1_glue.c 	auth_context.c 	build_ap_req.c 	build_auth.c 	cache.c 	changepw.c 	codec.c 	config_file.c 	config_file_netinfo.c 	convert_creds.c 	constants.c 	context.c 	copy_host_realm.c 	crc.c 	creds.c 	crypto.c 	data.c 	expand_hostname.c 	fcache.c 	free.c 	free_host_realm.c 	generate_seq_number.c 	generate_subkey.c 	get_addrs.c 	get_cred.c 	get_default_principal.c 	get_default_realm.c 	get_for_creds.c 	get_host_realm.c 	get_in_tkt.c 	get_in_tkt_pw.c 	get_in_tkt_with_keytab.c 	get_in_tkt_with_skey.c 	get_port.c 	init_creds.c 	init_creds_pw.c 	keyblock.c 	keytab.c 	keytab_file.c 	keytab_memory.c 	$(keytab_krb4_c) 	keytab_keyfile.c 	krbhst.c 	kuserok.c 	log.c 	mcache.c 	misc.c 	mk_error.c 	mk_priv.c 	mk_rep.c 	mk_req.c 	mk_req_ext.c 	mk_safe.c 	net_read.c 	net_write.c 	n-fold.c 	padata.c 	principal.c 	prog_setup.c 	prompter_posix.c 	rd_cred.c 	rd_error.c 	rd_priv.c 	rd_rep.c 	rd_req.c 	rd_safe.c 	read_message.c 	recvauth.c 	send_to_kdc.c 	sendauth.c 	set_default_realm.c 	sock_principal.c 	store.c 	store_emem.c 	store_fd.c 	store_mem.c 	ticket.c 	time.c 	transited.c 	verify_init.c 	verify_user.c 	version.c 	warn.c 	write_message.c 	$(ERR_FILES)
-
-
-EXTRA_libkrb5_la_SOURCES = keytab_krb4.c
-
-libkrb5_la_LDFLAGS = -version-info 9:1:0
-
-libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo
-
-man_MANS = krb5.conf.5 krb5_warn.3 krb5_openlog.3 	krb5_425_conv_principal.3 krb5_build_principal.3 krb5_free_principal.3 	krb5_parse_name.3 krb5_sname_to_principal.3 krb5_unparse_name.3
+libkrb5_la_SOURCES = \
+	acl.c \
+	add_et_list.c \
+	addr_families.c \
+	address.c \
+	aname_to_localname.c \
+	appdefault.c \
+	asn1_glue.c \
+	auth_context.c \
+	build_ap_req.c \
+	build_auth.c \
+	cache.c \
+	changepw.c \
+	codec.c \
+	config_file.c \
+	config_file_netinfo.c \
+	convert_creds.c \
+	constants.c \
+	context.c \
+	copy_host_realm.c \
+	crc.c \
+	creds.c \
+	crypto.c \
+	data.c \
+	eai_to_heim_errno.c \
+	expand_hostname.c \
+	fcache.c \
+	free.c \
+	free_host_realm.c \
+	generate_seq_number.c \
+	generate_subkey.c \
+	get_addrs.c \
+	get_cred.c \
+	get_default_principal.c \
+	get_default_realm.c \
+	get_for_creds.c \
+	get_host_realm.c \
+	get_in_tkt.c \
+	get_in_tkt_pw.c \
+	get_in_tkt_with_keytab.c \
+	get_in_tkt_with_skey.c \
+	get_port.c \
+	init_creds.c \
+	init_creds_pw.c \
+	keyblock.c \
+	keytab.c \
+	keytab_file.c \
+	keytab_memory.c \
+	keytab_keyfile.c \
+	keytab_krb4.c \
+	krbhst.c \
+	kuserok.c \
+	log.c \
+	mcache.c \
+	misc.c \
+	mk_error.c \
+	mk_priv.c \
+	mk_rep.c \
+	mk_req.c \
+	mk_req_ext.c \
+	mk_safe.c \
+	net_read.c \
+	net_write.c \
+	n-fold.c \
+	padata.c \
+	principal.c \
+	prog_setup.c \
+	prompter_posix.c \
+	rd_cred.c \
+	rd_error.c \
+	rd_priv.c \
+	rd_rep.c \
+	rd_req.c \
+	rd_safe.c \
+	read_message.c \
+	recvauth.c \
+	replay.c \
+	send_to_kdc.c \
+	sendauth.c \
+	set_default_realm.c \
+	sock_principal.c \
+	store.c \
+	store_emem.c \
+	store_fd.c \
+	store_mem.c \
+	ticket.c \
+	time.c \
+	transited.c \
+	verify_init.c \
+	verify_user.c \
+	version.c \
+	warn.c \
+	write_message.c \
+	$(ERR_FILES)
+
+
+libkrb5_la_LDFLAGS = -version-info 15:0:0
+
+#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo
+
+man_MANS = \
+	kerberos.8				\
+	krb5.conf.5				\
+	krb5_425_conv_principal.3		\
+	krb5_appdefault.3			\
+	krb5_build_principal.3			\
+	krb5_config.3				\
+	krb5_free_principal.3			\
+	krb5_openlog.3				\
+	krb5_parse_name.3			\
+	krb5_sname_to_principal.3		\
+	krb5_unparse_name.3			\
+	krb5_warn.3				\
+	verify_krb5_conf.8			\
+	krb5_auth_context.3			\
+	krb5_context.3				\
+	krb5_init_context.3
 
 
 include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h
 
 CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h
+subdir = lib/krb5
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -214,128 +343,94 @@ LTLIBRARIES =  $(lib_LTLIBRARIES)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-libkrb5_la_DEPENDENCIES =  ../com_err/error.lo ../com_err/com_err.lo
-@KRB4_TRUE@libkrb5_la_OBJECTS =  add_et_list.lo addr_families.lo \
-@KRB4_TRUE@address.lo aname_to_localname.lo asn1_glue.lo \
-@KRB4_TRUE@auth_context.lo build_ap_req.lo build_auth.lo cache.lo \
-@KRB4_TRUE@changepw.lo codec.lo config_file.lo config_file_netinfo.lo \
-@KRB4_TRUE@convert_creds.lo constants.lo context.lo copy_host_realm.lo \
-@KRB4_TRUE@crc.lo creds.lo crypto.lo data.lo expand_hostname.lo \
-@KRB4_TRUE@fcache.lo free.lo free_host_realm.lo generate_seq_number.lo \
-@KRB4_TRUE@generate_subkey.lo get_addrs.lo get_cred.lo \
-@KRB4_TRUE@get_default_principal.lo get_default_realm.lo \
-@KRB4_TRUE@get_for_creds.lo get_host_realm.lo get_in_tkt.lo \
-@KRB4_TRUE@get_in_tkt_pw.lo get_in_tkt_with_keytab.lo \
-@KRB4_TRUE@get_in_tkt_with_skey.lo get_port.lo init_creds.lo \
-@KRB4_TRUE@init_creds_pw.lo keyblock.lo keytab.lo keytab_file.lo \
-@KRB4_TRUE@keytab_memory.lo keytab_krb4.lo keytab_keyfile.lo krbhst.lo \
-@KRB4_TRUE@kuserok.lo log.lo mcache.lo misc.lo mk_error.lo mk_priv.lo \
-@KRB4_TRUE@mk_rep.lo mk_req.lo mk_req_ext.lo mk_safe.lo net_read.lo \
-@KRB4_TRUE@net_write.lo n-fold.lo padata.lo principal.lo prog_setup.lo \
-@KRB4_TRUE@prompter_posix.lo rd_cred.lo rd_error.lo rd_priv.lo \
-@KRB4_TRUE@rd_rep.lo rd_req.lo rd_safe.lo read_message.lo recvauth.lo \
-@KRB4_TRUE@send_to_kdc.lo sendauth.lo set_default_realm.lo \
-@KRB4_TRUE@sock_principal.lo store.lo store_emem.lo store_fd.lo \
-@KRB4_TRUE@store_mem.lo ticket.lo time.lo transited.lo verify_init.lo \
-@KRB4_TRUE@verify_user.lo version.lo warn.lo write_message.lo \
-@KRB4_TRUE@krb5_err.lo heim_err.lo
-@KRB4_FALSE@libkrb5_la_OBJECTS =  add_et_list.lo addr_families.lo \
-@KRB4_FALSE@address.lo aname_to_localname.lo asn1_glue.lo \
-@KRB4_FALSE@auth_context.lo build_ap_req.lo build_auth.lo cache.lo \
-@KRB4_FALSE@changepw.lo codec.lo config_file.lo config_file_netinfo.lo \
-@KRB4_FALSE@convert_creds.lo constants.lo context.lo copy_host_realm.lo \
-@KRB4_FALSE@crc.lo creds.lo crypto.lo data.lo expand_hostname.lo \
-@KRB4_FALSE@fcache.lo free.lo free_host_realm.lo generate_seq_number.lo \
-@KRB4_FALSE@generate_subkey.lo get_addrs.lo get_cred.lo \
-@KRB4_FALSE@get_default_principal.lo get_default_realm.lo \
-@KRB4_FALSE@get_for_creds.lo get_host_realm.lo get_in_tkt.lo \
-@KRB4_FALSE@get_in_tkt_pw.lo get_in_tkt_with_keytab.lo \
-@KRB4_FALSE@get_in_tkt_with_skey.lo get_port.lo init_creds.lo \
-@KRB4_FALSE@init_creds_pw.lo keyblock.lo keytab.lo keytab_file.lo \
-@KRB4_FALSE@keytab_memory.lo keytab_keyfile.lo krbhst.lo kuserok.lo \
-@KRB4_FALSE@log.lo mcache.lo misc.lo mk_error.lo mk_priv.lo mk_rep.lo \
-@KRB4_FALSE@mk_req.lo mk_req_ext.lo mk_safe.lo net_read.lo net_write.lo \
-@KRB4_FALSE@n-fold.lo padata.lo principal.lo prog_setup.lo \
-@KRB4_FALSE@prompter_posix.lo rd_cred.lo rd_error.lo rd_priv.lo \
-@KRB4_FALSE@rd_rep.lo rd_req.lo rd_safe.lo read_message.lo recvauth.lo \
-@KRB4_FALSE@send_to_kdc.lo sendauth.lo set_default_realm.lo \
-@KRB4_FALSE@sock_principal.lo store.lo store_emem.lo store_fd.lo \
-@KRB4_FALSE@store_mem.lo ticket.lo time.lo transited.lo verify_init.lo \
-@KRB4_FALSE@verify_user.lo version.lo warn.lo write_message.lo \
-@KRB4_FALSE@krb5_err.lo heim_err.lo
+libkrb5_la_DEPENDENCIES =  ../com_err/error.lo ../com_err/com_err.lo \
+$(top_builddir)/lib/asn1/libasn1.la
+am_libkrb5_la_OBJECTS =  acl.lo add_et_list.lo addr_families.lo \
+address.lo aname_to_localname.lo appdefault.lo asn1_glue.lo \
+auth_context.lo build_ap_req.lo build_auth.lo cache.lo changepw.lo \
+codec.lo config_file.lo config_file_netinfo.lo convert_creds.lo \
+constants.lo context.lo copy_host_realm.lo crc.lo creds.lo crypto.lo \
+data.lo eai_to_heim_errno.lo expand_hostname.lo fcache.lo free.lo \
+free_host_realm.lo generate_seq_number.lo generate_subkey.lo \
+get_addrs.lo get_cred.lo get_default_principal.lo get_default_realm.lo \
+get_for_creds.lo get_host_realm.lo get_in_tkt.lo get_in_tkt_pw.lo \
+get_in_tkt_with_keytab.lo get_in_tkt_with_skey.lo get_port.lo \
+init_creds.lo init_creds_pw.lo keyblock.lo keytab.lo keytab_file.lo \
+keytab_memory.lo keytab_keyfile.lo keytab_krb4.lo krbhst.lo kuserok.lo \
+log.lo mcache.lo misc.lo mk_error.lo mk_priv.lo mk_rep.lo mk_req.lo \
+mk_req_ext.lo mk_safe.lo net_read.lo net_write.lo n-fold.lo padata.lo \
+principal.lo prog_setup.lo prompter_posix.lo rd_cred.lo rd_error.lo \
+rd_priv.lo rd_rep.lo rd_req.lo rd_safe.lo read_message.lo recvauth.lo \
+replay.lo send_to_kdc.lo sendauth.lo set_default_realm.lo \
+sock_principal.lo store.lo store_emem.lo store_fd.lo store_mem.lo \
+ticket.lo time.lo transited.lo verify_init.lo verify_user.lo version.lo \
+warn.lo write_message.lo krb5_err.lo heim_err.lo
+libkrb5_la_OBJECTS =  $(am_libkrb5_la_OBJECTS)
 bin_PROGRAMS =  verify_krb5_conf$(EXEEXT)
 check_PROGRAMS =  n-fold-test$(EXEEXT) string-to-key-test$(EXEEXT)
-noinst_PROGRAMS =  dump_config$(EXEEXT)
+noinst_PROGRAMS =  dump_config$(EXEEXT) test_get_addrs$(EXEEXT)
 PROGRAMS =  $(bin_PROGRAMS) $(noinst_PROGRAMS)
 
-verify_krb5_conf_SOURCES = verify_krb5_conf.c
-verify_krb5_conf_OBJECTS =  verify_krb5_conf.$(OBJEXT)
-verify_krb5_conf_LDADD = $(LDADD)
-@KRB4_TRUE@verify_krb5_conf_DEPENDENCIES =  libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_FALSE@verify_krb5_conf_DEPENDENCIES =  libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
-verify_krb5_conf_LDFLAGS = 
+dump_config_SOURCES = dump_config.c
+dump_config_OBJECTS =  dump_config.$(OBJEXT)
+dump_config_LDADD = $(LDADD)
+dump_config_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+dump_config_LDFLAGS = 
 n_fold_test_SOURCES = n-fold-test.c
 n_fold_test_OBJECTS =  n-fold-test.$(OBJEXT)
 n_fold_test_LDADD = $(LDADD)
-@KRB4_TRUE@n_fold_test_DEPENDENCIES =  libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_FALSE@n_fold_test_DEPENDENCIES =  libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+n_fold_test_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
 n_fold_test_LDFLAGS = 
 string_to_key_test_SOURCES = string-to-key-test.c
 string_to_key_test_OBJECTS =  string-to-key-test.$(OBJEXT)
 string_to_key_test_LDADD = $(LDADD)
-@KRB4_TRUE@string_to_key_test_DEPENDENCIES =  libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_FALSE@string_to_key_test_DEPENDENCIES =  libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+string_to_key_test_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
 string_to_key_test_LDFLAGS = 
-dump_config_SOURCES = dump_config.c
-dump_config_OBJECTS =  dump_config.$(OBJEXT)
-dump_config_LDADD = $(LDADD)
-@KRB4_TRUE@dump_config_DEPENDENCIES =  libkrb5.la \
-@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_FALSE@dump_config_DEPENDENCIES =  libkrb5.la \
-@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
-@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
-dump_config_LDFLAGS = 
-CFLAGS = @CFLAGS@
+test_get_addrs_SOURCES = test_get_addrs.c
+test_get_addrs_OBJECTS =  test_get_addrs.$(OBJEXT)
+test_get_addrs_LDADD = $(LDADD)
+test_get_addrs_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+test_get_addrs_LDFLAGS = 
+verify_krb5_conf_SOURCES = verify_krb5_conf.c
+verify_krb5_conf_OBJECTS =  verify_krb5_conf.$(OBJEXT)
+verify_krb5_conf_LDADD = $(LDADD)
+verify_krb5_conf_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+verify_krb5_conf_LDFLAGS = 
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libkrb5_la_SOURCES) dump_config.c n-fold-test.c \
+string-to-key-test.c test_get_addrs.c verify_krb5_conf.c
 man3dir = $(mandir)/man3
 man5dir = $(mandir)/man5
+man8dir = $(mandir)/man8
 MANS = $(man_MANS)
 HEADERS =  $(include_HEADERS)
 
-DIST_COMMON =  Makefile.am Makefile.in
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) Makefile.am Makefile.in
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
-SOURCES = $(libkrb5_la_SOURCES) $(EXTRA_libkrb5_la_SOURCES) verify_krb5_conf.c n-fold-test.c string-to-key-test.c dump_config.c
-OBJECTS = $(libkrb5_la_OBJECTS) verify_krb5_conf.$(OBJEXT) n-fold-test.$(OBJEXT) string-to-key-test.$(OBJEXT) dump_config.$(OBJEXT)
+SOURCES = $(libkrb5_la_SOURCES) dump_config.c n-fold-test.c string-to-key-test.c test_get_addrs.c verify_krb5_conf.c
+OBJECTS = $(am_libkrb5_la_OBJECTS) dump_config.$(OBJEXT) n-fold-test.$(OBJEXT) string-to-key-test.$(OBJEXT) test_get_addrs.$(OBJEXT) verify_krb5_conf.$(OBJEXT)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/krb5/Makefile
 
@@ -358,31 +453,18 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	$(mkinstalldirs) $(DESTDIR)$(libdir)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
 	  else :; fi; \
 	done
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
 	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -394,15 +476,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -430,15 +503,18 @@ install-binPROGRAMS: $(bin_PROGRAMS)
 	$(mkinstalldirs) $(DESTDIR)$(bindir)
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
 	  else :; fi; \
 	done
 
 uninstall-binPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
 	done
 
 mostlyclean-checkPROGRAMS:
@@ -459,9 +535,9 @@ distclean-noinstPROGRAMS:
 
 maintainer-clean-noinstPROGRAMS:
 
-verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES)
-	@rm -f verify_krb5_conf$(EXEEXT)
-	$(LINK) $(verify_krb5_conf_LDFLAGS) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS)
+dump_config$(EXEEXT): $(dump_config_OBJECTS) $(dump_config_DEPENDENCIES)
+	@rm -f dump_config$(EXEEXT)
+	$(LINK) $(dump_config_LDFLAGS) $(dump_config_OBJECTS) $(dump_config_LDADD) $(LIBS)
 
 n-fold-test$(EXEEXT): $(n_fold_test_OBJECTS) $(n_fold_test_DEPENDENCIES)
 	@rm -f n-fold-test$(EXEEXT)
@@ -471,9 +547,19 @@ string-to-key-test$(EXEEXT): $(string_to_key_test_OBJECTS) $(string_to_key_test_
 	@rm -f string-to-key-test$(EXEEXT)
 	$(LINK) $(string_to_key_test_LDFLAGS) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS)
 
-dump_config$(EXEEXT): $(dump_config_OBJECTS) $(dump_config_DEPENDENCIES)
-	@rm -f dump_config$(EXEEXT)
-	$(LINK) $(dump_config_LDFLAGS) $(dump_config_OBJECTS) $(dump_config_LDADD) $(LIBS)
+test_get_addrs$(EXEEXT): $(test_get_addrs_OBJECTS) $(test_get_addrs_DEPENDENCIES)
+	@rm -f test_get_addrs$(EXEEXT)
+	$(LINK) $(test_get_addrs_LDFLAGS) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS)
+
+verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES)
+	@rm -f verify_krb5_conf$(EXEEXT)
+	$(LINK) $(verify_krb5_conf_LDFLAGS) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-man3:
 	$(mkinstalldirs) $(DESTDIR)$(man3dir)
@@ -488,6 +574,7 @@ install-man3:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \
@@ -503,6 +590,7 @@ uninstall-man3:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man3dir)/$$inst; \
@@ -521,6 +609,7 @@ install-man5:
 	  else file=$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst"; \
 	  $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst; \
@@ -536,51 +625,94 @@ uninstall-man5:
 	for i in $$list; do \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
 	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
 	  echo " rm -f $(DESTDIR)$(man5dir)/$$inst"; \
 	  rm -f $(DESTDIR)$(man5dir)/$$inst; \
 	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
 install-man: $(MANS)
 	@$(NORMAL_INSTALL)
-	$(MAKE) $(AM_MAKEFLAGS) install-man3 install-man5
+	$(MAKE) $(AM_MAKEFLAGS) install-man3 install-man5 install-man8
 uninstall-man:
 	@$(NORMAL_UNINSTALL)
-	$(MAKE) $(AM_MAKEFLAGS) uninstall-man3 uninstall-man5
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man3 uninstall-man5 uninstall-man8
 
 install-includeHEADERS: $(include_HEADERS)
 	@$(NORMAL_INSTALL)
 	$(mkinstalldirs) $(DESTDIR)$(includedir)
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
-	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
-	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
 	done
 
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	list='$(include_HEADERS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
 	done
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -590,48 +722,76 @@ distclean-tags:
 	-rm -f TAGS ID
 
 maintainer-clean-tags:
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list='$(TESTS)'; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xpass=`expr $$xpass + 1`; \
+	        failed=`expr $$failed + 1`; \
+	        echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+	        echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xfail=`expr $$xfail + 1`; \
+	        echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+	        failed=`expr $$failed + 1`; \
+	        echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/krb5
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
-check-TESTS: $(TESTS)
-	@failed=0; all=0; \
-	srcdir=$(srcdir); export srcdir; \
-	for tst in $(TESTS); do \
-	  if test -f $$tst; then dir=.; \
-	  else dir="$(srcdir)"; fi; \
-	  if $(TESTS_ENVIRONMENT) $$dir/$$tst; then \
-	    all=`expr $$all + 1`; \
-	    echo "PASS: $$tst"; \
-	  elif test $$? -ne 77; then \
-	    all=`expr $$all + 1`; \
-	    failed=`expr $$failed + 1`; \
-	    echo "FAIL: $$tst"; \
-	  fi; \
-	done; \
-	if test "$$failed" -eq 0; then \
-	  banner="All $$all tests passed"; \
-	else \
-	  banner="$$failed of $$all tests failed"; \
-	fi; \
-	dashes=`echo "$$banner" | sed s/./=/g`; \
-	echo "$$dashes"; \
-	echo "$$banner"; \
-	echo "$$dashes"; \
-	test "$$failed" -eq 0
 info-am:
 info: info-am
 dvi-am:
@@ -659,11 +819,11 @@ uninstall: uninstall-am
 all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
 	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) \
 		$(DESTDIR)$(mandir)/man3 $(DESTDIR)$(mandir)/man5 \
-		$(DESTDIR)$(includedir)
+		$(DESTDIR)$(mandir)/man8 $(DESTDIR)$(includedir)
 
 
 mostlyclean-generic:
@@ -676,6 +836,7 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
 mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-binPROGRAMS \
 		mostlyclean-checkPROGRAMS mostlyclean-noinstPROGRAMS \
@@ -720,15 +881,16 @@ install-binPROGRAMS mostlyclean-checkPROGRAMS distclean-checkPROGRAMS \
 clean-checkPROGRAMS maintainer-clean-checkPROGRAMS \
 mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
 clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS install-man3 \
-uninstall-man3 install-man5 uninstall-man5 install-man uninstall-man \
-uninstall-includeHEADERS install-includeHEADERS tags mostlyclean-tags \
-distclean-tags clean-tags maintainer-clean-tags distdir check-TESTS \
-info-am info dvi-am dvi check-local check check-am installcheck-am \
-installcheck install-exec-am install-exec install-data-local \
-install-data-am install-data install-am install uninstall-am uninstall \
-all-local all-redirect all-am all installdirs mostlyclean-generic \
-distclean-generic clean-generic maintainer-clean-generic clean \
-mostlyclean distclean maintainer-clean
+uninstall-man3 install-man5 uninstall-man5 install-man8 uninstall-man8 \
+install-man uninstall-man uninstall-includeHEADERS \
+install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags check-TESTS distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
 
 
 install-suid-programs:
@@ -736,7 +898,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -748,8 +913,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -818,87 +983,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/lib/krb5/acl.c b/crypto/heimdal/lib/krb5/acl.c
new file mode 100644
index 0000000..0106251
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/acl.c
@@ -0,0 +1,189 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+#include <fnmatch.h>
+
+RCSID("$Id: acl.c,v 1.1 2000/06/12 11:17:52 joda Exp $");
+
+struct acl_field {
+    enum { acl_string, acl_fnmatch, acl_retval } type;
+    union {
+	const char *cstr;
+	char **retv;
+    } u;
+    struct acl_field *next, **last;
+};
+
+static void
+acl_free_list(struct acl_field *acl)
+{
+    struct acl_field *next;
+    while(acl != NULL) {
+	next = acl->next;
+	free(acl);
+	acl = next;
+    }
+}
+
+static krb5_error_code
+acl_parse_format(krb5_context context,
+		 struct acl_field **acl_ret,
+		 const char *format,
+		 va_list ap)
+{
+    const char *p;
+    struct acl_field *acl = NULL, *tmp;
+
+    for(p = format; *p != '\0'; p++) {
+	tmp = malloc(sizeof(*tmp));
+	if(tmp == NULL) {
+	    acl_free_list(acl);
+	    return ENOMEM;
+	}
+	if(*p == 's') {
+	    tmp->type = acl_string;
+	    tmp->u.cstr = va_arg(ap, const char*);
+	} else if(*p == 'f') {
+	    tmp->type = acl_fnmatch;
+	    tmp->u.cstr = va_arg(ap, const char*);
+	} else if(*p == 'r') {
+	    tmp->type = acl_retval;
+	    tmp->u.retv = va_arg(ap, char **);
+	}
+	tmp->next = NULL;
+	if(acl == NULL)
+	    acl = tmp;
+	else
+	    *acl->last = tmp;
+	acl->last = &tmp->next;
+    }
+    *acl_ret = acl;
+    return 0;
+}
+
+static krb5_boolean
+acl_match_field(krb5_context context,
+		const char *string,
+		struct acl_field *field)
+{
+    if(field->type == acl_string) {
+	return !strcmp(string, field->u.cstr);
+    } else if(field->type == acl_fnmatch) {
+	return !fnmatch(string, field->u.cstr, 0);
+    } else if(field->type == acl_retval) {
+	*field->u.retv = strdup(string);
+	return TRUE;
+    }
+    return FALSE;
+}
+
+static krb5_boolean
+acl_match_acl(krb5_context context,
+	      struct acl_field *acl,
+	      const char *string)
+{
+    char buf[256];
+    for(;strsep_copy(&string, " \t", buf, sizeof(buf)) != -1; 
+	acl = acl->next) {
+	if(buf[0] == '\0')
+	    continue; /* skip ws */
+	if(!acl_match_field(context, buf, acl)) {
+	    return FALSE;
+	}
+    }
+    return TRUE;
+}
+
+
+krb5_error_code
+krb5_acl_match_string(krb5_context context,
+		      const char *acl_string,
+		      const char *format,
+		      ...)
+{
+    krb5_error_code ret;
+    struct acl_field *acl;
+
+    va_list ap;
+    va_start(ap, format);
+    ret = acl_parse_format(context, &acl, format, ap);
+    va_end(ap);
+    if(ret)
+	return ret;
+
+    ret = acl_match_acl(context, acl, acl_string);
+
+    acl_free_list(acl);
+    return ret ? 0 : EACCES;
+}
+	       
+krb5_error_code
+krb5_acl_match_file(krb5_context context,
+		    const char *file,
+		    const char *format,
+		    ...)
+{
+    krb5_error_code ret;
+    struct acl_field *acl;
+    char buf[256];
+    va_list ap;
+    FILE *f;
+
+    f = fopen(file, "r");
+    if(f == NULL)
+	return errno;
+
+    va_start(ap, format);
+    ret = acl_parse_format(context, &acl, format, ap);
+    va_end(ap);
+    if(ret) {
+	fclose(f);
+	return ret;
+    }
+
+    ret = EACCES; /* XXX */
+    while(fgets(buf, sizeof(buf), f)) {
+	if(buf[0] == '#')
+	    continue;
+	if(acl_match_acl(context, acl, buf)) {
+	    ret = 0;
+	    goto out;
+	}
+    }
+
+  out:
+    fclose(f);
+    acl_free_list(acl);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/addr_families.c b/crypto/heimdal/lib/krb5/addr_families.c
index 9b17abd..339d23b 100644
--- a/crypto/heimdal/lib/krb5/addr_families.c
+++ b/crypto/heimdal/lib/krb5/addr_families.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: addr_families.c,v 1.23 2000/02/16 02:09:00 assar Exp $");
+RCSID("$Id: addr_families.c,v 1.24 2000/07/08 13:05:43 joda Exp $");
 
 struct addr_operations {
     int af;
@@ -523,7 +523,7 @@ krb5_parse_address(krb5_context context,
 
     error = getaddrinfo (string, NULL, NULL, &ai);
     if (error)
-	return -1;
+	return krb5_eai_to_heim_errno(error);
     
     n = 0;
     for (a = ai; a != NULL; a = a->ai_next)
diff --git a/crypto/heimdal/lib/krb5/appdefault.c b/crypto/heimdal/lib/krb5/appdefault.c
new file mode 100644
index 0000000..081dec0
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/appdefault.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) 2000, 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: appdefault.c,v 1.3 2001/01/10 00:19:58 assar Exp $");
+
+void
+krb5_appdefault_boolean(krb5_context context, const char *appname, 
+			krb5_realm realm, const char *option,
+			krb5_boolean def_val, krb5_boolean *ret_val)
+{
+    
+    if(appname == NULL)
+	appname = __progname;
+    def_val = krb5_config_get_bool_default(context, NULL, def_val, 
+					   "appdefaults", 
+					   option, 
+					   NULL);
+    if(realm != NULL)
+	def_val = krb5_config_get_bool_default(context, NULL, def_val,
+					       "appdefaults", 
+					       realm, 
+					       option, 
+					       NULL);
+    if(appname != NULL) {
+	def_val = krb5_config_get_bool_default(context, NULL, def_val, 
+					       "appdefaults", 
+					       appname, 
+					       option, 
+					       NULL);
+	if(realm != NULL)
+	    def_val = krb5_config_get_bool_default(context, NULL, def_val,
+						   "appdefaults", 
+						   appname, 
+						   realm, 
+						   option, 
+						   NULL);
+    }
+    *ret_val = def_val;
+}
+
+void
+krb5_appdefault_string(krb5_context context, const char *appname, 
+		       krb5_realm realm, const char *option,
+		       const char *def_val, char **ret_val)
+{
+    if(appname == NULL)
+	appname = __progname;
+    def_val = krb5_config_get_string_default(context, NULL, def_val, 
+					     "appdefaults", 
+					     option, 
+					     NULL);
+    if(realm != NULL)
+	def_val = krb5_config_get_string_default(context, NULL, def_val,
+						 "appdefaults", 
+						 realm, 
+						 option, 
+						 NULL);
+    if(appname != NULL) {
+	def_val = krb5_config_get_string_default(context, NULL, def_val, 
+						 "appdefaults", 
+						 appname, 
+						 option, 
+						 NULL);
+	if(realm != NULL)
+	    def_val = krb5_config_get_string_default(context, NULL, def_val,
+						     "appdefaults", 
+						     appname, 
+						     realm, 
+						     option, 
+						     NULL);
+    }
+    if(def_val != NULL)
+	*ret_val = strdup(def_val);
+    else
+	*ret_val = NULL;
+}
+
+void
+krb5_appdefault_time(krb5_context context, const char *appname,
+		     krb5_realm realm, const char *option,
+		     time_t def_val, time_t *ret_val)
+{
+    time_t t;
+    char tstr[32];
+    char *val;
+    snprintf(tstr, sizeof(tstr), "%ld", (long)def_val);
+    krb5_appdefault_string(context, appname, realm, option, tstr, &val);
+    t = parse_time (val, NULL);
+    free(val);
+    *ret_val = t;
+}
diff --git a/crypto/heimdal/lib/krb5/auth_context.c b/crypto/heimdal/lib/krb5/auth_context.c
index 94b1376..a37c4dd 100644
--- a/crypto/heimdal/lib/krb5/auth_context.c
+++ b/crypto/heimdal/lib/krb5/auth_context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: auth_context.c,v 1.50 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: auth_context.c,v 1.55 2000/12/10 20:01:05 assar Exp $");
 
 krb5_error_code
 krb5_auth_con_init(krb5_context context,
@@ -67,20 +67,21 @@ krb5_error_code
 krb5_auth_con_free(krb5_context context,
 		   krb5_auth_context auth_context)
 {
-    krb5_free_authenticator(context, &auth_context->authenticator);
-    if(auth_context->local_address){
-	free_HostAddress(auth_context->local_address);
-	free(auth_context->local_address);
-    }
-    if(auth_context->remote_address){
-	free_HostAddress(auth_context->remote_address);
-	free(auth_context->remote_address);
-    }
-    if(auth_context->keyblock)
+    if (auth_context != NULL) {
+	krb5_free_authenticator(context, &auth_context->authenticator);
+	if(auth_context->local_address){
+	    free_HostAddress(auth_context->local_address);
+	    free(auth_context->local_address);
+	}
+	if(auth_context->remote_address){
+	    free_HostAddress(auth_context->remote_address);
+	    free(auth_context->remote_address);
+	}
 	krb5_free_keyblock(context, auth_context->keyblock);
-    krb5_free_keyblock(context, auth_context->remote_subkey);
-    krb5_free_keyblock(context, auth_context->local_subkey);
-    free (auth_context);
+	krb5_free_keyblock(context, auth_context->remote_subkey);
+	krb5_free_keyblock(context, auth_context->local_subkey);
+	free (auth_context);
+    }
     return 0;
 }
 
@@ -128,49 +129,71 @@ krb5_auth_con_setaddrs(krb5_context context,
 }
 
 krb5_error_code
-krb5_auth_con_setaddrs_from_fd (krb5_context context,
-				krb5_auth_context auth_context,
-				void *p_fd)
+krb5_auth_con_genaddrs(krb5_context context, 
+		       krb5_auth_context auth_context, 
+		       int fd, int flags)
 {
-    int fd = *((int *)p_fd);
     krb5_error_code ret;
     krb5_address local_k_address, remote_k_address;
     krb5_address *lptr = NULL, *rptr = NULL;
     struct sockaddr_storage ss_local, ss_remote;
     struct sockaddr *local  = (struct sockaddr *)&ss_local;
     struct sockaddr *remote = (struct sockaddr *)&ss_remote;
-    int len;
-
-    if (auth_context->local_address == NULL) {
-	len = sizeof(ss_local);
-	if(getsockname(fd, local, &len) < 0) {
-	    ret = errno;
-	    goto out;
+    socklen_t len;
+
+    if(flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR) {
+	if (auth_context->local_address == NULL) {
+	    len = sizeof(ss_local);
+	    if(getsockname(fd, local, &len) < 0) {
+		ret = errno;
+		goto out;
+	    }
+	    krb5_sockaddr2address (local, &local_k_address);
+	    if(flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR) {
+		krb5_sockaddr2port (local, &auth_context->local_port);
+	    } else
+		auth_context->local_port = 0;
+	    lptr = &local_k_address;
 	}
-	krb5_sockaddr2address (local, &local_k_address);
-	krb5_sockaddr2port (local, &auth_context->local_port);
-	lptr = &local_k_address;
     }
-    if (auth_context->remote_address == NULL) {
+    if(flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR) {
 	len = sizeof(ss_remote);
 	if(getpeername(fd, remote, &len) < 0) {
 	    ret = errno;
 	    goto out;
 	}
 	krb5_sockaddr2address (remote, &remote_k_address);
-	krb5_sockaddr2port (remote, &auth_context->remote_port);
+	if(flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR) {
+	    krb5_sockaddr2port (remote, &auth_context->remote_port);
+	} else
+	    auth_context->remote_port = 0;
 	rptr = &remote_k_address;
     }
     ret = krb5_auth_con_setaddrs (context,
 				  auth_context,
 				  lptr,
 				  rptr);
-out:
+  out:
     if (lptr)
 	krb5_free_address (context, lptr);
     if (rptr)
 	krb5_free_address (context, rptr);
     return ret;
+
+}
+
+krb5_error_code
+krb5_auth_con_setaddrs_from_fd (krb5_context context,
+				krb5_auth_context auth_context,
+				void *p_fd)
+{
+    int fd = *(int*)p_fd;
+    int flags = 0;
+    if(auth_context->local_address == NULL)
+	flags |= KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR;
+    if(auth_context->remote_address == NULL)
+	flags |= KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR;
+    return krb5_auth_con_genaddrs(context, auth_context, fd, flags);
 }
 
 krb5_error_code
@@ -396,6 +419,24 @@ krb5_auth_con_setuserkey(krb5_context context,
     return krb5_copy_keyblock(context, keyblock, &auth_context->keyblock);
 }
 
+krb5_error_code
+krb5_auth_con_getrcache(krb5_context context,
+			krb5_auth_context auth_context,
+			krb5_rcache *rcache)
+{
+    *rcache = auth_context->rcache;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_con_setrcache(krb5_context context,
+			krb5_auth_context auth_context,
+			krb5_rcache rcache)
+{
+    auth_context->rcache = rcache;
+    return 0;
+}
+
 #if 0 /* not implemented */
 
 krb5_error_code
@@ -414,13 +455,4 @@ krb5_auth_con_setivector(krb5_context context,
     krb5_abortx(context, "unimplemented krb5_auth_con_setivector called");
 }
 
-
-krb5_error_code
-krb5_auth_con_setrcache(krb5_context context,
-			krb5_auth_context auth_context,
-			krb5_rcache rcache)
-{
-    krb5_abortx(context, "unimplemented krb5_auth_con_setrcache called");
-}
-
 #endif /* not implemented */
diff --git a/crypto/heimdal/lib/krb5/build_auth.c b/crypto/heimdal/lib/krb5/build_auth.c
index a38393b..c75b2f1 100644
--- a/crypto/heimdal/lib/krb5/build_auth.c
+++ b/crypto/heimdal/lib/krb5/build_auth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: build_auth.c,v 1.32 1999/12/02 17:05:08 joda Exp $");
+RCSID("$Id: build_auth.c,v 1.34 2000/11/15 06:58:51 assar Exp $");
 
 krb5_error_code
 krb5_build_authenticator (krb5_context context,
@@ -42,7 +42,8 @@ krb5_build_authenticator (krb5_context context,
 			  krb5_creds *cred,
 			  Checksum *cksum,
 			  Authenticator **auth_result,
-			  krb5_data *result)
+			  krb5_data *result,
+			  krb5_key_usage usage)
 {
   Authenticator *auth;
   u_char *buf = NULL;
@@ -126,9 +127,11 @@ krb5_build_authenticator (krb5_context context,
   } while(ret == ASN1_OVERFLOW);
 
   ret = krb5_crypto_init(context, &cred->session, enctype, &crypto);
+  if (ret)
+      goto fail;
   ret = krb5_encrypt (context,
 		      crypto,
-		      KRB5_KU_AP_REQ_AUTH,
+		      usage /* KRB5_KU_AP_REQ_AUTH */,
 		      buf + buf_size - len, 
 		      len,
 		      result);
diff --git a/crypto/heimdal/lib/krb5/cache.c b/crypto/heimdal/lib/krb5/cache.c
index e78d4de..121f44f 100644
--- a/crypto/heimdal/lib/krb5/cache.c
+++ b/crypto/heimdal/lib/krb5/cache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: cache.c,v 1.44 1999/12/02 17:05:08 joda Exp $");
+RCSID("$Id: cache.c,v 1.45 2000/12/05 09:18:29 joda Exp $");
 
 /*
  * Add a new ccache type with operations `ops', overwriting any
@@ -356,7 +356,9 @@ krb5_cc_remove_cred(krb5_context context,
 		    krb5_flags which,
 		    krb5_creds *cred)
 {
-    return id->ops->remove_cred(context, id, which, cred);
+    if(id->ops->remove_cred == NULL)
+	return EACCES; /* XXX */
+    return (*id->ops->remove_cred)(context, id, which, cred);
 }
 
 /*
diff --git a/crypto/heimdal/lib/krb5/changepw.c b/crypto/heimdal/lib/krb5/changepw.c
index 56c89a0..407abf0 100644
--- a/crypto/heimdal/lib/krb5/changepw.c
+++ b/crypto/heimdal/lib/krb5/changepw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: changepw.c,v 1.20 2000/02/07 13:40:18 joda Exp $");
+RCSID("$Id: changepw.c,v 1.30 2000/12/10 23:10:10 assar Exp $");
 
 static krb5_error_code
 get_kdc_address (krb5_context context,
@@ -52,10 +52,12 @@ get_kdc_address (krb5_context context,
 	return ret;
 
     port = ntohs(krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT));
-    error = roken_getaddrinfo_hostspec(*hostlist, port, ai);
+    error = roken_getaddrinfo_hostspec2(*hostlist, SOCK_DGRAM, port, ai);
 
     krb5_free_krbhst (context, hostlist);
-    return error;
+    if(error)
+	return krb5_eai_to_heim_errno(error);
+    return 0;
 }
 
 static krb5_error_code
@@ -138,7 +140,12 @@ out2:
 
 static void
 str2data (krb5_data *d,
-	  char *fmt,
+	  const char *fmt,
+	  ...) __attribute__ ((format (printf, 2, 3)));
+
+static void
+str2data (krb5_data *d,
+	  const char *fmt,
 	  ...)
 {
     va_list args;
@@ -261,6 +268,7 @@ krb5_change_password (krb5_context	context,
     int sock;
     int i;
     struct addrinfo *ai, *a;
+    int done = 0;
 
     ret = krb5_auth_con_init (context, &auth_context);
     if (ret)
@@ -270,58 +278,71 @@ krb5_change_password (krb5_context	context,
     if (ret)
 	goto out;
 
-    krb5_auth_con_setflags (context, auth_context,
-			    KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+    for (a = ai; !done && a != NULL; a = a->ai_next) {
+	int replied = 0;
 
-    for (a = ai; a != NULL; a = a->ai_next) {
 	sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
 	if (sock < 0)
 	    continue;
 
-	for (i = 0; i < 5; ++i) {
+	for (i = 0; !done && i < 5; ++i) {
 	    fd_set fdset;
 	    struct timeval tv;
 
-	    ret = send_request (context,
-				&auth_context,
-				creds,
-				sock,
-				a->ai_addr,
-				a->ai_addrlen,
-				newpw);
-	    if (ret)
+	    if (!replied) {
+		replied = 0;
+		ret = send_request (context,
+				    &auth_context,
+				    creds,
+				    sock,
+				    a->ai_addr,
+				    a->ai_addrlen,
+				    newpw);
+		if (ret) {
+		    close(sock);
+		    goto out;
+		}
+	    }
+	    
+	    if (sock >= FD_SETSIZE) {
+		ret = ERANGE;
+		close (sock);
 		goto out;
+	    }
 
 	    FD_ZERO(&fdset);
 	    FD_SET(sock, &fdset);
 	    tv.tv_usec = 0;
-	    tv.tv_sec  = 1 << i;
+	    tv.tv_sec  = 1 + (1 << i);
 
 	    ret = select (sock + 1, &fdset, NULL, NULL, &tv);
-	    if (ret < 0 && errno != EINTR)
+	    if (ret < 0 && errno != EINTR) {
+		close(sock);
 		goto out;
-	    if (ret == 1)
-		break;
-	}
-	if (i == 5) {
-	    ret = KRB5_KDC_UNREACH;
-	    close (sock);
-	    continue;
+	    }
+	    if (ret == 1) {
+		ret = process_reply (context,
+				     auth_context,
+				     sock,
+				     result_code,
+				     result_code_string,
+				     result_string);
+		if (ret == 0)
+		    done = 1;
+		else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL)
+		    replied = 1;
+	    } else {
+		ret = KRB5_KDC_UNREACH;
+	    }
 	}
-
-	ret = process_reply (context,
-			     auth_context,
-			     sock,
-			     result_code,
-			     result_code_string,
-			     result_string);
 	close (sock);
-	if (ret == 0)
-	    break;
     }
     freeaddrinfo (ai);
 
 out:
     krb5_auth_con_free (context, auth_context);
-    return ret;
+    if (done)
+	return 0;
+    else
+	return ret;
 }
diff --git a/crypto/heimdal/lib/krb5/config_file.c b/crypto/heimdal/lib/krb5/config_file.c
index 3d1ff1e..d5d8a42 100644
--- a/crypto/heimdal/lib/krb5/config_file.c
+++ b/crypto/heimdal/lib/krb5/config_file.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997, 1998, 1999, 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "krb5_locl.h"
-RCSID("$Id: config_file.c,v 1.38 1999/12/02 17:05:08 joda Exp $");
+RCSID("$Id: config_file.c,v 1.41 2000/08/16 07:40:36 assar Exp $");
 
 #ifndef HAVE_NETINFO
 
@@ -210,7 +210,7 @@ krb5_config_parse_file_debug (const char *fname,
     krb5_config_section *s;
     krb5_config_binding *b;
     char buf[BUFSIZ];
-    int ret;
+    int ret = 0;
 
     s = NULL;
     b = NULL;
@@ -218,7 +218,7 @@ krb5_config_parse_file_debug (const char *fname,
     f = fopen (fname, "r");
     if (f == NULL) {
 	*error_message = "cannot open file";
-	return -1;
+	return ENOENT;
     }
     *res = NULL;
     while (fgets(buf, sizeof(buf), f) != NULL) {
@@ -234,20 +234,23 @@ krb5_config_parse_file_debug (const char *fname,
 	    continue;
 	if (*p == '[') {
 	    ret = parse_section(p, &s, res, error_message);
-	    if (ret)
-		return ret;
+	    if (ret) {
+		goto out;
+	    }
 	    b = NULL;
 	} else if (*p == '}') {
 	    *error_message = "unmatched }";
-	    return -1;
+	    ret = -1;
+	    goto out;
 	} else if(*p != '\0') {
 	    ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message);
 	    if (ret)
-		return ret;
+		goto out;
 	}
     }
+out:
     fclose (f);
-    return 0;
+    return ret;
 }
 
 krb5_error_code
@@ -422,6 +425,35 @@ krb5_config_vget_string (krb5_context context,
     return krb5_config_vget (context, c, krb5_config_string, args);
 }
 
+const char *
+krb5_config_vget_string_default (krb5_context context,
+				 krb5_config_section *c,
+				 const char *def_value,
+				 va_list args)
+{
+    const char *ret;
+
+    ret = krb5_config_vget_string (context, c, args);
+    if (ret == NULL)
+	ret = def_value;
+    return ret;
+}
+
+const char *
+krb5_config_get_string_default (krb5_context context,
+				krb5_config_section *c,
+				const char *def_value,
+				...)
+{
+    const char *ret;
+    va_list args;
+
+    va_start(args, def_value);
+    ret = krb5_config_vget_string_default (context, c, def_value, args);
+    va_end(args);
+    return ret;
+}
+
 char **
 krb5_config_vget_strings(krb5_context context,
 			 krb5_config_section *c,
diff --git a/crypto/heimdal/lib/krb5/constants.c b/crypto/heimdal/lib/krb5/constants.c
index 8314c26..946fd4d 100644
--- a/crypto/heimdal/lib/krb5/constants.c
+++ b/crypto/heimdal/lib/krb5/constants.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: constants.c,v 1.4 1999/12/02 17:05:08 joda Exp $");
+RCSID("$Id: constants.c,v 1.5 2000/07/14 21:53:01 joda Exp $");
 
 const char krb5_config_file[] = "/etc/krb5.conf";
-const char krb5_defkeyname[] = "/etc/v5srvtab";
+const char krb5_defkeyname[] = KEYTAB_DEFAULT;
diff --git a/crypto/heimdal/lib/krb5/context.c b/crypto/heimdal/lib/krb5/context.c
index fb3fb61..0cfac9a 100644
--- a/crypto/heimdal/lib/krb5/context.c
+++ b/crypto/heimdal/lib/krb5/context.c
@@ -33,16 +33,12 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: context.c,v 1.53 2000/02/11 17:43:43 assar Exp $");
+RCSID("$Id: context.c,v 1.59 2000/12/15 17:11:51 joda Exp $");
 
 #define INIT_FIELD(C, T, E, D, F)					\
     (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), 	\
 						"libdefaults", F, NULL)
 
-#ifdef KRB4
-extern krb5_kt_ops krb4_fkt_ops;
-#endif
-
 /*
  * Set the list of etypes `ret_etypes' from the configuration variable
  * `name'
@@ -89,27 +85,26 @@ init_context_from_config_file(krb5_context context)
     INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout");
     INIT_FIELD(context, int, max_retries, 3, "max_retries");
 
-    context->http_proxy = krb5_config_get_string(context, NULL, "libdefaults", 
-					   "http_proxy", NULL);
+    INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
 
     set_etypes (context, "default_etypes", &context->etypes);
     set_etypes (context, "default_etypes_des", &context->etypes_des);
 
     /* default keytab name */
-    context->default_keytab = krb5_config_get_string(context, NULL, 
-					       "libdefaults", 
-					       "default_keytab_name", 
-					       NULL);
-    if(context->default_keytab == NULL)
-	context->default_keytab = KEYTAB_DEFAULT;
-
-    context->time_fmt = krb5_config_get_string(context, NULL, "libdefaults", 
-					 "time_format", NULL);
-    if(context->time_fmt == NULL)
-	context->time_fmt = "%Y-%m-%dT%H:%M:%S";
-    context->log_utc = krb5_config_get_bool(context, NULL, "libdefaults",
-					    "log_utc", NULL);
+    INIT_FIELD(context, string, default_keytab, 
+	       KEYTAB_DEFAULT, "default_keytab_name");
+
+    INIT_FIELD(context, string, time_fmt, 
+	       "%Y-%m-%dT%H:%M:%S", "time_format");
+
+    INIT_FIELD(context, string, date_fmt, 
+	       "%Y-%m-%d", "date_format");
 
+    INIT_FIELD(context, bool, log_utc, 
+	       FALSE, "log_utc");
+
+
+    
     /* init dns-proxy slime */
     tmp = krb5_config_get_string(context, NULL, "libdefaults", 
 				 "dns_proxy", NULL);
@@ -136,7 +131,6 @@ init_context_from_config_file(krb5_context context)
     INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
     INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
     INIT_FIELD(context, bool, srv_try_txt, FALSE, "srv_try_txt");
-    INIT_FIELD(context, bool, srv_try_rfc2052, TRUE, "srv_try_rfc2052");
     INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
 
     context->cc_ops       = NULL;
@@ -148,10 +142,8 @@ init_context_from_config_file(krb5_context context)
     context->kt_types     = NULL;
     krb5_kt_register (context, &krb5_fkt_ops);
     krb5_kt_register (context, &krb5_mkt_ops);
-#ifdef KRB4
-    krb5_kt_register (context, &krb4_fkt_ops);
-#endif
     krb5_kt_register (context, &krb5_akf_ops);
+    krb5_kt_register (context, &krb4_fkt_ops);
     return 0;
 }
 
@@ -187,8 +179,10 @@ krb5_init_context(krb5_context *context)
 #endif
 
     ret = init_context_from_config_file(p);
-    if(ret)
+    if(ret) {
+	krb5_free_context(p);
 	return ret;
+    }
 
     *context = p;
     return 0;
@@ -211,12 +205,17 @@ krb5_free_context(krb5_context context)
   free(context);
 }
 
+/*
+ * set `etype' to a malloced list of the default enctypes
+ */
+
 static krb5_error_code
 default_etypes(krb5_enctype **etype)
 {
     krb5_enctype p[] = {
 	ETYPE_DES3_CBC_SHA1,
 	ETYPE_DES3_CBC_MD5,
+	ETYPE_ARCFOUR_HMAC_MD5,
 	ETYPE_DES_CBC_MD5,
 	ETYPE_DES_CBC_MD4,
 	ETYPE_DES_CBC_CRC,
diff --git a/crypto/heimdal/lib/krb5/convert_creds.c b/crypto/heimdal/lib/krb5/convert_creds.c
index 24dea0b..8459ee3 100644
--- a/crypto/heimdal/lib/krb5/convert_creds.c
+++ b/crypto/heimdal/lib/krb5/convert_creds.c
@@ -32,7 +32,7 @@
  */
 
 #include "krb5_locl.h"
-RCSID("$Id: convert_creds.c,v 1.13 1999/12/02 17:05:08 joda Exp $");
+RCSID("$Id: convert_creds.c,v 1.15 2000/07/11 19:30:04 joda Exp $");
 
 static krb5_error_code
 check_ticket_flags(TicketFlags f)
@@ -166,10 +166,32 @@ krb524_convert_creds_kdc(krb5_context context,
     if(ret)
 	goto out2;
 
-    ret = krb5_sendto_kdc (context,
+    {
+	char **hostlist;
+	int port;
+	port = krb5_getportbyname (context, "krb524", "udp", 4444);
+	
+	ret = krb5_get_krbhst (context, krb5_princ_realm(context, 
+							 v5_creds->server), 
+			       &hostlist);
+	if(ret)
+	    goto out2;
+	
+	ret = krb5_sendto (context,
 			   &v5_creds->ticket,
-			   krb5_princ_realm(context, v5_creds->server),
+			   hostlist,
+			   port,
 			   &reply);
+	if(ret == KRB5_KDC_UNREACH) {
+	    port = krb5_getportbyname (context, "kerberos", "udp", 88);
+	    ret = krb5_sendto (context,
+			       &v5_creds->ticket,
+			       hostlist,
+			       port,
+			       &reply);
+	}
+	krb5_free_krbhst (context, hostlist);
+    }
     if (ret)
 	goto out2;
     sp = krb5_storage_from_mem(reply.data, reply.length);
diff --git a/crypto/heimdal/lib/krb5/crc.c b/crypto/heimdal/lib/krb5/crc.c
index 2f9ef95..c7cedd8 100644
--- a/crypto/heimdal/lib/krb5/crc.c
+++ b/crypto/heimdal/lib/krb5/crc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: crc.c,v 1.8 1999/12/02 17:05:08 joda Exp $");
+RCSID("$Id: crc.c,v 1.9 2000/08/03 01:45:14 assar Exp $");
 
 static u_long table[256];
 
@@ -63,7 +63,7 @@ _krb5_crc_init_table(void)
 }
 
 u_int32_t
-_krb5_crc_update (char *p, size_t len, u_int32_t res)
+_krb5_crc_update (const char *p, size_t len, u_int32_t res)
 {
     while (len--)
 	res = table[(res ^ *p++) & 0xFF] ^ (res >> 8);
diff --git a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
new file mode 100644
index 0000000..b9272dd
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: eai_to_heim_errno.c,v 1.1 2000/07/08 13:03:36 joda Exp $");
+
+krb5_error_code
+krb5_eai_to_heim_errno(int eai_errno)
+{
+    switch(eai_errno) {
+    case EAI_NOERROR:
+	return 0;
+    case EAI_ADDRFAMILY:
+	return HEIM_EAI_ADDRFAMILY;
+    case EAI_AGAIN:
+	return HEIM_EAI_AGAIN;
+    case EAI_BADFLAGS:
+	return HEIM_EAI_BADFLAGS;
+    case EAI_FAIL:
+	return HEIM_EAI_FAIL;
+    case EAI_FAMILY:
+	return HEIM_EAI_FAMILY;
+    case EAI_MEMORY:
+	return HEIM_EAI_MEMORY;
+    case EAI_NODATA:
+	return HEIM_EAI_NODATA;
+    case EAI_NONAME:
+	return HEIM_EAI_NONAME;
+    case EAI_SERVICE:
+	return HEIM_EAI_SERVICE;
+    case EAI_SOCKTYPE:
+	return HEIM_EAI_SOCKTYPE;
+    case EAI_SYSTEM:
+	return errno;
+    default:
+	return HEIM_EAI_UNKNOWN; /* XXX */
+    }
+}
diff --git a/crypto/heimdal/lib/krb5/expand_hostname.c b/crypto/heimdal/lib/krb5/expand_hostname.c
index 3e98e88..72c5718 100644
--- a/crypto/heimdal/lib/krb5/expand_hostname.c
+++ b/crypto/heimdal/lib/krb5/expand_hostname.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: expand_hostname.c,v 1.8 2000/02/20 02:25:29 assar Exp $");
+RCSID("$Id: expand_hostname.c,v 1.9 2000/02/23 03:12:07 assar Exp $");
 
 static krb5_error_code
 copy_hostname(krb5_context context,
@@ -130,7 +130,7 @@ krb5_expand_hostname_realms (krb5_context context,
 
     for (a = ai; a != NULL; a = a->ai_next) {
 	if (a->ai_canonname != NULL) {
-	    ret = copy_hostname (context, orig_hostname, new_hostname);
+	    ret = copy_hostname (context, a->ai_canonname, new_hostname);
 	    if (ret) {
 		freeaddrinfo (ai);
 		return ret;
diff --git a/crypto/heimdal/lib/krb5/fcache.c b/crypto/heimdal/lib/krb5/fcache.c
index df88e6f..fbdb3a1 100644
--- a/crypto/heimdal/lib/krb5/fcache.c
+++ b/crypto/heimdal/lib/krb5/fcache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: fcache.c,v 1.22 1999/12/02 17:05:09 joda Exp $");
+RCSID("$Id: fcache.c,v 1.31 2000/12/05 09:15:10 joda Exp $");
 
 typedef struct krb5_fcache{
     char *filename;
@@ -83,28 +83,86 @@ fcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
     return 0;
 }
 
+/*
+ * Try to scrub the contents of `filename' safely.
+ */
+
+static int
+scrub_file (int fd)
+{
+    off_t pos;
+    char buf[128];
+
+    pos = lseek(fd, 0, SEEK_END);
+    if (pos < 0)
+        return errno;
+    if (lseek(fd, 0, SEEK_SET) < 0)
+        return errno;
+    memset(buf, 0, sizeof(buf));
+    while(pos > 0) {
+        ssize_t tmp = write(fd, buf, min(sizeof(buf), pos));
+
+	if (tmp < 0)
+	    return errno;
+	pos -= tmp;
+    }
+    fsync (fd);
+    return 0;
+}
+
+/*
+ * Erase `filename' if it exists, trying to remove the contents if
+ * it's `safe'.  We always try to remove the file, it it exists.  It's
+ * only overwritten if it's a regular file (not a symlink and not a
+ * hardlink)
+ */
+
 static krb5_error_code
 erase_file(const char *filename)
 {
     int fd;
-    off_t pos;
-    char buf[128];
+    struct stat sb1, sb2;
+    int ret;
+
+    ret = lstat (filename, &sb1);
+    if (ret < 0)
+	return errno;
 
     fd = open(filename, O_RDWR | O_BINARY);
-    if(fd < 0){
+    if(fd < 0) {
 	if(errno == ENOENT)
 	    return 0;
 	else
 	    return errno;
     }
-    pos = lseek(fd, 0, SEEK_END);
-    lseek(fd, 0, SEEK_SET);
-    memset(buf, 0, sizeof(buf));
-    while(pos > 0)
-	pos -= write(fd, buf, sizeof(buf));
-    close(fd);
-    unlink(filename);
-    return 0;
+    if (unlink(filename) < 0) {
+        close (fd);
+        return errno;
+    }
+
+    ret = fstat (fd, &sb2);
+    if (ret < 0) {
+	close (fd);
+	return errno;
+    }
+
+    /* check if someone was playing with symlinks */
+
+    if (sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
+	close (fd);
+	return EPERM;
+    }
+
+    /* there are still hard links to this file */
+
+    if (sb2.st_nlink != 0) {
+        close (fd);
+        return 0;
+    }
+
+    ret = scrub_file (fd);
+    close (fd);
+    return ret;
 }
 
 static krb5_error_code
@@ -116,7 +174,7 @@ fcc_gen_new(krb5_context context, krb5_ccache *id)
     f = malloc(sizeof(*f));
     if(f == NULL)
 	return KRB5_CC_NOMEM;
-    asprintf(&file, "/tmp/krb5cc_XXXXXX"); /* XXX */
+    asprintf (&file, "%sXXXXXX", KRB5_DEFAULT_CCFILE_ROOT);
     if(file == NULL) {
 	free(f);
 	return KRB5_CC_NOMEM;
@@ -166,12 +224,11 @@ fcc_initialize(krb5_context context,
 	       krb5_principal primary_principal)
 {
     krb5_fcache *f = FCACHE(id);
-    int ret;
+    int ret = 0;
     int fd;
     char *filename = f->filename;
 
-    if((ret = erase_file(filename)))
-	return ret;
+    unlink (filename);
   
     fd = open(filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600);
     if(fd == -1)
@@ -183,27 +240,29 @@ fcc_initialize(krb5_context context,
 	    f->version = context->fcache_vno;
 	else
 	    f->version = KRB5_FCC_FVNO_4;
-	krb5_store_int8(sp, 5);
-	krb5_store_int8(sp, f->version);
+	ret |= krb5_store_int8(sp, 5);
+	ret |= krb5_store_int8(sp, f->version);
 	storage_set_flags(context, sp, f->version);
-	if(f->version == KRB5_FCC_FVNO_4) {
+	if(f->version == KRB5_FCC_FVNO_4 && ret == 0) {
 	    /* V4 stuff */
 	    if (context->kdc_sec_offset) {
-		krb5_store_int16 (sp, 12); /* length */
-		krb5_store_int16 (sp, FCC_TAG_DELTATIME); /* Tag */
-		krb5_store_int16 (sp, 8); /* length of data */
-		krb5_store_int32 (sp, context->kdc_sec_offset);
-		krb5_store_int32 (sp, context->kdc_usec_offset);
+		ret |= krb5_store_int16 (sp, 12); /* length */
+		ret |= krb5_store_int16 (sp, FCC_TAG_DELTATIME); /* Tag */
+		ret |= krb5_store_int16 (sp, 8); /* length of data */
+		ret |= krb5_store_int32 (sp, context->kdc_sec_offset);
+		ret |= krb5_store_int32 (sp, context->kdc_usec_offset);
 	    } else {
-		krb5_store_int16 (sp, 0);
+		ret |= krb5_store_int16 (sp, 0);
 	    }
 	}
-	krb5_store_principal(sp, primary_principal);
+	ret |= krb5_store_principal(sp, primary_principal);
 	krb5_storage_free(sp);
     }
-    close(fd);
+    if(close(fd) < 0)
+	if (ret == 0)
+	    ret = errno;
 	
-    return 0;
+    return ret;
 }
 
 static krb5_error_code
@@ -232,6 +291,7 @@ fcc_store_cred(krb5_context context,
 	       krb5_ccache id,
 	       krb5_creds *creds)
 {
+    int ret;
     int fd;
     char *f;
 
@@ -244,11 +304,13 @@ fcc_store_cred(krb5_context context,
 	krb5_storage *sp;
 	sp = krb5_storage_from_fd(fd);
 	storage_set_flags(context, sp, FCACHE(id)->version);
-	krb5_store_creds(sp, creds);
+	ret = krb5_store_creds(sp, creds);
 	krb5_storage_free(sp);
     }
-    close(fd);
-    return 0; /* XXX */
+    if (close(fd) < 0)
+	if (ret == 0)
+	    ret = errno;
+    return ret;
 }
 
 static krb5_error_code
@@ -274,12 +336,17 @@ init_fcc (krb5_context context,
     int fd;
     int8_t pvno, tag;
     krb5_storage *sp;
+    krb5_error_code ret;
 
     fd = open(fcache->filename, O_RDONLY | O_BINARY);
     if(fd < 0)
 	return errno;
     sp = krb5_storage_from_fd(fd);
-    krb5_ret_int8(sp, &pvno);
+    ret = krb5_ret_int8(sp, &pvno);
+    if(ret == KRB5_CC_END)
+	return ENOENT;
+    if(ret)
+	return ret;
     if(pvno != 5) {
 	krb5_storage_free(sp);
 	close(fd);
@@ -341,10 +408,10 @@ fcc_get_principal(krb5_context context,
     ret = init_fcc (context, f, &sp, &fd);
     if (ret)
 	return ret;
-    krb5_ret_principal(sp, principal);
+    ret = krb5_ret_principal(sp, principal);
     krb5_storage_free(sp);
     close(fd);
-    return 0;
+    return ret;
 }
 
 static krb5_error_code
diff --git a/crypto/heimdal/lib/krb5/generate_seq_number.c b/crypto/heimdal/lib/krb5/generate_seq_number.c
index a000ea1..3ebe562 100644
--- a/crypto/heimdal/lib/krb5/generate_seq_number.c
+++ b/crypto/heimdal/lib/krb5/generate_seq_number.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,12 +33,12 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: generate_seq_number.c,v 1.6 1999/12/02 17:05:09 joda Exp $");
+RCSID("$Id: generate_seq_number.c,v 1.7 2000/04/08 21:20:45 assar Exp $");
 
 krb5_error_code
 krb5_generate_seq_number(krb5_context context,
 			 const krb5_keyblock *key,
-			 int32_t *seqno)
+			 u_int32_t *seqno)
 {
     krb5_error_code ret;
     krb5_keyblock *subkey;
diff --git a/crypto/heimdal/lib/krb5/get_addrs.c b/crypto/heimdal/lib/krb5/get_addrs.c
index 65a1b3c..7b9d74c 100644
--- a/crypto/heimdal/lib/krb5/get_addrs.c
+++ b/crypto/heimdal/lib/krb5/get_addrs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: get_addrs.c,v 1.35 1999/12/02 17:05:09 joda Exp $");
+RCSID("$Id: get_addrs.c,v 1.40 2000/12/10 20:07:05 assar Exp $");
 
 #ifdef __osf__
 /* hate */
@@ -43,42 +43,35 @@ struct mbuf;
 #ifdef HAVE_NET_IF_H
 #include <net/if.h>
 #endif
-
-#ifdef HAVE_SYS_SOCKIO_H
-#include <sys/sockio.h>
-#endif /* HAVE_SYS_SOCKIO_H */
-
-#ifdef HAVE_NETINET_IN6_VAR_H
-#include <netinet/in6_var.h>
-#endif /* HAVE_NETINET_IN6_VAR_H */
+#include <ifaddrs.h>
 
 static krb5_error_code
 gethostname_fallback (krb5_addresses *res)
 {
-     krb5_error_code err;
-     char hostname[MAXHOSTNAMELEN];
-     struct hostent *hostent;
-
-     if (gethostname (hostname, sizeof(hostname)))
-	  return errno;
-     hostent = roken_gethostbyname (hostname);
-     if (hostent == NULL)
-	  return errno;
-     res->len = 1;
-     res->val = malloc (sizeof(*res->val));
-     if (res->val == NULL)
-	 return ENOMEM;
-     res->val[0].addr_type = hostent->h_addrtype;
-     res->val[0].address.data = NULL;
-     res->val[0].address.length = 0;
-     err = krb5_data_copy (&res->val[0].address,
-			   hostent->h_addr,
-			   hostent->h_length);
-     if (err) {
-	 free (res->val);
-	 return err;
-     }
-     return 0;
+    krb5_error_code err;
+    char hostname[MAXHOSTNAMELEN];
+    struct hostent *hostent;
+
+    if (gethostname (hostname, sizeof(hostname)))
+	return errno;
+    hostent = roken_gethostbyname (hostname);
+    if (hostent == NULL)
+	return errno;
+    res->len = 1;
+    res->val = malloc (sizeof(*res->val));
+    if (res->val == NULL)
+	return ENOMEM;
+    res->val[0].addr_type = hostent->h_addrtype;
+    res->val[0].address.data = NULL;
+    res->val[0].address.length = 0;
+    err = krb5_data_copy (&res->val[0].address,
+			  hostent->h_addr,
+			  hostent->h_length);
+    if (err) {
+	free (res->val);
+	return err;
+    }
+    return 0;
 }
 
 enum {
@@ -94,143 +87,96 @@ enum {
  */
 
 static krb5_error_code
-find_all_addresses (krb5_context context,
-		    krb5_addresses *res, int flags,
-		    int af, int siocgifconf, int siocgifflags,
-		    size_t ifreq_sz)
+find_all_addresses (krb5_context context, krb5_addresses *res, int flags)
 {
-     krb5_error_code ret;
-     int fd;
-     size_t buf_size;
-     char *buf;
-     struct ifconf ifconf;
-     int num, j = 0;
-     char *p;
-     size_t sz;
-     struct sockaddr sa_zero;
-     struct ifreq *ifr;
-     krb5_address lo_addr;
-     int got_lo = FALSE;
-
-     buf = NULL;
-     res->val = NULL;
-
-     memset (&sa_zero, 0, sizeof(sa_zero));
-     fd = socket(af, SOCK_DGRAM, 0);
-     if (fd < 0)
-	  return -1;
+    struct sockaddr sa_zero;
+    struct ifaddrs *ifa0, *ifa;
+    krb5_error_code ret = ENXIO; 
+    int num, idx;
 
-     buf_size = 8192;
-     for (;;) {
-	 buf = malloc(buf_size);
-	 if (buf == NULL) {
-	     ret = ENOMEM;
-	     goto error_out;
-	 }
-	 ifconf.ifc_len = buf_size;
-	 ifconf.ifc_buf = buf;
-	 if (ioctl (fd, siocgifconf, &ifconf) < 0) {
-	     ret = errno;
-	     goto error_out;
-	 }
-	 /*
-	  * Can the difference between a full and a overfull buf
-	  * be determined?
-	  */
+    res->val = NULL;
 
-	 if (ifconf.ifc_len < buf_size)
-	     break;
-	 free (buf);
-	 buf_size *= 2;
-     }
+    if (getifaddrs(&ifa0) == -1)
+	return (errno);
 
-     num = ifconf.ifc_len / ifreq_sz;
-     res->len = num;
-     res->val = calloc(num, sizeof(*res->val));
-     if (res->val == NULL) {
-	 ret = ENOMEM;
-	 goto error_out;
-     }
-
-     j = 0;
-     for (p = ifconf.ifc_buf;
-	  p < ifconf.ifc_buf + ifconf.ifc_len;
-	  p += sz) {
-	 struct ifreq ifreq;
-	 struct sockaddr *sa;
-
-	 ifr = (struct ifreq *)p;
-	 sa  = &ifr->ifr_addr;
-
-	 sz = ifreq_sz;
-#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
-	 sz = max(sz, sizeof(ifr->ifr_name) + sa->sa_len);
-#endif
-#ifdef SA_LEN
-	 sz = max(sz, SA_LEN(sa));
-#endif
-	 memcpy (ifreq.ifr_name, ifr->ifr_name, sizeof(ifr->ifr_name));
+    memset(&sa_zero, 0, sizeof(sa_zero));
 
-	 if (ioctl(fd, siocgifflags, &ifreq) < 0) {
-	     ret = errno;
-	     goto error_out;
-	 }
+    /* First, count all the ifaddrs. */
+    for (ifa = ifa0, num = 0; ifa != NULL; ifa = ifa->ifa_next, num++)
+	/* nothing */;
 
-	 if (!(ifreq.ifr_flags & IFF_UP))
-	     continue;
-	 if (memcmp (sa, &sa_zero, sizeof(sa_zero)) == 0)
-	     continue;
-	 if (krb5_sockaddr_uninteresting (sa))
-	     continue;
+    if (num == 0) {
+	freeifaddrs(ifa0);
+	return (ENXIO);
+    }
 
-	 if (ifreq.ifr_flags & IFF_LOOPBACK) {
-	     if (flags & LOOP_IF_NONE) {
-		 ret = krb5_sockaddr2address (sa, &lo_addr);
-		 if (ret)
-		     goto error_out;
-		 got_lo = TRUE;
-		 continue;
-	     } else if((flags & LOOP) == 0)
-		 continue;
-	 }
+    /* Allocate storage for them. */
+    res->val = calloc(num, sizeof(*res->val));
+    if (res->val == NULL) {
+	freeifaddrs(ifa0);
+	return (ENOMEM);
+    }
 
-	 ret = krb5_sockaddr2address (sa, &res->val[j]);
-	 if (ret)
-	     goto error_out;
-	 ++j;
-     }
-     if ((flags & LOOP_IF_NONE) && got_lo) {
-	 if (j == 0)
-	     res->val[j++] = lo_addr;
-	 else
-	     krb5_free_address (context, &lo_addr);
-     }
+    /* Now traverse the list. */
+    for (ifa = ifa0, idx = 0; ifa != NULL; ifa = ifa->ifa_next) {
+	if ((ifa->ifa_flags & IFF_UP) == 0)
+	    continue;
+	if (memcmp(ifa->ifa_addr, &sa_zero, sizeof(sa_zero)) == 0)
+	    continue;
+	if (krb5_sockaddr_uninteresting(ifa->ifa_addr))
+	    continue;
+
+	if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) {
+	    /* We'll deal with the LOOP_IF_NONE case later. */
+	    if ((flags & LOOP) == 0)
+		continue;
+	}
 
-     if (j != num) {
-	 void *tmp;
+	ret = krb5_sockaddr2address(ifa->ifa_addr, &res->val[idx]);
+	if (ret) {
+	    /*
+	     * The most likely error here is going to be "Program
+	     * lacks support for address type".  This is no big
+	     * deal -- just continue, and we'll listen on the
+	     * addresses who's type we *do* support.
+	     */
+	    continue;
+	}
+	idx++;
+    }
 
-	 res->len = j;
-	 tmp = realloc (res->val, j * sizeof(*res->val));
-	 if (j != 0 && tmp == NULL) {
-	     ret = ENOMEM;
-	     goto error_out;
-	 }
-	 res->val = tmp;
-     }
-     ret = 0;
-     goto cleanup;
+    /*
+     * If no addresses were found, and LOOP_IF_NONE is set, then find
+     * the loopback addresses and add them to our list.
+     */
+    if ((flags & LOOP_IF_NONE) != 0 && idx == 0) {
+	for (ifa = ifa0; ifa != NULL; ifa = ifa->ifa_next) {
+	    if ((ifa->ifa_flags & IFF_UP) == 0)
+		continue;
+	    if (memcmp(ifa->ifa_addr, &sa_zero, sizeof(sa_zero)) == 0)
+		continue;
+	    if (krb5_sockaddr_uninteresting(ifa->ifa_addr))
+		continue;
+
+	    if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) {
+		ret = krb5_sockaddr2address(ifa->ifa_addr, &res->val[idx]);
+		if (ret) {
+		    /*
+		     * See comment above.
+		     */
+		    continue;
+		}
+		idx++;
+	    }
+	}
+    }
 
-error_out:
-     if (got_lo)
-	     krb5_free_address (context, &lo_addr);
-     while(j--) {
-	 krb5_free_address (context, &res->val[j]);
-     }
-     free (res->val);
-cleanup:
-     close (fd);
-     free (buf);
-     return ret;
+    freeifaddrs(ifa0);
+    if (ret)
+	free(res->val);
+    else
+	res->len = idx;        /* Now a count. */
+    return (ret);
 }
 
 static krb5_error_code
@@ -239,26 +185,9 @@ get_addrs_int (krb5_context context, krb5_addresses *res, int flags)
     krb5_error_code ret = -1;
 
     if (flags & SCAN_INTERFACES) {
-#if defined(AF_INET6) && defined(SIOCGIF6CONF) && defined(SIOCGIF6FLAGS)
-	if (ret)
-	    ret = find_all_addresses (context, res, flags,
-				      AF_INET6, SIOCGIF6CONF, SIOCGIF6FLAGS,
-				      sizeof(struct in6_ifreq));
-#endif
-#if defined(HAVE_IPV6) && defined(SIOCGIFCONF)
-	if (ret)
-	    ret = find_all_addresses (context, res, flags,
-				      AF_INET6, SIOCGIFCONF, SIOCGIFFLAGS,
-				      sizeof(struct ifreq));
-#endif
-#if defined(AF_INET) && defined(SIOCGIFCONF) && defined(SIOCGIFFLAGS)
-	if (ret)
-	    ret = find_all_addresses (context, res, flags,
-				      AF_INET, SIOCGIFCONF, SIOCGIFFLAGS,
-				      sizeof(struct ifreq));
+	ret = find_all_addresses (context, res, flags);
 	if(ret || res->len == 0)
 	    ret = gethostname_fallback (res);
-#endif
     } else
 	ret = 0;
 
diff --git a/crypto/heimdal/lib/krb5/get_cred.c b/crypto/heimdal/lib/krb5/get_cred.c
index 61951c1..e649cfe 100644
--- a/crypto/heimdal/lib/krb5/get_cred.c
+++ b/crypto/heimdal/lib/krb5/get_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: get_cred.c,v 1.75 1999/12/02 17:05:09 joda Exp $");
+RCSID("$Id: get_cred.c,v 1.82 2001/01/19 04:29:44 assar Exp $");
 
 /*
  * Take the `body' and encode it into `padata' using the credentials
@@ -82,12 +82,13 @@ make_pa_tgs_req(krb5_context context,
     in_data.data   = buf + buf_size - len;
     ret = krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
 			       &padata->padata_value,
-			       KRB5_KU_TGS_REQ_AUTH_CKSUM);
+			       KRB5_KU_TGS_REQ_AUTH_CKSUM,
+			       KRB5_KU_TGS_REQ_AUTH);
 out:
     free (buf);
     if(ret)
 	return ret;
-    padata->padata_type = pa_tgs_req;
+    padata->padata_type = KRB5_PADATA_TGS_REQ;
     return 0;
 }
 
@@ -191,6 +192,10 @@ init_tgs_req (krb5_context context,
 	ret = ENOMEM;
 	goto fail;
     }
+
+    /* some versions of some code might require that the client be
+       present in TGS-REQs, but this is clearly against the spec */
+
     ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname);
     if (ret)
 	goto fail;
@@ -273,6 +278,7 @@ init_tgs_req (krb5_context context,
     }
 fail:
     if (ret)
+	/* XXX - don't free addresses? */
 	free_TGS_REQ (t);
     return ret;
 }
@@ -320,7 +326,9 @@ decrypt_tkt_with_subkey (krb5_context context,
     size_t size;
     krb5_crypto crypto;
     
-    krb5_crypto_init(context, key, 0, &crypto);
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
     ret = krb5_decrypt_EncryptedData (context,
 				      crypto,
 				      usage,
@@ -329,7 +337,9 @@ decrypt_tkt_with_subkey (krb5_context context,
     krb5_crypto_destroy(context, crypto);
     if(ret && subkey){
 	/* DCE compat -- try to decrypt with subkey */
-	krb5_crypto_init(context, (krb5_keyblock*)subkey, 0, &crypto);
+	ret = krb5_crypto_init(context, (krb5_keyblock*)subkey, 0, &crypto);
+	if (ret)
+	    return ret;
 	ret = krb5_decrypt_EncryptedData (context,
 					  crypto,
 					  KRB5_KU_TGS_REP_ENC_PART_SUB_KEY,
@@ -471,6 +481,7 @@ get_cred_kdc(krb5_context context,
 				   &krbtgt->addresses,
 				   nonce,
 				   TRUE,
+				   flags.b.request_anonymous,
 				   decrypt_tkt_with_subkey,
 				   subkey);
 	krb5_free_kdc_rep(context, &rep);
@@ -610,7 +621,7 @@ get_cred_from_kdc_flags(krb5_context context,
 {
     krb5_error_code ret;
     krb5_creds *tgt, tmp_creds;
-    krb5_realm client_realm, server_realm;
+    krb5_const_realm client_realm, server_realm, try_realm;
 
     *out_creds = NULL;
 
@@ -620,9 +631,15 @@ get_cred_from_kdc_flags(krb5_context context,
     ret = krb5_copy_principal(context, in_creds->client, &tmp_creds.client);
     if(ret)
 	return ret;
+
+    try_realm = krb5_config_get_string(context, NULL, "libdefaults",
+				       "capath", server_realm, NULL);
+    if (try_realm == NULL)
+	try_realm = client_realm;
+
     ret = krb5_make_principal(context,
 			      &tmp_creds.server,
-			      client_realm,
+			      try_realm,
 			      KRB5_TGS_NAME,
 			      server_realm,
 			      NULL);
@@ -642,8 +659,10 @@ get_cred_from_kdc_flags(krb5_context context,
 	    else {
 		ret = get_cred_kdc_la(context, ccache, flags, 
 				      in_creds, &tgts, *out_creds);
-		if (ret)
+		if (ret) {
 		    free (*out_creds);
+		    *out_creds = NULL;
+		}
 	    }
 	    krb5_free_creds_contents(context, &tgts);
 	    krb5_free_principal(context, tmp_creds.server);
@@ -656,8 +675,7 @@ get_cred_from_kdc_flags(krb5_context context,
     /* XXX this can loop forever */
     while(1){
 	general_string tgt_inst;
-	krb5_kdc_flags f;
-	f.i = 0;
+
 	ret = get_cred_from_kdc_flags(context, flags, ccache, &tmp_creds, 
 				      &tgt, ret_tgts);
 	if(ret) {
@@ -698,8 +716,10 @@ get_cred_from_kdc_flags(krb5_context context,
     else {
 	ret = get_cred_kdc_la(context, ccache, flags, 
 				      in_creds, tgt, *out_creds);
-	if (ret)
+	if (ret) {
 	    free (*out_creds);
+	    *out_creds = NULL;
+	}
     }
     krb5_free_creds(context, tgt);
     return ret;
@@ -729,20 +749,24 @@ krb5_get_credentials_with_flags(krb5_context context,
 {
     krb5_error_code ret;
     krb5_creds **tgts;
+    krb5_creds *res_creds;
     int i;
     
-    *out_creds = calloc(1, sizeof(**out_creds));
-    if (*out_creds == NULL)
+    *out_creds = NULL;
+    res_creds = calloc(1, sizeof(*res_creds));
+    if (res_creds == NULL)
 	return ENOMEM;
 
     ret = krb5_cc_retrieve_cred(context,
 				ccache,
 				in_creds->session.keytype ?
 				KRB5_TC_MATCH_KEYTYPE : 0,
-				in_creds, *out_creds);
-    if(ret == 0)
+				in_creds, res_creds);
+    if(ret == 0) {
+	*out_creds = res_creds;
 	return 0;
-    free(*out_creds);
+    }
+    free(res_creds);
     if(ret != KRB5_CC_END)
 	return ret;
     if(options & KRB5_GC_CACHED)
@@ -752,7 +776,7 @@ krb5_get_credentials_with_flags(krb5_context context,
     tgts = NULL;
     ret = get_cred_from_kdc_flags(context, flags, ccache, 
 				  in_creds, out_creds, &tgts);
-    for(i = 0; tgts && tgts[i]; i++){
+    for(i = 0; tgts && tgts[i]; i++) {
 	krb5_cc_store_cred(context, ccache, tgts[i]);
 	krb5_free_creds(context, tgts[i]);
     }
diff --git a/crypto/heimdal/lib/krb5/get_for_creds.c b/crypto/heimdal/lib/krb5/get_for_creds.c
index 977515f..103b757 100644
--- a/crypto/heimdal/lib/krb5/get_for_creds.c
+++ b/crypto/heimdal/lib/krb5/get_for_creds.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: get_for_creds.c,v 1.21 1999/12/20 00:57:37 assar Exp $");
+RCSID("$Id: get_for_creds.c,v 1.27 2000/08/18 06:47:40 assar Exp $");
 
 static krb5_error_code
 add_addrs(krb5_context context,
@@ -41,7 +41,7 @@ add_addrs(krb5_context context,
 	  struct addrinfo *ai)
 {
     krb5_error_code ret;
-    unsigned n, i;
+    unsigned n, i, j;
     void *tmp;
     struct addrinfo *a;
 
@@ -57,11 +57,18 @@ add_addrs(krb5_context context,
 	goto fail;
     }
     addr->val = tmp;
+    for (j = i; j < addr->len; ++j) {
+	addr->val[i].addr_type = 0;
+	krb5_data_zero(&addr->val[i].address);
+    }
     for (a = ai; a != NULL; a = a->ai_next) {
-	ret = krb5_sockaddr2address (a->ai_addr, &addr->val[i++]);
-	if (ret)
+	ret = krb5_sockaddr2address (a->ai_addr, &addr->val[i]);
+	if (ret == 0)
+	    ++i;
+	else if (ret != KRB5_PROG_ATYPE_NOSUPP)
 	    goto fail;
     }
+    addr->len = i;
     return 0;
 fail:
     krb5_free_addresses (context, addr);
@@ -137,7 +144,7 @@ krb5_get_forwarded_creds (krb5_context	    context,
 
     ret = getaddrinfo (hostname, NULL, NULL, &ai);
     if (ret)
-	return ret;
+	return krb5_eai_to_heim_errno(ret);
 
     ret = add_addrs (context, &addrs, ai);
     freeaddrinfo (ai);
@@ -194,22 +201,26 @@ krb5_get_forwarded_creds (krb5_context	    context,
     }
     *enc_krb_cred_part.usec      = usec;
 
-    ret = krb5_make_addrport (&enc_krb_cred_part.s_address,
-			      auth_context->local_address,
-			      auth_context->local_port);
-    if (ret)
-	goto out4;
-
-    ALLOC(enc_krb_cred_part.r_address, 1);
-    if (enc_krb_cred_part.r_address == NULL) {
-	ret = ENOMEM;
-	goto out4;
+    if (auth_context->local_address && auth_context->local_port) {
+	ret = krb5_make_addrport (&enc_krb_cred_part.s_address,
+				  auth_context->local_address,
+				  auth_context->local_port);
+	if (ret)
+	    goto out4;
     }
 
-    ret = krb5_copy_address (context, auth_context->remote_address,
-			     enc_krb_cred_part.r_address);
-    if (ret)
-	goto out4;
+    if (auth_context->remote_address) {
+	ALLOC(enc_krb_cred_part.r_address, 1);
+	if (enc_krb_cred_part.r_address == NULL) {
+	    ret = ENOMEM;
+	    goto out4;
+	}
+
+	ret = krb5_copy_address (context, auth_context->remote_address,
+				 enc_krb_cred_part.r_address);
+	if (ret)
+	    goto out4;
+    }
 
     /* fill ticket_info.val[0] */
 
@@ -252,7 +263,11 @@ krb5_get_forwarded_creds (krb5_context	    context,
 	return ret;
     }    
 
-    krb5_crypto_init(context, auth_context->local_subkey, 0, &crypto);
+    ret = krb5_crypto_init(context, auth_context->local_subkey, 0, &crypto);
+    if (ret) {
+	free_KRB_CRED(&cred);
+	return ret;
+    }
     ret = krb5_encrypt_EncryptedData (context,
 				      crypto,
 				      KRB5_KU_KRB_CRED,
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt.c b/crypto/heimdal/lib/krb5/get_in_tkt.c
index e043d1d..84afe5e 100644
--- a/crypto/heimdal/lib/krb5/get_in_tkt.c
+++ b/crypto/heimdal/lib/krb5/get_in_tkt.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: get_in_tkt.c,v 1.94 2000/02/06 05:18:20 assar Exp $");
+RCSID("$Id: get_in_tkt.c,v 1.97 2000/08/18 06:47:54 assar Exp $");
 
 krb5_error_code
 krb5_init_etype (krb5_context context,
@@ -85,7 +85,9 @@ decrypt_tkt (krb5_context context,
     size_t size;
     krb5_crypto crypto;
 
-    krb5_crypto_init(context, key, 0, &crypto);
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
 
     ret = krb5_decrypt_EncryptedData (context,
 				      crypto,
@@ -124,6 +126,7 @@ _krb5_extract_ticket(krb5_context context,
 		     krb5_addresses *addrs,
 		     unsigned nonce,
 		     krb5_boolean allow_server_mismatch,
+		     krb5_boolean ignore_cname,
 		     krb5_decrypt_proc decrypt_proc,
 		     krb5_const_pointer decryptarg)
 {
@@ -133,20 +136,26 @@ _krb5_extract_ticket(krb5_context context,
     time_t tmp_time;
     krb5_timestamp sec_now;
 
-    /* compare client */
-
     ret = principalname2krb5_principal (&tmp_principal,
 					rep->kdc_rep.cname,
 					rep->kdc_rep.crealm);
     if (ret)
 	goto out;
-    tmp = krb5_principal_compare (context, tmp_principal, creds->client);
-    krb5_free_principal (context, tmp_principal);
-    if (!tmp) {
-	ret = KRB5KRB_AP_ERR_MODIFIED;
-	goto out;
+
+    /* compare client */
+
+    if (!ignore_cname) {
+	tmp = krb5_principal_compare (context, tmp_principal, creds->client);
+	if (!tmp) {
+	    krb5_free_principal (context, tmp_principal);
+	    ret = KRB5KRB_AP_ERR_MODIFIED;
+	    goto out;
+	}
     }
-    
+
+    krb5_free_principal (context, creds->client);
+    creds->client = tmp_principal;
+
     /* extract ticket */
     {
 	unsigned char *buf;
@@ -314,7 +323,9 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
     if (ret)
 	return ret;
 
-    krb5_crypto_init(context, key, 0, &crypto);
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
     ret = krb5_encrypt_EncryptedData(context, 
 				     crypto,
 				     KRB5_KU_PA_ENC_TIMESTAMP,
@@ -333,7 +344,7 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
     free_EncryptedData(&encdata);
     if (ret)
 	return ret;
-    pa->padata_type = pa_enc_timestamp;
+    pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP;
     pa->padata_value.length = 0;
     krb5_data_copy(&pa->padata_value,
 		   buf + sizeof(buf) - len,
@@ -575,10 +586,10 @@ set_ptypes(krb5_context context,
 			   NULL);
 	for(i = 0; i < md.len; i++){
 	    switch(md.val[i].padata_type){
-	    case pa_enc_timestamp:
+	    case KRB5_PADATA_ENC_TIMESTAMP:
 		*ptypes = ptypes2;
 		break;
-	    case pa_etype_info:
+	    case KRB5_PADATA_ETYPE_INFO:
 		*preauth = &preauth2;
 		ALLOC_SEQ(*preauth, 1);
 		(*preauth)->val[0].type = KRB5_PADATA_ENC_TIMESTAMP;
@@ -588,6 +599,8 @@ set_ptypes(krb5_context context,
 				       &(*preauth)->val[0].info,
 				       NULL);
 		break;
+	    default:
+		break;
 	    }
 	}
 	free_METHOD_DATA(&md);
@@ -707,12 +720,12 @@ krb5_get_in_cred(krb5_context context,
     if(rep.kdc_rep.padata){
 	int index = 0;
 	pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len, 
-			      pa_pw_salt, &index);
+			      KRB5_PADATA_PW_SALT, &index);
 	if(pa == NULL) {
 	    index = 0;
 	    pa = krb5_find_padata(rep.kdc_rep.padata->val, 
 				  rep.kdc_rep.padata->len, 
-				  pa_afs3_salt, &index);
+				  KRB5_PADATA_AFS3_SALT, &index);
 	}
     }
     if(pa) {
@@ -741,6 +754,7 @@ krb5_get_in_cred(krb5_context context,
 			       NULL, 
 			       nonce, 
 			       FALSE, 
+			       opts.b.request_anonymous,
 			       decrypt_proc, 
 			       decryptarg);
     memset (key->keyvalue.data, 0, key->keyvalue.length);
diff --git a/crypto/heimdal/lib/krb5/get_port.c b/crypto/heimdal/lib/krb5/get_port.c
index 17bb45f..6c51741 100644
--- a/crypto/heimdal/lib/krb5/get_port.c
+++ b/crypto/heimdal/lib/krb5/get_port.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: get_port.c,v 1.7 1999/12/02 17:05:10 joda Exp $");
+RCSID("$Id: get_port.c,v 1.8 2001/01/27 19:24:34 joda Exp $");
 
 int
 krb5_getportbyname (krb5_context context,
@@ -44,8 +44,10 @@ krb5_getportbyname (krb5_context context,
     struct servent *sp;
 
     if ((sp = roken_getservbyname (service, proto)) == NULL) {
+#if 0
 	krb5_warnx(context, "%s/%s unknown service, using default port %d", 
 		   service, proto, default_port);
+#endif
 	return htons(default_port);
     } else
 	return sp->s_port;
diff --git a/crypto/heimdal/lib/krb5/heim_err.et b/crypto/heimdal/lib/krb5/heim_err.et
index 5ec3543..09145f2 100644
--- a/crypto/heimdal/lib/krb5/heim_err.et
+++ b/crypto/heimdal/lib/krb5/heim_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: heim_err.et,v 1.7 1999/08/25 20:49:17 joda Exp $"
+id "$Id: heim_err.et,v 1.10 2000/07/08 13:02:11 joda Exp $"
 
 error_table heim
 
@@ -14,5 +14,23 @@ error_code V4_PRINC_NO_CONV,	"Failed to convert v4 principal"
 error_code SALTTYPE_NOSUPP,	"Salt type is not supported by enctype"
 error_code NOHOST,		"Host not found"
 error_code OPNOTSUPP,		"Operation not supported"
+error_code EOF,			"End of file"
+error_code BAD_MKEY,		"Failed to get the master key"
+
+index 128
+prefix HEIM_EAI
+#error_code NOERROR,		"no error"
+error_code UNKNOWN,		"unknown error from getaddrinfo"
+error_code ADDRFAMILY,		"address family for nodename not supported"
+error_code AGAIN,		"temporary failure in name resolution"
+error_code BADFLAGS,		"invalid value for ai_flags"
+error_code FAIL,		"non-recoverable failure in name resolution"
+error_code FAMILY,		"ai_family not supported"
+error_code MEMORY,		"memory allocation failure"
+error_code NODATA,		"no address associated with nodename"
+error_code NONAME,		"nodename nor servname provided, or not known"
+error_code SERVICE,		"servname not supported for ai_socktype"
+error_code SOCKTYPE,		"ai_socktype not supported"
+error_code SYSTEM,		"system error returned in errno"
 
 end
diff --git a/crypto/heimdal/lib/krb5/init_creds.c b/crypto/heimdal/lib/krb5/init_creds.c
index 404fa5a..f6c571a 100644
--- a/crypto/heimdal/lib/krb5/init_creds.c
+++ b/crypto/heimdal/lib/krb5/init_creds.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: init_creds.c,v 1.2 1999/12/02 17:05:10 joda Exp $");
+RCSID("$Id: init_creds.c,v 1.5 2001/01/05 16:27:39 joda Exp $");
 
 void
 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
@@ -43,6 +43,48 @@ krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
 }
 
 void
+krb5_get_init_creds_opt_set_default_flags(krb5_context context,
+					  const char *appname, 
+					  krb5_realm realm,
+					  krb5_get_init_creds_opt *opt)
+{
+    krb5_boolean b;
+    time_t t;
+
+    krb5_appdefault_boolean(context, appname, realm, "forwardable", FALSE, &b);
+    krb5_get_init_creds_opt_set_forwardable(opt, b);
+
+    krb5_appdefault_boolean(context, appname, realm, "proxiable", FALSE, &b);
+    krb5_get_init_creds_opt_set_proxiable (opt, b);
+
+    krb5_appdefault_time(context, appname, realm, "ticket_life", 0, &t);
+    if(t != 0)
+	krb5_get_init_creds_opt_set_tkt_life(opt, t);
+    
+    krb5_appdefault_time(context, appname, realm, "renewable_life", 0, &t);
+    if(t != 0)
+	krb5_get_init_creds_opt_set_renew_life(opt, t);
+
+#if 0
+    krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b);
+    krb5_get_init_creds_opt_set_anonymous (opt, b);
+
+    krb5_get_init_creds_opt_set_etype_list(opt, enctype, 
+					   etype_str.num_strings);
+
+    krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
+				     krb5_data *salt);
+
+    krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
+					     krb5_preauthtype *preauth_list,
+					     int preauth_list_length);
+    krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
+					     krb5_addresses *addresses);
+#endif
+}
+
+
+void
 krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
 				     krb5_deltat tkt_life)
 {
@@ -109,3 +151,11 @@ krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
     opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
     opt->salt = salt;
 }
+
+void
+krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
+				      int anonymous)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_ANONYMOUS;
+    opt->anonymous = anonymous;
+}
diff --git a/crypto/heimdal/lib/krb5/init_creds_pw.c b/crypto/heimdal/lib/krb5/init_creds_pw.c
index 3caf939..8881d13 100644
--- a/crypto/heimdal/lib/krb5/init_creds_pw.c
+++ b/crypto/heimdal/lib/krb5/init_creds_pw.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: init_creds_pw.c,v 1.38 2000/02/07 03:17:20 assar Exp $");
+RCSID("$Id: init_creds_pw.c,v 1.44 2000/07/24 03:46:40 assar Exp $");
 
 static int
 get_config_time (krb5_context context,
@@ -178,9 +178,9 @@ print_expire (krb5_context context,
 	if (lr->val[i].lr_type == 6
 	    && lr->val[i].lr_value <= t) {
 	    char *p;
+	    time_t tmp = lr->val[i].lr_value;
 	    
-	    asprintf (&p, "Your password will expire at %s",
-		      ctime(&lr->val[i].lr_value));
+	    asprintf (&p, "Your password will expire at %s", ctime(&tmp));
 	    (*prompter) (context, data, p, 0, NULL);
 	    free (p);
 	    return;
@@ -190,9 +190,9 @@ print_expire (krb5_context context,
     if (rep->enc_part.key_expiration
 	&& *rep->enc_part.key_expiration <= t) {
 	char *p;
+	time_t t = *rep->enc_part.key_expiration;
 
-	asprintf (&p, "Your password/account will expire at %s",
-		  ctime(rep->enc_part.key_expiration));
+	asprintf (&p, "Your password/account will expire at %s", ctime(&t));
 	(*prompter) (context, data, p, 0, NULL);
 	free (p);
     }
@@ -263,6 +263,8 @@ get_init_creds_common(krb5_context context,
     }
     if (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)
 	;			/* XXX */
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS)
+	flags->b.request_anonymous = options->anonymous;
     return 0;
 }
 
@@ -291,9 +293,12 @@ change_password (krb5_context context,
 
     krb5_get_init_creds_opt_init (&options);
     krb5_get_init_creds_opt_set_tkt_life (&options, 60);
-    krb5_get_init_creds_opt_set_preauth_list (&options,
-					      old_options->preauth_list,
-					      old_options->preauth_list_length);					      
+    krb5_get_init_creds_opt_set_forwardable (&options, FALSE);
+    krb5_get_init_creds_opt_set_proxiable (&options, FALSE);
+    if (old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)
+	krb5_get_init_creds_opt_set_preauth_list (&options,
+						  old_options->preauth_list,
+						  old_options->preauth_list_length);					      
 
     krb5_data_zero (&result_code_string);
     krb5_data_zero (&result_string);
@@ -438,6 +443,12 @@ krb5_get_init_creds_password(krb5_context context,
 	    done = 1;
 	    break;
 	case KRB5KDC_ERR_KEY_EXPIRED :
+	    /* try to avoid recursion */
+
+	    if (in_tkt_service != NULL
+		&& strcmp (in_tkt_service, "kadmin/changepw") == 0)
+		goto out;
+
 	    ret = change_password (context,
 				   client,
 				   password,
diff --git a/crypto/heimdal/lib/krb5/kerberos.8 b/crypto/heimdal/lib/krb5/kerberos.8
new file mode 100644
index 0000000..1b2ec91
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/kerberos.8
@@ -0,0 +1,73 @@
+.\" $Id: kerberos.8,v 1.1 2000/09/01 15:52:24 joda Exp $
+.\"
+.Dd September 1, 2000
+.Dt KERBEROS 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kerberos
+.Nd introduction to the Kerberos system
+.Sh DESCRIPTION
+Kerberos is a network authentication system. It's purpose is to
+securely authenticate users and services in an insecure network
+environment. 
+.Pp
+This is done with a Kerberos server acting as a trusted third party,
+keeping a database with secret keys for all users and services
+(collectively called
+.Em principals ) .
+.Pp
+Each principal belongs to exactly one 
+.Em realm ,
+which is the administrative domain in Kerberos. A realm usually
+corresponds to an organisation, and the realm should normally be
+derived from that organisation's domain name. A realm is served by one
+or more Kerberos servers.
+.Pp
+The authentication process involves exchange of
+.Sq tickets
+and 
+.Sq authenticators 
+which together prove the principal's identity.
+.Pp
+When you login to the Kerberos system, either through the normal
+system login or with the
+.Xr kinit 1
+program, you acquire a 
+.Em ticket granting ticket
+which allows you to get new tickets for other services, such as
+.Ic telnet
+or
+.Ic ftp ,
+without giving your password.
+.Pp
+For more information on how Kerberos works, and other general Kerberos
+questions see the Kerberos FAQ at
+.Ad http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html .
+
+For setup instructions see the Heimdal Texinfo manual.
+.Sh SEE ALSO
+.Xr ftp 1
+.Xr kdestroy 1 ,
+.Xr kinit 1 ,
+.Xr klist 1 ,
+.Xr kpasswd 1 ,
+.Xr telnet 1
+.Sh HISTORY
+The Kerberos authentication system was developed in the late 1980's as
+part of the Athena Project at the Massachusetts Institute of
+Technology. Versions one through three never reached outside MIT, but
+version 4 was (and still is) quite popular, especially in the academic
+community, but is also used in commercial products like the AFS
+filesystem.
+.Pp
+The problems with version 4 are that it has many limitations, the code
+was not too well written (since it had been developed over a long
+time), and it has a number of known security problems. To resolve many
+of these issues work on version five started, and resulted in IETF
+RFC1510 in 1993. Since then much work has been put into the further
+development, and a new RFC will hopefully appear soon.
+.Pp
+This manual manual page is part of the
+.Nm Heimdal
+Kerberos 5 distribution, which has been in development at the Royal
+Institute of Technology in Stockholm, Sweden, since about 1997.
diff --git a/crypto/heimdal/lib/krb5/keyblock.c b/crypto/heimdal/lib/krb5/keyblock.c
index 89732a0..124d9bc 100644
--- a/crypto/heimdal/lib/krb5/keyblock.c
+++ b/crypto/heimdal/lib/krb5/keyblock.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,6 +33,8 @@
 
 #include "krb5_locl.h"
 
+RCSID("$Id: keyblock.c,v 1.11 2000/03/23 03:38:25 assar Exp $");
+
 void
 krb5_free_keyblock_contents(krb5_context context,
 			    krb5_keyblock *keyblock)
diff --git a/crypto/heimdal/lib/krb5/keytab_keyfile.c b/crypto/heimdal/lib/krb5/keytab_keyfile.c
index fa14e62..ffdf35c 100644
--- a/crypto/heimdal/lib/krb5/keytab_keyfile.c
+++ b/crypto/heimdal/lib/krb5/keytab_keyfile.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: keytab_keyfile.c,v 1.7 2000/01/02 04:00:22 assar Exp $");
+RCSID("$Id: keytab_keyfile.c,v 1.9 2000/07/02 16:14:16 assar Exp $");
 
 /* afs keyfile operations --------------------------------------- */
 
@@ -221,7 +221,7 @@ akf_next_entry(krb5_context context,
 	goto out;
     }
 
-    entry->vno = (int8_t) kvno;
+    entry->vno = kvno;
 
     entry->keyblock.keytype         = ETYPE_DES_CBC_MD5;
     entry->keyblock.keyvalue.length = 8;
@@ -235,6 +235,8 @@ akf_next_entry(krb5_context context,
     ret = cursor->sp->fetch(cursor->sp, entry->keyblock.keyvalue.data, 8);
     if(ret != 8)
 	ret = (ret < 0) ? errno : KRB5_KT_END;
+    else
+	ret = 0;
 
     entry->timestamp = time(NULL);
 
@@ -260,7 +262,7 @@ akf_add_entry(krb5_context context,
 {
     struct akf_data *d = id->data;
     int fd, created = 0;
-    int32_t kvno;
+    krb5_error_code ret;
 
     fd = open (d->filename, O_RDWR | O_BINARY);
     if (fd < 0) {
@@ -274,29 +276,68 @@ akf_add_entry(krb5_context context,
     if (entry->keyblock.keyvalue.length == 8
 	&& entry->keyblock.keytype == ETYPE_DES_CBC_MD5) {
 
-	int32_t len = 0;
+	int32_t len;
+	krb5_storage *sp;
 
-	if (!created) {
-	    if (lseek (fd, 0, SEEK_SET))
+	sp = krb5_storage_from_fd(fd);
+	if(sp == NULL) {
+	    close(fd);
+	    return ENOMEM;
+	}
+	if (created)
+	    len = 0;
+	else {
+	    if((*sp->seek)(sp, 0, SEEK_SET) < 0) {
+		krb5_storage_free(sp);
+		close(fd);
 		return errno;
+	    }
 	    
-	    if (read (fd, &len, sizeof(len)) != sizeof(len))
-		return errno;
+	    ret = krb5_ret_int32(sp, &len);
+	    if(ret) {
+		krb5_storage_free(sp);
+		close(fd);
+		return ret;
+	    }
 	}
-	len += 1;
-
-	if (lseek (fd, 0, SEEK_SET))
-	    return errno;
-
-	if (write (fd, &len, sizeof(len)) != sizeof(len))
+	len++;
+	
+	if((*sp->seek)(sp, 0, SEEK_SET) < 0) {
+	    krb5_storage_free(sp);
+	    close(fd);
 	    return errno;
+	}
+	
+	ret = krb5_store_int32(sp, len);
+	if(ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+		
 
-	if (lseek (fd, 4 + (len-1) * (8+4), SEEK_SET))
+	if((*sp->seek)(sp, (len - 1) * (8 + 4), SEEK_CUR) < 0) {
+	    krb5_storage_free(sp);
+	    close(fd);
 	    return errno;
-
-	kvno = entry->vno;
-	write(fd, &kvno, sizeof(kvno));
-	write(fd, entry->keyblock.keyvalue.data, 8);
+	}
+	
+	ret = krb5_store_int32(sp, entry->vno);
+	if(ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+	ret = sp->store(sp, entry->keyblock.keyvalue.data, 
+			entry->keyblock.keyvalue.length);
+	if(ret != entry->keyblock.keyvalue.length) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    if(ret < 0)
+		return errno;
+	    return ENOTTY;
+	}
+	krb5_storage_free(sp);
     }
     close (fd);
     return 0;
diff --git a/crypto/heimdal/lib/krb5/keytab_krb4.c b/crypto/heimdal/lib/krb5/keytab_krb4.c
index b1f425c..e41f849 100644
--- a/crypto/heimdal/lib/krb5/keytab_krb4.c
+++ b/crypto/heimdal/lib/krb5/keytab_krb4.c
@@ -32,9 +32,8 @@
  */
 
 #include "krb5_locl.h"
-#include <krb.h>
 
-RCSID("$Id: keytab_krb4.c,v 1.5 2000/01/06 08:04:58 assar Exp $");
+RCSID("$Id: keytab_krb4.c,v 1.6 2000/12/15 17:10:40 joda Exp $");
 
 struct krb4_kt_data {
     char *filename;
@@ -227,6 +226,9 @@ krb4_kt_add_entry (krb5_context context,
     struct krb4_kt_data *d = id->data;
     krb5_error_code ret;
     int fd;
+#define ANAME_SZ 40
+#define INST_SZ 40
+#define REALM_SZ 40
     char service[ANAME_SZ];
     char instance[INST_SZ];
     char realm[REALM_SZ];
@@ -258,7 +260,7 @@ krb4_kt_add_entry (krb5_context context,
     return 0;
 }
 
-krb5_kt_ops krb4_fkt_ops = {
+const krb5_kt_ops krb4_fkt_ops = {
     "krb4",
     krb4_kt_resolve,
     krb4_kt_get_name,
diff --git a/crypto/heimdal/lib/krb5/krb5-private.h b/crypto/heimdal/lib/krb5/krb5-private.h
index b24328a..c653695 100644
--- a/crypto/heimdal/lib/krb5/krb5-private.h
+++ b/crypto/heimdal/lib/krb5/krb5-private.h
@@ -18,7 +18,7 @@ _krb5_crc_init_table __P((void));
 
 u_int32_t
 _krb5_crc_update __P((
-	char *p,
+	const char *p,
 	size_t len,
 	u_int32_t res));
 
@@ -33,6 +33,7 @@ _krb5_extract_ticket __P((
 	krb5_addresses *addrs,
 	unsigned nonce,
 	krb5_boolean allow_server_mismatch,
+	krb5_boolean ignore_cname,
 	krb5_decrypt_proc decrypt_proc,
 	krb5_const_pointer decryptarg));
 
diff --git a/crypto/heimdal/lib/krb5/krb5-protos.h b/crypto/heimdal/lib/krb5/krb5-protos.h
index 59402a7..628f560 100644
--- a/crypto/heimdal/lib/krb5/krb5-protos.h
+++ b/crypto/heimdal/lib/krb5/krb5-protos.h
@@ -66,6 +66,20 @@ krb5_abortx __P((
     __attribute__ ((noreturn, format (printf, 2, 3)));
 
 krb5_error_code
+krb5_acl_match_file __P((
+	krb5_context context,
+	const char *file,
+	const char *format,
+	...));
+
+krb5_error_code
+krb5_acl_match_string __P((
+	krb5_context context,
+	const char *acl_string,
+	const char *format,
+	...));
+
+krb5_error_code
 krb5_add_et_list __P((
 	krb5_context context,
 	void (*func)(struct et_list **)));
@@ -130,6 +144,33 @@ krb5_anyaddr __P((
 	int *sa_size,
 	int port));
 
+void
+krb5_appdefault_boolean __P((
+	krb5_context context,
+	const char *appname,
+	krb5_realm realm,
+	const char *option,
+	krb5_boolean def_val,
+	krb5_boolean *ret_val));
+
+void
+krb5_appdefault_string __P((
+	krb5_context context,
+	const char *appname,
+	krb5_realm realm,
+	const char *option,
+	const char *def_val,
+	char **ret_val));
+
+void
+krb5_appdefault_time __P((
+	krb5_context context,
+	const char *appname,
+	krb5_realm realm,
+	const char *option,
+	time_t def_val,
+	time_t *ret_val));
+
 krb5_error_code
 krb5_append_addresses __P((
 	krb5_context context,
@@ -142,6 +183,13 @@ krb5_auth_con_free __P((
 	krb5_auth_context auth_context));
 
 krb5_error_code
+krb5_auth_con_genaddrs __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int fd,
+	int flags));
+
+krb5_error_code
 krb5_auth_con_getaddrs __P((
 	krb5_context context,
 	krb5_auth_context auth_context,
@@ -167,6 +215,12 @@ krb5_auth_con_getlocalsubkey __P((
 	krb5_keyblock **keyblock));
 
 krb5_error_code
+krb5_auth_con_getrcache __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_rcache *rcache));
+
+krb5_error_code
 krb5_auth_con_getremotesubkey __P((
 	krb5_context context,
 	krb5_auth_context auth_context,
@@ -209,6 +263,12 @@ krb5_auth_con_setlocalsubkey __P((
 	krb5_keyblock *keyblock));
 
 krb5_error_code
+krb5_auth_con_setrcache __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_rcache rcache));
+
+krb5_error_code
 krb5_auth_con_setremotesubkey __P((
 	krb5_context context,
 	krb5_auth_context auth_context,
@@ -291,7 +351,8 @@ krb5_build_authenticator __P((
 	krb5_creds *cred,
 	Checksum *cksum,
 	Authenticator **auth_result,
-	krb5_data *result));
+	krb5_data *result,
+	krb5_key_usage usage));
 
 krb5_error_code
 krb5_build_principal __P((
@@ -545,6 +606,13 @@ krb5_config_get_string __P((
 	krb5_config_section *c,
 	...));
 
+const char *
+krb5_config_get_string_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	const char *def_value,
+	...));
+
 char**
 krb5_config_get_strings __P((
 	krb5_context context,
@@ -629,6 +697,13 @@ krb5_config_vget_string __P((
 	krb5_config_section *c,
 	va_list args));
 
+const char *
+krb5_config_vget_string_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	const char *def_value,
+	va_list args));
+
 char **
 krb5_config_vget_strings __P((
 	krb5_context context,
@@ -827,10 +902,20 @@ krb5_decrypt_EncryptedData __P((
 	krb5_context context,
 	krb5_crypto crypto,
 	unsigned usage,
-	EncryptedData *e,
+	const EncryptedData *e,
 	krb5_data *result));
 
 krb5_error_code
+krb5_decrypt_ivec __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	void *data,
+	size_t len,
+	krb5_data *result,
+	void *ivec));
+
+krb5_error_code
 krb5_decrypt_ticket __P((
 	krb5_context context,
 	Ticket *ticket,
@@ -853,6 +938,9 @@ krb5_domain_x500_encode __P((
 	krb5_data *encoding));
 
 krb5_error_code
+krb5_eai_to_heim_errno __P((int eai_errno));
+
+krb5_error_code
 krb5_encode_Authenticator __P((
 	krb5_context context,
 	void *data,
@@ -928,6 +1016,16 @@ krb5_encrypt_EncryptedData __P((
 	EncryptedData *result));
 
 krb5_error_code
+krb5_encrypt_ivec __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	void *data,
+	size_t len,
+	krb5_data *result,
+	void *ivec));
+
+krb5_error_code
 krb5_enctype_to_keytype __P((
 	krb5_context context,
 	krb5_enctype etype,
@@ -988,6 +1086,14 @@ krb5_find_padata __P((
 	int *index));
 
 krb5_error_code
+krb5_format_time __P((
+	krb5_context context,
+	time_t t,
+	char *s,
+	size_t len,
+	krb5_boolean include_time));
+
+krb5_error_code
 krb5_free_address __P((
 	krb5_context context,
 	krb5_address *address));
@@ -1106,7 +1212,7 @@ krb5_error_code
 krb5_generate_seq_number __P((
 	krb5_context context,
 	const krb5_keyblock *key,
-	int32_t *seqno));
+	u_int32_t *seqno));
 
 krb5_error_code
 krb5_generate_subkey __P((
@@ -1291,6 +1397,18 @@ krb5_get_init_creds_opt_set_address_list __P((
 	krb5_addresses *addresses));
 
 void
+krb5_get_init_creds_opt_set_anonymous __P((
+	krb5_get_init_creds_opt *opt,
+	int anonymous));
+
+void
+krb5_get_init_creds_opt_set_default_flags __P((
+	krb5_context context,
+	const char *appname,
+	krb5_realm realm,
+	krb5_get_init_creds_opt *opt));
+
+void
 krb5_get_init_creds_opt_set_etype_list __P((
 	krb5_get_init_creds_opt *opt,
 	krb5_enctype *etype_list,
@@ -1373,6 +1491,12 @@ krb5_get_pw_salt __P((
 	krb5_const_principal principal,
 	krb5_salt *salt));
 
+krb5_error_code
+krb5_get_server_rcache __P((
+	krb5_context context,
+	const krb5_data *piece,
+	krb5_rcache *id));
+
 krb5_boolean
 krb5_get_use_admin_kdc __P((krb5_context context));
 
@@ -1623,7 +1747,7 @@ krb5_mk_priv __P((
 krb5_error_code
 krb5_mk_rep __P((
 	krb5_context context,
-	krb5_auth_context *auth_context,
+	krb5_auth_context auth_context,
 	krb5_data *outbuf));
 
 krb5_error_code
@@ -1638,6 +1762,16 @@ krb5_mk_req __P((
 	krb5_data *outbuf));
 
 krb5_error_code
+krb5_mk_req_exact __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_flags ap_req_options,
+	const krb5_principal server,
+	krb5_data *in_data,
+	krb5_ccache ccache,
+	krb5_data *outbuf));
+
+krb5_error_code
 krb5_mk_req_extended __P((
 	krb5_context context,
 	krb5_auth_context *auth_context,
@@ -1654,7 +1788,8 @@ krb5_mk_req_internal __P((
 	krb5_data *in_data,
 	krb5_creds *in_creds,
 	krb5_data *outbuf,
-	krb5_key_usage usage));
+	krb5_key_usage checksum_usage,
+	krb5_key_usage encrypt_usage));
 
 krb5_error_code
 krb5_mk_safe __P((
@@ -1732,6 +1867,12 @@ krb5_principal_compare_any_realm __P((
 	krb5_const_principal princ1,
 	krb5_const_principal princ2));
 
+krb5_boolean
+krb5_principal_match __P((
+	krb5_context context,
+	krb5_const_principal princ,
+	krb5_const_principal pattern));
+
 krb5_error_code
 krb5_print_address __P((
 	const krb5_address *addr,
@@ -1757,9 +1898,94 @@ krb5_prompter_posix __P((
 	krb5_prompt prompts[]));
 
 krb5_error_code
+krb5_rc_close __P((
+	krb5_context context,
+	krb5_rcache id));
+
+krb5_error_code
+krb5_rc_default __P((
+	krb5_context context,
+	krb5_rcache *id));
+
+const char *
+krb5_rc_default_name __P((krb5_context context));
+
+const char *
+krb5_rc_default_type __P((krb5_context context));
+
+krb5_error_code
+krb5_rc_destroy __P((
+	krb5_context context,
+	krb5_rcache id));
+
+krb5_error_code
+krb5_rc_expunge __P((
+	krb5_context context,
+	krb5_rcache id));
+
+krb5_error_code
+krb5_rc_get_lifespan __P((
+	krb5_context context,
+	krb5_rcache id,
+	krb5_deltat *auth_lifespan));
+
+const char*
+krb5_rc_get_name __P((
+	krb5_context context,
+	krb5_rcache id));
+
+const char*
+krb5_rc_get_type __P((
+	krb5_context context,
+	krb5_rcache id));
+
+krb5_error_code
+krb5_rc_initialize __P((
+	krb5_context context,
+	krb5_rcache id,
+	krb5_deltat auth_lifespan));
+
+krb5_error_code
+krb5_rc_recover __P((
+	krb5_context context,
+	krb5_rcache id));
+
+krb5_error_code
+krb5_rc_resolve __P((
+	krb5_context context,
+	krb5_rcache id,
+	const char *name));
+
+krb5_error_code
+krb5_rc_resolve_full __P((
+	krb5_context context,
+	krb5_rcache *id,
+	const char *string_name));
+
+krb5_error_code
+krb5_rc_resolve_type __P((
+	krb5_context context,
+	krb5_rcache *id,
+	const char *type));
+
+krb5_error_code
+krb5_rc_store __P((
+	krb5_context context,
+	krb5_rcache id,
+	krb5_donot_replay *rep));
+
+krb5_error_code
 krb5_rd_cred __P((
 	krb5_context context,
 	krb5_auth_context auth_context,
+	krb5_data *in_data,
+	krb5_creds ***ret_creds,
+	krb5_replay_data *out_data));
+
+krb5_error_code
+krb5_rd_cred2 __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
 	krb5_ccache ccache,
 	krb5_data *in_data));
 
@@ -1818,6 +2044,20 @@ krb5_read_message __P((
 	krb5_pointer p_fd,
 	krb5_data *data));
 
+krb5_error_code
+krb5_read_priv_message __P((
+	krb5_context context,
+	krb5_auth_context ac,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
+krb5_error_code
+krb5_read_safe_message __P((
+	krb5_context context,
+	krb5_auth_context ac,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
 krb5_boolean
 krb5_realm_compare __P((
 	krb5_context context,
@@ -1936,6 +2176,14 @@ krb5_sendauth __P((
 	krb5_creds **out_creds));
 
 krb5_error_code
+krb5_sendto __P((
+	krb5_context context,
+	const krb5_data *send,
+	char **hostlist,
+	int port,
+	krb5_data *receive));
+
+krb5_error_code
 krb5_sendto_kdc __P((
 	krb5_context context,
 	const krb5_data *send,
@@ -1943,6 +2191,14 @@ krb5_sendto_kdc __P((
 	krb5_data *receive));
 
 krb5_error_code
+krb5_sendto_kdc2 __P((
+	krb5_context context,
+	const krb5_data *send,
+	const krb5_realm *realm,
+	krb5_data *receive,
+	krb5_boolean master));
+
+krb5_error_code
 krb5_set_default_in_tkt_etypes __P((
 	krb5_context context,
 	const krb5_enctype *etypes));
@@ -2102,7 +2358,7 @@ krb5_store_string __P((
 krb5_error_code
 krb5_store_stringz __P((
 	krb5_storage *sp,
-	char *s));
+	const char *s));
 
 krb5_error_code
 krb5_store_times __P((
@@ -2232,6 +2488,18 @@ krb5_verify_ap_req __P((
 	krb5_ticket **ticket));
 
 krb5_error_code
+krb5_verify_ap_req2 __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	krb5_ap_req *ap_req,
+	krb5_const_principal server,
+	krb5_keyblock *keyblock,
+	krb5_flags flags,
+	krb5_flags *ap_req_options,
+	krb5_ticket **ticket,
+	krb5_key_usage usage));
+
+krb5_error_code
 krb5_verify_authenticator_checksum __P((
 	krb5_context context,
 	krb5_auth_context ac,
@@ -2355,6 +2623,21 @@ krb5_write_message __P((
 	krb5_data *data));
 
 krb5_error_code
+krb5_write_priv_message __P((
+	krb5_context context,
+	krb5_auth_context ac,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
+krb5_error_code
+krb5_write_safe_message __P((
+	krb5_context context,
+	krb5_auth_context ac,
+	krb5_boolean priv,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
+krb5_error_code
 krb5_xfree __P((void *ptr));
 
 krb5_error_code
diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5
index 2a0adb6..51f6cfb 100644
--- a/crypto/heimdal/lib/krb5/krb5.conf.5
+++ b/crypto/heimdal/lib/krb5/krb5.conf.5
@@ -1,4 +1,4 @@
-.\" $Id: krb5.conf.5,v 1.7 1999/11/04 01:57:28 assar Exp $
+.\" $Id: krb5.conf.5,v 1.12 2001/01/19 04:53:24 assar Exp $
 .\"
 .Dd April 11, 1999
 .Dt KRB5.CONF 5
@@ -46,7 +46,6 @@ name:
 .Li STRINGs
 consists of one or more non-white space characters.
 Currently recognised sections and bindings are:
-
 .Bl -tag -width "xxx" -offset indent
 .It Li [libdefaults]
 .Bl -tag -width "xxx" -offset indent
@@ -65,7 +64,24 @@ Maximum time to wait for a reply from the kdc, default is 3 seconds.
 These are decribed in the 
 .Xr krb5_425_conv_principal  3
 manual page.
-.It Li capath = Va realm-routing-table
+.It Li capath = {
+.Bl -tag -width "xxx" -offset indent
+.It Va destination-realm Li = Va next-hop-realm
+.It ...
+.El
+Normally, all requests to realms different from the one of the current
+client are sent to this KDC to get cross-realm tickets.
+If this KDC does not have a cross-realm key with the desired realm and
+the hierarchical path to that realm does not work, a path can be
+configured using this directive.
+The text shown above instructs the KDC to try to obtain a cross-realm
+ticket to
+.Va next-hop-realm
+when the desired realm is
+.Va destination-realm .
+This configuration should preferably be done on the KDC where it will
+help all its clients but can also be done on the client itself.
+.It Li }
 .It Li default_etypes = Va etypes...
 A list of default etypes to use.
 .It Li default_etypes_des = Va etypes...
@@ -113,10 +129,18 @@ perid.
 .It Va REALM Li = {
 .Bl -tag -width "xxx" -offset indent
 .It Li kdc = Va host[:port]
-Specifies a kdc for this realm. If the optional port is absent, the
+Specifies a list of kdcs for this realm. If the optional port is absent, the
 default value for the
 .Dq kerberos/udp
 service will be used.
+The kdcs will be used in the order that they are specified.
+.It Li admin_server = Va host[:port]
+Specifies the admin server for this realm, where all the modifications
+to the database are perfomed.
+.It Li kpasswd_server = Va host[:port]
+Points to the server where all the password changes are perfomed.
+If there is no such entry, the kpasswd port on the admin_server host
+will be tried.
 .It Li v4_instance_convert
 .It Li v4_name_convert
 .It Li default_domain
@@ -136,7 +160,100 @@ for logging. See the
 .Xr krb5_openlog 3
 manual page for a list of defined destinations.
 .El
+.It Li [kdc]
+.Bl -tag -width "xxx" -offset indent
+.It database Li = {
+.Bl -tag -width "xxx" -offset indent
+.It dbname Li = Va DATABASENAME
+use this database for this realm.
+.It realm Li = Va REALM
+specifies the realm that will be stored in this database.
+.It mkey_file Li = Pa FILENAME
+use this keytab file for the master key of this database.
+If not specified
+.Va DATABASENAME Ns .mkey
+will be used.
+.It acl_file Li = PA FILENAME
+use this file for the ACL list of this database.
+.It log_file Li = Pa FILENAME
+use this file as the log of changes performed to the database.  This
+file is used by
+.Nm ipropd-master
+for propagating changes to slaves.
+.El
+.It Li }
+.It max-request = Va SIZE
+Maximum size of a kdc request.
+.It require-preauth = Va BOOL
+If set pre-authentication is required. Since krb4 requests are not
+pre-authenticated they will be rejected.
+.It ports = Va "list of ports"
+list of ports the kdc should listen to.
+.It addresses = Va "list of interfaces"
+list of addresses the kdc should bind to.
+.It enable-kerberos4 = Va BOOL
+turn on kerberos4 support.
+.It v4-realm = Va REALM
+to what realm v4 requests should be mapped.
+.It enable-524 = Va BOOL
+should the Kerberos 524 converting facility be turned on. Default is same as
+.Va enable-kerberos4 .
+.It enable-http = Va BOOL
+should the kdc answer kdc-requests over http.
+.It enable-kaserver = Va BOOL
+if this kdc should emulate the AFS kaserver.
+.It check-ticket-addresses = Va BOOL
+verify the addresses in the tickets used in tgs requests.
+.\" XXX
+.It allow-null-ticket-addresses = Va BOOL
+allow addresses-less tickets.
+.\" XXX 
+.It allow-anonymous = Va BOOL
+if the kdc is allowed to hand out anonymous tickets.
+.It encode_as_rep_as_tgs_rep = Va BOOL
+encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did.
+.\" XXX 
+.It kdc_warn_pwexpire = Va TIME
+the time before expiration that the user should be warned that her
+password is about to expire.
+.It logging = Va Logging
+What type of logging the kdc should use, see also [logging]/kdc.
 .El
+.It Li [kadmin]
+.Bl -tag -width "xxx" -offset indent
+.It require-preauth = Va BOOL
+If pre-authentication is required to talk to the kadmin server.
+.It default_keys = Va keytypes...
+for each entry in
+.Va default_keys
+try to parse it as a sequence of
+.Va etype:salttype:salt
+syntax of this if something like:
+.Pp
+[(des|des3|etype):](pw-salt|afs3-salt)[:string]
+.Pp
+if
+.Ar etype
+is omitted it means everything, and if string is omitted is means the default string (for that principal). Additional special values of keyttypes are:
+.Bl -tag -width "xxx" -offset indent
+.It v5 
+The kerberos 5 salt
+.Va pw-salt
+.It v4
+The kerberos 4 type
+.Va des:pw-salt:
+.El
+.It use_v4_salt = Va BOOL
+When true, this is the same as
+.Pp
+.Va default_keys = Va des3:pw-salt Va v4
+.Pp
+and is only left for backwards compatability.
+.El
+.El
+.Sh ENVIRONMENT
+.Ev KRB5_CONFIG
+points to the configuration file to read.
 .Sh EXAMPLE
 .Bd -literal -offset indent
 [lib_defaults]
@@ -160,7 +277,21 @@ manual page for a list of defined destinations.
 	kdc = SYSLOG:INFO
 	default = SYSLOG:INFO:USER
 .Ed
+.Sh DIAGNOSTICS
+Since
+.Nm
+is read and parsed by the krb5 library, there is not a lot of
+opportunities for programs to report parsing errors in any useful
+format.
+To help overcome this problem, there is a program
+.Nm verify_krb5_conf
+that reads
+.Nm
+and tries to emit useful diagnostics from parsing errors.  Note that
+this program does not have any way of knowing what options are
+actually used and thus cannot warn about unknown or misspelt ones.
 .Sh SEE ALSO
+.Xr verify_krb5_conf 8 ,
 .Xr krb5_openlog 3 ,
 .Xr krb5_425_conv_principal 3 ,
 .Xr strftime 3 ,
diff --git a/crypto/heimdal/lib/krb5/krb5.h b/crypto/heimdal/lib/krb5/krb5.h
index 15837e0..65a8a16 100644
--- a/crypto/heimdal/lib/krb5/krb5.h
+++ b/crypto/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5.h,v 1.164 2000/02/06 07:40:57 assar Exp $ */
+/* $Id: krb5.h,v 1.179 2000/12/15 17:11:12 joda Exp $ */
 
 #ifndef __KRB5_H__
 #define __KRB5_H__
@@ -68,24 +68,7 @@ typedef octet_string krb5_data;
 struct krb5_crypto_data;
 typedef struct krb5_crypto_data *krb5_crypto;
 
-typedef enum krb5_cksumtype { 
-  CKSUMTYPE_NONE		= 0,
-  CKSUMTYPE_CRC32		= 1,
-  CKSUMTYPE_RSA_MD4		= 2,
-  CKSUMTYPE_RSA_MD4_DES		= 3,
-  CKSUMTYPE_DES_MAC		= 4,
-  CKSUMTYPE_DES_MAC_K		= 5,
-  CKSUMTYPE_RSA_MD4_DES_K	= 6,
-  CKSUMTYPE_RSA_MD5		= 7,
-  CKSUMTYPE_RSA_MD5_DES		= 8,
-  CKSUMTYPE_RSA_MD5_DES3	= 9,
-/*  CKSUMTYPE_SHA1		= 10,*/
-  CKSUMTYPE_HMAC_SHA1_DES3	= 12,
-  CKSUMTYPE_SHA1		= 1000, /* correct value? */
-  CKSUMTYPE_HMAC_MD5		= -138, /* unofficial microsoft number */
-  CKSUMTYPE_HMAC_MD5_ENC	= -1138 /* even more unofficial */
-} krb5_cksumtype;
-
+typedef CKSUMTYPE krb5_cksumtype;
 
 typedef enum krb5_enctype { 
   ETYPE_NULL			= 0,
@@ -101,17 +84,14 @@ typedef enum krb5_enctype {
   ETYPE_ARCFOUR_HMAC_MD5	= 23,
   ETYPE_ARCFOUR_HMAC_MD5_56	= 24,
   ETYPE_ENCTYPE_PK_CROSS	= 48,
-  ETYPE_DES_CBC_NONE		= 0x1000,
-  ETYPE_DES3_CBC_NONE		= 0x1001
+  ETYPE_DES_CBC_NONE		= -0x1000,
+  ETYPE_DES3_CBC_NONE		= -0x1001,
+  ETYPE_DES_CFB64_NONE		= -0x1002,
+  ETYPE_DES_PCBC_NONE		= -0x1003,
+  ETYPE_DES3_CBC_NONE_IVEC	= -0x1004
 } krb5_enctype;
 
-typedef enum krb5_preauthtype {
-  KRB5_PADATA_NONE		= 0,
-  KRB5_PADATA_AP_REQ,
-  KRB5_PADATA_TGS_REQ		= 1,
-  KRB5_PADATA_ENC_TIMESTAMP	= 2,
-  KRB5_PADATA_ENC_SECURID
-} krb5_preauthtype;
+typedef PADATA_TYPE krb5_preauthtype;
 
 typedef enum krb5_key_usage {
     KRB5_KU_PA_ENC_TIMESTAMP = 1,
@@ -165,14 +145,28 @@ typedef enum krb5_key_usage {
     KRB5_KU_OTHER_ENCRYPTED = 16,
     /* Data which is defined in some specification outside of
        Kerberos to be encrypted using an RFC1510 encryption type. */
-    KRB5_KU_OTHER_CKSUM = 17
+    KRB5_KU_OTHER_CKSUM = 17,
     /* Data which is defined in some specification outside of
        Kerberos to be checksummed using an RFC1510 checksum type. */
+    KRB5_KU_KRB_ERROR = 18,
+    /* Krb-error checksum */
+    KRB5_KU_AD_KDC_ISSUED = 19,
+    /* AD-KDCIssued checksum */
+    KRB5_KU_MANDATORY_TICKET_EXTENSION = 20,
+    /* Checksum for Mandatory Ticket Extensions */
+    KRB5_KU_AUTH_DATA_TICKET_EXTENSION = 21,
+    /* Checksum in Authorization Data in Ticket Extensions */
+    KRB5_KU_USAGE_SEAL = 22,
+    /* seal in GSSAPI krb5 mechanism */
+    KRB5_KU_USAGE_SIGN = 23,
+    /* sign in GSSAPI krb5 mechanism */
+    KRB5_KU_USAGE_SEQ = 24
+    /* SEQ in GSSAPI krb5 mechanism */
 } krb5_key_usage;
 
 typedef enum krb5_salttype {
-    KRB5_PW_SALT = pa_pw_salt,
-    KRB5_AFS3_SALT = pa_afs3_salt
+    KRB5_PW_SALT = KRB5_PADATA_PW_SALT,
+    KRB5_AFS3_SALT = KRB5_PADATA_AFS3_SALT
 }krb5_salttype;
 
 typedef struct krb5_salt {
@@ -221,7 +215,14 @@ typedef AP_REQ krb5_ap_req;
 
 struct krb5_cc_ops;
 
-#define KRB5_DEFAULT_CCROOT "FILE:/tmp/krb5cc_"
+#define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_"
+
+#define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT
+
+#define KRB5_ACCEPT_NULL_ADDRESSES(C) 					 \
+    krb5_config_get_bool_default((C), NULL, TRUE, 			 \
+				 "libdefaults", "accept_null_addresses", \
+				 NULL)
 
 typedef void *krb5_cc_cursor;
 
@@ -373,18 +374,9 @@ typedef struct krb5_context_data {
                                            version */
     int num_kt_types;			/* # of registered keytab types */
     struct krb5_keytab_data *kt_types;  /* registered keytab types */
+    const char *date_fmt;
 } krb5_context_data;
 
-enum {
-  KRB5_NT_UNKNOWN	= 0,
-  KRB5_NT_PRINCIPAL	= 1,
-  KRB5_NT_SRV_INST	= 2,
-  KRB5_NT_SRV_HST	= 3,
-  KRB5_NT_SRV_XHST	= 4,
-  KRB5_NT_UID		= 5
-};
-
-
 typedef struct krb5_ticket {
     EncTicketPart ticket;
     krb5_principal client;
@@ -397,7 +389,7 @@ typedef krb5_authenticator_data *krb5_authenticator;
 
 struct krb5_rcache_data;
 typedef struct krb5_rcache_data *krb5_rcache;
-typedef Authenticator krb5_donot_reply;
+typedef Authenticator krb5_donot_replay;
 
 #define KRB5_STORAGE_HOST_BYTEORDER			0x01
 #define KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS	0x02
@@ -407,7 +399,7 @@ typedef Authenticator krb5_donot_reply;
 typedef struct krb5_storage {
     void *data;
     ssize_t (*fetch)(struct krb5_storage*, void*, size_t);
-    ssize_t (*store)(struct krb5_storage*, void*, size_t);
+    ssize_t (*store)(struct krb5_storage*, const void*, size_t);
     off_t (*seek)(struct krb5_storage*, off_t, int);
     void (*free)(struct krb5_storage*);
     krb5_flags flags;
@@ -456,11 +448,27 @@ struct krb5_keytab_key_proc_args {
 
 typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args;
 
+typedef struct krb5_replay_data {
+    krb5_timestamp timestamp;
+    u_int32_t usec;
+    u_int32_t seq;
+} krb5_replay_data;
+
+/* flags for krb5_auth_con_setflags */
 enum {
     KRB5_AUTH_CONTEXT_DO_TIME      = 1,
     KRB5_AUTH_CONTEXT_RET_TIME     = 2,
     KRB5_AUTH_CONTEXT_DO_SEQUENCE  = 4,
-    KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8
+    KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8,
+    KRB5_AUTH_CONTEXT_PERMIT_ALL   = 16
+};
+
+/* flags for krb5_auth_con_genaddrs */
+enum {
+    KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR       = 1,
+    KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR  = 3,
+    KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR      = 4,
+    KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR = 12
 };
 
 typedef struct krb5_auth_context_data {
@@ -474,8 +482,8 @@ typedef struct krb5_auth_context_data {
     krb5_keyblock *local_subkey;
     krb5_keyblock *remote_subkey;
 
-    int32_t local_seqnumber;
-    int32_t remote_seqnumber;
+    u_int32_t local_seqnumber;
+    u_int32_t remote_seqnumber;
 
     krb5_authenticator authenticator;
   
@@ -494,7 +502,7 @@ typedef struct {
     KRB_ERROR error;
 } krb5_kdc_rep;
 
-extern char *heimdal_version, *heimdal_long_version;
+extern const char *heimdal_version, *heimdal_long_version;
 
 typedef void (*krb5_log_log_func_t)(const char*, const char*, void*);
 typedef void (*krb5_log_close_func_t)(void*);
@@ -549,6 +557,7 @@ typedef struct _krb5_get_init_creds_opt {
     krb5_deltat renew_life;
     int forwardable;
     int proxiable;
+    int anonymous;
     krb5_enctype *etype_list;
     int etype_list_length;
     krb5_addresses *address_list;
@@ -570,6 +579,7 @@ typedef struct _krb5_get_init_creds_opt {
 #define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST	0x0020
 #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST	0x0040
 #define KRB5_GET_INIT_CREDS_OPT_SALT		0x0080
+#define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS	0x0100
 
 typedef struct _krb5_verify_init_creds_opt {
     krb5_flags flags;
@@ -584,6 +594,7 @@ extern const krb5_cc_ops krb5_mcc_ops;
 extern const krb5_kt_ops krb5_fkt_ops;
 extern const krb5_kt_ops krb5_mkt_ops;
 extern const krb5_kt_ops krb5_akf_ops;
+extern const krb5_kt_ops krb4_fkt_ops;
 
 #define KRB5_KPASSWD_SUCCESS	0
 #define KRB5_KPASSWD_MALFORMED	0
diff --git a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
index 231c3ff..ff90c64 100644
--- a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
+++ b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
@@ -1,5 +1,5 @@
 .\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" $Id: krb5_425_conv_principal.3,v 1.3 1999/04/11 01:47:22 joda Exp $
+.\" $Id: krb5_425_conv_principal.3,v 1.4 2001/01/26 22:43:21 assar Exp $
 .Dd April 11, 1999
 .Dt KRB5_425_CONV_PRINCIPAL 3
 .Os HEIMDAL
@@ -8,21 +8,15 @@
 .Nm krb5_425_conv_principal_ext ,
 .Nm krb5_524_conv_principal
 .Nd Converts to and from version 4 principals
-
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft krb5_error_code
 .Fn krb5_425_conv_principal "krb5_context context" "const char *name" "const char *instance" "const char *realm" "krb5_principal *principal"
-
 .Ft krb5_error_code
 .Fn krb5_425_conv_principal_ext "krb5_context context" "const char *name" "const char *instance" "const char *realm" "krb5_boolean (*func)(krb5_context, krb5_principal)" "krb5_boolean resolve" "krb5_principal *principal"
-
 .Ft krb5_error_code
 .Fn krb5_524_conv_principal "krb5_context context" "const krb5_principal principal" "char *name" "char *instance" "char *realm"
-
 .Sh DESCRIPTION
-
 Converting between version 4 and version 5 principals can at best be
 described as a mess.
 .Pp
@@ -124,9 +118,7 @@ instances found to belong to a host principal. The
 and 
 .Fa realm
 should be at least 40 characters long.
-
 .Sh EXAMPLES
-
 Since this is confusing an example is in place.
 .Pp
 Assume that we have the 
@@ -188,7 +180,6 @@ the second example will result in
 .Dq ftp/b-host.foo.com 
 (because of the default domain). And all of this is of course only
 valid if you have working name resolving.
-
 .Sh SEE ALSO
 .Xr krb5_build_principal 3 ,
 .Xr krb5_free_principal 3 ,
diff --git a/crypto/heimdal/lib/krb5/krb5_appdefault.3 b/crypto/heimdal/lib/krb5/krb5_appdefault.3
new file mode 100644
index 0000000..3ce6fc9
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_appdefault.3
@@ -0,0 +1,57 @@
+.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
+.\" $Id: krb5_appdefault.3,v 1.3 2001/01/05 16:29:42 joda Exp $
+.Dd July 25, 2000
+.Dt KRB5_APPDEFAULT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_appdefault_boolean ,
+.Nm krb5_appdefault_string ,
+.Nm krb5_appdefault_time
+.Nd Get application configuration value
+
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft void
+.Fn krb5_appdefault_boolean "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "krb5_boolean def_val" "krb5_boolean *ret_val"
+.Ft void
+.Fn krb5_appdefault_string "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "const char *def_val" "char **ret_val"
+.Ft void
+.Fn krb5_appdefault_time "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "time_t def_val" "time_t *ret_val"
+
+.Sh DESCRIPTION
+
+These functions get application application defaults from the 
+.Dv appdefaults
+section of the
+.Xr krb5.conf 5 
+configuration file. These defaults can be specified per application,
+and/or per realm.
+
+These values will be looked for in 
+.Xr krb5.conf 5 ,
+in order of descending importance.
+.Bd -literal -offset indent
+[appdefaults]
+	appname = {
+		realm = {
+			option = value
+		}
+	}
+	appname = {
+		option = value
+	}
+	realm = {
+		option = value
+	}
+	option = value
+.Ed
+
+If the realm is omitted it will not be used for resolving values.  If
+no value can be found,
+.Fa def_val
+is returned instead.
+
+.Sh SEE ALSO
+.Xr krb5_config 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_auth_context.3 b/crypto/heimdal/lib/krb5/krb5_auth_context.3
new file mode 100644
index 0000000..42a96ec
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_auth_context.3
@@ -0,0 +1,284 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_auth_context.3,v 1.1 2001/01/28 19:47:33 assar Exp $
+.Dd Jan 21, 2001
+.Dt KRB5_AUTH_CONTEXT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_auth_context ,
+.Nm krb5_auth_con_init ,
+.Nm krb5_auth_con_free ,
+.Nm krb5_auth_con_setflags ,
+.Nm krb5_auth_con_getflags ,
+.Nm krb5_auth_con_setaddrs ,
+.Nm krb5_auth_con_setaddrs_from_fd ,
+.Nm krb5_auth_con_getaddrs ,
+.Nm krb5_auth_con_genaddrs ,
+.Nm krb5_auth_con_getkey ,
+.Nm krb5_auth_con_setkey ,
+.Nm krb5_auth_con_getuserkey ,
+.Nm krb5_auth_con_setuserkey ,
+.Nm krb5_auth_con_getlocalsubkey ,
+.Nm krb5_auth_con_setlocalsubkey ,
+.Nm krb5_auth_con_getremotesubkey ,
+.Nm krb5_auth_con_setremotesubkey ,
+.Nm krb5_auth_setcksumtype ,
+.Nm krb5_auth_getcksumtype ,
+.Nm krb5_auth_setkeytype ,
+.Nm krb5_auth_getkeytype ,
+.Nm krb5_auth_getlocalseqnumber ,
+.Nm krb5_auth_setlocalseqnumber ,
+.Nm krb5_auth_getremoteseqnumber ,
+.Nm krb5_auth_setremoteseqnumber ,
+.Nm krb5_auth_getauthenticator ,
+.Nm krb5_auth_con_getrcache ,
+.Nm krb5_auth_con_setrcache ,
+.Nm krb5_auth_con_initivector ,
+.Nm krb5_auth_con_setivector
+.Nd manage authetication on connection level.
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fo krb5_auth_con_init
+.Fa "krb5_context context"
+.Fa "krb5_auth_context *auth_context"
+.Fc
+.Ft void
+.Fo krb5_auth_con_free
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_setflags
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "int32_t flags"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_getflags
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "int32_t *flags"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_setaddrs
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "krb5_address *local_addr"
+.Fa "krb5_address *remote_addr"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_getaddrs
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "krb5_address **local_addr"
+.Fa "krb5_address **remote_addr"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_genaddrs
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "int fd"
+.Fa "int flags"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_setaddrs_from_fd
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "void *p_fd"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_getkey
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "krb5_keyblock **keyblock"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_getlocalsubkey
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "krb5_keyblock **keyblock"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_getremotesubkey
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "krb5_keyblock **keyblock"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_initivector
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_setivector
+.Fa "krb5_context context"
+.Fa "krb5_auth_context *auth_context"
+.Fa "krb5_pointer ivector"
+.Fc
+.Sh DESCRIPTION
+The
+.Nm krb5_auth_context
+structure holds all context related to an authenticated connection, in
+a similar way to 
+.Nm krb5_context
+that holds the context for the thread or process.  
+.Nm krb5_auth_context
+is used by various functions that are directly related to
+authentication between the server/client. Example of data that this
+structure contains are varius flags, addresses of client and server,
+port numbers, keyblocks (and subkeys), sequence numbers, replay cache,
+and checksum-type.
+.Pp
+.Fn krb5_auth_con_init
+allocates and initilizes the
+.Nm krb5_auth_context
+structure. Default values can be changed with
+.Fn krb5_auth_con_setcksumtype
+and
+.Fn krb5_auth_con_setflags .
+The
+.Nm auth_context
+structure must be freed by 
+.Fn krb5_auth_con_free .
+.Pp
+.Fn krb5_auth_con_getflags
+and
+.Fn krb5_auth_con_setflags
+gets and modifies the flags for a 
+.Nm krb5_auth_context
+structure. Possible flags to set are:
+.Bl -tag -width Ds
+.It Dv KRB5_AUTH_CONTEXT_DO_TIME
+check timestamp on incoming packets. 
+.\".It Dv KRB5_AUTH_CONTEXT_RET_TIME
+.It Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE
+Generate and check sequence-number on each packet.
+.\".It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE
+.\".It Dv KRB5_AUTH_CONTEXT_PERMIT_ALL
+.El
+.Pp
+.Fn krb5_auth_con_setaddrs ,
+.Fn krb5_auth_con_setaddrs_from_fd
+and
+.Fn krb5_auth_con_getaddrs
+gets and sets the addresses that are checked when a packet is received.
+It is mandatory to set an address for the remote
+host. If the local address is not set, it iss deduced from the underlaying
+operating system.
+.Fn krb5_auth_con_getaddrs
+will call
+.Fn krb5_free_address
+on any address that is passed in
+.Fa local_addr
+or
+.Fa remote_addr .
+.Fn krb5_auth_con_setaddr
+allows passing in a
+.Dv NULL
+pointer as
+.Fa local_addr
+and
+.Fa remote_addr ,
+in that case it will just not set that address.
+.Pp
+.Fn krb5_auth_con_setaddrs_from_fd
+fetches the addresses from a file descriptor.
+.Pp
+.Fn krb5_auth_con_genaddrs
+fetches the address information from the given file descriptor
+.Fa fd 
+depending on the bitmap argument
+.Fa flags .
+.Pp
+Possible values on
+.Fa flags
+are:
+.Bl -tag -width Ds
+.It Va KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
+fetches the local address from
+.Fa fd .
+.It Va KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
+fetches the remote address from
+.Fa fd .
+.El
+.Pp
+.Fn krb5_auth_con_setkey ,
+.Fn krb5_auth_con_setuserkey
+and
+.Fn krb5_auth_con_getkey
+gets and sets the key used for this auth context. The keyblock returned by
+.Fn krb5_auth_con_getkey
+should be freed with
+.Fn krb5_free_keyblock .
+The keyblock send into
+.Fn krb5_auth_con_setkey
+is copied into the
+.Nm krb5_auth_context ,
+and thus no special handling is needed.
+.Dv NULL
+is not a valid keyblock to
+.Fn krb5_auth_con_setkey .
+.Pp
+.Fn krb5_auth_con_setuserkey 
+is only useful when doing user to user authentication.
+.Fn krb5_auth_con_setkey
+is equivalent to
+.Fn krb5_auth_con_setuserkey .
+.Pp
+.Fn krb5_auth_con_getlocalsubkey ,
+.Fn krb5_auth_con_setlocalsubkey ,
+.Fn krb5_auth_con_getremotesubkey
+and
+.Fn krb5_auth_con_setremotesubkey
+gets and sets the keyblock for the local and remote subkey. The keyblock returned by 
+.Fn krb5_auth_con_getlocalsubkey
+and
+.Fn krb5_auth_con_getremotesubkey
+must be freed with
+.Fn krb5_free_keyblock .
+.Pp
+.Fn krb5_auth_setcksumtype
+and
+.Fn krb5_auth_getcksumtype
+sets and gets the checksum type that should be used for this
+connection.
+.Pp
+.Fn krb5_auth_getremoteseqnumber
+.Fn krb5_auth_setremoteseqnumber ,
+.Fn krb5_auth_getlocalseqnumber
+and
+.Fn krb5_auth_setlocalseqnumber
+gets and sets the sequence-number for the local and remote
+sequence-number counter.
+.Pp
+.Fn krb5_auth_setkeytype
+and
+.Fn krb5_auth_getkeytype
+gets and gets the keytype of the keyblock in
+.Nm krb5_auth_context .
+.Pp
+.Fn krb5_auth_getauthenticator
+Retrieves the authenticator that was used during mutual
+authentication. The 
+.Dv authenticator
+returned should be freed by calling
+.Fn krb5_free_authenticator .
+.Pp
+.Fn krb5_auth_con_getrcache
+and
+.Fn krb5_auth_con_setrcache
+gets and sets the replay-cache.
+.Pp
+.Fn krb5_auth_con_initivector
+allocates memory for and zeros the initial vector in the
+.Fa auth_context
+keyblock.
+.Pp
+.Fn krb5_auth_con_setivector
+sets the i_vector portion of 
+.Fa auth_context
+to
+.Fa ivector .
+.Sh SEE ALSO
+.Xr krb5_context 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_build_principal.3 b/crypto/heimdal/lib/krb5/krb5_build_principal.3
index 16ccf72..db703a4 100644
--- a/crypto/heimdal/lib/krb5/krb5_build_principal.3
+++ b/crypto/heimdal/lib/krb5/krb5_build_principal.3
@@ -1,5 +1,5 @@
 .\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" $Id: krb5_build_principal.3,v 1.1 1997/08/14 00:03:16 joda Exp $
+.\" $Id: krb5_build_principal.3,v 1.2 2001/01/26 22:43:21 assar Exp $
 .Dd August 8, 1997
 .Dt KRB5_BUILD_PRINCIPAL 3
 .Os HEIMDAL
@@ -10,28 +10,19 @@
 .Nm krb5_build_principal_va_ext ,
 .Nm krb5_make_principal
 .Nd Principal creation functions
-
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft krb5_error_code
 .Fn krb5_build_principal "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..."
-
 .Ft krb5_error_code
 .Fn krb5_build_principal_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..."
-
 .Ft krb5_error_code
 .Fn krb5_build_principal_va "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap"
-
 .Ft krb5_error_code
 .Fn krb5_build_principal_va_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap"
-
 .Ft krb5_error_code
 .Fn krb5_make_principal "krb5_context context" "krb5_principal *principal" "krb5_const_realm realm" "..."
-
-
 .Sh DESCRIPTION
-
 These functions create a Kerberos 5 principal from a realm and a list
 of components.
 All of these functions return an allocated principal in the 
@@ -65,7 +56,6 @@ is a wrapper around
 If the realm is
 .Dv NULL ,
 the default realm will be used.
-
 .Sh BUGS
 You can not have a NUL in a component. Until someone can give a good
 example of where it would be a good idea to have NUL's in a component,
diff --git a/crypto/heimdal/lib/krb5/krb5_config.3 b/crypto/heimdal/lib/krb5/krb5_config.3
new file mode 100644
index 0000000..b5a74db
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_config.3
@@ -0,0 +1,71 @@
+.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
+.\" $Id: krb5_config.3,v 1.1 2000/07/25 10:22:46 joda Exp $
+.Dd July 25, 2000
+.Dt KRB5_CONFIG 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_config_get_bool_default ,
+.Nm krb5_config_get_int_default ,
+.Nm krb5_config_get_string_default ,
+.Nm krb5_config_get_time_default
+.Nd Get configuration value
+
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_boolean
+.Fn krb5_config_get_bool_default "krb5_context context" "krb5_config_section *c" "krb5_boolean def_value" "..."
+.Ft int
+.Fn krb5_config_get_int_default "krb5_context context" "krb5_config_section *c" "int def_value" "..."
+.Ft const char*
+.Fn krb5_config_get_string_default "krb5_context context" "krb5_config_section *c" "const char *def_value" "..."
+.Ft int
+.Fn krb5_config_get_time_default "krb5_context context" "krb5_config_section *c" "int def_value" "..."
+
+.Sh DESCRIPTION
+
+These functions get values from the 
+.Xr krb5.conf 5 
+configuration file, or another configuration database specified by the
+.Fa c
+parameter.
+
+The variable arguments should be a list of strings naming each
+subsection to look for. For example:
+
+.Bd -literal -offset indent
+krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults", "log_utc", NULL)
+.Ed
+
+gets the boolean value for the
+.Dv log_utc
+option, defaulting to
+.Dv FALSE .
+
+.Fn krb5_config_get_bool_default
+will convert the option value to a boolean value, where
+.Sq yes , 
+.Sq true ,
+and any non-zero number means
+.Dv TRUE ,
+and any other value 
+.Dv FALSE .
+
+.Fn krb5_config_get_int_default
+will convert the value to an integer.
+
+.Fn krb5_config_get_time_default
+will convert the value to a period of time (not a time stamp) in
+seconds, so the string
+.Sq 2 weeks
+will be converted to
+1209600 (2 * 7 * 24 * 60 * 60).
+
+.Sh BUGS
+
+Other than for the string case, there's no way to tell whether there
+was a value specified or not.
+
+.Sh SEE ALSO
+.Xr krb5_appdefault 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_context.3 b/crypto/heimdal/lib/krb5/krb5_context.3
new file mode 100644
index 0000000..83a768d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_context.3
@@ -0,0 +1,20 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_context.3,v 1.1 2001/01/28 21:39:29 assar Exp $
+.Dd Jan 21, 2001
+.Dt KRB5_CONTEXT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_context
+.Sh DESCRIPTION
+The
+.Nm
+structure is designed to hold all per thread state. All global
+variables that are context specific are stored in this struture,
+including default encryption types, credential-cache (ticket file), and
+default realms.
+.Pp
+The internals of the structure should never be accessed directly,
+functions exist for extracting information.
+.Sh SEE ALSO
+.Xr krb5_init_context 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_create_checksum.3 b/crypto/heimdal/lib/krb5/krb5_create_checksum.3
index e2362a9..9472ed6 100644
--- a/crypto/heimdal/lib/krb5/krb5_create_checksum.3
+++ b/crypto/heimdal/lib/krb5/krb5_create_checksum.3
@@ -1,5 +1,5 @@
 .\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" $Id: krb5_create_checksum.3,v 1.1 1999/04/18 13:47:11 joda Exp $
+.\" $Id: krb5_create_checksum.3,v 1.2 2001/01/26 22:43:21 assar Exp $
 .Dd April  7, 1999
 .Dt NAME 3
 .Os HEIMDAL
@@ -12,19 +12,14 @@
 .Nd creates and verifies checksums
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft krb5_error_code
 .Fn krb5_create_checksum "krb5_context context" "krb5_crypto crypto" "unsigned usage_or_type" "void *data" "size_t len" "Checksum *result"
-
 .Ft krb5_error_code
 .Fn krb5_verify_checksum "krb5_context context" "krb5_crypto crypto" "krb5_key_usage usage" "void *data" "size_t len" "Checksum *cksum"
-
 .Ft krb5_boolean
 .Fn krb5_checksum_is_collision_proof "krb5_context context" "krb5_cksumtype type"
-
 .Ft krb5_boolean
 .Fn krb5_checksum_is_keyed "krb5_context context" "krb5_cksumtype type"
-
 .Sh DESCRIPTION
 These functions are used to create and verify checksums.
 .Fn krb5_create_checksum 
@@ -60,7 +55,6 @@ value is a function of both the data, and a separate key). Examples of
 keyed hash algorithms are HMAC-SHA1-DES3, and RSA-MD5-DES. The 
 .Dq plain
 hash functions MD5, and SHA1 are not keyed.
-
 .\" .Sh EXAMPLE
 .\" .Sh BUGS
 .Sh SEE ALSO
diff --git a/crypto/heimdal/lib/krb5/krb5_crypto_init.3 b/crypto/heimdal/lib/krb5/krb5_crypto_init.3
index 29db8c1..7d46567 100644
--- a/crypto/heimdal/lib/krb5/krb5_crypto_init.3
+++ b/crypto/heimdal/lib/krb5/krb5_crypto_init.3
@@ -1,5 +1,5 @@
 .\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" $Id: krb5_crypto_init.3,v 1.1 1999/04/18 13:47:21 joda Exp $
+.\" $Id: krb5_crypto_init.3,v 1.2 2001/01/26 22:43:22 assar Exp $
 .Dd April  7, 1999
 .Dt NAME 3
 .Os HEIMDAL
@@ -9,13 +9,10 @@
 .Nd initialize encryption context
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft krb5_error_code
 .Fn krb5_crypto_init "krb5_context context" "krb5_keyblock *key" "krb5_enctype enctype" "krb5_crypto *crypto"
-
 .Ft krb5_error_code
 .Fn krb5_crypto_destroy "krb5_context context" "krb5_crypto crypto"
-
 .Sh DESCRIPTION
 These functions are used to initialize an encryption context that can
 be used to encrypt or checksum data.
@@ -33,7 +30,6 @@ with the
 .Pp
 .Fn krb5_crypto_destroy
 frees a previously allocated encrypion context.
-
 .\" .Sh EXAMPLE
 .\" .Sh BUGS
 .Sh SEE ALSO
diff --git a/crypto/heimdal/lib/krb5/krb5_encrypt.3 b/crypto/heimdal/lib/krb5/krb5_encrypt.3
index d8cc89e..291e503 100644
--- a/crypto/heimdal/lib/krb5/krb5_encrypt.3
+++ b/crypto/heimdal/lib/krb5/krb5_encrypt.3
@@ -1,5 +1,5 @@
 .\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" $Id: krb5_encrypt.3,v 1.1 1999/04/18 13:47:30 joda Exp $
+.\" $Id: krb5_encrypt.3,v 1.2 2001/01/26 22:43:22 assar Exp $
 .Dd April  7, 1999
 .Dt KRB5_ENCRYPT 3
 .Os HEIMDAL
@@ -11,19 +11,14 @@
 .Nd encrypt and decrypt data
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft krb5_error_code
 .Fn krb5_encrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result"
-
 .Ft krb5_error_code
 .Fn krb5_encrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "int kvno" "EncryptedData *result"
-
 .Ft krb5_error_code
 .Fn krb5_decrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result"
-
 .Ft krb5_error_code
 .Fn krb5_decrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "EncryptedData *e" "krb5_data *result"
-
 .Sh DESCRIPTION
 These functions are used to encrypt and decrypt data.
 .Pp
@@ -52,7 +47,6 @@ is not zero, it will be put in the
 and
 .Fn krb5_decrypt_EncryptedData
 works similarly.
-
 .\" .Sh EXAMPLE
 .\" .Sh BUGS
 .Sh SEE ALSO
diff --git a/crypto/heimdal/lib/krb5/krb5_err.et b/crypto/heimdal/lib/krb5/krb5_err.et
index 895ae66..3427923 100644
--- a/crypto/heimdal/lib/krb5/krb5_err.et
+++ b/crypto/heimdal/lib/krb5/krb5_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: krb5_err.et,v 1.8 2000/02/07 12:54:17 joda Exp $"
+id "$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $"
 
 error_table krb5
 
@@ -68,10 +68,30 @@ index 60
 error_code GENERIC,		"Generic error (see e-text)"
 error_code FIELD_TOOLONG,	"Field is too long for this implementation"
 
-# 62-127 are reserved
+# pkinit
+index 62
+prefix KDC_ERROR
+error_code CLIENT_NOT_TRUSTED,	"Client not trusted"
+error_code KDC_NOT_TRUSTED,	"KDC not trusted"
+error_code INVALID_SIG,		"Invalid signature"
+error_code KEY_TOO_WEAK,	"Key too weak"
+error_code CERTIFICATE_MISMATCH, "Certificate mismatch"
+prefix KRB5_AP_ERR
+error_code USER_TO_USER_REQUIRED, "User to user required"
+prefix KDC_ERROR
+error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate"
+error_code INVALID_CERTIFICATE,	"Invalid certificate"
+error_code REVOKED_CERTIFICATE,	"Revoked certificate"
+error_code REVOCATION_STATUS_UNKNOWN,	"Revocation status unknown"
+error_code REVOCATION_STATUS_UNAVAILABLE,"Revocation status unavailable"
+error_code CLIENT_NAME_MISMATCH,	"Client name mismatch"
+error_code KDC_NAME_MISMATCH,	"KDC name mismatch"
+
+# 77-127 are reserved
+
 index 128
 prefix
-error_code KRB5_ERR_RCSID,	"$Id: krb5_err.et,v 1.8 2000/02/07 12:54:17 joda Exp $"
+error_code KRB5_ERR_RCSID,	"$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $"
 
 error_code KRB5_LIBOS_BADLOCKFLAG,	"Invalid flag for file lock mode"
 error_code KRB5_LIBOS_CANTREADPWD,	"Cannot read password"
diff --git a/crypto/heimdal/lib/krb5/krb5_free_principal.3 b/crypto/heimdal/lib/krb5/krb5_free_principal.3
index ba5888a..1f318cc 100644
--- a/crypto/heimdal/lib/krb5/krb5_free_principal.3
+++ b/crypto/heimdal/lib/krb5/krb5_free_principal.3
@@ -1,27 +1,22 @@
 .\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" $Id: krb5_free_principal.3,v 1.1 1997/08/14 00:03:17 joda Exp $
+.\" $Id: krb5_free_principal.3,v 1.2 2001/01/26 22:43:22 assar Exp $
 .Dd August 8, 1997
 .Dt KRB5_FREE_PRINCIPAL 3
 .Os HEIMDAL
 .Sh NAME
 .Nm krb5_free_principal
 .Nd Principal free function
-
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft void
 .Fn krb5_free_principal "krb5_context context" "krb5_principal principal"
-
 .Sh DESCRIPTION
-
 The 
 .Fn krb5_free_principal
 will free a principal that has been created with
 .Fn krb5_build_principal ,
 .Fn krb5_parse_name ,
 or with some other function. 
-
 .Sh SEE ALSO
 .Xr krb5_425_conv_principal 3 ,
 .Xr krb5_build_principal 3 ,
diff --git a/crypto/heimdal/lib/krb5/krb5_init_context.3 b/crypto/heimdal/lib/krb5/krb5_init_context.3
new file mode 100644
index 0000000..7e27ec2
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_init_context.3
@@ -0,0 +1,38 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_init_context.3,v 1.1 2001/01/28 21:39:29 assar Exp $
+.Dd Jan 21, 2001
+.Dt KRB5_CONTEXT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_init_context ,
+.Nm krb5_free_context
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn krb5_init_context "krb5_context *context"
+.Ft void
+.Fn krb5_free_context "krb5_context *context"
+.Sh DESCRIPTION
+The
+.Fn krb5_init_context
+function initializes the
+.Fa context
+structure and reads the configration file
+.Pa /etc/krb5.conf .
+.Pp
+The structure should be freed by calling
+.Fn krb5_free_context
+when it is no longer being used.
+.Sh RETURN VALUES
+.Fn krb5_init_context
+returns 0 to indicate success.
+Otherwise an errno code is returned.
+Failure means either that something bad happened during initialization
+(typically
+.Bq ENOMEM )
+or that Kerberos should not be used
+.Bq ENXIO .
+.Sh SEE ALSO
+.Xr krb5_context 3 ,
+.Xr errno 2 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_openlog.3 b/crypto/heimdal/lib/krb5/krb5_openlog.3
index 87040ba..5576475 100644
--- a/crypto/heimdal/lib/krb5/krb5_openlog.3
+++ b/crypto/heimdal/lib/krb5/krb5_openlog.3
@@ -1,5 +1,5 @@
 .\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" $Id: krb5_openlog.3,v 1.4 1999/04/07 14:06:32 joda Exp $
+.\" $Id: krb5_openlog.3,v 1.5 2001/01/26 22:43:22 assar Exp $
 .Dd August 6, 1997
 .Dt KRB5_OPENLOG 3
 .Os HEIMDAL
@@ -16,40 +16,28 @@
 .Nd Heimdal logging functions
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
-.\" ouch!
-.ds xx \\*(fP\fR(\fP\\*(lI*\\*(fP
-.ds xy \fR)\|\fP
-.Fn "\\*(lItypedef void \\*(xxkrb5_log_log_func_t\\*(xy" "const char *time" "const char *message" "void *data" 
-.Fn "\\*(lItypedef void \\*(xxkrb5_log_close_func_t\\*(xy" "void *data" 
-
+.Ft "typedef void"
+.Fn "\*(lp*krb5_log_log_func_t\*(rp" "const char *time" "const char *message" "void *data" 
+.Ft "typedef void"
+.Fn "\*(lp*krb5_log_close_func_t\*(rp" "void *data" 
 .Ft krb5_error_code
 .Fn krb5_addlog_dest "krb5_context context" "krb5_log_facility *facility" "const char *destination"
-
 .Ft krb5_error_code
 .Fn krb5_addlog_func "krb5_context context" "krb5_log_facility *facility" "int min" "int max" "krb5_log_log_func_t log" "krb5_log_close_func_t close" "void *data"
-
 .Ft krb5_error_code
 .Fn krb5_closelog "krb5_context context" "krb5_log_facility *facility"
-
 .Ft krb5_error_code
 .Fn krb5_initlog "krb5_context context" "const char *program" "krb5_log_facility **facility"
-
 .Ft krb5_error_code
 .Fn krb5_log "krb5_context context" "krb5_log_facility *facility" "int level" "const char *format" "..."
-
 .Ft krb5_error_code
 .Fn krb5_log_msg "krb5_context context" "krb5_log_facility *facility" "char **reply" "int level" "const char *format" "..."
-
 .Ft krb5_error_code
 .Fn krb5_openlog "krb5_context context" "const char *program" "krb5_log_facility **facility"
-
 .Ft krb5_error_code
 .Fn krb5_vlog "krb5_context context" "krb5_log_facility *facility" "int level" "const char *format" "va_list arglist"
-
 .Ft krb5_error_code
 .Fn krb5_vlog_msg "krb5_context context" "krb5_log_facility *facility" "char **reply" "int level" "const char *format" "va_list arglist"
-
 .Sh DESCRIPTION
 These functions logs messages to one or more destinations.
 .Pp
@@ -97,7 +85,6 @@ is a standard
 .Fn printf
 style format string (but see the BUGS section).
 .Pp
-
 If you want better control of where things gets logged, you can instead of using 
 .Fn krb5_openlog
 call 
@@ -135,9 +122,7 @@ calls
 and then calls 
 .Fn krb5_addlog_dest
 for each destination found.
-
 .Ss Destinations
-
 The defined destinations (as specified in
 .Pa krb5.conf )
 follows:
diff --git a/crypto/heimdal/lib/krb5/krb5_parse_name.3 b/crypto/heimdal/lib/krb5/krb5_parse_name.3
index db9236c..c5b0c1d 100644
--- a/crypto/heimdal/lib/krb5/krb5_parse_name.3
+++ b/crypto/heimdal/lib/krb5/krb5_parse_name.3
@@ -1,20 +1,16 @@
 .\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" $Id: krb5_parse_name.3,v 1.1 1997/08/14 00:03:17 joda Exp $
+.\" $Id: krb5_parse_name.3,v 1.2 2001/01/26 22:43:22 assar Exp $
 .Dd August 8, 1997
 .Dt KRB5_PARSE_NAME 3
 .Os HEIMDAL
 .Sh NAME
 .Nm krb5_parse_name
 .Nd String to principal conversion
-
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft krb5_error_code
 .Fn krb5_parse_name "krb5_context context" "const char *name" "krb5_principal *principal"
-
 .Sh DESCRIPTION
-
 .Fn krb5_parse_name
 converts a string representation of a princpal name to
 .Nm krb5_principal .
diff --git a/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3 b/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3
index aea4150..2c9f405 100644
--- a/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3
+++ b/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3
@@ -1,5 +1,5 @@
 .\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" $Id: krb5_sname_to_principal.3,v 1.1 1997/08/14 00:03:18 joda Exp $
+.\" $Id: krb5_sname_to_principal.3,v 1.2 2001/01/26 22:43:22 assar Exp $
 .Dd August 8, 1997
 .Dt KRB5_PRINCIPAL 3
 .Os HEIMDAL
@@ -7,18 +7,13 @@
 .Nm krb5_sname_to_principal ,
 .Nm krb5_sock_to_principal
 .Nd Create a service principal
-
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft krb5_error_code
 .Fn krb5_sname_to_principal "krb5_context context" "const char *hostname" "const char *sname" "int32_t type" "krb5_principal *principal"
-
 .Ft krb5_error_code
 .Fn krb5_sock_to_principal "krb5_context context" "int socket" "const char *sname" "int32_t type" "krb5_principal *principal"
-
 .Sh DESCRIPTION
-
 These functions create a 
 .Dq service
 principal that can, for instance, be used to lookup a key in a keytab. For both these function the
@@ -49,7 +44,6 @@ of the passed
 which should be a bound
 .Dv AF_INET
 socket.
-
 .Sh SEE ALSO
 .Xr krb5_425_conv_principal 3 ,
 .Xr krb5_build_principal 3 ,
diff --git a/crypto/heimdal/lib/krb5/krb5_unparse_name.3 b/crypto/heimdal/lib/krb5/krb5_unparse_name.3
index 13277d6..5a744af 100644
--- a/crypto/heimdal/lib/krb5/krb5_unparse_name.3
+++ b/crypto/heimdal/lib/krb5/krb5_unparse_name.3
@@ -1,5 +1,5 @@
 .\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" $Id: krb5_unparse_name.3,v 1.1 1997/08/14 00:03:19 joda Exp $
+.\" $Id: krb5_unparse_name.3,v 1.2 2001/01/26 22:43:22 assar Exp $
 .Dd August 8, 1997
 .Dt KRB5_UNPARSE_NAME 3
 .Os HEIMDAL
@@ -7,25 +7,19 @@
 .Nm krb5_unparse_name
 .\" .Nm krb5_unparse_name_ext
 .Nd Principal to string conversion
-
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft krb5_error_code
 .Fn krb5_unparse_name "krb5_context context" "krb5_principal principal" "char **name"
-
 .\" .Ft krb5_error_code
 .\" .Fn krb5_unparse_name_ext "krb5_context context" "krb5_const_principal principal" "char **name" "size_t *size"
-
 .Sh DESCRIPTION
-
 This function takes a
 .Fa principal ,
 and will convert in to a printable representation with the same syntax as decribed in
 .Xr krb5_parse_name 3 .
 .Fa *name 
 will point to allocated data and should be freed by the caller.
-
 .Sh SEE ALSO
 .Xr krb5_425_conv_principal 3 ,
 .Xr krb5_build_principal 3 ,
diff --git a/crypto/heimdal/lib/krb5/krb5_warn.3 b/crypto/heimdal/lib/krb5/krb5_warn.3
index 521da0e..ae3a330 100644
--- a/crypto/heimdal/lib/krb5/krb5_warn.3
+++ b/crypto/heimdal/lib/krb5/krb5_warn.3
@@ -1,5 +1,5 @@
 .\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" $Id: krb5_warn.3,v 1.2 1997/08/08 03:45:55 joda Exp $
+.\" $Id: krb5_warn.3,v 1.3 2001/01/26 22:43:23 assar Exp $
 .Dd August 8, 1997
 .Dt KRB5_WARN 3
 .Os HEIMDAL
@@ -16,36 +16,25 @@
 .Nd Heimdal warning and error functions
 .Sh SYNOPSIS
 .Fd #include <krb5.h>
-
 .Ft krb5_error_code
 .Fn krb5_err "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "..."
-
 .Ft krb5_error_code
 .Fn krb5_errx "krb5_context context" "int eval" "const char *format" "..."
-
 .Ft krb5_error_code
 .Fn krb5_verr "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "va_list ap"
-
 .Ft krb5_error_code
 .Fn krb5_verrx "krb5_context context" "int eval" "const char *format" "va_list ap"
-
 .Ft krb5_error_code
 .Fn krb5_vwarn "krb5_context context" "krb5_error_code code" "const char *format" "va_list ap"
-
 .Ft krb5_error_code
 .Fn krb5_vwarnx "krb5_context context" "const char *format" "va_list ap"
-
 .Ft krb5_error_code
 .Fn krb5_warn "krb5_context context" "krb5_error_code code" "const char *format" "..."
-
 .Ft krb5_error_code
 .Fn krb5_warnx "krb5_context context" "const char *format" "..."
-
 .Ft krb5_error_code
 .Fn krb5_set_warn_dest "krb5_context context" "krb5_log_facility *facility"
-
 .Sh DESCRIPTION
-
 These functions prints a warning message to some destination.
 .Fa format
 is a printf style format specifying the message to print. The forms not ending in an
@@ -68,6 +57,5 @@ Messages logged with the
 functions have a log level of 1, while the
 .Dq err
 functions logs with level 0.
-
 .Sh SEE ALSO
 .Xr krb5_openlog 3
diff --git a/crypto/heimdal/lib/krb5/krbhst.c b/crypto/heimdal/lib/krb5/krbhst.c
index 8d5c4e4..b257e8b 100644
--- a/crypto/heimdal/lib/krb5/krbhst.c
+++ b/crypto/heimdal/lib/krb5/krbhst.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "krb5_locl.h"
 #include <resolve.h>
 
-RCSID("$Id: krbhst.c,v 1.23 1999/12/11 23:14:25 assar Exp $");
+RCSID("$Id: krbhst.c,v 1.25 2001/01/19 04:30:54 assar Exp $");
 
 /*
  * assuming that `*res' contains `*count' strings, add a copy of `string'.
@@ -58,6 +58,11 @@ add_string(char ***res, int *count, const char *string)
     return 0;
 }
 
+/*
+ * do a SRV lookup for `realm, proto, service' returning the result
+ * in `res, count'
+ */
+
 static krb5_error_code
 srv_find_realm(krb5_context context, char ***res, int *count, 
 	       const char *realm, const char *proto, const char *service)
@@ -131,7 +136,7 @@ get_krbhst (krb5_context context,
 				  "realms", *realm, conf_string, NULL);
     for(r = res, count = 0; r && *r; r++, count++);
 
-    if(context->srv_lookup) {
+    if(count == 0 && context->srv_lookup) {
 	char *s[] = { "udp", "tcp", "http" }, **q;
 	for(q = s; q < s + sizeof(s) / sizeof(s[0]); q++) {
 	    ret = srv_find_realm(context, &res, &count, *realm, *q,
@@ -157,6 +162,10 @@ get_krbhst (krb5_context context,
     return 0;
 }
 
+/*
+ * set `hostlist' to a malloced list of kadmin servers.
+ */
+
 krb5_error_code
 krb5_get_krb_admin_hst (krb5_context context,
 			const krb5_realm *realm,
@@ -166,15 +175,30 @@ krb5_get_krb_admin_hst (krb5_context context,
 		       hostlist);
 }
 
+/*
+ * set `hostlist' to a malloced list of changepw servers.
+ */
+
 krb5_error_code
 krb5_get_krb_changepw_hst (krb5_context context,
 			   const krb5_realm *realm,
 			   char ***hostlist)
 {
-    return get_krbhst (context, realm, "admin_server", "kpasswd",
-		       hostlist);
+    krb5_error_code ret;
+
+    ret = get_krbhst (context, realm, "kpasswd_server", "kpasswd",
+		      hostlist);
+    if (ret)
+	return ret;
+    ret = get_krbhst (context, realm, "admin_server", "kpasswd",
+		      hostlist);
+    return ret;
 }
 
+/*
+ * set `hostlist' to a malloced list of kerberos servers.
+ */
+
 krb5_error_code
 krb5_get_krbhst (krb5_context context,
 		 const krb5_realm *realm,
@@ -183,6 +207,10 @@ krb5_get_krbhst (krb5_context context,
     return get_krbhst (context, realm, "kdc", "kerberos", hostlist);
 }
 
+/*
+ * free all memory associated with `hostlist'
+ */
+
 krb5_error_code
 krb5_free_krbhst (krb5_context context,
 		  char **hostlist)
diff --git a/crypto/heimdal/lib/krb5/log.c b/crypto/heimdal/lib/krb5/log.c
index e1511e2..37bff1d 100644
--- a/crypto/heimdal/lib/krb5/log.c
+++ b/crypto/heimdal/lib/krb5/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: log.c,v 1.21 1999/12/02 17:05:11 joda Exp $");
+RCSID("$Id: log.c,v 1.25 2000/09/17 21:46:07 assar Exp $");
 
 struct facility {
     int min;
@@ -56,14 +56,14 @@ log_realloc(krb5_log_facility *f)
     return fp;
 }
 
-struct s2i{
+struct s2i {
     char *s;
     int val;
 };
 
 #define L(X) { #X, LOG_ ## X }
 
-struct s2i syslogvals[] = {
+static struct s2i syslogvals[] = {
     L(EMERG),
     L(ALERT),
     L(CRIT),
@@ -356,18 +356,22 @@ krb5_vlog_msg(krb5_context context,
      __attribute__((format (printf, 5, 0)))
 {
     char *msg;
+    const char *actual;
     char buf[64];
     time_t t;
     int i;
 
     vasprintf(&msg, fmt, ap);
+    if (msg != NULL)
+	actual = msg;
+    else
+	actual = fmt;
     t = time(NULL);
-    strftime(buf, sizeof(buf), context->time_fmt, 
-	     context->log_utc ? gmtime(&t) : localtime(&t));
+    krb5_format_time(context, t, buf, sizeof(buf), TRUE);
     for(i = 0; i < fac->len; i++)
 	if(fac->val[i].min <= level && 
 	   (fac->val[i].max < 0 || fac->val[i].max >= level))
-	    (*fac->val[i].log)(buf, msg, fac->val[i].data);
+	    (*fac->val[i].log)(buf, actual, fac->val[i].data);
     *reply = msg;
     return 0;
 }
diff --git a/crypto/heimdal/lib/krb5/mcache.c b/crypto/heimdal/lib/krb5/mcache.c
index d45deea..29c5cfd 100644
--- a/crypto/heimdal/lib/krb5/mcache.c
+++ b/crypto/heimdal/lib/krb5/mcache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,43 +33,97 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: mcache.c,v 1.10 1999/12/02 17:05:11 joda Exp $");
+RCSID("$Id: mcache.c,v 1.12 2000/11/15 02:12:51 assar Exp $");
 
 typedef struct krb5_mcache {
+    char *name;
+    unsigned int refcnt;
     krb5_principal primary_principal;
     struct link {
 	krb5_creds cred;
 	struct link *next;
     } *creds;
+    struct krb5_mcache *next;
 } krb5_mcache;
 
+static struct krb5_mcache *mcc_head;
+
+#define	MCACHE(X)	((krb5_mcache *)(X)->data.data)
+
+#define MISDEAD(X)	((X)->primary_principal == NULL)
+
 #define MCC_CURSOR(C) ((struct link*)(C))
 
 static char*
 mcc_get_name(krb5_context context,
 	     krb5_ccache id)
 {
-    return "";			/* XXX */
+    return MCACHE(id)->name;
+}
+
+static krb5_mcache *
+mcc_alloc(const char *name)
+{
+    krb5_mcache *m;
+    ALLOC(m, 1);
+    if(m == NULL)
+	return NULL;
+    if(name == NULL)
+	asprintf(&m->name, "%p", m);
+    else
+	m->name = strdup(name);
+    if(m->name == NULL) {
+	free(m);
+	return NULL;
+    }
+    m->refcnt = 1;
+    m->primary_principal = NULL;
+    m->creds = NULL;
+    m->next = mcc_head;
+    mcc_head = m;
+    return m;
 }
 
 static krb5_error_code
 mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
 {
-    krb5_abortx(context, "unimplemented mcc_resolve called");
+    krb5_mcache *m;
+
+    for (m = mcc_head; m != NULL; m = m->next)
+	if (strcmp(m->name, res) == 0)
+	    break;
+
+    if (m != NULL) {
+	m->refcnt++;
+	(*id)->data.data = m;
+	(*id)->data.length = sizeof(*m);
+	return 0;
+    }
+
+    m = mcc_alloc(res);
+    if (m == NULL)
+	return KRB5_CC_NOMEM;
+    
+    (*id)->data.data = m;
+    (*id)->data.length = sizeof(*m);
+
+    return 0;
 }
 
+
 static krb5_error_code
 mcc_gen_new(krb5_context context, krb5_ccache *id)
 {
     krb5_mcache *m;
 
-    m = malloc (sizeof(*m));
+    m = mcc_alloc(NULL);
+
     if (m == NULL)
 	return KRB5_CC_NOMEM;
-    m->primary_principal = NULL;
-    m->creds = NULL;
+
     (*id)->data.data = m;
     (*id)->data.length = sizeof(*m);
+
     return 0;
 }
 
@@ -78,37 +132,25 @@ mcc_initialize(krb5_context context,
 	       krb5_ccache id,
 	       krb5_principal primary_principal)
 {
-    krb5_error_code ret;
-    krb5_mcache *m;
-
-    m = (krb5_mcache *)id->data.data;
-
-    ret = krb5_copy_principal (context,
-			       primary_principal,
-			       &m->primary_principal);
-    if (ret)
-	return ret;
-    return 0;
+    return krb5_copy_principal (context,
+				primary_principal,
+				&MCACHE(id)->primary_principal);
 }
 
 static krb5_error_code
 mcc_close(krb5_context context,
 	  krb5_ccache id)
 {
-    krb5_mcache *m = (krb5_mcache *)id->data.data;
-    struct link *l;
+    krb5_mcache *m = MCACHE(id);
 
-    krb5_free_principal (context, m->primary_principal);
-    l = m->creds;
-    while (l != NULL) {
-	struct link *old;
+    if (--m->refcnt != 0)
+	return 0;
 
-	krb5_free_creds_contents (context, &l->cred);
-	old = l;
-	l = l->next;
-	free (old);
+    if (MISDEAD(m)) {
+	free (m->name);
+	krb5_data_free(&id->data);
     }
-    krb5_data_free(&id->data);
+
     return 0;
 }
 
@@ -116,6 +158,35 @@ static krb5_error_code
 mcc_destroy(krb5_context context,
 	    krb5_ccache id)
 {
+    krb5_mcache **n, *m = MCACHE(id);
+    struct link *l;
+
+    if (m->refcnt == 0)
+	krb5_abortx(context, "mcc_destroy: refcnt already 0");
+
+    if (!MISDEAD(m)) {
+	/* if this is an active mcache, remove it from the linked
+           list, and free all data */
+	for(n = &mcc_head; n && *n; n = &(*n)->next) {
+	    if(m == *n) {
+		*n = m->next;
+		break;
+	    }
+	}
+	krb5_free_principal (context, m->primary_principal);
+	m->primary_principal = NULL;
+	
+	l = m->creds;
+	while (l != NULL) {
+	    struct link *old;
+	    
+	    krb5_free_creds_contents (context, &l->cred);
+	    old = l;
+	    l = l->next;
+	    free (old);
+	}
+	m->creds = NULL;
+    }
     return 0;
 }
 
@@ -124,10 +195,13 @@ mcc_store_cred(krb5_context context,
 	       krb5_ccache id,
 	       krb5_creds *creds)
 {
+    krb5_mcache *m = MCACHE(id);
     krb5_error_code ret;
-    krb5_mcache *m = (krb5_mcache *)id->data.data;
     struct link *l;
 
+    if (MISDEAD(m))
+	return ENOENT;
+
     l = malloc (sizeof(*l));
     if (l == NULL)
 	return KRB5_CC_NOMEM;
@@ -148,7 +222,10 @@ mcc_get_principal(krb5_context context,
 		  krb5_ccache id,
 		  krb5_principal *principal)
 {
-    krb5_mcache *m = (krb5_mcache *)id->data.data;
+    krb5_mcache *m = MCACHE(id);
+
+    if (MISDEAD(m))
+	return ENOENT;
 
     return krb5_copy_principal (context,
 				m->primary_principal,
@@ -160,7 +237,11 @@ mcc_get_first (krb5_context context,
 	       krb5_ccache id,
 	       krb5_cc_cursor *cursor)
 {
-    krb5_mcache *m = (krb5_mcache *)id->data.data;
+    krb5_mcache *m = MCACHE(id);
+
+    if (MISDEAD(m))
+	return ENOENT;
+
     *cursor = m->creds;
     return 0;
 }
@@ -171,8 +252,12 @@ mcc_get_next (krb5_context context,
 	      krb5_cc_cursor *cursor,
 	      krb5_creds *creds)
 {
+    krb5_mcache *m = MCACHE(id);
     struct link *l;
 
+    if (MISDEAD(m))
+	return ENOENT;
+
     l = *cursor;
     if (l != NULL) {
 	*cursor = l->next;
@@ -195,9 +280,19 @@ static krb5_error_code
 mcc_remove_cred(krb5_context context,
 		 krb5_ccache id,
 		 krb5_flags which,
-		 krb5_creds *cred)
+		 krb5_creds *mcreds)
 {
-    return 0; /* XXX */
+    krb5_mcache *m = MCACHE(id);
+    struct link **q, *p;
+    for(q = &m->creds, p = *q; p; p = *q) {
+	if(krb5_compare_creds(context, which, mcreds, &p->cred)) {
+	    *q = p->next;
+	    krb5_free_cred_contents(context, &p->cred);
+	    free(p);
+	} else
+	    q = &p->next;
+    }
+    return 0;
 }
 
 static krb5_error_code
diff --git a/crypto/heimdal/lib/krb5/mk_priv.c b/crypto/heimdal/lib/krb5/mk_priv.c
index 1ee2bed..c880f10 100644
--- a/crypto/heimdal/lib/krb5/mk_priv.c
+++ b/crypto/heimdal/lib/krb5/mk_priv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: mk_priv.c,v 1.25 1999/12/02 17:05:11 joda Exp $");
+RCSID("$Id: mk_priv.c,v 1.28 2000/08/18 06:48:07 assar Exp $");
 
 /*
  *
@@ -52,7 +52,7 @@ krb5_mk_priv(krb5_context context,
   u_char *buf;
   size_t buf_size;
   size_t len;
-  int tmp_seq;
+  u_int32_t tmp_seq;
   krb5_keyblock *key;
   int32_t sec, usec;
   KerberosTime sec2;
@@ -76,7 +76,7 @@ krb5_mk_priv(krb5_context context,
   usec2          = usec;
   part.usec      = &usec2;
   if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-    tmp_seq = ++auth_context->local_seqnumber;
+    tmp_seq = auth_context->local_seqnumber;
     part.seq_number = &tmp_seq;
   } else {
     part.seq_number = NULL;
@@ -117,7 +117,11 @@ krb5_mk_priv(krb5_context context,
   s.enc_part.etype = key->keytype;
   s.enc_part.kvno = NULL;
 
-  krb5_crypto_init(context, key, 0, &crypto);
+  ret = krb5_crypto_init(context, key, 0, &crypto);
+  if (ret) {
+      free (buf);
+      return ret;
+  }
   ret = krb5_encrypt (context, 
 		      crypto,
 		      KRB5_KU_KRB_PRIV,
@@ -159,6 +163,9 @@ krb5_mk_priv(krb5_context context,
   }
   memcpy (outbuf->data, buf + buf_size - len, len);
   free (buf);
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
+      auth_context->local_seqnumber =
+	  (auth_context->local_seqnumber + 1) & 0xFFFFFFFF;
   return 0;
 
 fail:
diff --git a/crypto/heimdal/lib/krb5/mk_rep.c b/crypto/heimdal/lib/krb5/mk_rep.c
index 060be03..ad750b0 100644
--- a/crypto/heimdal/lib/krb5/mk_rep.c
+++ b/crypto/heimdal/lib/krb5/mk_rep.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,11 +33,11 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: mk_rep.c,v 1.16 1999/12/02 17:05:11 joda Exp $");
+RCSID("$Id: mk_rep.c,v 1.18 2000/12/06 20:57:23 joda Exp $");
 
 krb5_error_code
 krb5_mk_rep(krb5_context context,
-	    krb5_auth_context *auth_context,
+	    krb5_auth_context auth_context,
 	    krb5_data *outbuf)
 {
   krb5_error_code ret;
@@ -53,21 +53,21 @@ krb5_mk_rep(krb5_context context,
 
   memset (&body, 0, sizeof(body));
 
-  body.ctime = (*auth_context)->authenticator->ctime;
-  body.cusec = (*auth_context)->authenticator->cusec;
+  body.ctime = auth_context->authenticator->ctime;
+  body.cusec = auth_context->authenticator->cusec;
   body.subkey = NULL;
-  if ((*auth_context)->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
     krb5_generate_seq_number (context,
-			      (*auth_context)->keyblock,
-			      &(*auth_context)->local_seqnumber);
+			      auth_context->keyblock,
+			      &auth_context->local_seqnumber);
     body.seq_number = malloc (sizeof(*body.seq_number));
     if (body.seq_number == NULL)
 	return ENOMEM;
-    *(body.seq_number) = (*auth_context)->local_seqnumber;
+    *(body.seq_number) = auth_context->local_seqnumber;
   } else
     body.seq_number = NULL;
 
-  ap.enc_part.etype = (*auth_context)->keyblock->keytype;
+  ap.enc_part.etype = auth_context->keyblock->keytype;
   ap.enc_part.kvno  = NULL;
 
   buf_size = length_EncAPRepPart(&body);
@@ -84,8 +84,12 @@ krb5_mk_rep(krb5_context context,
 				  &len);
 
   free_EncAPRepPart (&body);
-  krb5_crypto_init(context, (*auth_context)->keyblock, 
-		   0 /* ap.enc_part.etype */, &crypto);
+  ret = krb5_crypto_init(context, auth_context->keyblock, 
+			 0 /* ap.enc_part.etype */, &crypto);
+  if (ret) {
+      free (buf);
+      return ret;
+  }
   ret = krb5_encrypt (context,
 		      crypto,
 		      KRB5_KU_AP_REQ_ENC_PART,
diff --git a/crypto/heimdal/lib/krb5/mk_req.c b/crypto/heimdal/lib/krb5/mk_req.c
index 55ecd46..a30c19e 100644
--- a/crypto/heimdal/lib/krb5/mk_req.c
+++ b/crypto/heimdal/lib/krb5/mk_req.c
@@ -33,23 +33,19 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: mk_req.c,v 1.20 2000/01/16 10:22:42 assar Exp $");
+RCSID("$Id: mk_req.c,v 1.22 2000/11/15 06:50:53 assar Exp $");
 
 krb5_error_code
-krb5_mk_req(krb5_context context,
-	    krb5_auth_context *auth_context,
-	    const krb5_flags ap_req_options,
-	    const char *service,
-	    const char *hostname,
-	    krb5_data *in_data,
-	    krb5_ccache ccache,
-	    krb5_data *outbuf)
+krb5_mk_req_exact(krb5_context context,
+		  krb5_auth_context *auth_context,
+		  const krb5_flags ap_req_options,
+		  const krb5_principal server,
+		  krb5_data *in_data,
+		  krb5_ccache ccache,
+		  krb5_data *outbuf)
 {
     krb5_error_code ret;
     krb5_creds this_cred, *cred;
-    char **realms;
-    krb5_data realm_data;
-    char *real_hostname;
 
     memset(&this_cred, 0, sizeof(this_cred));
 
@@ -58,34 +54,18 @@ krb5_mk_req(krb5_context context,
     if(ret)
 	return ret;
 
-    ret = krb5_expand_hostname_realms (context, hostname,
-				       &real_hostname, &realms);
+    ret = krb5_copy_principal (context, server, &this_cred.server);
     if (ret) {
-	krb5_free_principal (context, this_cred.client);
+	krb5_free_creds_contents (context, &this_cred);
 	return ret;
     }
 
-    realm_data.length = strlen(*realms);
-    realm_data.data   = *realms;
-
-    ret = krb5_build_principal (context, &this_cred.server,
-				strlen(*realms),
-				*realms,
-				service,
-				real_hostname,
-				NULL);
-    free (real_hostname);
-    krb5_free_host_realm (context, realms);
-
-    if (ret) {
-	krb5_free_principal (context, this_cred.client);
-	return ret;
-    }
     this_cred.times.endtime = 0;
     if (auth_context && *auth_context && (*auth_context)->keytype)
 	this_cred.session.keytype = (*auth_context)->keytype;
 
     ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred);
+    krb5_free_creds_contents(context, &this_cred);
     if (ret)
 	return ret;
 
@@ -96,3 +76,39 @@ krb5_mk_req(krb5_context context,
 				 cred,
 				 outbuf);
 }
+
+krb5_error_code
+krb5_mk_req(krb5_context context,
+	    krb5_auth_context *auth_context,
+	    const krb5_flags ap_req_options,
+	    const char *service,
+	    const char *hostname,
+	    krb5_data *in_data,
+	    krb5_ccache ccache,
+	    krb5_data *outbuf)
+{
+    krb5_error_code ret;
+    char **realms;
+    char *real_hostname;
+    krb5_principal server;
+
+    ret = krb5_expand_hostname_realms (context, hostname,
+				       &real_hostname, &realms);
+    if (ret)
+	return ret;
+
+    ret = krb5_build_principal (context, &server,
+				strlen(*realms),
+				*realms,
+				service,
+				real_hostname,
+				NULL);
+    free (real_hostname);
+    krb5_free_host_realm (context, realms);
+    if (ret)
+	return ret;
+    ret = krb5_mk_req_exact (context, auth_context, ap_req_options,
+			     server, in_data, ccache, outbuf);
+    krb5_free_principal (context, server);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/mk_req_ext.c b/crypto/heimdal/lib/krb5/mk_req_ext.c
index 2b7b886..f0f572c 100644
--- a/crypto/heimdal/lib/krb5/mk_req_ext.c
+++ b/crypto/heimdal/lib/krb5/mk_req_ext.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: mk_req_ext.c,v 1.21 1999/12/02 17:05:11 joda Exp $");
+RCSID("$Id: mk_req_ext.c,v 1.24 2000/11/15 07:01:26 assar Exp $");
 
 krb5_error_code
 krb5_mk_req_internal(krb5_context context,
@@ -42,7 +42,8 @@ krb5_mk_req_internal(krb5_context context,
 		     krb5_data *in_data,
 		     krb5_creds *in_creds,
 		     krb5_data *outbuf,
-		     krb5_key_usage usage)
+		     krb5_key_usage checksum_usage,
+		     krb5_key_usage encrypt_usage)
 {
   krb5_error_code ret;
   krb5_data authenticator;
@@ -88,6 +89,11 @@ krb5_mk_req_internal(krb5_context context,
   krb5_free_keyblock(context, ac->keyblock);
   krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
   
+  /* it's unclear what type of checksum we can use.  try the best one, except:
+   * a) if it's configured differently for the current realm, or
+   * b) if the session key is des-cbc-crc
+   */
+
   if (in_data) {
       if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
 	  /* this is to make DCE secd (and older MIT kdcs?) happy */
@@ -99,10 +105,13 @@ krb5_mk_req_internal(krb5_context context,
 				     &c);
       } else {
 	  krb5_crypto crypto;
-	  krb5_crypto_init(context, ac->keyblock, 0, &crypto);
+
+	  ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
+	  if (ret)
+	      return ret;
 	  ret = krb5_create_checksum(context, 
 				     crypto,
-				     usage,
+				     checksum_usage,
 				     in_data->data,
 				     in_data->length,
 				     &c);
@@ -120,7 +129,8 @@ krb5_mk_req_internal(krb5_context context,
 				  in_creds,
 				  c_opt,
 				  NULL,
-				  &authenticator);
+				  &authenticator,
+				  encrypt_usage);
   if (c_opt)
       free_Checksum (c_opt);
   if (ret)
@@ -147,5 +157,6 @@ krb5_mk_req_extended(krb5_context context,
 				 in_data,
 				 in_creds,
 				 outbuf,
-				 KRB5_KU_AP_REQ_AUTH_CKSUM);
+				 KRB5_KU_AP_REQ_AUTH_CKSUM,
+				 KRB5_KU_AP_REQ_AUTH);
 }
diff --git a/crypto/heimdal/lib/krb5/mk_safe.c b/crypto/heimdal/lib/krb5/mk_safe.c
index 4d848a6..2803d38 100644
--- a/crypto/heimdal/lib/krb5/mk_safe.c
+++ b/crypto/heimdal/lib/krb5/mk_safe.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: mk_safe.c,v 1.20 1999/12/02 17:05:11 joda Exp $");
+RCSID("$Id: mk_safe.c,v 1.24 2000/08/18 06:48:40 assar Exp $");
 
 krb5_error_code
 krb5_mk_safe(krb5_context context,
@@ -50,7 +50,7 @@ krb5_mk_safe(krb5_context context,
   u_char *buf = NULL;
   size_t buf_size;
   size_t len;
-  int tmp_seq;
+  u_int32_t tmp_seq;
   krb5_crypto crypto;
 
   s.pvno = 5;
@@ -64,7 +64,7 @@ krb5_mk_safe(krb5_context context,
   usec2                  = usec2;
   s.safe_body.usec       = &usec2;
   if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-      tmp_seq = ++auth_context->local_seqnumber;
+      tmp_seq = auth_context->local_seqnumber;
       s.safe_body.seq_number = &tmp_seq;
   } else 
       s.safe_body.seq_number = NULL;
@@ -76,13 +76,20 @@ krb5_mk_safe(krb5_context context,
   s.cksum.checksum.data   = NULL;
   s.cksum.checksum.length = 0;
 
-
   buf_size = length_KRB_SAFE(&s);
   buf = malloc(buf_size + 128); /* add some for checksum */
   if(buf == NULL)
       return ENOMEM;
   ret = encode_KRB_SAFE (buf + buf_size - 1, buf_size, &s, &len);
+  if (ret) {
+      free (buf);
+      return ret;
+  }
   ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+  if (ret) {
+      free (buf);
+      return ret;
+  }
   ret = krb5_create_checksum(context, 
 			     crypto,
 			     KRB5_KU_KRB_SAFE_CKSUM,
@@ -111,5 +118,8 @@ krb5_mk_safe(krb5_context context,
   }
   memcpy (outbuf->data, buf + buf_size - len, len);
   free (buf);
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
+      auth_context->local_seqnumber =
+	  (auth_context->local_seqnumber + 1) & 0xFFFFFFFF;
   return 0;
 }
diff --git a/crypto/heimdal/lib/krb5/principal.c b/crypto/heimdal/lib/krb5/principal.c
index 2999868..7be1d93 100644
--- a/crypto/heimdal/lib/krb5/principal.c
+++ b/crypto/heimdal/lib/krb5/principal.c
@@ -38,9 +38,10 @@
 #ifdef HAVE_ARPA_NAMESER_H
 #include <arpa/nameser.h>
 #endif
+#include <fnmatch.h>
 #include "resolve.h"
 
-RCSID("$Id: principal.c,v 1.63 2000/02/07 03:19:05 assar Exp $");
+RCSID("$Id: principal.c,v 1.73 2000/10/16 03:42:14 assar Exp $");
 
 #define princ_num_comp(P) ((P)->name.name_string.len)
 #define princ_type(P) ((P)->name.name_type)
@@ -494,6 +495,9 @@ krb5_copy_principal(krb5_context context,
     return 0;
 }
 
+/*
+ * return TRUE iff princ1 == princ2 (without considering the realm)
+ */
 
 krb5_boolean
 krb5_principal_compare_any_realm(krb5_context context,
@@ -510,6 +514,10 @@ krb5_principal_compare_any_realm(krb5_context context,
     return TRUE;
 }
 
+/*
+ * return TRUE iff princ1 == princ2
+ */
+
 krb5_boolean
 krb5_principal_compare(krb5_context context,
 		       krb5_const_principal princ1,
@@ -520,6 +528,9 @@ krb5_principal_compare(krb5_context context,
     return krb5_principal_compare_any_realm(context, princ1, princ2);
 }
 
+/*
+ * return TRUE iff realm(princ1) == realm(princ2)
+ */
 
 krb5_boolean
 krb5_realm_compare(krb5_context context,
@@ -529,22 +540,52 @@ krb5_realm_compare(krb5_context context,
     return strcmp(princ_realm(princ1), princ_realm(princ2)) == 0;
 }
 
+/*
+ * return TRUE iff princ matches pattern
+ */
+
+krb5_boolean
+krb5_principal_match(krb5_context context,
+		     krb5_const_principal princ,
+		     krb5_const_principal pattern)
+{
+    int i;
+    if(princ_num_comp(princ) != princ_num_comp(pattern))
+	return FALSE;
+    if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0)
+	return FALSE;
+    for(i = 0; i < princ_num_comp(princ); i++){
+	if(fnmatch(princ_ncomp(pattern, i), princ_ncomp(princ, i), 0) != 0)
+	    return FALSE;
+    }
+    return TRUE;
+}
+
+
 struct v4_name_convert {
     const char *from;
     const char *to; 
 } default_v4_name_convert[] = {
-    { "ftp", "ftp" },
-    { "hprop", "hprop" },
-    { "pop", "pop" },
-    { "rcmd", "host" },
+    { "ftp",	"ftp" },
+    { "hprop",	"hprop" },
+    { "pop",	"pop" },
+    { "imap",	"imap" },
+    { "rcmd",	"host" },
     { NULL, NULL }
 };
 
+/*
+ * return the converted instance name of `name' in `realm'.
+ * look in the configuration file and then in the default set above.
+ * return NULL if no conversion is appropriate.
+ */
+
 static const char*
 get_name_conversion(krb5_context context, const char *realm, const char *name)
 {
     struct v4_name_convert *q;
     const char *p;
+
     p = krb5_config_get_string(context, NULL, "realms", realm,
 			       "v4_name_convert", "host", name, NULL);
     if(p == NULL)
@@ -577,6 +618,12 @@ get_name_conversion(krb5_context context, const char *realm, const char *name)
     return NULL;
 }
 
+/*
+ * convert the v4 principal `name.instance@realm' to a v5 principal in `princ'.
+ * if `resolve', use DNS.
+ * if `func', use that function for validating the conversion
+ */
+
 krb5_error_code
 krb5_425_conv_principal_ext(krb5_context context,
 			    const char *name,
@@ -589,7 +636,7 @@ krb5_425_conv_principal_ext(krb5_context context,
     const char *p;
     krb5_error_code ret;
     krb5_principal pr;
-    char host[128];
+    char host[MAXHOSTNAMELEN];
 
     /* do the following: if the name is found in the
        `v4_name_convert:host' part, is is assumed to be a `host' type
@@ -635,7 +682,17 @@ krb5_425_conv_principal_ext(krb5_context context,
 	    inst = hp->h_name;
 #endif
 	if(inst) {
-	    ret = krb5_make_principal(context, &pr, realm, name, inst, NULL);
+	    char *low_inst = strdup(inst);
+
+	    if (low_inst == NULL) {
+#ifdef USE_RESOLVER
+		dns_free_data(r);
+#endif
+		return ENOMEM;
+	    }
+	    ret = krb5_make_principal(context, &pr, realm, name, low_inst,
+				      NULL);
+	    free (low_inst);
 	    if(ret == 0) {
 		if(func == NULL || (*func)(context, pr)){
 		    *princ = pr;
@@ -673,8 +730,7 @@ krb5_425_conv_principal_ext(krb5_context context,
     p = krb5_config_get_string(context, NULL, "realms", realm, 
 			       "default_domain", NULL);
     if(p == NULL){
-	/* should this be an error or should it silently
-	   succeed? */
+	/* this should be an error, just faking a name is not good */
 	return HEIM_ERR_V4_PRINC_NO_CONV;
     }
 	
@@ -801,6 +857,13 @@ name_convert(krb5_context context, const char *name, const char *realm,
     return -1;
 }
 
+/*
+ * convert the v5 principal in `principal' into a v4 corresponding one
+ * in `name, instance, realm'
+ * this is limited interface since there's no length given for these
+ * three parameters.  They have to be 40 bytes each (ANAME_SZ).
+ */
+
 krb5_error_code
 krb5_524_conv_principal(krb5_context context,
 			const krb5_principal principal,
@@ -811,6 +874,7 @@ krb5_524_conv_principal(krb5_context context,
     const char *n, *i, *r;
     char tmpinst[40];
     int type = princ_type(principal);
+    const int aname_sz = 40;
 
     r = principal->realm;
 
@@ -846,15 +910,12 @@ krb5_524_conv_principal(krb5_context context,
 	i = tmpinst;
     }
     
-    if(strlen(r) >= 40)
+    if (strlcpy (name, n, aname_sz) >= aname_sz)
 	return KRB5_PARSE_MALFORMED;
-    if(strlen(n) >= 40)
+    if (strlcpy (instance, i, aname_sz) >= aname_sz)
 	return KRB5_PARSE_MALFORMED;
-    if(strlen(i) >= 40)
+    if (strlcpy (realm, r, aname_sz) >= aname_sz)
 	return KRB5_PARSE_MALFORMED;
-    strcpy(realm, r);
-    strcpy(name, n);
-    strcpy(instance, i);
     return 0;
 }
 
@@ -870,7 +931,7 @@ krb5_sname_to_principal (krb5_context context,
 			 krb5_principal *ret_princ)
 {
     krb5_error_code ret;
-    char localhost[128];
+    char localhost[MAXHOSTNAMELEN];
     char **realms, *host = NULL;
 	
     if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN)
diff --git a/crypto/heimdal/lib/krb5/prog_setup.c b/crypto/heimdal/lib/krb5/prog_setup.c
index 4693d08..dc3b119 100644
--- a/crypto/heimdal/lib/krb5/prog_setup.c
+++ b/crypto/heimdal/lib/krb5/prog_setup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,8 +33,9 @@
 
 #include "krb5_locl.h"
 #include <getarg.h>
+#include <err.h>
 
-RCSID("$Id: prog_setup.c,v 1.6 1999/12/02 17:05:11 joda Exp $");
+RCSID("$Id: prog_setup.c,v 1.8 2001/01/25 11:20:32 assar Exp $");
 
 void
 krb5_std_usage(int code, struct getargs *args, int num_args)
@@ -48,13 +49,16 @@ krb5_program_setup(krb5_context *context, int argc, char **argv,
 		   struct getargs *args, int num_args, 
 		   void (*usage)(int, struct getargs*, int))
 {
+    krb5_error_code ret;
     int optind = 0;
 
     if(usage == NULL)
 	usage = krb5_std_usage;
 
     set_progname(argv[0]);
-    krb5_init_context(context);
+    ret = krb5_init_context(context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
     
     if(getarg(args, num_args, argc, argv, &optind))
 	(*usage)(1, args, num_args);
diff --git a/crypto/heimdal/lib/krb5/rd_cred.c b/crypto/heimdal/lib/krb5/rd_cred.c
index 71b79b1..ca8ff02 100644
--- a/crypto/heimdal/lib/krb5/rd_cred.c
+++ b/crypto/heimdal/lib/krb5/rd_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,13 +33,14 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_cred.c,v 1.9 2000/02/06 05:19:52 assar Exp $");
+RCSID("$Id: rd_cred.c,v 1.12 2001/01/04 16:19:00 joda Exp $");
 
 krb5_error_code
-krb5_rd_cred (krb5_context      context,
-	      krb5_auth_context auth_context,
-	      krb5_ccache       ccache,
-	      krb5_data         *in_data)
+krb5_rd_cred(krb5_context context,
+	     krb5_auth_context auth_context,
+	     krb5_data *in_data,
+	     krb5_creds ***ret_creds,
+	     krb5_replay_data *out_data)
 {
     krb5_error_code ret;
     size_t len;
@@ -49,9 +50,9 @@ krb5_rd_cred (krb5_context      context,
     krb5_crypto crypto;
     int i;
 
-    ret = decode_KRB_CRED (in_data->data, in_data->length,
-			   &cred, &len);
-    if (ret)
+    ret = decode_KRB_CRED(in_data->data, in_data->length, 
+			  &cred, &len);
+    if(ret)
 	return ret;
 
     if (cred.pvno != 5) {
@@ -64,16 +65,32 @@ krb5_rd_cred (krb5_context      context,
 	goto out;
     }
 
-    krb5_crypto_init(context, auth_context->remote_subkey, 0, &crypto);
-    ret = krb5_decrypt_EncryptedData(context,
-				     crypto,
-				     KRB5_KU_KRB_CRED,
-				     &cred.enc_part,
-				     &enc_krb_cred_part_data);
-    krb5_crypto_destroy(context, crypto);
-    if (ret)
-	goto out;
-    
+    if (cred.enc_part.etype == ETYPE_NULL) {  
+       /* DK: MIT GSS-API Compatibility */
+       enc_krb_cred_part_data.length = cred.enc_part.cipher.length;
+       enc_krb_cred_part_data.data   = cred.enc_part.cipher.data;
+    } else {
+	if (auth_context->remote_subkey)
+	    ret = krb5_crypto_init(context, auth_context->remote_subkey,
+				   0, &crypto);
+	else
+	    ret = krb5_crypto_init(context, auth_context->keyblock,
+				   0, &crypto);
+          /* DK: MIT rsh */
+
+	if (ret)
+	    goto out;
+       
+	ret = krb5_decrypt_EncryptedData(context,
+					 crypto,
+					 KRB5_KU_KRB_CRED,
+					 &cred.enc_part,
+					 &enc_krb_cred_part_data);
+       
+	krb5_crypto_destroy(context, crypto);
+	if (ret)
+	    goto out;
+    }
 
     ret = krb5_decode_EncKrbCredPart (context,
 				      enc_krb_cred_part_data.data,
@@ -86,7 +103,8 @@ krb5_rd_cred (krb5_context      context,
     /* check sender address */
 
     if (enc_krb_cred_part.s_address
-	&& auth_context->remote_address) {
+	&& auth_context->remote_address
+	&& auth_context->remote_port) {
 	krb5_address *a;
 	int cmp;
 
@@ -113,6 +131,7 @@ krb5_rd_cred (krb5_context      context,
     /* check receiver address */
 
     if (enc_krb_cred_part.r_address
+	&& auth_context->local_address
 	&& !krb5_address_compare (context,
 				  auth_context->local_address,
 				  enc_krb_cred_part.r_address)) {
@@ -135,51 +154,104 @@ krb5_rd_cred (krb5_context      context,
 	}
     }
 
-    /* XXX - check replay cache */
+    if(out_data != NULL) {
+	if(enc_krb_cred_part.timestamp)
+	    out_data->timestamp = *enc_krb_cred_part.timestamp;
+	else 
+	    out_data->timestamp = 0;
+	if(enc_krb_cred_part.usec)
+	    out_data->usec = *enc_krb_cred_part.usec;
+	else 
+	    out_data->usec = 0;
+	if(enc_krb_cred_part.nonce)
+	    out_data->seq = *enc_krb_cred_part.nonce;
+	else 
+	    out_data->seq = 0;
+    }
+    
+    /* Convert to NULL terminated list of creds */
 
-    /* Store the creds in the ccache */
+    *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1, 
+		       sizeof(**ret_creds));
 
     for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) {
 	KrbCredInfo *kci = &enc_krb_cred_part.ticket_info.val[i];
-	krb5_creds creds;
+	krb5_creds *creds;
 	u_char buf[1024];
 	size_t len;
 
-	memset (&creds, 0, sizeof(creds));
+	creds = calloc(1, sizeof(*creds));
+	if(creds == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
 
 	ret = encode_Ticket (buf + sizeof(buf) - 1, sizeof(buf),
 			     &cred.tickets.val[i],
 			     &len);
 	if (ret)
 	    goto out;
-	krb5_data_copy (&creds.ticket, buf + sizeof(buf) - len, len);
-	copy_EncryptionKey (&kci->key, &creds.session);
+	krb5_data_copy (&creds->ticket, buf + sizeof(buf) - len, len);
+	copy_EncryptionKey (&kci->key, &creds->session);
 	if (kci->prealm && kci->pname)
-	    principalname2krb5_principal (&creds.client,
+	    principalname2krb5_principal (&creds->client,
 					  *kci->pname,
 					  *kci->prealm);
 	if (kci->flags)
-	    creds.flags.b = *kci->flags;
+	    creds->flags.b = *kci->flags;
 	if (kci->authtime)
-	    creds.times.authtime = *kci->authtime;
+	    creds->times.authtime = *kci->authtime;
 	if (kci->starttime)
-	    creds.times.starttime = *kci->starttime;
+	    creds->times.starttime = *kci->starttime;
 	if (kci->endtime)
-	    creds.times.endtime = *kci->endtime;
+	    creds->times.endtime = *kci->endtime;
 	if (kci->renew_till)
-	    creds.times.renew_till = *kci->renew_till;
+	    creds->times.renew_till = *kci->renew_till;
 	if (kci->srealm && kci->sname)
-	    principalname2krb5_principal (&creds.server,
+	    principalname2krb5_principal (&creds->server,
 					  *kci->sname,
 					  *kci->srealm);
 	if (kci->caddr)
 	    krb5_copy_addresses (context,
 				 kci->caddr,
-				 &creds.addresses);
-	krb5_cc_store_cred (context, ccache, &creds);
+				 &creds->addresses);
+	
+	(*ret_creds)[i] = creds;
+	
     }
+    (*ret_creds)[i] = NULL;
+    return 0;
 
 out:
     free_KRB_CRED (&cred);
+    if(*ret_creds) {
+	for(i = 0; (*ret_creds)[i]; i++)
+	    krb5_free_creds(context, (*ret_creds)[i]);
+	free(*ret_creds);
+    }
     return ret;
 }
+
+krb5_error_code
+krb5_rd_cred2 (krb5_context      context,
+	       krb5_auth_context auth_context,
+	       krb5_ccache       ccache,
+	       krb5_data         *in_data)
+{
+    krb5_error_code ret;
+    krb5_creds **creds;
+    int i;
+
+    ret = krb5_rd_cred(context, auth_context, in_data, &creds, NULL);
+    if(ret)
+	return ret;
+
+    /* Store the creds in the ccache */
+
+    for(i = 0; creds && creds[i]; i++) {
+	krb5_cc_store_cred(context, ccache, creds[i]);
+	krb5_free_creds(context, creds[i]);
+    }
+    free(creds);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/rd_priv.c b/crypto/heimdal/lib/krb5/rd_priv.c
index c4d7bea..62350ba 100644
--- a/crypto/heimdal/lib/krb5/rd_priv.c
+++ b/crypto/heimdal/lib/krb5/rd_priv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_priv.c,v 1.23 2000/02/06 05:20:13 assar Exp $");
+RCSID("$Id: rd_priv.c,v 1.27 2001/01/19 04:27:09 assar Exp $");
 
 krb5_error_code
 krb5_rd_priv(krb5_context context,
@@ -72,7 +72,9 @@ krb5_rd_priv(krb5_context context,
   else
       key = auth_context->keyblock;
 
-  krb5_crypto_init(context, key, 0, &crypto);
+  ret = krb5_crypto_init(context, key, 0, &crypto);
+  if (ret)
+      goto failure;
   ret = krb5_decrypt_EncryptedData(context,
 				   crypto,
 				   KRB5_KU_KRB_PRIV,
@@ -124,13 +126,19 @@ krb5_rd_priv(krb5_context context,
 
   /* XXX - check replay cache */
 
-  /* check sequence number */
+  /* check sequence number. since MIT krb5 cannot generate a sequence
+     number of zero but instead generates no sequence number, we accept that
+  */
+
   if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-    if (part.seq_number == NULL ||
-	*part.seq_number != ++auth_context->remote_seqnumber) {
-      ret = KRB5KRB_AP_ERR_BADORDER;
-      goto failure_part;
-    }
+      if ((part.seq_number == NULL
+	   && auth_context->remote_seqnumber != 0)
+	  || (part.seq_number != NULL
+	      && *part.seq_number != auth_context->remote_seqnumber)) {
+	  ret = KRB5KRB_AP_ERR_BADORDER;
+	  goto failure_part;
+      }
+      auth_context->remote_seqnumber++;
   }
 
   ret = krb5_data_copy (outbuf, part.user_data.data, part.user_data.length);
diff --git a/crypto/heimdal/lib/krb5/rd_rep.c b/crypto/heimdal/lib/krb5/rd_rep.c
index e2c401c..20f2033 100644
--- a/crypto/heimdal/lib/krb5/rd_rep.c
+++ b/crypto/heimdal/lib/krb5/rd_rep.c
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_rep.c,v 1.19 1999/12/02 17:05:12 joda Exp $");
+RCSID("$Id: rd_rep.c,v 1.20 2000/08/18 06:49:03 assar Exp $");
 
 krb5_error_code
 krb5_rd_rep(krb5_context context,
@@ -62,7 +62,9 @@ krb5_rd_rep(krb5_context context,
     goto out;
   }
 
-  krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+  ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+  if (ret)
+      goto out;
   ret = krb5_decrypt_EncryptedData (context, 
 				    crypto,	
 				    KRB5_KU_AP_REQ_ENC_PART,
diff --git a/crypto/heimdal/lib/krb5/rd_req.c b/crypto/heimdal/lib/krb5/rd_req.c
index bcf4ecf..922137a 100644
--- a/crypto/heimdal/lib/krb5/rd_req.c
+++ b/crypto/heimdal/lib/krb5/rd_req.c
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_req.c,v 1.41 2000/02/07 13:31:55 joda Exp $");
+RCSID("$Id: rd_req.c,v 1.44 2000/11/15 23:16:28 assar Exp $");
 
 static krb5_error_code
 decrypt_tkt_enc_part (krb5_context context,
@@ -46,7 +46,9 @@ decrypt_tkt_enc_part (krb5_context context,
     size_t len;
     krb5_crypto crypto;
 
-    krb5_crypto_init(context, key, 0, &crypto);
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
     ret = krb5_decrypt_EncryptedData (context,
 				      crypto,
 				      KRB5_KU_TICKET,
@@ -66,19 +68,29 @@ static krb5_error_code
 decrypt_authenticator (krb5_context context,
 		       EncryptionKey *key,
 		       EncryptedData *enc_part,
-		       Authenticator *authenticator)
+		       Authenticator *authenticator,
+		       krb5_key_usage usage)
 {
     krb5_error_code ret;
     krb5_data plain;
     size_t len;
     krb5_crypto crypto;
 
-    krb5_crypto_init(context, key, 0, &crypto);
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
     ret = krb5_decrypt_EncryptedData (context,
 				      crypto,
-				      KRB5_KU_AP_REQ_AUTH,
+				      usage /* KRB5_KU_AP_REQ_AUTH */,
 				      enc_part,
 				      &plain);
+    /* for backwards compatibility, also try the old usage */
+    if (ret && usage == KRB5_KU_TGS_REQ_AUTH)
+	ret = krb5_decrypt_EncryptedData (context,
+					  crypto,
+					  KRB5_KU_AP_REQ_AUTH,
+					  enc_part,
+					  &plain);
     krb5_crypto_destroy(context, crypto);
     if (ret)
 	return ret;
@@ -136,10 +148,14 @@ krb5_decrypt_ticket(krb5_context context,
 	    start = *t.starttime;
 	if(start - now > context->max_skew
 	   || (t.flags.invalid
-	       && !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID)))
+	       && !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID))) {
+	    free_EncTicketPart(&t);
 	    return KRB5KRB_AP_ERR_TKT_NYV;
-	if(now - t.endtime > context->max_skew)
+	}
+	if(now - t.endtime > context->max_skew) {
+	    free_EncTicketPart(&t);
 	    return KRB5KRB_AP_ERR_TKT_EXPIRED;
+	}
     }
     
     if(out)
@@ -222,19 +238,40 @@ krb5_verify_ap_req(krb5_context context,
 		   krb5_flags *ap_req_options,
 		   krb5_ticket **ticket)
 {
+    return krb5_verify_ap_req2 (context,
+				auth_context,
+				ap_req,
+				server,
+				keyblock,
+				flags,
+				ap_req_options,
+				ticket,
+				KRB5_KU_AP_REQ_AUTH);
+}
+
+krb5_error_code
+krb5_verify_ap_req2(krb5_context context,
+		    krb5_auth_context *auth_context,
+		    krb5_ap_req *ap_req,
+		    krb5_const_principal server,
+		    krb5_keyblock *keyblock,
+		    krb5_flags flags,
+		    krb5_flags *ap_req_options,
+		    krb5_ticket **ticket,
+		    krb5_key_usage usage)
+{
     krb5_ticket t;
     krb5_auth_context ac;
     krb5_error_code ret;
     
-    if(auth_context) {
-	if(*auth_context == NULL){
-	    krb5_auth_con_init(context, &ac);
-	    *auth_context = ac;
-	}else
-	    ac = *auth_context;
-    } else
-	krb5_auth_con_init(context, &ac);
-	
+    if (auth_context && *auth_context) {
+	ac = *auth_context;
+    } else {
+	ret = krb5_auth_con_init (context, &ac);
+	if (ret)
+	    return ret;
+    }
+
     if (ap_req->ap_options.use_session_key && ac->keyblock){
 	ret = krb5_decrypt_ticket(context, &ap_req->ticket, 
 				  ac->keyblock, 
@@ -249,7 +286,7 @@ krb5_verify_ap_req(krb5_context context,
 				  flags);
     
     if(ret)
-	return ret;
+	goto out;
 
     principalname2krb5_principal(&t.server, ap_req->ticket.sname, 
 				 ap_req->ticket.realm);
@@ -263,11 +300,10 @@ krb5_verify_ap_req(krb5_context context,
     ret = decrypt_authenticator (context,
 				 &t.ticket.key,
 				 &ap_req->authenticator,
-				 ac->authenticator);
-    if (ret){
-	/* XXX free data */
-	return ret;
-    }
+				 ac->authenticator,
+				 usage);
+    if (ret)
+	goto out2;
 
     {
 	krb5_principal p1, p2;
@@ -282,8 +318,10 @@ krb5_verify_ap_req(krb5_context context,
 	res = krb5_principal_compare (context, p1, p2);
 	krb5_free_principal (context, p1);
 	krb5_free_principal (context, p2);
-	if (!res)
-	    return KRB5KRB_AP_ERR_BADMATCH;
+	if (!res) {
+	    ret = KRB5KRB_AP_ERR_BADMATCH;
+	    goto out2;
+	}
     }
 
     /* check addresses */
@@ -292,8 +330,10 @@ krb5_verify_ap_req(krb5_context context,
 	&& ac->remote_address
 	&& !krb5_address_search (context,
 				 ac->remote_address,
-				 t.ticket.caddr))
-	return KRB5KRB_AP_ERR_BADADDR;
+				 t.ticket.caddr)) {
+	ret = KRB5KRB_AP_ERR_BADADDR;
+	goto out2;
+    }
 
     if (ac->authenticator->seq_number)
 	ac->remote_seqnumber = *ac->authenticator->seq_number;
@@ -322,7 +362,18 @@ krb5_verify_ap_req(krb5_context context,
 	**ticket = t;
     } else
 	krb5_free_ticket (context, &t);
+    if (auth_context) {
+	if (*auth_context == NULL)
+	    *auth_context = ac;
+    } else
+	krb5_auth_con_free (context, ac);
     return 0;
+ out2:
+    krb5_free_ticket (context, &t);
+ out:
+    if (auth_context == NULL || *auth_context == NULL)
+	krb5_auth_con_free (context, ac);
+    return ret;
 }
 		   
 
diff --git a/crypto/heimdal/lib/krb5/rd_safe.c b/crypto/heimdal/lib/krb5/rd_safe.c
index fb7cc2d..07628d9 100644
--- a/crypto/heimdal/lib/krb5/rd_safe.c
+++ b/crypto/heimdal/lib/krb5/rd_safe.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_safe.c,v 1.19 2000/02/06 05:20:51 assar Exp $");
+RCSID("$Id: rd_safe.c,v 1.23 2001/01/19 04:25:37 assar Exp $");
 
 static krb5_error_code
 verify_checksum(krb5_context context,
@@ -65,7 +65,9 @@ verify_checksum(krb5_context context,
 			   buf_size,
 			   safe,
 			   &len);
-    krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+    ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+    if (ret)
+	goto out;
     ret = krb5_verify_checksum (context,
 				crypto,
 				KRB5_KU_KRB_SAFE_CKSUM,
@@ -144,13 +146,20 @@ krb5_rd_safe(krb5_context context,
   }
   /* XXX - check replay cache */
 
-  /* check sequence number */
+  /* check sequence number. since MIT krb5 cannot generate a sequence
+     number of zero but instead generates no sequence number, we accept that
+  */
+
   if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-      if (safe.safe_body.seq_number == NULL ||
-	  *safe.safe_body.seq_number != ++auth_context->remote_seqnumber) {
+      if ((safe.safe_body.seq_number == NULL
+	   && auth_context->remote_seqnumber != 0)
+	  || (safe.safe_body.seq_number != NULL
+	      && *safe.safe_body.seq_number !=
+	      auth_context->remote_seqnumber)) {
 	  ret = KRB5KRB_AP_ERR_BADORDER;
 	  goto failure;
       }
+      auth_context->remote_seqnumber++;
   }
 
   ret = verify_checksum (context, auth_context, &safe);
diff --git a/crypto/heimdal/lib/krb5/read_message.c b/crypto/heimdal/lib/krb5/read_message.c
index f2cae03..45d6b62 100644
--- a/crypto/heimdal/lib/krb5/read_message.c
+++ b/crypto/heimdal/lib/krb5/read_message.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: read_message.c,v 1.5 1999/12/02 17:05:12 joda Exp $");
+RCSID("$Id: read_message.c,v 1.7 2000/07/21 22:54:09 joda Exp $");
 
 krb5_error_code
 krb5_read_message (krb5_context context,
@@ -49,7 +49,7 @@ krb5_read_message (krb5_context context,
 	return errno;
     if(ret < 4) {
 	data->length = 0;
-	return 0;
+	return HEIM_ERR_EOF;
     }
     len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
     ret = krb5_data_alloc (data, len);
@@ -61,3 +61,41 @@ krb5_read_message (krb5_context context,
     }
     return 0;
 }
+
+krb5_error_code
+krb5_read_priv_message(krb5_context context,
+		       krb5_auth_context ac,
+		       krb5_pointer p_fd,
+		       krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_data packet;
+
+    ret = krb5_read_message(context, p_fd, &packet);
+    if(ret)
+	return ret;
+    ret = krb5_rd_priv (context, ac, &packet, data, NULL);
+    krb5_data_free(&packet);
+    if(ret)
+	return ret;
+    return ret;
+}
+
+krb5_error_code
+krb5_read_safe_message(krb5_context context,
+		       krb5_auth_context ac,
+		       krb5_pointer p_fd,
+		       krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_data packet;
+
+    ret = krb5_read_message(context, p_fd, &packet);
+    if(ret)
+	return ret;
+    ret = krb5_rd_safe (context, ac, &packet, data, NULL);
+    krb5_data_free(&packet);
+    if(ret)
+	return ret;
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/recvauth.c b/crypto/heimdal/lib/krb5/recvauth.c
index 49fe7b6..3c11254 100644
--- a/crypto/heimdal/lib/krb5/recvauth.c
+++ b/crypto/heimdal/lib/krb5/recvauth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: recvauth.c,v 1.12 1999/12/02 17:05:12 joda Exp $");
+RCSID("$Id: recvauth.c,v 1.13 2000/12/06 20:59:05 joda Exp $");
 
 /*
  * See `sendauth.c' for the format.
@@ -177,7 +177,7 @@ krb5_recvauth_match_version(krb5_context context,
     return errno;
 
   if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
-    ret = krb5_mk_rep (context, auth_context, &data);
+    ret = krb5_mk_rep (context, *auth_context, &data);
     if (ret)
       return ret;
 
diff --git a/crypto/heimdal/lib/krb5/replay.c b/crypto/heimdal/lib/krb5/replay.c
index 3ca68e8..2935cfc 100644
--- a/crypto/heimdal/lib/krb5/replay.c
+++ b/crypto/heimdal/lib/krb5/replay.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,6 +32,9 @@
  */
 
 #include "krb5_locl.h"
+#include <vis.h>
+
+RCSID("$Id: replay.c,v 1.7 2001/01/29 02:09:00 assar Exp $");
 
 struct krb5_rcache_data {
     char *name;
@@ -82,6 +85,12 @@ krb5_rc_default_name(krb5_context context)
     return "FILE:/var/run/default_rcache";
 }
 
+const char *
+krb5_rc_default_type(krb5_context context)
+{
+    return "FILE";
+}
+
 krb5_error_code
 krb5_rc_default(krb5_context context,
 		krb5_rcache *id)
@@ -140,20 +149,20 @@ checksum_authenticator(Authenticator *auth, void *data)
     MD5_CTX md5;
     int i;
 
-    MD5Init (&md5);
-    MD5Update (&md5, auth->crealm, strlen(auth->crealm));
+    MD5_Init (&md5);
+    MD5_Update (&md5, auth->crealm, strlen(auth->crealm));
     for(i = 0; i < auth->cname.name_string.len; i++)
-	MD5Update(&md5, auth->cname.name_string.val[i], 
-		  strlen(auth->cname.name_string.val[i]));
-    MD5Update (&md5, &auth->ctime, sizeof(auth->ctime));
-    MD5Update (&md5, &auth->cusec, sizeof(auth->cusec));
-    MD5Final (&md5, data);
+	MD5_Update(&md5, auth->cname.name_string.val[i], 
+		   strlen(auth->cname.name_string.val[i]));
+    MD5_Update (&md5, &auth->ctime, sizeof(auth->ctime));
+    MD5_Update (&md5, &auth->cusec, sizeof(auth->cusec));
+    MD5_Final (data, &md5);
 }
 
 krb5_error_code
 krb5_rc_store(krb5_context context,
 	      krb5_rcache id,
-	      krb5_donot_reply *rep)
+	      krb5_donot_replay *rep)
 {
     struct rc_entry ent, tmp;
     time_t t;
@@ -209,6 +218,7 @@ krb5_rc_get_lifespan(krb5_context context,
     }
     return KRB5_RC_IO_UNKNOWN;
 }
+
 const char*
 krb5_rc_get_name(krb5_context context,
 		 krb5_rcache id)
@@ -223,3 +233,32 @@ krb5_rc_get_type(krb5_context context,
     return "FILE";
 }
 		 
+krb5_error_code
+krb5_get_server_rcache(krb5_context context, 
+		       const krb5_data *piece, 
+		       krb5_rcache *id)
+{
+    krb5_rcache rcache;
+    krb5_error_code ret;
+
+    char *tmp = malloc(4 * piece->length + 1);
+    char *name;
+    if(tmp == NULL)
+	return ENOMEM;
+    strvisx(tmp, piece->data, piece->length, VIS_WHITE | VIS_OCTAL);
+#ifdef HAVE_GETEUID
+    asprintf(&name, "FILE:rc_%s_%u", tmp, geteuid());
+#else
+    asprintf(&name, "FILE:rc_%s", tmp);
+#endif
+    free(tmp);
+    if(name == NULL)
+	return ENOMEM;
+
+    ret = krb5_rc_resolve_full(context, &rcache, name);
+    free(name);
+    if(ret)
+	return ret;
+    *id = rcache;
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/send_to_kdc.c b/crypto/heimdal/lib/krb5/send_to_kdc.c
index 2872322..e2b884d 100644
--- a/crypto/heimdal/lib/krb5/send_to_kdc.c
+++ b/crypto/heimdal/lib/krb5/send_to_kdc.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: send_to_kdc.c,v 1.36 2000/01/06 07:59:11 assar Exp $");
+RCSID("$Id: send_to_kdc.c,v 1.40 2000/11/15 01:48:23 assar Exp $");
 
 /*
  * send the data in `req' on the socket `fd' (which is datagram iff udp)
@@ -54,6 +54,10 @@ recv_loop (int fd,
      int ret;
      int nbytes;
 
+     if (fd >= FD_SETSIZE) {
+	 return -1;
+     }
+
      krb5_data_zero(rep);
      do {
 	 FD_ZERO(&fdset);
@@ -237,7 +241,8 @@ send_via_proxy (krb5_context context,
 		const krb5_data *send,
 		krb5_data *receive)
 {
-    char *proxy = strdup(context->http_proxy);
+    char *proxy2 = strdup(context->http_proxy);
+    char *proxy  = proxy2;
     char *prefix;
     char *colon;
     struct addrinfo hints;
@@ -246,6 +251,11 @@ send_via_proxy (krb5_context context,
     int s;
     char portstr[NI_MAXSERV];
 		 
+    if (proxy == NULL)
+	return ENOMEM;
+    if (strncmp (proxy, "http://", 7) == 0)
+	proxy += 7;
+
     colon = strchr(proxy, ':');
     if(colon != NULL)
 	*colon++ = '\0';
@@ -254,10 +264,10 @@ send_via_proxy (krb5_context context,
     hints.ai_socktype = SOCK_STREAM;
     snprintf (portstr, sizeof(portstr), "%d",
 	      ntohs(init_port (colon, htons(80))));
-    ret = getaddrinfo (proxy, portstr, NULL, &ai);
-    free (proxy);
+    ret = getaddrinfo (proxy, portstr, &hints, &ai);
+    free (proxy2);
     if (ret)
-	return ret;
+	return krb5_eai_to_heim_errno(ret);
 
     for (a = ai; a != NULL; a = a->ai_next) {
 	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
@@ -295,26 +305,17 @@ send_via_proxy (krb5_context context,
  */
 
 krb5_error_code
-krb5_sendto_kdc (krb5_context context,
-		 const krb5_data *send,
-		 const krb5_realm *realm,
-		 krb5_data *receive)
+krb5_sendto (krb5_context context,
+	     const krb5_data *send,
+	     char **hostlist,
+	     int port,
+	     krb5_data *receive)
 {
-     krb5_error_code ret;
-     char **hostlist, **hp, *p;
+     krb5_error_code ret = 0;
+     char **hp, *p;
      int fd;
-     int port;
      int i;
 
-     port = krb5_getportbyname (context, "kerberos", "udp", 88);
-
-     if (context->use_admin_kdc)
-	 ret = krb5_get_krb_admin_hst (context, realm, &hostlist);
-     else
-	 ret = krb5_get_krbhst (context, realm, &hostlist);
-     if (ret)
-	  return ret;
-
      for (i = 0; i < context->max_retries; ++i)
 	 for (hp = hostlist; (p = *hp); ++hp) {
 	     char *colon;
@@ -390,6 +391,38 @@ krb5_sendto_kdc (krb5_context context,
 	 }
      ret = KRB5_KDC_UNREACH;
 out:
-     krb5_free_krbhst (context, hostlist);
      return ret;
 }
+
+krb5_error_code
+krb5_sendto_kdc2(krb5_context context,
+		 const krb5_data *send,
+		 const krb5_realm *realm,
+		 krb5_data *receive,
+		 krb5_boolean master)
+{
+    krb5_error_code ret;
+    char **hostlist;
+    int port;
+    
+    port = krb5_getportbyname (context, "kerberos", "udp", 88);
+    
+    if (master || context->use_admin_kdc)
+	ret = krb5_get_krb_admin_hst (context, realm, &hostlist);
+    else
+	ret = krb5_get_krbhst (context, realm, &hostlist);
+    if (ret)
+	return ret;
+    ret = krb5_sendto(context, send, hostlist, port, receive);
+    krb5_free_krbhst (context, hostlist);
+    return ret;
+}
+
+krb5_error_code
+krb5_sendto_kdc(krb5_context context,
+		const krb5_data *send,
+		const krb5_realm *realm,
+		krb5_data *receive)
+{
+    return krb5_sendto_kdc2(context, send, realm, receive, FALSE);
+}
diff --git a/crypto/heimdal/lib/krb5/sock_principal.c b/crypto/heimdal/lib/krb5/sock_principal.c
index bfd4eb4..477622d 100644
--- a/crypto/heimdal/lib/krb5/sock_principal.c
+++ b/crypto/heimdal/lib/krb5/sock_principal.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: sock_principal.c,v 1.9 1999/12/02 17:05:12 joda Exp $");
+RCSID("$Id: sock_principal.c,v 1.11 2000/08/09 20:53:11 assar Exp $");
 			
 krb5_error_code
 krb5_sock_to_principal (krb5_context context,
@@ -46,10 +46,11 @@ krb5_sock_to_principal (krb5_context context,
     krb5_address address;
     struct sockaddr_storage __ss;
     struct sockaddr *sa = (struct sockaddr *)&__ss;
-    int len = sizeof(__ss);
+    socklen_t len = sizeof(__ss);
     struct hostent *hostent;
     int family;
     char hname[256];
+    char *tmp;
 
     if (getsockname (sock, sa, &len) < 0)
 	return errno;
@@ -65,7 +66,18 @@ krb5_sock_to_principal (krb5_context context,
 
     if (hostent == NULL)
 	return h_errno;
-    strlcpy(hname, hostent->h_name, sizeof(hname));
+    tmp = hostent->h_name;
+    if (strchr(tmp, '.') == NULL) {
+	char **a;
+
+	for (a = hostent->h_aliases; a != NULL && *a != NULL; ++a)
+	    if (strchr(*a, '.') != NULL) {
+		tmp = *a;
+		break;
+	    }
+    }
+
+    strlcpy(hname, tmp, sizeof(hname));
     return krb5_sname_to_principal (context,
 				    hname,
 				    sname,
diff --git a/crypto/heimdal/lib/krb5/store.c b/crypto/heimdal/lib/krb5/store.c
index 17b1547..5f9d659 100644
--- a/crypto/heimdal/lib/krb5/store.c
+++ b/crypto/heimdal/lib/krb5/store.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: store.c,v 1.32 1999/12/02 17:05:12 joda Exp $");
+RCSID("$Id: store.c,v 1.34 2000/04/11 00:46:09 assar Exp $");
 
 void
 krb5_storage_set_flags(krb5_storage *sp, krb5_flags flags)
@@ -275,8 +275,7 @@ krb5_ret_string(krb5_storage *sp,
 }
 
 krb5_error_code
-krb5_store_stringz(krb5_storage *sp,
-		  char *s)
+krb5_store_stringz(krb5_storage *sp, const char *s)
 {
     size_t len = strlen(s) + 1;
     ssize_t ret;
@@ -554,20 +553,46 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth)
     return ret;
 }
 
+/*
+ * store `creds' on `sp' returning error or zero
+ */
+
 krb5_error_code
 krb5_store_creds(krb5_storage *sp, krb5_creds *creds)
 {
-    krb5_store_principal(sp, creds->client);
-    krb5_store_principal(sp, creds->server);
-    krb5_store_keyblock(sp, creds->session);
-    krb5_store_times(sp, creds->times);
-    krb5_store_int8(sp, 0);  /* this is probably the
+    int ret;
+
+    ret = krb5_store_principal(sp, creds->client);
+    if (ret)
+	return ret;
+    ret = krb5_store_principal(sp, creds->server);
+    if (ret)
+	return ret;
+    ret = krb5_store_keyblock(sp, creds->session);
+    if (ret)
+	return ret;
+    ret = krb5_store_times(sp, creds->times);
+    if (ret)
+	return ret;
+    ret = krb5_store_int8(sp, 0);  /* this is probably the
 				enc-tkt-in-skey bit from KDCOptions */
-    krb5_store_int32(sp, creds->flags.i);
-    krb5_store_addrs(sp, creds->addresses);
-    krb5_store_authdata(sp, creds->authdata);
-    krb5_store_data(sp, creds->ticket);
-    krb5_store_data(sp, creds->second_ticket);
+    if (ret)
+	return ret;
+    ret = krb5_store_int32(sp, creds->flags.i);
+    if (ret)
+	return ret;
+    ret = krb5_store_addrs(sp, creds->addresses);
+    if (ret)
+	return ret;
+    ret = krb5_store_authdata(sp, creds->authdata);
+    if (ret)
+	return ret;
+    ret = krb5_store_data(sp, creds->ticket);
+    if (ret)
+	return ret;
+    ret = krb5_store_data(sp, creds->second_ticket);
+    if (ret)
+	return ret;
     return 0;
 }
 
diff --git a/crypto/heimdal/lib/krb5/store_emem.c b/crypto/heimdal/lib/krb5/store_emem.c
index d2497ef..4d531c6 100644
--- a/crypto/heimdal/lib/krb5/store_emem.c
+++ b/crypto/heimdal/lib/krb5/store_emem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 200 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: store_emem.c,v 1.9 1999/12/02 17:05:12 joda Exp $");
+RCSID("$Id: store_emem.c,v 1.10 2000/05/19 14:39:49 assar Exp $");
 
 typedef struct emem_storage{
     unsigned char *base;
@@ -54,7 +54,7 @@ emem_fetch(krb5_storage *sp, void *data, size_t size)
 }
 
 static ssize_t
-emem_store(krb5_storage *sp, void *data, size_t size)
+emem_store(krb5_storage *sp, const void *data, size_t size)
 {
     emem_storage *s = (emem_storage*)sp->data;
     if(size > s->base + s->size - s->ptr){
diff --git a/crypto/heimdal/lib/krb5/store_fd.c b/crypto/heimdal/lib/krb5/store_fd.c
index e4c507c..2c795bd 100644
--- a/crypto/heimdal/lib/krb5/store_fd.c
+++ b/crypto/heimdal/lib/krb5/store_fd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: store_fd.c,v 1.6 1999/12/02 17:05:13 joda Exp $");
+RCSID("$Id: store_fd.c,v 1.8 2001/01/29 02:32:35 assar Exp $");
 
 typedef struct fd_storage{
     int fd;
@@ -44,13 +44,13 @@ typedef struct fd_storage{
 static ssize_t
 fd_fetch(krb5_storage *sp, void *data, size_t size)
 {
-    return read(FD(sp), data, size);
+    return net_read(FD(sp), data, size);
 }
 
 static ssize_t
-fd_store(krb5_storage *sp, void *data, size_t size)
+fd_store(krb5_storage *sp, const void *data, size_t size)
 {
-    return write(FD(sp), data, size);
+    return net_write(FD(sp), data, size);
 }
 
 static off_t
diff --git a/crypto/heimdal/lib/krb5/store_mem.c b/crypto/heimdal/lib/krb5/store_mem.c
index a8019e6..e6c277a 100644
--- a/crypto/heimdal/lib/krb5/store_mem.c
+++ b/crypto/heimdal/lib/krb5/store_mem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: store_mem.c,v 1.9 1999/12/02 17:05:13 joda Exp $");
+RCSID("$Id: store_mem.c,v 1.10 2000/05/19 14:39:02 assar Exp $");
 
 typedef struct mem_storage{
     unsigned char *base;
@@ -53,7 +53,7 @@ mem_fetch(krb5_storage *sp, void *data, size_t size)
 }
 
 static ssize_t
-mem_store(krb5_storage *sp, void *data, size_t size)
+mem_store(krb5_storage *sp, const void *data, size_t size)
 {
     mem_storage *s = (mem_storage*)sp->data;
     if(size > s->base + s->size - s->ptr)
diff --git a/crypto/heimdal/lib/krb5/string-to-key-test.c b/crypto/heimdal/lib/krb5/string-to-key-test.c
index 0e884d0..6e6c0b6 100644
--- a/crypto/heimdal/lib/krb5/string-to-key-test.c
+++ b/crypto/heimdal/lib/krb5/string-to-key-test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: string-to-key-test.c,v 1.2 1999/10/28 23:10:38 assar Exp $");
+RCSID("$Id: string-to-key-test.c,v 1.4 2000/12/31 08:03:54 assar Exp $");
 
 enum { MAXSIZE = 24 };
 
@@ -60,6 +60,9 @@ static struct testcase {
      {0x7f, 0x40, 0x67, 0xb9, 0xbc, 0xc4, 0x40, 0xfb, 0x43, 0x73, 0xd9,
       0xd3, 0xcd, 0x7c, 0xc7, 0x67, 0xe6, 0x79, 0x94, 0xd0, 0xa8, 0x34,
       0xdf, 0x62}},
+    {"does/not@MATTER", "foo", ETYPE_ARCFOUR_HMAC_MD5,
+     {0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe,
+      0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc}},
     {NULL}
 };
 
@@ -71,7 +74,9 @@ main(int argc, char **argv)
     krb5_error_code ret;
     int val = 0;
 
-    krb5_init_context (&context);
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
 
     for (t = tests; t->principal_name; ++t) {
 	krb5_keyblock key;
diff --git a/crypto/heimdal/lib/krb5/test_get_addrs.c b/crypto/heimdal/lib/krb5/test_get_addrs.c
new file mode 100644
index 0000000..96a8f89
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_get_addrs.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+RCSID("$Id: test_get_addrs.c,v 1.3 2001/01/25 12:45:15 assar Exp $");
+
+/* print all addresses that we find */
+
+static void
+print_addresses (krb5_context context, const krb5_addresses *addrs)
+{
+    int i;
+    char buf[256];
+    size_t len;
+    
+    for (i = 0; i < addrs->len; ++i) {
+	krb5_print_address (&addrs->val[i], buf, sizeof(buf), &len);
+	printf ("%s\n", buf);
+    }
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_addresses addrs;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    ret = krb5_get_all_client_addrs (context, &addrs);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_all_client_addrs");
+    printf ("client addresses\n");
+    print_addresses (context, &addrs);
+    krb5_free_addresses (context, &addrs);
+
+    ret = krb5_get_all_server_addrs (context, &addrs);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+    printf ("server addresses\n");
+    print_addresses (context, &addrs);
+    krb5_free_addresses (context, &addrs);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/time.c b/crypto/heimdal/lib/krb5/time.c
index e5a1185..98121b4 100644
--- a/crypto/heimdal/lib/krb5/time.c
+++ b/crypto/heimdal/lib/krb5/time.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: time.c,v 1.3 2000/02/06 05:21:53 assar Exp $");
+RCSID("$Id: time.c,v 1.4 2000/06/29 08:20:52 joda Exp $");
 
 /*
  * return ``corrected'' time in `timeret'.
@@ -64,3 +64,16 @@ krb5_us_timeofday (krb5_context context,
     *usec = tv.tv_usec;		/* XXX */
     return 0;
 }
+
+krb5_error_code
+krb5_format_time(krb5_context context, time_t t, 
+		 char *s, size_t len, krb5_boolean include_time)
+{
+    struct tm *tm;
+    if(context->log_utc)
+	tm = gmtime (&t);
+    else
+	tm = localtime(&t);
+    strftime(s, len, include_time ? context->time_fmt : context->date_fmt, tm);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.8 b/crypto/heimdal/lib/krb5/verify_krb5_conf.8
new file mode 100644
index 0000000..55cdc92
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.8
@@ -0,0 +1,33 @@
+.\" $Id: verify_krb5_conf.8,v 1.2 2000/03/04 14:07:50 assar Exp $
+.\"
+.Dd March  4, 2000
+.Dt VERIFY_KRB5_CONF 8
+.Os HEIMDAL
+.Sh NAME
+.Nm verify_krb5_conf
+.Nd
+does a crude test that
+.Pa krb5.conf
+does not contain any obvious syntax error
+.Sh SYNOPSIS
+.Nm
+.Ar [config-file]
+.Sh DESCRIPTION
+.Nm
+reads the configuration file
+.Pa krb5.conf ,
+or the file given on the command line,
+and parses it, thereby verifying that the syntax is not correctly wrong.
+Since that file is read by almost all Kerberos programs but most of
+them have no way of notifying the user that it could not be parsed,
+this program is useful.
+.Sh ENVIRONMENT
+.Ev KRB5_CONFIG
+points to the configuration file to read.
+.Sh FILES
+.Xr krb5.conf 5
+.Sh SEE ALSO
+.Xr krb5.conf 5
+.Sh BUGS
+It should know about what variables are actually used and warn about
+unknown ones.
diff --git a/crypto/heimdal/lib/krb5/verify_user.c b/crypto/heimdal/lib/krb5/verify_user.c
index 10c22cb..758bc60 100644
--- a/crypto/heimdal/lib/krb5/verify_user.c
+++ b/crypto/heimdal/lib/krb5/verify_user.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: verify_user.c,v 1.11 1999/12/02 17:05:13 joda Exp $");
+RCSID("$Id: verify_user.c,v 1.12 2001/01/04 17:40:00 joda Exp $");
 
 static krb5_error_code
 verify_common (krb5_context context,
@@ -101,6 +101,9 @@ krb5_verify_user(krb5_context context,
     krb5_creds cred;
     
     krb5_get_init_creds_opt_init (&opt);
+    krb5_get_init_creds_opt_set_default_flags(context, NULL, 
+					      *krb5_princ_realm(context, principal), 
+					      &opt);
 
     ret = krb5_get_init_creds_password (context,
 					&cred,
@@ -152,6 +155,9 @@ krb5_verify_user_lrealm(krb5_context context,
 	free (*krb5_princ_realm (context, principal));
 	krb5_princ_set_realm (context, principal, &tmp);
 
+	krb5_get_init_creds_opt_set_default_flags(context, NULL, 
+						  *krb5_princ_realm(context, principal), 
+						  &opt);
 	ret = krb5_get_init_creds_password (context,
 					    &cred,
 					    principal,
diff --git a/crypto/heimdal/lib/krb5/warn.c b/crypto/heimdal/lib/krb5/warn.c
index b202f7d..1f594fb 100644
--- a/crypto/heimdal/lib/krb5/warn.c
+++ b/crypto/heimdal/lib/krb5/warn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "krb5_locl.h"
 #include <err.h>
 
-RCSID("$Id: warn.c,v 1.10 1999/12/02 17:05:13 joda Exp $");
+RCSID("$Id: warn.c,v 1.11 2000/08/16 07:37:41 assar Exp $");
 
 static krb5_error_code
 _warnerr(krb5_context context, int do_errtext, 
@@ -44,6 +44,7 @@ _warnerr(krb5_context context, int do_errtext,
     const char *args[2], **arg;
     char *msg = NULL;
     
+    args[0] = args[1] = NULL;
     arg = args;
     if(fmt){
 	strcat(xfmt, "%s");
diff --git a/crypto/heimdal/lib/krb5/write_message.c b/crypto/heimdal/lib/krb5/write_message.c
index b7f2c28..2e394b6 100644
--- a/crypto/heimdal/lib/krb5/write_message.c
+++ b/crypto/heimdal/lib/krb5/write_message.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: write_message.c,v 1.4 1999/12/02 17:05:13 joda Exp $");
+RCSID("$Id: write_message.c,v 1.6 2000/07/21 23:49:09 joda Exp $");
 
 krb5_error_code
 krb5_write_message (krb5_context context,
@@ -44,12 +44,42 @@ krb5_write_message (krb5_context context,
     u_int8_t buf[4];
 
     len = data->length;
-    buf[0] = (len >> 24) & 0xFF;
-    buf[1] = (len >> 16) & 0xFF;
-    buf[2] = (len >>  8) & 0xFF;
-    buf[3] = (len >>  0) & 0xFF;
+    _krb5_put_int(buf, len, 4);
     if (krb5_net_write (context, p_fd, buf, 4) != 4
 	|| krb5_net_write (context, p_fd, data->data, len) != len)
 	return errno;
     return 0;
 }
+
+krb5_error_code
+krb5_write_priv_message(krb5_context context,
+			krb5_auth_context ac,
+			krb5_pointer p_fd,
+			krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_data packet;
+    ret = krb5_mk_priv (context, ac, data, &packet, NULL);
+    if(ret)
+	return ret;
+    ret = krb5_write_message(context, p_fd, &packet);
+    krb5_data_free(&packet);
+    return ret;
+}
+
+krb5_error_code
+krb5_write_safe_message(krb5_context context,
+			krb5_auth_context ac,
+			krb5_boolean priv,
+			krb5_pointer p_fd,
+			krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_data packet;
+    ret = krb5_mk_safe (context, ac, data, &packet, NULL);
+    if(ret)
+	return ret;
+    ret = krb5_write_message(context, p_fd, &packet);
+    krb5_data_free(&packet);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/ChangeLog b/crypto/heimdal/lib/roken/ChangeLog
index 6da4be0..2e3ee9d 100644
--- a/crypto/heimdal/lib/roken/ChangeLog
+++ b/crypto/heimdal/lib/roken/ChangeLog
@@ -1,3 +1,264 @@
+2001-01-30  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libroken_la_LDFLAGS): bump version to 11:1:2
+	* print_version.c (print_version): add 2001
+
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* getifaddrs.c (getifaddrs2): copy the entire sockaddr
+
+	* roken-common.h (_PATH_BSHELL): add
+
+2001-01-27  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: move __attribute__ to roken-common.h
+
+	* esetenv.c (esetenv): cast to handle a setenv that takes a `char
+ 	* which is the case on Unicos
+
+2000-12-29  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (EXTRA_libroken_la_SOURCES): ifaddrs.h ->
+	ifaddrs.hin
+
+2000-12-25  Assar Westerlund  <assar@sics.se>
+
+	* getarg.c (print_arg): add a case for arg_strings
+
+2000-12-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* snprintf.c (append_string): handle NULL strings by printing
+	`(null)'
+
+2000-12-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-common.h: add c++ externs
+
+	* roken.h.in: fix last commit differently
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* err.hin (warnerr): remove, it's not part of the err.h interface
+	* roken-common.h (warnerr): moved here from err.hin
+	* Makefile.am (libroken_la_LDFLAGS): set version to 11:0:2
+	* vis.c: s/u_int32_t/unsigned/ for systems that do not define
+	u_int32_t
+
+2000-12-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: rename some headers to avoid conflict with possible
+	system headers
+
+2000-12-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* vis.c: make sure _DIAGASSERT is defined
+
+	* unvis.c: make sure _DIAGASSERT is defined
+
+	* Makefile.am: unvis.c, and vis.h
+
+	* vis.h: vis.h from NetBSD
+
+	* unvis.c: unvis from NetBSD
+
+	* roken.h.in: cleanup previous
+
+	* roken-common.h: make `extern "C"' into a macro, this make emacs
+	much happier
+
+	* vis.c: strvis implementation from NetBSD
+
+	* roken.h.in: add prototypes for strvis*
+
+2000-12-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ifaddrs.h: fix freeifaddrs prototype, and add ifa_broadaddr
+	macro
+
+	* getifaddrs.c: free some memory
+
+2000-12-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ifaddrs.h: getifaddrs implementation using SIOCGIFCONFIG etc
+
+	* getifaddrs.c: getifaddrs implementation using SIOCGIFCONFIG etc
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (mini_inetd): check that fds are not too large to
+	select on
+
+2000-09-24  Assar Westerlund  <assar@sics.se>
+
+	*  esetenv.c: new file/function
+
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 10:0:1
+
+2000-08-10  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (accept_it): type-correctness on parameters to
+	accept
+
+2000-08-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken.h.in: add proto compat for getsockname
+
+2000-08-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* write_pid.c: conditionalise pidfile
+
+	* write_pid.c: add pidfile function
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bump version to 9:0:0
+
+	* warnerr.c: add get_progname
+
+2000-07-24  Assar Westerlund  <assar@sics.se>
+
+	* getaddrinfo.c (add_hostent): if there's no fqdn in `he' try
+	reverse resolving to see if there's a fuller name there.  don't
+	use just-freed memory
+
+2000-07-22  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: do not define ndbm functions in terms of dbm functions
+	if we're using db
+
+2000-07-20  Assar Westerlund  <assar@sics.se>
+
+	* rtbl.c (rtbl_format): avoid printing an empty row at the end
+
+2000-07-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: make this compatible with `make dist'
+
+	* Makefile.am: revert version number for now
+
+2000-07-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: AM_PROG_LIBTOOL -> AC_PROG_LIBTOOL
+
+2000-07-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: set ACLOCAL_AMFLAGS
+
+2000-07-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getaddrinfo_hostspec.c: add new function that takes socktype
+	hint as parameter
+
+2000-07-09  Assar Westerlund  <assar@sics.se>
+
+	* rtbl.c (rtbl_add_column): initialize `col' completely
+
+	* configure.in: bring headers and functions more in-line with
+	what's actually being used
+
+2000-07-08  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken.h.in: declare ether_addr and sockaddr_dl for AIX
+
+	* rtbl.{c,h}: simple table functions
+
+2000-07-08  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (AM_INIT_AUTOMAKE): bump version to 10
+	* configure.in (AC_BROKEN): add strsep_copy
+	* Makefile.am (ACLOCAL): fetch files from cf
+
+2000-07-01  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h (pid_file_*): fix protos
+
+2000-06-28  Assar Westerlund  <assar@sics.se>
+
+	* getnameinfo_verified.c (getnameinfo_verified): free memory
+	returned from getaddrinfo
+
+2000-06-27  Assar Westerlund  <assar@sics.se>
+
+	* resolve.c: export string_to_type and type_to_string
+	* resolve.c: add key,sig,cert update test-program
+	* resolve.h: add key,sig,cert
+
+2000-06-21  Assar Westerlund  <assar@sics.se>
+
+	* resolve.h: add T_SIG, T_KEY
+	* resolve.c: add SIG and KEY
+	* Makefile.am (libroken_la_SOURCES): add environment.c and
+	write_pid.c
+
+	* write_pid.c: new file for writing a pid file.
+
+	* environment.c: new file with functionality for reading
+	/etc/environment.  From Ake Sandgren <ake@cs.umu.se>
+
+2000-06-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* strsep_copy.c: strsep, but with const stringp so returns string
+	in separate buffer
+
+2000-05-23  Assar Westerlund  <assar@sics.se>
+
+	* vsyslog.c (vsyslog): calculate length of new format string
+	correctly
+
+2000-05-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getusershell.c: implment the AIX version use
+	/etc/security/login.cfg
+
+2000-05-21  Assar Westerlund  <assar@sics.se>
+
+	* vsyslog.c (vsyslog): actually handle `%m'
+
+2000-05-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libroken_la_LDFLAGS): set version to 8:1:3
+
+	* roken-common.h: moved __attribute__ to roken.h.in
+
+2000-04-14  Assar Westerlund  <assar@sics.se>
+
+	* getaddrinfo_hostspec.c (roken_getaddrinfo_hostspec): copy the
+	correct length from `hostspec'.  based on a patch from Love
+	<lha@s3.kth.se>
+
+2000-04-09  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: only include one of db.h and the dbm-series
+
+2000-04-05  Assar Westerlund  <assar@sics.se>
+
+	* resolve.c (_resolve_debug): explicitly set to zero.  this moves
+	the variable from bss to data and the dynamic linker on MacOS
+	X/Darwin seems unhappy with stuff in the bss segment.
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 8:0:3
+
+2000-03-11  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (_SS_PAD1SIZE): try to write an inpenetrable
+	expression that also works on Crays
+
+2000-03-09  Assar Westerlund  <assar@sics.se>
+
+	* getarg.c (arg_match_short): backup optind when there's a missing
+	argument so that the error can point at the flag and not the
+	non-existant argument
+
+2000-03-03  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES): add timeval.c
+	* Makefile.am (libroken_la_SOURCES): add timeval.c
+	* timeval.c: new file
+
 2000-02-19  Assar Westerlund  <assar@sics.se>
 
 	* Makefile.am: set version to 7:1:2
diff --git a/crypto/heimdal/lib/roken/Makefile.am b/crypto/heimdal/lib/roken/Makefile.am
index 3d303f8..23f2d59 100644
--- a/crypto/heimdal/lib/roken/Makefile.am
+++ b/crypto/heimdal/lib/roken/Makefile.am
@@ -1,35 +1,45 @@
-# $Id: Makefile.am,v 1.70 2000/02/19 18:53:13 assar Exp $
+# $Id: Makefile.am,v 1.94 2001/01/30 01:53:30 assar Exp $
 
-include $(top_srcdir)/Makefile.am.common
+AUTOMAKE_OPTIONS = foreign no-dependencies
 
-CLEANFILES = roken.h make-roken.c print_version.h
+AM_CFLAGS += $(WFLAGS)
+
+## ACLOCAL = @ACLOCAL@ -I cf
+ACLOCAL_AMFLAGS = -I ../../cf
+
+CLEANFILES = roken.h make-roken.c $(XHEADERS)
 
 lib_LTLIBRARIES = libroken.la
-libroken_la_LDFLAGS = -version-info 7:1:2
+libroken_la_LDFLAGS = -version-info 11:1:2
+
+noinst_PROGRAMS = make-roken
+
+nodist_make_roken_SOURCES = make-roken.c
 
-noinst_PROGRAMS = make-roken make-print-version
+check_PROGRAMS = parse_bytes-test \
+		strpftime-test \
+		getaddrinfo-test
 
-check_PROGRAMS = parse_bytes-test strpftime-test getaddrinfo-test
 TESTS = $(check_PROGRAMS)
 
-getaddrinfo_test_LDADD = libroken.la
-parse_bytes_test_LDADD = libroken.la
-strpftime_test_SOURCES = strpftime-test.c strftime.c strptime.c snprintf.c
+LIB_crypt = @LIB_crypt@
 
-if KRB4
-if KRB5
-## need to link with des here; otherwise, if krb4 is shared the link
-## will fail with unresolved references
-make_print_version_LDADD += $(LIB_krb4) -ldes
-endif
-endif
+common_LDADD = libroken.la $(LIB_crypt)
+
+strpftime_test_SOURCES = strpftime-test.c strftime.c strptime.c snprintf.c
+##snprintf_test_SOURCES  = snprintf-test.c snprintf.c
+##snprintf_test_LDADD    = $(common_LDADD) -lm
+getaddrinfo_test_LDADD = $(common_LDADD)
+parse_bytes_test_LDADD = $(common_LDADD)
 
 libroken_la_SOURCES =		\
 	base64.c		\
 	concat.c		\
 	emalloc.c		\
+	environment.c		\
 	eread.c			\
 	erealloc.c		\
+	esetenv.c		\
 	estrdup.c		\
 	ewrite.c		\
 	getaddrinfo_hostspec.c	\
@@ -46,17 +56,23 @@ libroken_la_SOURCES =		\
 	parse_bytes.c		\
 	parse_time.c		\
 	parse_units.c		\
-	print_version.c		\
 	resolve.c		\
 	roken_gethostby.c	\
+	rtbl.c			\
+	rtbl.h			\
 	signal.c		\
 	simple_exec.c		\
 	snprintf.c		\
 	socket.c		\
 	strcollect.c		\
+	timeval.c		\
 	tm2time.c		\
+	unvis.c			\
 	verify.c		\
+	vis.c			\
+	vis.h			\
 	warnerr.c		\
+	write_pid.c		\
 	xdbm.h
 
 EXTRA_libroken_la_SOURCES =	\
@@ -64,12 +80,12 @@ EXTRA_libroken_la_SOURCES =	\
 	copyhostent.c		\
 	daemon.c		\
 	err.c			\
-	err.h			\
+	err.hin			\
 	errx.c			\
 	fchown.c		\
 	flock.c			\
 	fnmatch.c		\
-	fnmatch.h		\
+	fnmatch.hin		\
 	freeaddrinfo.c		\
 	freehostent.c		\
 	gai_strerror.c		\
@@ -79,15 +95,16 @@ EXTRA_libroken_la_SOURCES =	\
 	geteuid.c		\
 	getgid.c		\
 	gethostname.c		\
+	getifaddrs.c		\
 	getipnodebyaddr.c	\
 	getipnodebyname.c	\
-	getnameinfo.c		\
 	getopt.c		\
 	gettimeofday.c		\
 	getuid.c		\
 	getusershell.c		\
-	glob.h			\
+	glob.hin		\
 	hstrerror.c		\
+	ifaddrs.hin		\
 	inet_aton.c		\
 	inet_ntop.c		\
 	inet_pton.c		\
@@ -117,6 +134,7 @@ EXTRA_libroken_la_SOURCES =	\
 	strnlen.c		\
 	strptime.c		\
 	strsep.c		\
+	strsep_copy.c		\
 	strtok_r.c		\
 	strupr.c		\
 	swab.c			\
@@ -130,20 +148,13 @@ EXTRA_libroken_la_SOURCES =	\
 	warnx.c			\
 	writev.c
 
-EXTRA_DIST = resource.h roken.awk roken.def roken.dsp roken.h.in \
-	roken.mak roken.rc
-
-
+EXTRA_DIST = roken.awk roken.h.in
 
 libroken_la_LIBADD = @LTLIBOBJS@
 
-$(LTLIBOBJS) $(libroken_la_OBJECTS): roken.h
-
-include_HEADERS = $(err_h) base64.h getarg.h \
-	parse_bytes.h parse_time.h parse_units.h \
-	resolve.h roken.h roken-common.h
+$(LTLIBOBJS) $(libroken_la_OBJECTS): $(include_HEADERS) roken.h
 
-build_HEADERZ = $(err_h) $(fnmatch_h) $(glob_h) xdbm.h
+BUILT_SOURCES = make-roken.c roken.h
 
 if have_err_h
 err_h =
@@ -163,6 +174,40 @@ else
 glob_h = glob.h
 endif
 
+if have_ifaddrs_h
+ifaddrs_h =
+else
+ifaddrs_h = ifaddrs.h
+endif
+
+if have_vis_h
+vis_h = 
+else
+vis_h = vis.h
+endif
+
+## these are controlled by configure
+XHEADERS = $(err_h) $(fnmatch_h) $(glob_h) $(ifaddrs_h) $(vis_h)
+
+include_HEADERS = 				\
+	base64.h				\
+	getarg.h				\
+	parse_bytes.h 				\
+	parse_time.h 				\
+	parse_units.h				\
+	resolve.h 				\
+	roken-common.h 				\
+	rtbl.h 					\
+	xdbm.h					\
+	$(XHEADERS) 
+
+nodist_include_HEADERS = roken.h
+
+
+SUFFIXES += .hin
+.hin.h:
+	cp $< $@
+
 roken.h: make-roken$(EXEEXT)
 	@./make-roken$(EXEEXT) > tmp.h ;\
 	if [ -f roken.h ] && cmp -s tmp.h roken.h ; then rm -f tmp.h ; \
@@ -170,10 +215,3 @@ roken.h: make-roken$(EXEEXT)
 
 make-roken.c: roken.h.in roken.awk
 	$(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c
-
-print_version.lo: print_version.h
-
-print_version.h: make-print-version$(EXEEXT)
-	./make-print-version$(EXEEXT) print_version.h
-
-make-print-version.o: $(top_builddir)/include/version.h
diff --git a/crypto/heimdal/lib/roken/Makefile.in b/crypto/heimdal/lib/roken/Makefile.in
index 6db3973..c779d46 100644
--- a/crypto/heimdal/lib/roken/Makefile.in
+++ b/crypto/heimdal/lib/roken/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.70 2000/02/19 18:53:13 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,124 +95,210 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
 
-AUTOMAKE_OPTIONS = foreign no-dependencies
+# $Id: Makefile.am,v 1.94 2001/01/30 01:53:30 assar Exp $
 
-SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+AUTOMAKE_OPTIONS = foreign no-dependencies
 
 AM_CFLAGS =  $(WFLAGS)
 
-COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
-
-buildinclude = $(top_builddir)/include
+ACLOCAL_AMFLAGS = -I ../../cf
 
-LIB_XauReadAuth = @LIB_XauReadAuth@
-LIB_crypt = @LIB_crypt@
-LIB_dbm_firstkey = @LIB_dbm_firstkey@
-LIB_dbopen = @LIB_dbopen@
-LIB_dlopen = @LIB_dlopen@
-LIB_dn_expand = @LIB_dn_expand@
-LIB_el_init = @LIB_el_init@
-LIB_getattr = @LIB_getattr@
-LIB_gethostbyname = @LIB_gethostbyname@
-LIB_getpwent_r = @LIB_getpwent_r@
-LIB_getpwnam_r = @LIB_getpwnam_r@
-LIB_getsockopt = @LIB_getsockopt@
-LIB_logout = @LIB_logout@
-LIB_logwtmp = @LIB_logwtmp@
-LIB_odm_initialize = @LIB_odm_initialize@
-LIB_readline = @LIB_readline@
-LIB_res_search = @LIB_res_search@
-LIB_setpcred = @LIB_setpcred@
-LIB_setsockopt = @LIB_setsockopt@
-LIB_socket = @LIB_socket@
-LIB_syslog = @LIB_syslog@
-LIB_tgetent = @LIB_tgetent@
-
-HESIODLIB = @HESIODLIB@
-HESIODINCLUDE = @HESIODINCLUDE@
-INCLUDE_hesiod = @INCLUDE_hesiod@
-LIB_hesiod = @LIB_hesiod@
-
-INCLUDE_krb4 = @INCLUDE_krb4@
-LIB_krb4 = @LIB_krb4@
-
-INCLUDE_readline = @INCLUDE_readline@
-
-LEXLIB = @LEXLIB@
-
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
-NROFF_MAN = groff -mandoc -Tascii
-
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
-
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
-
-CHECK_LOCAL = $(PROGRAMS)
-
-CLEANFILES = roken.h make-roken.c print_version.h
+CLEANFILES = roken.h make-roken.c $(XHEADERS)
 
 lib_LTLIBRARIES = libroken.la
-libroken_la_LDFLAGS = -version-info 7:1:2
+libroken_la_LDFLAGS = -version-info 11:1:2
 
-noinst_PROGRAMS = make-roken make-print-version
+noinst_PROGRAMS = make-roken
 
-check_PROGRAMS = parse_bytes-test strpftime-test getaddrinfo-test
-TESTS = $(check_PROGRAMS)
+nodist_make_roken_SOURCES = make-roken.c
 
-getaddrinfo_test_LDADD = libroken.la
-parse_bytes_test_LDADD = libroken.la
-strpftime_test_SOURCES = strpftime-test.c strftime.c strptime.c snprintf.c
+check_PROGRAMS = parse_bytes-test \
+		strpftime-test \
+		getaddrinfo-test
 
-@KRB4_TRUE@@KRB5_TRUE@make_print_version_LDADD =  $(LIB_krb4) -ldes
 
-libroken_la_SOURCES =  	base64.c			concat.c			emalloc.c			eread.c				erealloc.c			estrdup.c			ewrite.c			getaddrinfo_hostspec.c		get_default_username.c		get_window_size.c		getarg.c			getnameinfo_verified.c		issuid.c			k_getpwnam.c			k_getpwuid.c			mini_inetd.c			net_read.c			net_write.c			parse_bytes.c			parse_time.c			parse_units.c			print_version.c			resolve.c			roken_gethostby.c		signal.c			simple_exec.c			snprintf.c			socket.c			strcollect.c			tm2time.c			verify.c			warnerr.c			xdbm.h
-
-
-EXTRA_libroken_la_SOURCES =  	chown.c				copyhostent.c			daemon.c			err.c				err.h				errx.c				fchown.c			flock.c				fnmatch.c			fnmatch.h			freeaddrinfo.c			freehostent.c			gai_strerror.c			getaddrinfo.c			getdtablesize.c			getegid.c			geteuid.c			getgid.c			gethostname.c			getipnodebyaddr.c		getipnodebyname.c		getnameinfo.c			getopt.c			gettimeofday.c			getuid.c			getusershell.c			glob.h				hstrerror.c			inet_aton.c			inet_ntop.c			inet_pton.c			initgroups.c			innetgr.c			iruserok.c			lstat.c				memmove.c			mkstemp.c			putenv.c			rcmd.c				readv.c				recvmsg.c			sendmsg.c			setegid.c			setenv.c			seteuid.c			strcasecmp.c			strdup.c			strerror.c			strftime.c			strlcat.c			strlcpy.c			strlwr.c			strncasecmp.c			strndup.c			strnlen.c			strptime.c			strsep.c			strtok_r.c			strupr.c			swab.c				unsetenv.c			verr.c				verrx.c				vsyslog.c			vwarn.c				vwarnx.c			warn.c				warnx.c				writev.c
+TESTS = $(check_PROGRAMS)
 
+LIB_crypt = @LIB_crypt@
 
-EXTRA_DIST = resource.h roken.awk roken.def roken.dsp roken.h.in 	roken.mak roken.rc
+common_LDADD = libroken.la $(LIB_crypt)
 
+strpftime_test_SOURCES = strpftime-test.c strftime.c strptime.c snprintf.c
+getaddrinfo_test_LDADD = $(common_LDADD)
+parse_bytes_test_LDADD = $(common_LDADD)
+
+libroken_la_SOURCES = \
+	base64.c		\
+	concat.c		\
+	emalloc.c		\
+	environment.c		\
+	eread.c			\
+	erealloc.c		\
+	esetenv.c		\
+	estrdup.c		\
+	ewrite.c		\
+	getaddrinfo_hostspec.c	\
+	get_default_username.c	\
+	get_window_size.c	\
+	getarg.c		\
+	getnameinfo_verified.c	\
+	issuid.c		\
+	k_getpwnam.c		\
+	k_getpwuid.c		\
+	mini_inetd.c		\
+	net_read.c		\
+	net_write.c		\
+	parse_bytes.c		\
+	parse_time.c		\
+	parse_units.c		\
+	resolve.c		\
+	roken_gethostby.c	\
+	rtbl.c			\
+	rtbl.h			\
+	signal.c		\
+	simple_exec.c		\
+	snprintf.c		\
+	socket.c		\
+	strcollect.c		\
+	timeval.c		\
+	tm2time.c		\
+	unvis.c			\
+	verify.c		\
+	vis.c			\
+	vis.h			\
+	warnerr.c		\
+	write_pid.c		\
+	xdbm.h
+
+
+EXTRA_libroken_la_SOURCES = \
+	chown.c			\
+	copyhostent.c		\
+	daemon.c		\
+	err.c			\
+	err.hin			\
+	errx.c			\
+	fchown.c		\
+	flock.c			\
+	fnmatch.c		\
+	fnmatch.hin		\
+	freeaddrinfo.c		\
+	freehostent.c		\
+	gai_strerror.c		\
+	getaddrinfo.c		\
+	getdtablesize.c		\
+	getegid.c		\
+	geteuid.c		\
+	getgid.c		\
+	gethostname.c		\
+	getifaddrs.c		\
+	getipnodebyaddr.c	\
+	getipnodebyname.c	\
+	getopt.c		\
+	gettimeofday.c		\
+	getuid.c		\
+	getusershell.c		\
+	glob.hin		\
+	hstrerror.c		\
+	ifaddrs.hin		\
+	inet_aton.c		\
+	inet_ntop.c		\
+	inet_pton.c		\
+	initgroups.c		\
+	innetgr.c		\
+	iruserok.c		\
+	lstat.c			\
+	memmove.c		\
+	mkstemp.c		\
+	putenv.c		\
+	rcmd.c			\
+	readv.c			\
+	recvmsg.c		\
+	sendmsg.c		\
+	setegid.c		\
+	setenv.c		\
+	seteuid.c		\
+	strcasecmp.c		\
+	strdup.c		\
+	strerror.c		\
+	strftime.c		\
+	strlcat.c		\
+	strlcpy.c		\
+	strlwr.c		\
+	strncasecmp.c		\
+	strndup.c		\
+	strnlen.c		\
+	strptime.c		\
+	strsep.c		\
+	strsep_copy.c		\
+	strtok_r.c		\
+	strupr.c		\
+	swab.c			\
+	unsetenv.c		\
+	verr.c			\
+	verrx.c			\
+	vsyslog.c		\
+	vwarn.c			\
+	vwarnx.c		\
+	warn.c			\
+	warnx.c			\
+	writev.c
+
+
+EXTRA_DIST = roken.awk roken.h.in
 
 libroken_la_LIBADD = @LTLIBOBJS@
 
-include_HEADERS = $(err_h) base64.h getarg.h 	parse_bytes.h parse_time.h parse_units.h 	resolve.h roken.h roken-common.h
-
-
-build_HEADERZ = $(err_h) $(fnmatch_h) $(glob_h) xdbm.h
+BUILT_SOURCES = make-roken.c roken.h
 @have_err_h_TRUE@err_h = 
-@have_err_h_FALSE@err_h = err.h
+@have_err_h_FALSE@err_h = @have_err_h_FALSE@err.h
 @have_fnmatch_h_TRUE@fnmatch_h = 
-@have_fnmatch_h_FALSE@fnmatch_h = fnmatch.h
+@have_fnmatch_h_FALSE@fnmatch_h = @have_fnmatch_h_FALSE@fnmatch.h
 @have_glob_h_TRUE@glob_h = 
-@have_glob_h_FALSE@glob_h = glob.h
+@have_glob_h_FALSE@glob_h = @have_glob_h_FALSE@glob.h
+@have_ifaddrs_h_TRUE@ifaddrs_h = 
+@have_ifaddrs_h_FALSE@ifaddrs_h = @have_ifaddrs_h_FALSE@ifaddrs.h
+@have_vis_h_TRUE@vis_h = 
+@have_vis_h_FALSE@vis_h = @have_vis_h_FALSE@vis.h
+
+XHEADERS = $(err_h) $(fnmatch_h) $(glob_h) $(ifaddrs_h) $(vis_h)
+
+include_HEADERS = \
+	base64.h				\
+	getarg.h				\
+	parse_bytes.h 				\
+	parse_time.h 				\
+	parse_units.h				\
+	resolve.h 				\
+	roken-common.h 				\
+	rtbl.h 					\
+	xdbm.h					\
+	$(XHEADERS) 
+
+
+nodist_include_HEADERS = roken.h
+
+SUFFIXES =  .hin
+subdir = lib/roken
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -225,63 +314,64 @@ X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 libroken_la_DEPENDENCIES =  @LTLIBOBJS@
-libroken_la_OBJECTS =  base64.lo concat.lo emalloc.lo eread.lo \
-erealloc.lo estrdup.lo ewrite.lo getaddrinfo_hostspec.lo \
-get_default_username.lo get_window_size.lo getarg.lo \
-getnameinfo_verified.lo issuid.lo k_getpwnam.lo k_getpwuid.lo \
+am_libroken_la_OBJECTS =  base64.lo concat.lo emalloc.lo environment.lo \
+eread.lo erealloc.lo esetenv.lo estrdup.lo ewrite.lo \
+getaddrinfo_hostspec.lo get_default_username.lo get_window_size.lo \
+getarg.lo getnameinfo_verified.lo issuid.lo k_getpwnam.lo k_getpwuid.lo \
 mini_inetd.lo net_read.lo net_write.lo parse_bytes.lo parse_time.lo \
-parse_units.lo print_version.lo resolve.lo roken_gethostby.lo signal.lo \
-simple_exec.lo snprintf.lo socket.lo strcollect.lo tm2time.lo verify.lo \
-warnerr.lo
+parse_units.lo resolve.lo roken_gethostby.lo rtbl.lo signal.lo \
+simple_exec.lo snprintf.lo socket.lo strcollect.lo timeval.lo \
+tm2time.lo unvis.lo verify.lo vis.lo warnerr.lo write_pid.lo
+libroken_la_OBJECTS =  $(am_libroken_la_OBJECTS)
 check_PROGRAMS =  parse_bytes-test$(EXEEXT) strpftime-test$(EXEEXT) \
 getaddrinfo-test$(EXEEXT)
-noinst_PROGRAMS =  make-roken$(EXEEXT) make-print-version$(EXEEXT)
+noinst_PROGRAMS =  make-roken$(EXEEXT)
 PROGRAMS =  $(noinst_PROGRAMS)
 
+getaddrinfo_test_SOURCES = getaddrinfo-test.c
+getaddrinfo_test_OBJECTS =  getaddrinfo-test.$(OBJEXT)
+getaddrinfo_test_DEPENDENCIES =  libroken.la
+getaddrinfo_test_LDFLAGS = 
+nodist_make_roken_OBJECTS =  make-roken.$(OBJEXT)
+make_roken_OBJECTS =  $(nodist_make_roken_OBJECTS)
+make_roken_LDADD = $(LDADD)
+make_roken_DEPENDENCIES = 
+make_roken_LDFLAGS = 
 parse_bytes_test_SOURCES = parse_bytes-test.c
 parse_bytes_test_OBJECTS =  parse_bytes-test.$(OBJEXT)
 parse_bytes_test_DEPENDENCIES =  libroken.la
 parse_bytes_test_LDFLAGS = 
-strpftime_test_OBJECTS =  strpftime-test.$(OBJEXT) strftime.$(OBJEXT) \
+am_strpftime_test_OBJECTS =  strpftime-test.$(OBJEXT) strftime.$(OBJEXT) \
 strptime.$(OBJEXT) snprintf.$(OBJEXT)
+strpftime_test_OBJECTS =  $(am_strpftime_test_OBJECTS)
 strpftime_test_LDADD = $(LDADD)
 strpftime_test_DEPENDENCIES = 
 strpftime_test_LDFLAGS = 
-getaddrinfo_test_SOURCES = getaddrinfo-test.c
-getaddrinfo_test_OBJECTS =  getaddrinfo-test.$(OBJEXT)
-getaddrinfo_test_DEPENDENCIES =  libroken.la
-getaddrinfo_test_LDFLAGS = 
-make_roken_SOURCES = make-roken.c
-make_roken_OBJECTS =  make-roken.$(OBJEXT)
-make_roken_LDADD = $(LDADD)
-make_roken_DEPENDENCIES = 
-make_roken_LDFLAGS = 
-make_print_version_SOURCES = make-print-version.c
-make_print_version_OBJECTS =  make-print-version.$(OBJEXT)
-@KRB4_TRUE@@KRB5_TRUE@make_print_version_DEPENDENCIES = 
-make_print_version_LDFLAGS = 
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
-HEADERS =  $(include_HEADERS)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) \
+getaddrinfo-test.c parse_bytes-test.c $(strpftime_test_SOURCES)
+HEADERS =  $(include_HEADERS) $(nodist_include_HEADERS)
 
-DIST_COMMON =  ChangeLog Makefile.am Makefile.in getcap.c glob.c \
-make-print-version.c
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) ChangeLog Makefile.am Makefile.in \
+acinclude.m4 getcap.c getcwd.c getnameinfo.c glob.c install-sh \
+make-print-version.c missing mkinstalldirs
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
-SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) parse_bytes-test.c $(strpftime_test_SOURCES) getaddrinfo-test.c make-roken.c make-print-version.c
-OBJECTS = $(libroken_la_OBJECTS) parse_bytes-test.$(OBJEXT) $(strpftime_test_OBJECTS) getaddrinfo-test.$(OBJEXT) make-roken.$(OBJEXT) make-print-version.$(OBJEXT)
+SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) getaddrinfo-test.c $(nodist_make_roken_SOURCES) parse_bytes-test.c $(strpftime_test_SOURCES)
+OBJECTS = $(am_libroken_la_OBJECTS) getaddrinfo-test.$(OBJEXT) $(nodist_make_roken_OBJECTS) parse_bytes-test.$(OBJEXT) $(am_strpftime_test_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
-$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+.SUFFIXES: .c .h .hin .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) 
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/roken/Makefile
 
 Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
@@ -303,31 +393,18 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	$(mkinstalldirs) $(DESTDIR)$(libdir)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
 	  else :; fi; \
 	done
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
 	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -339,15 +416,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -379,14 +447,6 @@ distclean-noinstPROGRAMS:
 
 maintainer-clean-noinstPROGRAMS:
 
-parse_bytes-test$(EXEEXT): $(parse_bytes_test_OBJECTS) $(parse_bytes_test_DEPENDENCIES)
-	@rm -f parse_bytes-test$(EXEEXT)
-	$(LINK) $(parse_bytes_test_LDFLAGS) $(parse_bytes_test_OBJECTS) $(parse_bytes_test_LDADD) $(LIBS)
-
-strpftime-test$(EXEEXT): $(strpftime_test_OBJECTS) $(strpftime_test_DEPENDENCIES)
-	@rm -f strpftime-test$(EXEEXT)
-	$(LINK) $(strpftime_test_LDFLAGS) $(strpftime_test_OBJECTS) $(strpftime_test_LDADD) $(LIBS)
-
 getaddrinfo-test$(EXEEXT): $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_DEPENDENCIES)
 	@rm -f getaddrinfo-test$(EXEEXT)
 	$(LINK) $(getaddrinfo_test_LDFLAGS) $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_LDADD) $(LIBS)
@@ -395,44 +455,79 @@ make-roken$(EXEEXT): $(make_roken_OBJECTS) $(make_roken_DEPENDENCIES)
 	@rm -f make-roken$(EXEEXT)
 	$(LINK) $(make_roken_LDFLAGS) $(make_roken_OBJECTS) $(make_roken_LDADD) $(LIBS)
 
-make-print-version$(EXEEXT): $(make_print_version_OBJECTS) $(make_print_version_DEPENDENCIES)
-	@rm -f make-print-version$(EXEEXT)
-	$(LINK) $(make_print_version_LDFLAGS) $(make_print_version_OBJECTS) $(make_print_version_LDADD) $(LIBS)
+parse_bytes-test$(EXEEXT): $(parse_bytes_test_OBJECTS) $(parse_bytes_test_DEPENDENCIES)
+	@rm -f parse_bytes-test$(EXEEXT)
+	$(LINK) $(parse_bytes_test_LDFLAGS) $(parse_bytes_test_OBJECTS) $(parse_bytes_test_LDADD) $(LIBS)
+
+strpftime-test$(EXEEXT): $(strpftime_test_OBJECTS) $(strpftime_test_DEPENDENCIES)
+	@rm -f strpftime-test$(EXEEXT)
+	$(LINK) $(strpftime_test_LDFLAGS) $(strpftime_test_OBJECTS) $(strpftime_test_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 
 install-includeHEADERS: $(include_HEADERS)
 	@$(NORMAL_INSTALL)
 	$(mkinstalldirs) $(DESTDIR)$(includedir)
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
-	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
-	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
 	done
 
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	list='$(include_HEADERS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+install-nodist_includeHEADERS: $(nodist_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-nodist_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
 	done
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -442,77 +537,104 @@ distclean-tags:
 	-rm -f TAGS ID
 
 maintainer-clean-tags:
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list='$(TESTS)'; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xpass=`expr $$xpass + 1`; \
+	        failed=`expr $$failed + 1`; \
+	        echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+	        echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xfail=`expr $$xfail + 1`; \
+	        echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+	        failed=`expr $$failed + 1`; \
+	        echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/roken
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
-	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
-check-TESTS: $(TESTS)
-	@failed=0; all=0; \
-	srcdir=$(srcdir); export srcdir; \
-	for tst in $(TESTS); do \
-	  if test -f $$tst; then dir=.; \
-	  else dir="$(srcdir)"; fi; \
-	  if $(TESTS_ENVIRONMENT) $$dir/$$tst; then \
-	    all=`expr $$all + 1`; \
-	    echo "PASS: $$tst"; \
-	  elif test $$? -ne 77; then \
-	    all=`expr $$all + 1`; \
-	    failed=`expr $$failed + 1`; \
-	    echo "FAIL: $$tst"; \
-	  fi; \
-	done; \
-	if test "$$failed" -eq 0; then \
-	  banner="All $$all tests passed"; \
-	else \
-	  banner="$$failed of $$all tests failed"; \
-	fi; \
-	dashes=`echo "$$banner" | sed s/./=/g`; \
-	echo "$$dashes"; \
-	echo "$$banner"; \
-	echo "$$dashes"; \
-	test "$$failed" -eq 0
 info-am:
 info: info-am
 dvi-am:
 dvi: dvi-am
 check-am: all-am
 	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
-	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
 check: check-am
 installcheck-am:
 installcheck: installcheck-am
 install-exec-am: install-libLTLIBRARIES
-	@$(NORMAL_INSTALL)
-	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 install-exec: install-exec-am
 
-install-data-am: install-includeHEADERS install-data-local
+install-data-am: install-includeHEADERS install-nodist_includeHEADERS
 install-data: install-data-am
 
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 install: install-am
-uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS
+uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS \
+		uninstall-nodist_includeHEADERS
 uninstall: uninstall-am
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS)
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
-	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir) \
+		$(DESTDIR)$(nodist_includedir)
 
 
 mostlyclean-generic:
@@ -525,6 +647,8 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
+	-rm -f Makefile.in
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
 mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
 		mostlyclean-libtool mostlyclean-checkPROGRAMS \
 		mostlyclean-noinstPROGRAMS mostlyclean-tags \
@@ -566,220 +690,19 @@ distclean-checkPROGRAMS clean-checkPROGRAMS \
 maintainer-clean-checkPROGRAMS mostlyclean-noinstPROGRAMS \
 distclean-noinstPROGRAMS clean-noinstPROGRAMS \
 maintainer-clean-noinstPROGRAMS uninstall-includeHEADERS \
-install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
-maintainer-clean-tags distdir check-TESTS info-am info dvi-am dvi \
-check-local check check-am installcheck-am installcheck install-exec-am \
-install-exec install-data-local install-data-am install-data install-am \
-install uninstall-am uninstall all-local all-redirect all-am all \
+install-includeHEADERS uninstall-nodist_includeHEADERS \
+install-nodist_includeHEADERS tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags check-TESTS distdir info-am info \
+dvi-am dvi check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-am install-data install-am install \
+uninstall-am uninstall all-redirect all-am all install-strip \
 installdirs mostlyclean-generic distclean-generic clean-generic \
 maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
-install-suid-programs:
-	@foo='$(bin_SUIDS)'; \
-	for file in $$foo; do \
-	x=$(DESTDIR)$(bindir)/$$file; \
-	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
-
-install-exec-hook: install-suid-programs
-
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
-	for f in $$foo; do \
-		f=`basename $$f`; \
-		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
-		else file="$$f"; fi; \
-		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
-		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
-		fi ; \
-	done
-
-all-local: install-build-headers
-#NROFF_MAN = nroff -man
-.1.cat1:
-	$(NROFF_MAN) $< > $@
-.3.cat3:
-	$(NROFF_MAN) $< > $@
-.5.cat5:
-	$(NROFF_MAN) $< > $@
-.8.cat8:
-	$(NROFF_MAN) $< > $@
-
-dist-cat1-mans:
-	@foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done ;\
-	for i in $$foo; do \
-		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
-		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
-		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
-	done
-
-dist-cat3-mans:
-	@foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done ;\
-	for i in $$foo; do \
-		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
-		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
-		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
-	done
-
-dist-cat5-mans:
-	@foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done ;\
-	for i in $$foo; do \
-		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
-		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
-		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
-	done
-
-dist-cat8-mans:
-	@foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done ;\
-	for i in $$foo; do \
-		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
-		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
-		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
-	done
-
-dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
-
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
-
-install-data-local: install-cat-mans
-
-.et.h:
-	$(COMPILE_ET) $<
-.et.c:
-	$(COMPILE_ET) $<
-
-.x.c:
-	@cmp -s $< $@ 2> /dev/null || cp $< $@
-
-check-local::
-	@foo='$(CHECK_LOCAL)'; \
-	  if test "$$foo"; then \
-	  failed=0; all=0; \
-	  for i in $$foo; do \
-	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
-	      echo "PASS: $$i"; \
-	    else \
-	      echo "FAIL: $$i"; \
-	      failed=`expr $$failed + 1`; \
-	    fi; \
-	  done; \
-	  if test "$$failed" -eq 0; then \
-	    banner="All $$all tests passed"; \
-	  else \
-	    banner="$$failed of $$all tests failed"; \
-	  fi; \
-	  dashes=`echo "$$banner" | sed s/./=/g`; \
-	  echo "$$dashes"; \
-	  echo "$$banner"; \
-	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
-	fi
-
-$(LTLIBOBJS) $(libroken_la_OBJECTS): roken.h
+$(LTLIBOBJS) $(libroken_la_OBJECTS): $(include_HEADERS) roken.h
+.hin.h:
+	cp $< $@
 
 roken.h: make-roken$(EXEEXT)
 	@./make-roken$(EXEEXT) > tmp.h ;\
@@ -789,13 +712,6 @@ roken.h: make-roken$(EXEEXT)
 make-roken.c: roken.h.in roken.awk
 	$(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c
 
-print_version.lo: print_version.h
-
-print_version.h: make-print-version$(EXEEXT)
-	./make-print-version$(EXEEXT) print_version.h
-
-make-print-version.o: $(top_builddir)/include/version.h
-
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/lib/roken/acconfig.h b/crypto/heimdal/lib/roken/acconfig.h
new file mode 100644
index 0000000..5fbe685
--- /dev/null
+++ b/crypto/heimdal/lib/roken/acconfig.h
@@ -0,0 +1,36 @@
+@BOTTOM@
+
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
+
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+
+#undef PROTOTYPES
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+/*
+ * Define NDBM if you are using the 4.3 ndbm library (which is part of
+ * libc).  If not defined, 4.2 dbm will be assumed.
+ */
+#if defined(HAVE_DBM_FIRSTKEY)
+#define NDBM
+#endif
+
+/*
+ * Defining this enables lots of useful (and used) extensions on
+ * glibc-based systems such as Linux
+ */
+
+#define _GNU_SOURCE
diff --git a/crypto/heimdal/lib/roken/acinclude.m4 b/crypto/heimdal/lib/roken/acinclude.m4
new file mode 100644
index 0000000..1d0197c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/acinclude.m4
@@ -0,0 +1,9 @@
+dnl $Id$
+dnl
+dnl Only put things that for some reason can't live in the `cf'
+dnl directory in this file.
+dnl
+
+dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
+dnl
+define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
diff --git a/crypto/heimdal/lib/roken/config.h.in b/crypto/heimdal/lib/roken/config.h.in
new file mode 100644
index 0000000..b3df989
--- /dev/null
+++ b/crypto/heimdal/lib/roken/config.h.in
@@ -0,0 +1 @@
+/*autoheader*/
diff --git a/crypto/heimdal/lib/roken/environment.c b/crypto/heimdal/lib/roken/environment.c
new file mode 100644
index 0000000..62c732c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/environment.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: environment.c,v 1.1 2000/06/21 02:05:03 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include "roken.h"
+
+/*
+ * return count of environment assignments from `file' and 
+ * list of malloced strings in `env'
+ */
+
+int
+read_environment(const char *file, char ***env)
+{
+    int i, k;
+    FILE *F;
+    char **l;
+    char buf[BUFSIZ], *p, *r;
+
+    if ((F = fopen(file, "r")) == NULL) {
+	return 0;
+    }
+
+    i = 0;
+    if (*env) {
+	l = *env;
+	while (*l != NULL) {
+	    i++;
+	    l++;
+	}
+    }
+    l = *env;
+    /* This is somewhat more relaxed on what it accepts then
+     * Wietses sysv_environ from K4 was...
+     */
+    while (fgets(buf, BUFSIZ, F) != NULL) {
+	if (buf[0] == '#')
+	    continue;
+
+	p = strchr(buf, '#');
+	if (p != NULL)
+	    *p = '\0';
+
+	p = buf;
+	while (*p == ' ' || *p == '\t' || *p == '\n') p++;
+	if (*p == '\0')
+	    continue;
+
+	k = strlen(p);
+	if (p[k-1] == '\n')
+	    p[k-1] = '\0';
+
+	/* Here one should check that is is a 'valid' env string... */
+	r = strchr(p, '=');
+	if (r == NULL)
+	    continue;
+
+	l = realloc(l, (i+1) * sizeof (char *));
+	l[i++] = strdup(p);
+    }
+    fclose(F);
+    l = realloc(l, (i+1) * sizeof (char *));
+    l[i] = NULL;
+    *env = l;
+    return i;
+}
diff --git a/crypto/heimdal/lib/roken/err.hin b/crypto/heimdal/lib/roken/err.hin
new file mode 100644
index 0000000..1fa7774
--- /dev/null
+++ b/crypto/heimdal/lib/roken/err.hin
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: err.hin,v 1.16 2000/12/11 04:40:59 assar Exp $ */
+
+#ifndef __ERR_H__
+#define __ERR_H__
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+extern const char *__progname;
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+void verr(int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)));
+void err(int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)));
+void verrx(int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)));
+void errx(int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)));
+void vwarn(const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 1, 0)));
+void warn(const char *fmt, ...)
+     __attribute__ ((format (printf, 1, 2)));
+void vwarnx(const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 1, 0)));
+void warnx(const char *fmt, ...)
+     __attribute__ ((format (printf, 1, 2)));
+
+#endif /* __ERR_H__ */
diff --git a/crypto/heimdal/lib/roken/esetenv.c b/crypto/heimdal/lib/roken/esetenv.c
new file mode 100644
index 0000000..cb35752
--- /dev/null
+++ b/crypto/heimdal/lib/roken/esetenv.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2000, 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: esetenv.c,v 1.3 2001/01/27 05:28:38 assar Exp $");
+#endif
+
+#include "roken.h"
+
+#include <err.h>
+
+void
+esetenv(const char *var, const char *val, int rewrite)
+{
+    if (setenv ((char *)var, (char *)val, rewrite))
+	errx (1, "failed setting environment variable %s", var);
+}
diff --git a/crypto/heimdal/lib/roken/fnmatch.hin b/crypto/heimdal/lib/roken/fnmatch.hin
new file mode 100644
index 0000000..95c91d6
--- /dev/null
+++ b/crypto/heimdal/lib/roken/fnmatch.hin
@@ -0,0 +1,49 @@
+/*	$NetBSD: fnmatch.h,v 1.5 1994/10/26 00:55:53 cgd Exp $	*/
+
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)fnmatch.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef	_FNMATCH_H_
+#define	_FNMATCH_H_
+
+#define	FNM_NOMATCH	1	/* Match failed. */
+
+#define	FNM_NOESCAPE	0x01	/* Disable backslash escaping. */
+#define	FNM_PATHNAME	0x02	/* Slash must be matched by slash. */
+#define	FNM_PERIOD	0x04	/* Period must be matched by period. */
+
+int	 fnmatch (const char *, const char *, int);
+
+#endif /* !_FNMATCH_H_ */
diff --git a/crypto/heimdal/lib/roken/getaddrinfo-test.c b/crypto/heimdal/lib/roken/getaddrinfo-test.c
index ede9c95..0e3afc5 100644
--- a/crypto/heimdal/lib/roken/getaddrinfo-test.c
+++ b/crypto/heimdal/lib/roken/getaddrinfo-test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getaddrinfo-test.c,v 1.2 1999/12/03 04:10:07 assar Exp $");
+RCSID("$Id: getaddrinfo-test.c,v 1.3 2000/07/08 14:22:09 assar Exp $");
 #endif
 
 #include "roken.h"
@@ -122,7 +122,7 @@ main(int argc, char **argv)
 	usage (0);
 
     if (version_flag) {
-	print_version (NULL);
+	fprintf (stderr, "%s from %s-%s)\n", __progname, PACKAGE, VERSION);
 	return 0;
     }
 
diff --git a/crypto/heimdal/lib/roken/getaddrinfo.c b/crypto/heimdal/lib/roken/getaddrinfo.c
index db18742..4b94d3d 100644
--- a/crypto/heimdal/lib/roken/getaddrinfo.c
+++ b/crypto/heimdal/lib/roken/getaddrinfo.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getaddrinfo.c,v 1.6 1999/12/20 00:56:44 assar Exp $");
+RCSID("$Id: getaddrinfo.c,v 1.9 2000/07/24 02:34:20 assar Exp $");
 #endif
 
 #include "roken.h"
@@ -215,27 +215,56 @@ get_null (const struct addrinfo *hints,
     return 0;
 }
 
+/*
+ * Try to find a fqdn (with `.') in he if possible, else return h_name
+ */
+
+static char *
+find_fqdn (const struct hostent *he)
+{
+    char *ret = he->h_name;
+    char **h;
+
+    if (strchr (ret, '.') == NULL)
+	for (h = he->h_aliases; *h; ++h) {
+	    if (strchr (*h, '.') != NULL) {
+		ret = *h;
+		break;
+	    }
+	}
+    return ret;
+}
+
 static int
 add_hostent (int port, int protocol, int socktype,
 	     struct addrinfo ***current,
 	     int (*func)(struct addrinfo *, void *data, int port),
 	     struct hostent *he, int *flags)
 {
-    char **h;
     int ret;
     char *canonname = NULL;
+    char **h;
 
     if (*flags & AI_CANONNAME) {
-	canonname = he->h_name;
-
-	if (strchr (he->h_name, '.') == NULL)
-	    for (h = he->h_aliases; *h; ++h) {
-		if (strchr (*h, '.') != NULL) {
-		    canonname = *h;
-		    break;
-		}
+	struct hostent *he2 = NULL;
+
+	canonname = find_fqdn (he);
+	if (strchr (canonname, '.') == NULL) {
+	    int error;
+
+	    he2 = getipnodebyaddr (he->h_addr_list[0], he->h_length,
+				   he->h_addrtype, &error);
+	    if (he2 != NULL) {
+		char *tmp = find_fqdn (he2);
+
+		if (strchr (tmp, '.') != NULL)
+		    canonname = tmp;
 	    }
+	}
+
 	canonname = strdup (canonname);
+	if (he2 != NULL)
+	    freehostent (he2);
 	if (canonname == NULL)
 	    return EAI_MEMORY;
     }
diff --git a/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c b/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c
index 76e5d2b..7f6b0d1 100644
--- a/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c
+++ b/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getaddrinfo_hostspec.c,v 1.1 2000/02/07 13:38:22 joda Exp $");
+RCSID("$Id: getaddrinfo_hostspec.c,v 1.3 2000/07/15 12:50:32 joda Exp $");
 #endif
 
 #include "roken.h"
@@ -41,14 +41,16 @@ RCSID("$Id: getaddrinfo_hostspec.c,v 1.1 2000/02/07 13:38:22 joda Exp $");
 /* getaddrinfo via string specifying host and port */
 
 int
-roken_getaddrinfo_hostspec(const char *hostspec, 
-			   int port,
-			   struct addrinfo **ai)
+roken_getaddrinfo_hostspec2(const char *hostspec, 
+			    int socktype,
+			    int port,
+			    struct addrinfo **ai)
 {
     const char *p;
     char portstr[NI_MAXSERV];
     char host[MAXHOSTNAMELEN];
     struct addrinfo hints;
+    int hostspec_len;
 
     struct hst {
 	const char *prefix;
@@ -64,6 +66,8 @@ roken_getaddrinfo_hostspec(const char *hostspec,
     };
 
     memset(&hints, 0, sizeof(hints));
+
+    hints.ai_socktype = socktype;
 	
     for(hstp = hst; hstp->prefix; hstp++) {
 	if(strncmp(hostspec, hstp->prefix, strlen(hstp->prefix)) == 0) {
@@ -81,9 +85,20 @@ roken_getaddrinfo_hostspec(const char *hostspec,
 	char *end;
 
 	port = strtol (p + 1, &end, 0);
+	hostspec_len = p - hostspec;
+    } else {
+	hostspec_len = strlen(hostspec);
     }
     snprintf (portstr, sizeof(portstr), "%u", port);
     
-    snprintf (host, sizeof(host), "%.*s", p - hostspec, hostspec);
+    snprintf (host, sizeof(host), "%.*s", hostspec_len, hostspec);
     return getaddrinfo (host, portstr, &hints, ai);
 }
+
+int
+roken_getaddrinfo_hostspec(const char *hostspec, 
+			   int port,
+			   struct addrinfo **ai)
+{
+    return roken_getaddrinfo_hostspec2(hostspec, 0, port, ai);
+}
diff --git a/crypto/heimdal/lib/roken/getarg.3 b/crypto/heimdal/lib/roken/getarg.3
index 78a8802..e3b5c9f 100644
--- a/crypto/heimdal/lib/roken/getarg.3
+++ b/crypto/heimdal/lib/roken/getarg.3
@@ -1,5 +1,5 @@
 .\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" $Id: getarg.3,v 1.2 1999/10/18 17:14:31 joda Exp $
+.\" $Id: getarg.3,v 1.3 2001/01/11 16:16:30 assar Exp $
 .Dd September 24, 1999
 .Dt GETARG 3
 .Os ROKEN
@@ -9,13 +9,10 @@
 .Nd collect command line options
 .Sh SYNOPSIS
 .Fd #include <getarg.h>
-
 .Ft int
 .Fn getarg "struct getargs *args" "size_t num_args" "int argc" "char **argv" "int *optind"
-
 .Ft void
 .Fn arg_printusage "struct getargs *args" "size_t num_args" "const char *progname" "const char *extra_string"
-
 .Sh DESCRIPTION
 .Fn getarg
 collects any command line options given to a program in an easily used way. 
@@ -45,7 +42,8 @@ take the same
 and
 .Fa num_args
 as getarg;
-.Fa progname is the name of the program (to be used in the help text), and 
+.Fa progname
+is the name of the program (to be used in the help text), and 
 .Fa extra_string
 is a string to print after the actual options to indicate more
 arguments. The usefulness of this function is realised only be people
@@ -55,7 +53,6 @@ the code does.
 The
 .Fa getargs
 struct has the following elements.
-
 .Bd -literal
 struct getargs{
     const char *long_name;
@@ -176,7 +173,7 @@ and
 .Fa *optarg ,
 but to do this correct you (more or less) have to know about the inner
 workings of getarg.
- 
+.Pp 
 You can skip parts of arguments by increasing
 .Fa *optarg
 (you could
@@ -233,8 +230,6 @@ and if you're really confused you can do it multiple times
 .Pf ( Fl -no-no-help= Ns Ar false ,
 or even 
 .Fl -no-no-help= Ns Ar maybe ) .
-
-.Pp
 .Sh EXAMPLE
 .Bd -literal
 #include <stdio.h>
@@ -276,11 +271,11 @@ main(int argc, char **argv)
 	exit (0);
     }
     if (destination == NULL) {
-	fprintf(stderr, "%s: must specify destination\n", progname);
+	fprintf(stderr, "%s: must specify destination\en", progname);
 	exit(1);
     }
     if (strcmp(source, destination) == 0) {
-	fprintf(stderr, "%s: destination must be different from source\n");
+	fprintf(stderr, "%s: destination must be different from source\en");
 	exit(1);
     }
     /* include more stuff here ... */
@@ -298,7 +293,6 @@ Usage: ship++ [--source=city] [-s city] [--destination=city] [-d city]
 -w tons, --weight=tons      weight of shippment
 -c, --no-catalog            include product catalog
 .Ed
-
 .Sh BUGS
 It should be more flexible, so it would be possible to use other more
 complicated option syntaxes, such as what
diff --git a/crypto/heimdal/lib/roken/getarg.c b/crypto/heimdal/lib/roken/getarg.c
index d9a03a5..342388e 100644
--- a/crypto/heimdal/lib/roken/getarg.c
+++ b/crypto/heimdal/lib/roken/getarg.c
@@ -33,10 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getarg.c,v 1.34 2000/02/13 21:06:43 assar Exp $");
+RCSID("$Id: getarg.c,v 1.37 2000/12/25 17:03:15 assar Exp $");
 #endif
 
 #include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
 #include <roken.h>
 #include "getarg.h"
 
@@ -56,11 +58,12 @@ print_arg (char *string, size_t len, int mdoc, int longp, struct getargs *arg)
 	if(longp)
 	    strlcat(string, "= Ns", len);
 	strlcat(string, " Ar ", len);
-    }else
+    } else {
 	if (longp)
 	    strlcat (string, "=", len);
 	else
 	    strlcat (string, " ", len);
+    }
 
     if (arg->arg_help)
 	s = arg->arg_help;
@@ -68,6 +71,8 @@ print_arg (char *string, size_t len, int mdoc, int longp, struct getargs *arg)
 	s = "integer";
     else if (arg->type == arg_string)
 	s = "string";
+    else if (arg->type == arg_strings)
+	s = "strings";
     else if (arg->type == arg_double)
 	s = "float";
     else
@@ -461,8 +466,10 @@ arg_match_short (struct getargs *args, size_t num_args,
 		    ++*optind;
 		    optarg = rargv[*optind];
 		}
-		if(optarg == NULL)
+		if(optarg == NULL) {
+		    --*optind;
 		    return ARG_ERR_NO_ARG;
+		}
 		if(args[k].type == arg_integer) {
 		    int tmp;
 		    if(sscanf(optarg, "%d", &tmp) != 1)
diff --git a/crypto/heimdal/lib/roken/getifaddrs.c b/crypto/heimdal/lib/roken/getifaddrs.c
new file mode 100644
index 0000000..e8e3e54
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getifaddrs.c
@@ -0,0 +1,271 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getifaddrs.c,v 1.4 2001/01/28 23:02:46 assar Exp $");
+#endif
+#include "roken.h"
+
+#ifdef __osf__
+/* hate */
+struct rtentry;
+struct mbuf;
+#endif
+#ifdef HAVE_NET_IF_H
+#include <net/if.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif /* HAVE_SYS_SOCKIO_H */
+
+#ifdef HAVE_NETINET_IN6_VAR_H
+#include <netinet/in6_var.h>
+#endif /* HAVE_NETINET_IN6_VAR_H */
+
+#include <ifaddrs.h>
+
+static int
+getifaddrs2(struct ifaddrs **ifap, 
+	    int af, int siocgifconf, int siocgifflags,
+	    size_t ifreq_sz)
+{
+    int ret;
+    int fd;
+    size_t buf_size;
+    char *buf;
+    struct ifconf ifconf;
+    int num, j = 0;
+    char *p;
+    size_t sz;
+    struct sockaddr sa_zero;
+    struct ifreq *ifr;
+
+    struct ifaddrs *start,  **end = &start;
+
+    buf = NULL;
+
+    memset (&sa_zero, 0, sizeof(sa_zero));
+    fd = socket(af, SOCK_DGRAM, 0);
+    if (fd < 0)
+	return -1;
+
+    buf_size = 8192;
+    for (;;) {
+	buf = calloc(1, buf_size);
+	if (buf == NULL) {
+	    ret = ENOMEM;
+	    goto error_out;
+	}
+	ifconf.ifc_len = buf_size;
+	ifconf.ifc_buf = buf;
+
+	/*
+	 * Solaris returns EINVAL when the buffer is too small.
+	 */
+	if (ioctl (fd, siocgifconf, &ifconf) < 0 && errno != EINVAL) {
+	    ret = errno;
+	    goto error_out;
+	}
+	/*
+	 * Can the difference between a full and a overfull buf
+	 * be determined?
+	 */
+
+	if (ifconf.ifc_len < buf_size)
+	    break;
+	free (buf);
+	buf_size *= 2;
+    }
+
+    num = ifconf.ifc_len / ifreq_sz;
+    j = 0;
+    for (p = ifconf.ifc_buf;
+	 p < ifconf.ifc_buf + ifconf.ifc_len;
+	 p += sz) {
+	struct ifreq ifreq;
+	struct sockaddr *sa;
+	size_t salen;
+
+	ifr = (struct ifreq *)p;
+	sa  = &ifr->ifr_addr;
+
+	sz = ifreq_sz;
+	salen = sizeof(struct sockaddr);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	salen = sa->sa_len;
+	sz = max(sz, sizeof(ifr->ifr_name) + sa->sa_len);
+#endif
+#ifdef SA_LEN
+	salen = SA_LEN(sa);
+	sz = max(sz, sizeof(ifr->ifr_name) + SA_LEN(sa));
+#endif
+	memset (&ifreq, 0, sizeof(ifreq));
+	memcpy (ifreq.ifr_name, ifr->ifr_name, sizeof(ifr->ifr_name));
+
+	if (ioctl(fd, siocgifflags, &ifreq) < 0) {
+	    ret = errno;
+	    goto error_out;
+	}
+
+	*end = malloc(sizeof(**end));
+
+	(*end)->ifa_next = NULL;
+	(*end)->ifa_name = strdup(ifr->ifr_name);
+	(*end)->ifa_flags = ifreq.ifr_flags;
+	(*end)->ifa_addr = malloc(salen);
+	memcpy((*end)->ifa_addr, sa, salen);
+	(*end)->ifa_netmask = NULL;
+
+#if 0
+	/* fix these when we actually need them */
+	if(ifreq.ifr_flags & IFF_BROADCAST) {
+	    (*end)->ifa_broadaddr = malloc(sizeof(ifr->ifr_broadaddr));
+	    memcpy((*end)->ifa_broadaddr, &ifr->ifr_broadaddr, 
+		   sizeof(ifr->ifr_broadaddr));
+	} else if(ifreq.ifr_flags & IFF_POINTOPOINT) {
+	    (*end)->ifa_dstaddr = malloc(sizeof(ifr->ifr_dstaddr));
+	    memcpy((*end)->ifa_dstaddr, &ifr->ifr_dstaddr, 
+		   sizeof(ifr->ifr_dstaddr));
+	} else
+	    (*end)->ifa_dstaddr = NULL;
+#else
+	    (*end)->ifa_dstaddr = NULL;
+#endif
+
+	(*end)->ifa_data = NULL;
+
+	end = &(*end)->ifa_next;
+	
+    }
+    *ifap = start;
+    free(buf);
+    return 0;
+  error_out:
+    free(buf);
+    errno = ret;
+    return -1;
+}
+
+int
+getifaddrs(struct ifaddrs **ifap) 
+{
+    int ret = -1;
+    errno = ENXIO;
+#if defined(AF_INET6) && defined(SIOCGIF6CONF) && defined(SIOCGIF6FLAGS)
+    if (ret)
+	ret = getifaddrs2 (ifap, AF_INET6, SIOCGIF6CONF, SIOCGIF6FLAGS,
+			   sizeof(struct in6_ifreq));
+#endif
+#if defined(HAVE_IPV6) && defined(SIOCGIFCONF)
+    if (ret)
+	ret = getifaddrs2 (ifap, AF_INET6, SIOCGIFCONF, SIOCGIFFLAGS,
+			   sizeof(struct ifreq));
+#endif
+#if defined(AF_INET) && defined(SIOCGIFCONF) && defined(SIOCGIFFLAGS)
+    if (ret)
+	ret = getifaddrs2 (ifap, AF_INET, SIOCGIFCONF, SIOCGIFFLAGS,
+			   sizeof(struct ifreq));
+#endif
+    return ret;
+}
+
+void
+freeifaddrs(struct ifaddrs *ifp)
+{
+    struct ifaddrs *p, *q;
+    
+    for(p = ifp; p; ) {
+	free(p->ifa_name);
+	if(p->ifa_addr)
+	    free(p->ifa_addr);
+	if(p->ifa_dstaddr) 
+	    free(p->ifa_dstaddr);
+	if(p->ifa_netmask) 
+	    free(p->ifa_netmask);
+	if(p->ifa_data)
+	    free(p->ifa_data);
+	q = p;
+	p = p->ifa_next;
+	free(q);
+    }
+}
+
+#ifdef TEST
+
+void
+print_addr(const char *s, struct sockaddr *sa)
+{
+    int i;
+    printf("  %s=%d/", s, sa->sa_family);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+    for(i = 0; i < sa->sa_len - ((long)sa->sa_data - (long)&sa->sa_family); i++)
+	printf("%02x", ((unsigned char*)sa->sa_data)[i]);
+#else
+    for(i = 0; i < sizeof(sa->sa_data); i++) 
+	printf("%02x", ((unsigned char*)sa->sa_data)[i]);
+#endif
+    printf("\n");
+}
+
+void 
+print_ifaddrs(struct ifaddrs *x)
+{
+    struct ifaddrs *p;
+    
+    for(p = x; p; p = p->ifa_next) {
+	printf("%s\n", p->ifa_name);
+	printf("  flags=%x\n", p->ifa_flags);
+	if(p->ifa_addr)
+	    print_addr("addr", p->ifa_addr);
+	if(p->ifa_dstaddr) 
+	    print_addr("dstaddr", p->ifa_dstaddr);
+	if(p->ifa_netmask) 
+	    print_addr("netmask", p->ifa_netmask);
+	printf("  %p\n", p->ifa_data);
+    }
+}
+
+int
+main()
+{
+    struct ifaddrs *a = NULL, *b;
+    getifaddrs2(&a, AF_INET, SIOCGIFCONF, SIOCGIFFLAGS, sizeof(struct ifreq));
+    print_ifaddrs(a);
+    printf("---\n");
+    getifaddrs(&b);
+    print_ifaddrs(b);
+    return 0;
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/getnameinfo_verified.c b/crypto/heimdal/lib/roken/getnameinfo_verified.c
index 2a23d24..30384ed 100644
--- a/crypto/heimdal/lib/roken/getnameinfo_verified.c
+++ b/crypto/heimdal/lib/roken/getnameinfo_verified.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getnameinfo_verified.c,v 1.2 1999/12/05 10:52:09 assar Exp $");
+RCSID("$Id: getnameinfo_verified.c,v 1.3 2000/06/28 01:21:53 assar Exp $");
 #endif
 
 #include "roken.h"
@@ -58,9 +58,12 @@ getnameinfo_verified(const struct sockaddr *sa, socklen_t salen,
 	return ret;
     for (a = ai; a != NULL; a = a->ai_next) {
 	if (a->ai_addrlen == salen
-	    && memcmp (a->ai_addr, sa, salen) == 0)
+	    && memcmp (a->ai_addr, sa, salen) == 0) {
+	    freeaddrinfo (ai);
 	    return 0;
+	}
     }
+    freeaddrinfo (ai);
     if (flags & NI_NAMEREQD)
 	return EAI_NONAME;
     ret = getnameinfo (sa, salen, host, hostlen, serv, servlen,
diff --git a/crypto/heimdal/lib/roken/getusershell.c b/crypto/heimdal/lib/roken/getusershell.c
index 87a48ec..eb990f3 100644
--- a/crypto/heimdal/lib/roken/getusershell.c
+++ b/crypto/heimdal/lib/roken/getusershell.c
@@ -35,12 +35,13 @@
 #include <config.h>
 #endif
 
-RCSID("$Id: getusershell.c,v 1.8 1997/04/20 06:18:03 assar Exp $");
+RCSID("$Id: getusershell.c,v 1.10 2000/05/22 09:11:59 joda Exp $");
 
 #ifndef HAVE_GETUSERSHELL
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #ifdef HAVE_PATHS_H
 #include <paths.h>
 #endif
@@ -54,6 +55,14 @@ RCSID("$Id: getusershell.c,v 1.8 1997/04/20 06:18:03 assar Exp $");
 #include <sys/param.h>
 #endif
 
+#ifdef HAVE_USERSEC_H
+struct aud_rec;
+#include <usersec.h>
+#endif
+#ifdef HAVE_USERCONF_H
+#include <userconf.h>
+#endif
+
 #ifndef _PATH_SHELLS
 #define _PATH_SHELLS "/etc/shells"
 #endif
@@ -81,80 +90,102 @@ static char **initshells (void);
 char *
 getusershell()
 {
-	char *ret;
-
-	if (curshell == NULL)
-		curshell = initshells();
-	ret = *curshell;
-	if (ret != NULL)
-		curshell++;
-	return (ret);
+    char *ret;
+
+    if (curshell == NULL)
+	curshell = initshells();
+    ret = *curshell;
+    if (ret != NULL)
+	curshell++;
+    return (ret);
 }
 
 void
 endusershell()
 {
-	
-	if (shells != NULL)
-		free(shells);
-	shells = NULL;
-	if (strings != NULL)
-		free(strings);
-	strings = NULL;
-	curshell = NULL;
+    if (shells != NULL)
+	free(shells);
+    shells = NULL;
+    if (strings != NULL)
+	free(strings);
+    strings = NULL;
+    curshell = NULL;
 }
 
 void
 setusershell()
 {
-
-	curshell = initshells();
+    curshell = initshells();
 }
 
 static char **
 initshells()
 {
-	char **sp, *cp;
-	FILE *fp;
-	struct stat statb;
+    char **sp, *cp;
+#ifdef HAVE_GETCONFATTR
+    char *tmp;
+    int nsh;
+#else
+    FILE *fp;
+#endif
+    struct stat statb;
+
+    free(shells);
+    shells = NULL;
+    free(strings);
+    strings = NULL;
+#ifdef HAVE_GETCONFATTR
+    if(getconfattr(SC_SYS_LOGIN, SC_SHELLS, &tmp, SEC_LIST) != 0)
+	return okshells;
+
+    for(cp = tmp, nsh = 0; *cp; cp += strlen(cp) + 1, nsh++);
 
-	if (shells != NULL)
-		free(shells);
+    shells = calloc(nsh + 1, sizeof(*shells));
+    if(shells == NULL)
+	return okshells;
+
+    strings = malloc(cp - tmp);
+    if(strings == NULL) {
+	free(shells);
 	shells = NULL;
-	if (strings != NULL)
-		free(strings);
-	strings = NULL;
-	if ((fp = fopen(_PATH_SHELLS, "r")) == NULL)
-		return (okshells);
-	if (fstat(fileno(fp), &statb) == -1) {
-		fclose(fp);
-		return (okshells);
-	}
-	if ((strings = malloc((u_int)statb.st_size)) == NULL) {
-		fclose(fp);
-		return (okshells);
-	}
-	shells = calloc((unsigned)statb.st_size / 3, sizeof (char *));
-	if (shells == NULL) {
-		fclose(fp);
-		free(strings);
-		strings = NULL;
-		return (okshells);
-	}
-	sp = shells;
-	cp = strings;
-	while (fgets(cp, MaxPathLen + 1, fp) != NULL) {
-		while (*cp != '#' && *cp != '/' && *cp != '\0')
-			cp++;
-		if (*cp == '#' || *cp == '\0')
-			continue;
-		*sp++ = cp;
-		while (!isspace(*cp) && *cp != '#' && *cp != '\0')
-			cp++;
-		*cp++ = '\0';
-	}
-	*sp = NULL;
+	return okshells;
+    }
+    memcpy(strings, tmp, cp - tmp);
+    for(sp = shells, cp = strings; *cp; cp += strlen(cp) + 1, sp++)
+	*sp = cp;
+#else
+    if ((fp = fopen(_PATH_SHELLS, "r")) == NULL)
+	return (okshells);
+    if (fstat(fileno(fp), &statb) == -1) {
 	fclose(fp);
-	return (shells);
+	return (okshells);
+    }
+    if ((strings = malloc((u_int)statb.st_size)) == NULL) {
+	fclose(fp);
+	return (okshells);
+    }
+    shells = calloc((unsigned)statb.st_size / 3, sizeof (char *));
+    if (shells == NULL) {
+	fclose(fp);
+	free(strings);
+	strings = NULL;
+	return (okshells);
+    }
+    sp = shells;
+    cp = strings;
+    while (fgets(cp, MaxPathLen + 1, fp) != NULL) {
+	while (*cp != '#' && *cp != '/' && *cp != '\0')
+	    cp++;
+	if (*cp == '#' || *cp == '\0')
+	    continue;
+	*sp++ = cp;
+	while (!isspace(*cp) && *cp != '#' && *cp != '\0')
+	    cp++;
+	*cp++ = '\0';
+    }
+    fclose(fp);
+#endif
+    *sp = NULL;
+    return (shells);
 }
 #endif /* HAVE_GETUSERSHELL */
diff --git a/crypto/heimdal/lib/roken/glob.hin b/crypto/heimdal/lib/roken/glob.hin
new file mode 100644
index 0000000..bece48a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/glob.hin
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)glob.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef _GLOB_H_
+#define	_GLOB_H_
+
+struct stat;
+typedef struct {
+	int gl_pathc;		/* Count of total paths so far. */
+	int gl_matchc;		/* Count of paths matching pattern. */
+	int gl_offs;		/* Reserved at beginning of gl_pathv. */
+	int gl_flags;		/* Copy of flags parameter to glob. */
+	char **gl_pathv;	/* List of paths matching pattern. */
+				/* Copy of errfunc parameter to glob. */
+	int (*gl_errfunc) (const char *, int);
+
+	/*
+	 * Alternate filesystem access methods for glob; replacement
+	 * versions of closedir(3), readdir(3), opendir(3), stat(2)
+	 * and lstat(2).
+	 */
+	void (*gl_closedir) (void *);
+	struct dirent *(*gl_readdir) (void *);	
+	void *(*gl_opendir) (const char *);
+	int (*gl_lstat) (const char *, struct stat *);
+	int (*gl_stat) (const char *, struct stat *);
+} glob_t;
+
+#define	GLOB_APPEND	0x0001	/* Append to output from previous call. */
+#define	GLOB_DOOFFS	0x0002	/* Use gl_offs. */
+#define	GLOB_ERR	0x0004	/* Return on error. */
+#define	GLOB_MARK	0x0008	/* Append / to matching directories. */
+#define	GLOB_NOCHECK	0x0010	/* Return pattern itself if nothing matches. */
+#define	GLOB_NOSORT	0x0020	/* Don't sort. */
+
+#define	GLOB_ALTDIRFUNC	0x0040	/* Use alternately specified directory funcs. */
+#define	GLOB_BRACE	0x0080	/* Expand braces ala csh. */
+#define	GLOB_MAGCHAR	0x0100	/* Pattern had globbing characters. */
+#define	GLOB_NOMAGIC	0x0200	/* GLOB_NOCHECK without magic chars (csh). */
+#define	GLOB_QUOTE	0x0400	/* Quote special chars with \. */
+#define	GLOB_TILDE	0x0800	/* Expand tilde names from the passwd file. */
+
+#define	GLOB_NOSPACE	(-1)	/* Malloc call failed. */
+#define	GLOB_ABEND	(-2)	/* Unignored error. */
+
+int	glob (const char *, int, int (*)(const char *, int), glob_t *);
+void	globfree (glob_t *);
+
+#endif /* !_GLOB_H_ */
diff --git a/crypto/heimdal/lib/roken/ifaddrs.hin b/crypto/heimdal/lib/roken/ifaddrs.hin
new file mode 100644
index 0000000..d2b9be8
--- /dev/null
+++ b/crypto/heimdal/lib/roken/ifaddrs.hin
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: ifaddrs.hin,v 1.3 2000/12/11 00:01:13 assar Exp $ */
+
+#ifndef __ifaddrs_h__
+#define __ifaddrs_h__
+
+/*
+ * the interface is defined in terms of the fields below, and this is
+ * sometimes #define'd, so there seems to be no simple way of solving
+ * this and this seemed the best. */
+
+#undef ifa_dstaddr
+
+struct ifaddrs {
+    struct ifaddrs *ifa_next;
+    char *ifa_name;
+    unsigned int ifa_flags;
+    struct sockaddr *ifa_addr;
+    struct sockaddr *ifa_netmask;
+    struct sockaddr *ifa_dstaddr;
+    void *ifa_data;
+};
+
+#ifndef ifa_broadaddr
+#define ifa_broadaddr ifa_dstaddr
+#endif
+
+int getifaddrs(struct ifaddrs**);
+
+void freeifaddrs(struct ifaddrs*);
+
+#endif /* __ifaddrs_h__ */
diff --git a/crypto/heimdal/lib/roken/inet_ntop.c b/crypto/heimdal/lib/roken/inet_ntop.c
index f79a35e..382b351 100644
--- a/crypto/heimdal/lib/roken/inet_ntop.c
+++ b/crypto/heimdal/lib/roken/inet_ntop.c
@@ -33,24 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: inet_ntop.c,v 1.3 1999/12/02 16:58:47 joda Exp $");
-#endif
-
-#include <errno.h>
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include <netinet/in6.h>
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include <netinet6/in6.h>
+RCSID("$Id: inet_ntop.c,v 1.4 2000/07/27 16:24:00 assar Exp $");
 #endif
 
 #include <roken.h>
diff --git a/crypto/heimdal/lib/roken/inet_pton.c b/crypto/heimdal/lib/roken/inet_pton.c
index 9b195c2..d9c976c 100644
--- a/crypto/heimdal/lib/roken/inet_pton.c
+++ b/crypto/heimdal/lib/roken/inet_pton.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,24 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: inet_pton.c,v 1.2 1999/12/02 16:58:47 joda Exp $");
-#endif
-
-#include <errno.h>
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include <netinet/in6.h>
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include <netinet6/in6.h>
+RCSID("$Id: inet_pton.c,v 1.3 2000/07/27 04:56:13 assar Exp $");
 #endif
 
 #include <roken.h>
diff --git a/crypto/heimdal/lib/roken/install-sh b/crypto/heimdal/lib/roken/install-sh
new file mode 100755
index 0000000..e9de238
--- /dev/null
+++ b/crypto/heimdal/lib/roken/install-sh
@@ -0,0 +1,251 @@
+#!/bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5 (mit/util/scripts/install.sh).
+#
+# Copyright 1991 by the Massachusetts Institute of Technology
+#
+# Permission to use, copy, modify, distribute, and sell this software and its
+# documentation for any purpose is hereby granted without fee, provided that
+# the above copyright notice appear in all copies and that both that
+# copyright notice and this permission notice appear in supporting
+# documentation, and that the name of M.I.T. not be used in advertising or
+# publicity pertaining to distribution of the software without specific,
+# written prior permission.  M.I.T. makes no representations about the
+# suitability of this software for any purpose.  It is provided "as is"
+# without express or implied warranty.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.  It can only install one file at a time, a restriction
+# shared with many OS's install programs.
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-d) dir_arg=true
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+	    shift
+	    continue;;
+
+	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		# this colon is to work around a 386BSD /bin/sh bug
+		:
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:	no input file specified"
+	exit 1
+else
+	true
+fi
+
+if [ x"$dir_arg" != x ]; then
+	dst=$src
+	src=""
+	
+	if [ -d $dst ]; then
+		instcmd=:
+		chmodcmd=""
+	else
+		instcmd=mkdir
+	fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad 
+# if $src (and thus $dsttmp) contains '*'.
+
+	if [ -f $src -o -d $src ]
+	then
+		true
+	else
+		echo "install:  $src does not exist"
+		exit 1
+	fi
+	
+	if [ x"$dst" = x ]
+	then
+		echo "install:	no destination specified"
+		exit 1
+	else
+		true
+	fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+	if [ -d $dst ]
+	then
+		dst="$dst"/`basename $src`
+	else
+		true
+	fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+#  this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='	
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+	pathcomp="${pathcomp}${1}"
+	shift
+
+	if [ ! -d "${pathcomp}" ] ;
+        then
+		$mkdirprog "${pathcomp}"
+	else
+		true
+	fi
+
+	pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+	$doit $instcmd $dst &&
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+	if [ x"$transformarg" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		dstfile=`basename $dst $transformbasename | 
+			sed $transformarg`$transformbasename
+	fi
+
+# don't allow the sed command to completely eliminate the filename
+
+	if [ x"$dstfile" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		true
+	fi
+
+# Make a temp file name in the proper directory.
+
+	dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+	$doit $instcmd $src $dsttmp &&
+
+	trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing.  If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+	$doit $rmcmd -f $dstdir/$dstfile &&
+	$doit $mvcmd $dsttmp $dstdir/$dstfile 
+
+fi &&
+
+
+exit 0
diff --git a/crypto/heimdal/lib/roken/make-print-version.c b/crypto/heimdal/lib/roken/make-print-version.c
index d08e023..b29cf31 100644
--- a/crypto/heimdal/lib/roken/make-print-version.c
+++ b/crypto/heimdal/lib/roken/make-print-version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,13 +33,13 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: make-print-version.c,v 1.2 1999/12/02 16:58:51 joda Exp $");
+RCSID("$Id: make-print-version.c,v 1.3 2000/08/16 11:30:04 assar Exp $");
 #endif
 
 #include <stdio.h>
 
 #ifdef KRB5
-extern char *heimdal_version;
+extern const char *heimdal_version;
 #endif
 #ifdef KRB4
 extern char *krb4_version;
diff --git a/crypto/heimdal/lib/roken/mini_inetd.c b/crypto/heimdal/lib/roken/mini_inetd.c
index 9b8a650..bb31962 100644
--- a/crypto/heimdal/lib/roken/mini_inetd.c
+++ b/crypto/heimdal/lib/roken/mini_inetd.c
@@ -33,35 +33,11 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: mini_inetd.c,v 1.25 2000/01/26 00:54:48 assar Exp $");
-#endif
-
-#include <stdio.h>
-
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_TIME_H
-#include <sys/time.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include <netinet/in6.h>
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include <netinet6/in6.h>
+RCSID("$Id: mini_inetd.c,v 1.28 2000/10/08 13:38:47 assar Exp $");
 #endif
 
 #include <err.h>
-#include <roken.h>
+#include "roken.h"
 
 /*
  * accept a connection on `s' and pretend it's served by inetd.
@@ -72,7 +48,7 @@ accept_it (int s)
 {
     int s2;
 
-    s2 = accept(s, NULL, 0);
+    s2 = accept(s, NULL, NULL);
     if(s2 < 0)
 	err (1, "accept");
     close(s);
@@ -127,6 +103,8 @@ mini_inetd (int port)
 	    err (1, "bind");
 	if (listen (fds[i], SOMAXCONN) < 0)
 	    err (1, "listen");
+	if (fds[i] >= FD_SETSIZE)
+	    errx (1, "fd too large");
 	FD_SET(fds[i], &orig_read_set);
 	max_fd = max(max_fd, fds[i]);
 	++i;
diff --git a/crypto/heimdal/lib/roken/missing b/crypto/heimdal/lib/roken/missing
new file mode 100755
index 0000000..7789652
--- /dev/null
+++ b/crypto/heimdal/lib/roken/missing
@@ -0,0 +1,190 @@
+#! /bin/sh
+# Common stub for a few missing GNU programs while installing.
+# Copyright (C) 1996, 1997 Free Software Foundation, Inc.
+# Franc,ois Pinard <pinard@iro.umontreal.ca>, 1996.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+
+if test $# -eq 0; then
+  echo 1>&2 "Try \`$0 --help' for more information"
+  exit 1
+fi
+
+case "$1" in
+
+  -h|--h|--he|--hel|--help)
+    echo "\
+$0 [OPTION]... PROGRAM [ARGUMENT]...
+
+Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
+error status if there is no known handling for PROGRAM.
+
+Options:
+  -h, --help      display this help and exit
+  -v, --version   output version information and exit
+
+Supported PROGRAM values:
+  aclocal      touch file \`aclocal.m4'
+  autoconf     touch file \`configure'
+  autoheader   touch file \`config.h.in'
+  automake     touch all \`Makefile.in' files
+  bison        create \`y.tab.[ch]', if possible, from existing .[ch]
+  flex         create \`lex.yy.c', if possible, from existing .c
+  lex          create \`lex.yy.c', if possible, from existing .c
+  makeinfo     touch the output file
+  yacc         create \`y.tab.[ch]', if possible, from existing .[ch]"
+    ;;
+
+  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
+    echo "missing - GNU libit 0.0"
+    ;;
+
+  -*)
+    echo 1>&2 "$0: Unknown \`$1' option"
+    echo 1>&2 "Try \`$0 --help' for more information"
+    exit 1
+    ;;
+
+  aclocal)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`acinclude.m4' or \`configure.in'.  You might want
+         to install the \`Automake' and \`Perl' packages.  Grab them from
+         any GNU archive site."
+    touch aclocal.m4
+    ;;
+
+  autoconf)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`configure.in'.  You might want to install the
+         \`Autoconf' and \`GNU m4' packages.  Grab them from any GNU
+         archive site."
+    touch configure
+    ;;
+
+  autoheader)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`acconfig.h' or \`configure.in'.  You might want
+         to install the \`Autoconf' and \`GNU m4' packages.  Grab them
+         from any GNU archive site."
+    files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' configure.in`
+    test -z "$files" && files="config.h"
+    touch_files=
+    for f in $files; do
+      case "$f" in
+      *:*) touch_files="$touch_files "`echo "$f" |
+				       sed -e 's/^[^:]*://' -e 's/:.*//'`;;
+      *) touch_files="$touch_files $f.in";;
+      esac
+    done
+    touch $touch_files
+    ;;
+
+  automake)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`Makefile.am', \`acinclude.m4' or \`configure.in'.
+         You might want to install the \`Automake' and \`Perl' packages.
+         Grab them from any GNU archive site."
+    find . -type f -name Makefile.am -print |
+	   sed 's/\.am$/.in/' |
+	   while read f; do touch "$f"; done
+    ;;
+
+  bison|yacc)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.y' file.  You may need the \`Bison' package
+         in order for those modifications to take effect.  You can get
+         \`Bison' from any GNU archive site."
+    rm -f y.tab.c y.tab.h
+    if [ $# -ne 1 ]; then
+        eval LASTARG="\${$#}"
+	case "$LASTARG" in
+	*.y)
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" y.tab.c
+	    fi
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" y.tab.h
+	    fi
+	  ;;
+	esac
+    fi
+    if [ ! -f y.tab.h ]; then
+	echo >y.tab.h
+    fi
+    if [ ! -f y.tab.c ]; then
+	echo 'main() { return 0; }' >y.tab.c
+    fi
+    ;;
+
+  lex|flex)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.l' file.  You may need the \`Flex' package
+         in order for those modifications to take effect.  You can get
+         \`Flex' from any GNU archive site."
+    rm -f lex.yy.c
+    if [ $# -ne 1 ]; then
+        eval LASTARG="\${$#}"
+	case "$LASTARG" in
+	*.l)
+	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" lex.yy.c
+	    fi
+	  ;;
+	esac
+    fi
+    if [ ! -f lex.yy.c ]; then
+	echo 'main() { return 0; }' >lex.yy.c
+    fi
+    ;;
+
+  makeinfo)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.texi' or \`.texinfo' file, or any other file
+         indirectly affecting the aspect of the manual.  The spurious
+         call might also be the consequence of using a buggy \`make' (AIX,
+         DU, IRIX).  You might want to install the \`Texinfo' package or
+         the \`GNU make' package.  Grab either from any GNU archive site."
+    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
+    if test -z "$file"; then
+      file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
+      file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file`
+    fi
+    touch $file
+    ;;
+
+  *)
+    echo 1>&2 "\
+WARNING: \`$1' is needed, and you do not seem to have it handy on your
+         system.  You might have modified some files without having the
+         proper tools for further handling them.  Check the \`README' file,
+         it often tells you about the needed prerequirements for installing
+         this package.  You may also peek at any GNU archive site, in case
+         some other package would contain this missing \`$1' program."
+    exit 1
+    ;;
+esac
+
+exit 0
diff --git a/crypto/heimdal/lib/roken/mkinstalldirs b/crypto/heimdal/lib/roken/mkinstalldirs
new file mode 100755
index 0000000..6b3b5fc
--- /dev/null
+++ b/crypto/heimdal/lib/roken/mkinstalldirs
@@ -0,0 +1,40 @@
+#! /bin/sh
+# mkinstalldirs --- make directory hierarchy
+# Author: Noah Friedman <friedman@prep.ai.mit.edu>
+# Created: 1993-05-16
+# Public domain
+
+# $Id$
+
+errstatus=0
+
+for file
+do
+   set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
+   shift
+
+   pathcomp=
+   for d
+   do
+     pathcomp="$pathcomp$d"
+     case "$pathcomp" in
+       -* ) pathcomp=./$pathcomp ;;
+     esac
+
+     if test ! -d "$pathcomp"; then
+        echo "mkdir $pathcomp"
+
+        mkdir "$pathcomp" || lasterr=$?
+
+        if test ! -d "$pathcomp"; then
+  	  errstatus=$lasterr
+        fi
+     fi
+
+     pathcomp="$pathcomp/"
+   done
+done
+
+exit $errstatus
+
+# mkinstalldirs ends here
diff --git a/crypto/heimdal/lib/roken/print_version.c b/crypto/heimdal/lib/roken/print_version.c
index 3b35ee1..8b505fa 100644
--- a/crypto/heimdal/lib/roken/print_version.c
+++ b/crypto/heimdal/lib/roken/print_version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: print_version.c,v 1.6 2000/02/06 06:52:32 assar Exp $");
+RCSID("$Id: print_version.c,v 1.7 2001/01/30 03:05:29 assar Exp $");
 #endif
 #include "roken.h"
 
@@ -72,7 +72,7 @@ print_version(const char *progname)
 	}
     }
     fprintf(stderr, "%s (%s)\n", progname, msg);
-    fprintf(stderr, "Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan\n");
+    fprintf(stderr, "Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan\n");
     if(num_args != 0)
 	free(msg);
 }
diff --git a/crypto/heimdal/lib/roken/putenv.c b/crypto/heimdal/lib/roken/putenv.c
index 80951d1..a6bdf60 100644
--- a/crypto/heimdal/lib/roken/putenv.c
+++ b/crypto/heimdal/lib/roken/putenv.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: putenv.c,v 1.6 1999/12/02 16:58:51 joda Exp $");
+RCSID("$Id: putenv.c,v 1.7 2000/03/26 23:08:24 assar Exp $");
 #endif
 
 #include <stdlib.h>
@@ -47,30 +47,34 @@ extern char **environ;
  *      Makes the value of the environment variable name equal to
  *      value by altering an existing variable or creating a new one.
  */
-int putenv(const char *string)
+
+int
+putenv(const char *string)
 {
     int i;
+    const char *eq = (const char *)strchr(string, '=');
     int len;
     
-    len = string - strchr(string, '=') + 1;
+    if (eq == NULL)
+	return 1;
+    len = eq - string;
 
-    if(environ == NULL){
+    if(environ == NULL) {
 	environ = malloc(sizeof(char*));
 	if(environ == NULL)
 	    return 1;
 	environ[0] = NULL;
     }
 
-    for(i = 0; environ[i]; i++)
-	if(strncmp(string, environ[i], len)){
-	    environ[len] = string;
+    for(i = 0; environ[i] != NULL; i++)
+	if(strncmp(string, environ[i], len) == 0) {
+	    environ[i] = string;
 	    return 0;
 	}
-    environ = realloc(environ, sizeof(char*) * (i + 1));
+    environ = realloc(environ, sizeof(char*) * (i + 2));
     if(environ == NULL)
 	return 1;
-    environ[i] = string;
+    environ[i]   = string;
     environ[i+1] = NULL;
     return 0;
 }
-
diff --git a/crypto/heimdal/lib/roken/resolve.c b/crypto/heimdal/lib/roken/resolve.c
index 8840740..76df287 100644
--- a/crypto/heimdal/lib/roken/resolve.c
+++ b/crypto/heimdal/lib/roken/resolve.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -43,7 +43,7 @@
 #endif
 #include "resolve.h"
 
-RCSID("$Id: resolve.c,v 1.22 1999/12/02 16:58:52 joda Exp $");
+RCSID("$Id: resolve.c,v 1.26 2000/06/27 01:15:53 assar Exp $");
 
 #if defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND)
 
@@ -56,18 +56,22 @@ static struct stot{
     DECL(A),
     DECL(NS),
     DECL(CNAME),
+    DECL(SOA),
     DECL(PTR),
     DECL(MX),
     DECL(TXT),
     DECL(AFSDB),
+    DECL(SIG),
+    DECL(KEY),
     DECL(SRV),
+    DECL(NAPTR),
     {NULL, 	0}
 };
 
-int _resolve_debug;
+int _resolve_debug = 0;
 
-static int
-string_to_type(const char *name)
+int
+dns_string_to_type(const char *name)
 {
     struct stot *p = stot;
     for(p = stot; p->name; p++)
@@ -76,8 +80,8 @@ string_to_type(const char *name)
     return -1;
 }
 
-static const char *
-type_to_string(int type)
+const char *
+dns_type_to_string(int type)
 {
     struct stot *p = stot;
     for(p = stot; p->name; p++)
@@ -235,7 +239,72 @@ parse_reply(unsigned char *data, int len)
 	    (*rr)->u.txt[*p] = 0;
 	    break;
 	}
-	    
+	case T_KEY : {
+	    size_t key_len;
+
+	    key_len = size - 4;
+	    (*rr)->u.key = malloc (sizeof(*(*rr)->u.key) + key_len - 1);
+	    if ((*rr)->u.key == NULL) {
+		dns_free_data (r);
+		return NULL;
+	    }
+
+	    (*rr)->u.key->flags     = (p[0] << 8) | p[1];
+	    (*rr)->u.key->protocol  = p[2];
+	    (*rr)->u.key->algorithm = p[3];
+	    (*rr)->u.key->key_len   = key_len;
+	    memcpy ((*rr)->u.key->key_data, p + 4, key_len);
+	    break;
+	}
+	case T_SIG : {
+	    size_t sig_len;
+
+	    status = dn_expand (data, data + len, p + 18, host, sizeof(host));
+	    if (status < 0) {
+		dns_free_data (r);
+		return NULL;
+	    }
+	    sig_len = len - 18 - status;
+	    (*rr)->u.sig = malloc(sizeof(*(*rr)->u.sig)
+				  + strlen(host) + sig_len);
+	    if ((*rr)->u.sig == NULL) {
+		dns_free_data (r);
+		return NULL;
+	    }
+	    (*rr)->u.sig->type           = (p[0] << 8) | p[1];
+	    (*rr)->u.sig->algorithm      = p[2];
+	    (*rr)->u.sig->labels         = p[3];
+	    (*rr)->u.sig->orig_ttl       = (p[4] << 24) | (p[5] << 16)
+		| (p[6] << 8) | p[7];
+	    (*rr)->u.sig->sig_expiration = (p[8] << 24) | (p[9] << 16)
+		| (p[10] << 8) | p[11];
+	    (*rr)->u.sig->sig_inception  = (p[12] << 24) | (p[13] << 16)
+		| (p[14] << 8) | p[15];
+	    (*rr)->u.sig->key_tag        = (p[16] << 8) | p[17];
+	    (*rr)->u.sig->sig_len        = sig_len;
+	    memcpy ((*rr)->u.sig->sig_data, p + 18 + status, sig_len);
+	    (*rr)->u.sig->signer         = &(*rr)->u.sig->sig_data[sig_len];
+	    strcpy((*rr)->u.sig->signer, host);
+	    break;
+	}
+
+	case T_CERT : {
+	    size_t cert_len;
+
+	    cert_len = size - 5;
+	    (*rr)->u.cert = malloc (sizeof(*(*rr)->u.cert) + cert_len - 1);
+	    if ((*rr)->u.cert == NULL) {
+		dns_free_data (r);
+		return NULL;
+	    }
+
+	    (*rr)->u.cert->type      = (p[0] << 8) | p[1];
+	    (*rr)->u.cert->tag       = (p[2] << 8) | p[3];
+	    (*rr)->u.cert->algorithm = p[4];
+	    (*rr)->u.cert->cert_len  = cert_len;
+	    memcpy ((*rr)->u.cert->cert_data, p + 5, cert_len);
+	    break;
+	}
 	default:
 	    (*rr)->u.data = (unsigned char*)malloc(size);
 	    if(size != 0 && (*rr)->u.data == NULL) {
@@ -263,13 +332,13 @@ dns_lookup_int(const char *domain, int rr_class, int rr_type)
         old_options = _res.options;
 	_res.options |= RES_DEBUG;
 	fprintf(stderr, "dns_lookup(%s, %d, %s)\n", domain,
-		rr_class, type_to_string(rr_type));
+		rr_class, dns_type_to_string(rr_type));
     }
     len = res_search(domain, rr_class, rr_type, reply, sizeof(reply));
     if (_resolve_debug) {
         _res.options = old_options;
 	fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n",
-		domain, rr_class, type_to_string(rr_type), len);
+		domain, rr_class, dns_type_to_string(rr_type), len);
     }
     if (len >= 0)
 	r = parse_reply(reply, len);
@@ -281,7 +350,7 @@ dns_lookup(const char *domain, const char *type_name)
 {
     int type;
     
-    type = string_to_type(type_name);
+    type = dns_string_to_type(type_name);
     if(type == -1) {
 	if(_resolve_debug)
 	    fprintf(stderr, "dns_lookup: unknown resource type: `%s'\n", 
@@ -318,30 +387,49 @@ main(int argc, char **argv)
 	return 1;
     }
     for(rr = r->head; rr;rr=rr->next){
-	printf("%s %s %d ", rr->domain, type_to_string(rr->type), rr->ttl);
+	printf("%s %s %d ", rr->domain, dns_type_to_string(rr->type), rr->ttl);
 	switch(rr->type){
 	case T_NS:
+	case T_CNAME:
+	case T_PTR:
 	    printf("%s\n", (char*)rr->u.data);
 	    break;
 	case T_A:
-	    printf("%d.%d.%d.%d\n", 
-		   ((unsigned char*)rr->u.data)[0],
-		   ((unsigned char*)rr->u.data)[1],
-		   ((unsigned char*)rr->u.data)[2],
-		   ((unsigned char*)rr->u.data)[3]);
+	    printf("%s\n", inet_ntoa(*rr->u.a));
 	    break;
 	case T_MX:
 	case T_AFSDB:{
-	    struct mx_record *mx = (struct mx_record*)rr->u.data;
-	    printf("%d %s\n", mx->preference, mx->domain);
+	    printf("%d %s\n", rr->u.mx->preference, rr->u.mx->domain);
 	    break;
 	}
 	case T_SRV:{
-	    struct srv_record *srv = (struct srv_record*)rr->u.data;
+	    struct srv_record *srv = rr->u.srv;
 	    printf("%d %d %d %s\n", srv->priority, srv->weight, 
 		   srv->port, srv->target);
 	    break;
 	}
+	case T_TXT: {
+	    printf("%s\n", rr->u.txt);
+	    break;
+	}
+	case T_SIG : {
+	    struct sig_record *sig = rr->u.sig;
+	    const char *type_string = dns_type_to_string (sig->type);
+
+	    printf ("type %u (%s), algorithm %u, labels %u, orig_ttl %u, sig_expiration %u, sig_inception %u, key_tag %u, signer %s\n",
+		    sig->type, type_string ? type_string : "",
+		    sig->algorithm, sig->labels, sig->orig_ttl,
+		    sig->sig_expiration, sig->sig_inception, sig->key_tag,
+		    sig->signer);
+	    break;
+	}
+	case T_KEY : {
+	    struct key_record *key = rr->u.key;
+
+	    printf ("flags %u, protocol %u, algorithm %u\n",
+		    key->flags, key->protocol, key->algorithm);
+	    break;
+	}
 	default:
 	    printf("\n");
 	    break;
diff --git a/crypto/heimdal/lib/roken/resolve.h b/crypto/heimdal/lib/roken/resolve.h
index c90f6b5..1c2e9a7 100644
--- a/crypto/heimdal/lib/roken/resolve.h
+++ b/crypto/heimdal/lib/roken/resolve.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: resolve.h,v 1.8 1999/12/02 16:58:52 joda Exp $ */
+/* $Id: resolve.h,v 1.12 2000/10/15 21:28:56 assar Exp $ */
 
 #ifndef __RESOLVE_H__
 #define __RESOLVE_H__
@@ -44,12 +44,21 @@
 #ifndef T_AFSDB
 #define T_AFSDB		18
 #endif
+#ifndef T_SIG
+#define T_SIG		24
+#endif
+#ifndef T_KEY
+#define T_KEY		25
+#endif
 #ifndef T_SRV
 #define T_SRV		33
 #endif
 #ifndef T_NAPTR
 #define T_NAPTR		35
 #endif
+#ifndef T_CERT
+#define T_CERT		37
+#endif
 
 struct dns_query{
     char *domain;
@@ -69,6 +78,35 @@ struct srv_record{
     char target[1];
 };
 
+struct key_record {
+    unsigned flags;
+    unsigned protocol;
+    unsigned algorithm;
+    size_t   key_len;
+    u_char   key_data[1];
+};
+
+struct sig_record {
+    unsigned type;
+    unsigned algorithm;
+    unsigned labels;
+    unsigned orig_ttl;
+    unsigned sig_expiration;
+    unsigned sig_inception;
+    unsigned key_tag;
+    char     *signer;
+    unsigned sig_len;
+    char     sig_data[1];	/* also includes signer */
+};
+
+struct cert_record {
+    unsigned type;
+    unsigned tag;
+    unsigned algorithm;
+    size_t   cert_len;
+    u_char   cert_data[1];
+};
+
 struct resource_record{
     char *domain;
     unsigned type;
@@ -82,6 +120,9 @@ struct resource_record{
 	struct srv_record *srv;
 	struct in_addr *a;
 	char *txt;
+	struct key_record *key;
+	struct cert_record *cert;
+	struct sig_record *sig;
     }u;
     struct resource_record *next;
 };
@@ -99,5 +140,7 @@ struct dns_reply{
 
 struct dns_reply* dns_lookup(const char *, const char *);
 void dns_free_data(struct dns_reply *);
+int dns_string_to_type(const char *name);
+const char *dns_type_to_string(int type);
 
 #endif /* __RESOLVE_H__ */
diff --git a/crypto/heimdal/lib/roken/roken-common.h b/crypto/heimdal/lib/roken/roken-common.h
index 8bdc986..2227336 100644
--- a/crypto/heimdal/lib/roken/roken-common.h
+++ b/crypto/heimdal/lib/roken/roken-common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -31,11 +31,19 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: roken-common.h,v 1.27 2000/02/14 02:24:44 assar Exp $ */
+/* $Id: roken-common.h,v 1.42 2001/01/29 02:09:09 assar Exp $ */
 
 #ifndef __ROKEN_COMMON_H__
 #define __ROKEN_COMMON_H__
 
+#ifdef __cplusplus
+#define ROKEN_CPP_START	extern "C" {
+#define ROKEN_CPP_END	}
+#else
+#define ROKEN_CPP_START
+#define ROKEN_CPP_END
+#endif
+
 #ifndef INADDR_NONE
 #define INADDR_NONE 0xffffffff
 #endif
@@ -116,12 +124,20 @@
 #define _PATH_HEQUIV "/etc/hosts.equiv"
 #endif
 
+#ifndef _PATH_VARRUN
+#define _PATH_VARRUN "/var/run/"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+
 #ifndef MAXPATHLEN
 #define MAXPATHLEN (1024+4)
 #endif
 
 #ifndef SIG_ERR
-#define SIG_ERR ((RETSIGTYPE (*)())-1)
+#define SIG_ERR ((RETSIGTYPE (*)(int))-1)
 #endif
 
 /*
@@ -233,9 +249,11 @@
 #define __attribute__(x)
 #endif
 
+ROKEN_CPP_START
+
 #if IRIX != 4 /* fix for compiler bug */
 #ifdef RETSIGTYPE
-typedef RETSIGTYPE (*SigAction)(/* int??? */);
+typedef RETSIGTYPE (*SigAction)(int);
 SigAction signal(int iSig, SigAction pAction); /* BSD compatible */
 #endif
 #endif
@@ -244,6 +262,7 @@ int ROKEN_LIB_FUNCTION simple_execve(const char*, char*const[], char*const[]);
 int ROKEN_LIB_FUNCTION simple_execvp(const char*, char *const[]);
 int ROKEN_LIB_FUNCTION simple_execlp(const char*, ...);
 int ROKEN_LIB_FUNCTION simple_execle(const char*, ...);
+int ROKEN_LIB_FUNCTION simple_execl(const char *file, ...);
 
 void ROKEN_LIB_FUNCTION print_version(const char *);
 
@@ -255,6 +274,9 @@ ssize_t ROKEN_LIB_FUNCTION eread (int fd, void *buf, size_t nbytes);
 ssize_t ROKEN_LIB_FUNCTION ewrite (int fd, const void *buf, size_t nbytes);
 
 void
+esetenv(const char *var, const char *val, int rewrite);
+
+void
 socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port);
 
 size_t
@@ -290,5 +312,19 @@ vstrcollect(va_list *ap);
 char **
 strcollect(char *first, ...);
 
+void timevalfix(struct timeval *t1);
+void timevaladd(struct timeval *t1, const struct timeval *t2);
+void timevalsub(struct timeval *t1, const struct timeval *t2);
+
+char *pid_file_write (const char *progname);
+void pid_file_delete (char **);
+
+int
+read_environment(const char *file, char ***env);
+
+void warnerr(int doerrno, const char *fmt, va_list ap)
+    __attribute__ ((format (printf, 2, 0)));
+
+ROKEN_CPP_END
 
 #endif /* __ROKEN_COMMON_H__ */
diff --git a/crypto/heimdal/lib/roken/roken.awk b/crypto/heimdal/lib/roken/roken.awk
index 626fae5..c1676f7 100644
--- a/crypto/heimdal/lib/roken/roken.awk
+++ b/crypto/heimdal/lib/roken/roken.awk
@@ -1,3 +1,5 @@
+# $Id: roken.awk,v 1.6 2000/08/16 01:56:30 assar Exp $
+
 BEGIN {
 	print "#include <stdio.h>"
 	print "#ifdef HAVE_CONFIG_H"
@@ -13,8 +15,10 @@ BEGIN {
 	print "puts(\"\");"
 }
 END {
+	print "puts(\"#define ROKEN_VERSION \" VERSION );"
+	print "puts(\"\");"
 	print "puts(\"#endif /* __ROKEN_H__ */\");"
-	print "exit(0);"
+	print "return 0;"
 	print "}"
 }
 
diff --git a/crypto/heimdal/lib/roken/roken.h.in b/crypto/heimdal/lib/roken/roken.h.in
index 3abe6eb..b16ae5d 100644
--- a/crypto/heimdal/lib/roken/roken.h.in
+++ b/crypto/heimdal/lib/roken/roken.h.in
@@ -1,6 +1,6 @@
 /* -*- C -*- */
 /*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -32,13 +32,18 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: roken.h.in,v 1.135 2000/02/14 02:24:20 assar Exp $ */
+/* $Id: roken.h.in,v 1.148 2001/01/27 05:28:09 assar Exp $ */
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdarg.h>
 #include <string.h>
 #include <signal.h>
+
+#ifdef _AIX
+struct ether_addr;
+struct sockaddr_dl;
+#endif
 #ifdef HAVE_SYS_PARAM_H
 #include <sys/param.h>
 #endif
@@ -109,9 +114,6 @@
 #include <paths.h>
 #endif
 
-#ifdef __cplusplus
-extern "C" {
-#endif
 
 #ifndef ROKEN_LIB_FUNCTION
 #if defined(__BORLANDC__)
@@ -125,6 +127,8 @@ extern "C" {
 
 #include <roken-common.h>
 
+ROKEN_CPP_START
+
 #if !defined(HAVE_SETSID) && defined(HAVE__SETSID)
 #define setsid _setsid
 #endif
@@ -196,6 +200,10 @@ size_t strnlen(const char*, size_t);
 char *strsep(char**, const char*);
 #endif
 
+#if !defined(HAVE_STRSEP_COPY) || defined(NEED_STRSEP_COPY_PROTO)
+ssize_t strsep_copy(const char**, const char*, char*, size_t);
+#endif
+
 #ifndef HAVE_STRCASECMP
 int strcasecmp(const char *s1, const char *s2);
 #endif
@@ -340,6 +348,10 @@ int
 mkstemp(char *template);
 #endif
 
+#ifndef HAVE_PIDFILE
+void pidfile (const char*);
+#endif
+
 #ifndef HAVE_FLOCK
 #ifndef LOCK_SH
 #define LOCK_SH   1		/* Shared lock */
@@ -450,7 +462,7 @@ typedef unsigned short sa_family_t;
 
 typedef unsigned char roken_sa_family_t;
 
-#define _SS_PAD1SIZE   (_SS_ALIGNSIZE - sizeof (roken_sa_family_t) - sizeof(unsigned char))
+#define _SS_PAD1SIZE   ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t) - sizeof(unsigned char)) % _SS_ALIGNSIZE)
 #define _SS_PAD2SIZE   (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + sizeof(unsigned char) + _SS_PAD1SIZE + _SS_ALIGNSIZE))
 
 struct sockaddr_storage {
@@ -464,7 +476,7 @@ struct sockaddr_storage {
 
 typedef unsigned short roken_sa_family_t;
 
-#define _SS_PAD1SIZE   (_SS_ALIGNSIZE - sizeof (roken_sa_family_t))
+#define _SS_PAD1SIZE   ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t)) % _SS_ALIGNSIZE)
 #define _SS_PAD2SIZE   (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + _SS_PAD1SIZE + _SS_ALIGNSIZE))
 
 struct sockaddr_storage {
@@ -521,8 +533,8 @@ getnameinfo_verified(const struct sockaddr *sa, socklen_t salen,
 		     char *serv, size_t servlen,
 		     int flags);
 
-int
-roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **);
+int roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **); 
+int roken_getaddrinfo_hostspec2(const char *, int, int, struct addrinfo **);
 
 #ifndef HAVE_STRFTIME
 size_t
@@ -569,8 +581,13 @@ struct hostent* roken_gethostbyaddr(const void*, size_t, int);
 #define roken_openlog(a,b,c) openlog((char *)a,b,c)
 #endif
 
+#ifdef GETSOCKNAME_PROTO_COMPATIBLE
+#define roken_getsockname(a,b,c) getsockname(a,b,c)
+#else
+#define roken_getsockname(a,b,c) getsockname(a, b, (void*)c)
+#endif
+
 void set_progname(char *argv0);
+const char *get_progname(void);
 
-#ifdef __cplusplus
-}
-#endif
+ROKEN_CPP_END
diff --git a/crypto/heimdal/lib/roken/rtbl.c b/crypto/heimdal/lib/roken/rtbl.c
new file mode 100644
index 0000000..098b601
--- /dev/null
+++ b/crypto/heimdal/lib/roken/rtbl.c
@@ -0,0 +1,278 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID ("$Id: rtbl.c,v 1.3 2000/07/20 14:42:31 assar Exp $");
+#endif
+#include "roken.h"
+#include "rtbl.h"
+
+struct column_entry {
+    char *data;
+};
+
+struct column_data {
+    char *header;
+    char *prefix;
+    int width;
+    unsigned flags;
+    size_t num_rows;
+    struct column_entry *rows;
+};
+
+struct rtbl_data {
+    char *column_prefix;
+    size_t num_columns;
+    struct column_data **columns;
+};
+
+rtbl_t
+rtbl_create (void)
+{
+    return calloc (1, sizeof (struct rtbl_data));
+}
+
+static struct column_data *
+rtbl_get_column (rtbl_t table, const char *column)
+{
+    int i;
+    for(i = 0; i < table->num_columns; i++)
+	if(strcmp(table->columns[i]->header, column) == 0)
+	    return table->columns[i];
+    return NULL;
+}
+
+void
+rtbl_destroy (rtbl_t table)
+{
+    int i, j;
+
+    for (i = 0; i < table->num_columns; i++) {
+	struct column_data *c = table->columns[i];
+
+	for (j = 0; j < c->num_rows; j++)
+	    free (c->rows[j].data);
+	free (c->header);
+	free (c->prefix);
+	free (c);
+    }
+    free (table->column_prefix);
+    free (table->columns);
+}
+
+int
+rtbl_add_column (rtbl_t table, const char *header, unsigned int flags)
+{
+    struct column_data *col, **tmp;
+
+    tmp = realloc (table->columns, (table->num_columns + 1) * sizeof (*tmp));
+    if (tmp == NULL)
+	return ENOMEM;
+    table->columns = tmp;
+    col = malloc (sizeof (*col));
+    if (col == NULL)
+	return ENOMEM;
+    col->header = strdup (header);
+    if (col->header == NULL) {
+	free (col);
+	return ENOMEM;
+    }
+    col->prefix   = NULL;
+    col->width    = 0;
+    col->flags    = flags;
+    col->num_rows = 0;
+    col->rows     = NULL;
+    table->columns[table->num_columns++] = col;
+    return 0;
+}
+
+static void
+column_compute_width (struct column_data *column)
+{
+    int i;
+
+    column->width = strlen (column->header);
+    for (i = 0; i < column->num_rows; i++)
+	column->width = max (column->width, strlen (column->rows[i].data));
+}
+
+int
+rtbl_set_prefix (rtbl_t table, const char *prefix)
+{
+    if (table->column_prefix)
+	free (table->column_prefix);
+    table->column_prefix = strdup (prefix);
+    if (table->column_prefix == NULL)
+	return ENOMEM;
+    return 0;
+}
+
+int
+rtbl_set_column_prefix (rtbl_t table, const char *column,
+			const char *prefix)
+{
+    struct column_data *c = rtbl_get_column (table, column);
+
+    if (c == NULL)
+	return -1;
+    if (c->prefix)
+	free (c->prefix);
+    c->prefix = strdup (prefix);
+    if (c->prefix == NULL)
+	return ENOMEM;
+    return 0;
+}
+
+
+static const char *
+get_column_prefix (rtbl_t table, struct column_data *c)
+{
+    if (c == NULL)
+	return "";
+    if (c->prefix)
+	return c->prefix;
+    if (table->column_prefix)
+	return table->column_prefix;
+    return "";
+}
+
+int
+rtbl_add_column_entry (rtbl_t table, const char *column, const char *data)
+{
+    struct column_entry row, *tmp;
+
+    struct column_data *c = rtbl_get_column (table, column);
+
+    if (c == NULL)
+	return -1;
+
+    row.data = strdup (data);
+    if (row.data == NULL)
+	return ENOMEM;
+    tmp = realloc (c->rows, (c->num_rows + 1) * sizeof (*tmp));
+    if (tmp == NULL) {
+	free (row.data);
+	return ENOMEM;
+    }
+    c->rows = tmp;
+    c->rows[c->num_rows++] = row;
+    return 0;
+}
+
+int
+rtbl_format (rtbl_t table, FILE * f)
+{
+    int i, j;
+
+    for (i = 0; i < table->num_columns; i++)
+	column_compute_width (table->columns[i]);
+    for (i = 0; i < table->num_columns; i++) {
+	struct column_data *c = table->columns[i];
+
+	fprintf (f, "%s", get_column_prefix (table, c));
+	fprintf (f, "%-*s", (int)c->width, c->header);
+    }
+    fprintf (f, "\n");
+
+    for (j = 0;; j++) {
+	int flag = 0;
+
+	for (i = 0; flag == 0 && i < table->num_columns; ++i) {
+	    struct column_data *c = table->columns[i];
+
+	    if (c->num_rows > j) {
+		++flag;
+		break;
+	    }
+	}
+	if (flag == 0)
+	    break;
+
+	for (i = 0; i < table->num_columns; i++) {
+	    int w;
+	    struct column_data *c = table->columns[i];
+
+	    w = c->width;
+
+	    if ((c->flags & RTBL_ALIGN_RIGHT) == 0)
+		w = -w;
+	    fprintf (f, "%s", get_column_prefix (table, c));
+	    if (c->num_rows <= j)
+		fprintf (f, "%*s", w, "");
+	    else
+		fprintf (f, "%*s", w, c->rows[j].data);
+	}
+	fprintf (f, "\n");
+    }
+    return 0;
+}
+
+#ifdef TEST
+int
+main (int argc, char **argv)
+{
+    rtbl_t table;
+    unsigned int a, b, c, d;
+
+    table = rtbl_create ();
+    rtbl_add_column (table, "Issued", 0, &a);
+    rtbl_add_column (table, "Expires", 0, &b);
+    rtbl_add_column (table, "Foo", RTBL_ALIGN_RIGHT, &d);
+    rtbl_add_column (table, "Principal", 0, &c);
+
+    rtbl_add_column_entry (table, a, "Jul  7 21:19:29");
+    rtbl_add_column_entry (table, b, "Jul  8 07:19:29");
+    rtbl_add_column_entry (table, d, "73");
+    rtbl_add_column_entry (table, d, "0");
+    rtbl_add_column_entry (table, d, "-2000");
+    rtbl_add_column_entry (table, c, "krbtgt/NADA.KTH.SE@NADA.KTH.SE");
+
+    rtbl_add_column_entry (table, a, "Jul  7 21:19:29");
+    rtbl_add_column_entry (table, b, "Jul  8 07:19:29");
+    rtbl_add_column_entry (table, c, "afs/pdc.kth.se@NADA.KTH.SE");
+
+    rtbl_add_column_entry (table, a, "Jul  7 21:19:29");
+    rtbl_add_column_entry (table, b, "Jul  8 07:19:29");
+    rtbl_add_column_entry (table, c, "afs@NADA.KTH.SE");
+
+    rtbl_set_prefix (table, "  ");
+    rtbl_set_column_prefix (table, a, "");
+
+    rtbl_format (table, stdout);
+
+    rtbl_destroy (table);
+
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/rtbl.h b/crypto/heimdal/lib/roken/rtbl.h
new file mode 100644
index 0000000..16496a7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/rtbl.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef __rtbl_h__
+#define __rtbl_h__
+
+struct rtbl_data;
+typedef struct rtbl_data *rtbl_t;
+
+#define RTBL_ALIGN_LEFT		0
+#define RTBL_ALIGN_RIGHT	1
+
+rtbl_t rtbl_create (void);
+
+void rtbl_destroy (rtbl_t);
+
+int rtbl_set_prefix (rtbl_t, const char*);
+
+int rtbl_set_column_prefix (rtbl_t, const char*, const char*);
+
+int rtbl_add_column (rtbl_t, const char*, unsigned int);
+
+int rtbl_add_column_entry (rtbl_t, const char*, const char*);
+
+int rtbl_format (rtbl_t, FILE*);
+
+#endif /* __rtbl_h__ */
diff --git a/crypto/heimdal/lib/roken/signal.c b/crypto/heimdal/lib/roken/signal.c
index 85f36ee..1d482a0 100644
--- a/crypto/heimdal/lib/roken/signal.c
+++ b/crypto/heimdal/lib/roken/signal.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,10 +33,11 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: signal.c,v 1.10 1999/12/14 01:37:58 assar Exp $");
+RCSID("$Id: signal.c,v 1.12 2000/07/08 12:39:06 assar Exp $");
 #endif
 
 #include <signal.h>
+#include "roken.h"
 
 /*
  * We would like to always use this signal but there is a link error
@@ -49,8 +50,6 @@ RCSID("$Id: signal.c,v 1.10 1999/12/14 01:37:58 assar Exp $");
  * Do we need any extra hacks for SIGCLD and/or SIGCHLD?
  */
 
-typedef RETSIGTYPE (*SigAction)(/* int??? */);
-
 SigAction
 signal(int iSig, SigAction pAction)
 {
diff --git a/crypto/heimdal/lib/roken/simple_exec.c b/crypto/heimdal/lib/roken/simple_exec.c
index 4aa22fa..c7e22d9 100644
--- a/crypto/heimdal/lib/roken/simple_exec.c
+++ b/crypto/heimdal/lib/roken/simple_exec.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: simple_exec.c,v 1.7 2000/01/09 10:58:51 assar Exp $");
+RCSID("$Id: simple_exec.c,v 1.8 2000/11/05 16:41:06 joda Exp $");
 #endif
 
 #include <stdarg.h>
@@ -148,3 +148,20 @@ simple_execle(const char *file, ... /* ,char *const envp[] */)
     free(argv);
     return ret;
 }
+
+int
+simple_execl(const char *file, ...) 
+{
+    va_list ap;
+    char **argv;
+    int ret;
+
+    va_start(ap, file);
+    argv = vstrcollect(&ap);
+    va_end(ap);
+    if(argv == NULL)
+	return -1;
+    ret = simple_execve(file, argv, environ);
+    free(argv);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/snprintf.c b/crypto/heimdal/lib/roken/snprintf.c
index 4f69e66..205dc58 100644
--- a/crypto/heimdal/lib/roken/snprintf.c
+++ b/crypto/heimdal/lib/roken/snprintf.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: snprintf.c,v 1.25 2000/02/16 01:38:52 assar Exp $");
+RCSID("$Id: snprintf.c,v 1.28 2000/12/15 14:04:42 joda Exp $");
 #endif
 #include <stdio.h>
 #include <stdarg.h>
@@ -214,28 +214,31 @@ append_string (struct state *state,
 	       int prec,
 	       int flags)
 {
-  if(prec != -1)
-    width -= prec;
-  else
-    width -= strlen((char *)arg);
-  if(!(flags & minus_flag))
-    while(width-- > 0)
-      if((*state->append_char) (state, ' '))
-	return 1;
-  if (prec != -1) {
-    while (*arg && prec--)
-      if ((*state->append_char) (state, *arg++))
-	return 1;
-  } else {
-    while (*arg)
-      if ((*state->append_char) (state, *arg++))
-	return 1;
-  }
-  if(flags & minus_flag)
-    while(width-- > 0)
-      if((*state->append_char) (state, ' '))
-	return 1;
-  return 0;
+    if(arg == NULL)
+	arg = (unsigned char*)"(null)";
+
+    if(prec != -1)
+	width -= prec;
+    else
+	width -= strlen((char *)arg);
+    if(!(flags & minus_flag))
+	while(width-- > 0)
+	    if((*state->append_char) (state, ' '))
+		return 1;
+    if (prec != -1) {
+	while (*arg && prec--)
+	    if ((*state->append_char) (state, *arg++))
+		return 1;
+    } else {
+	while (*arg)
+	    if ((*state->append_char) (state, *arg++))
+		return 1;
+    }
+    if(flags & minus_flag)
+	while(width-- > 0)
+	    if((*state->append_char) (state, ' '))
+		return 1;
+    return 0;
 }
 
 static int
diff --git a/crypto/heimdal/lib/roken/socket.c b/crypto/heimdal/lib/roken/socket.c
index 6e9c3df..d8463d5 100644
--- a/crypto/heimdal/lib/roken/socket.c
+++ b/crypto/heimdal/lib/roken/socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,28 +33,10 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: socket.c,v 1.3 1999/12/02 16:58:52 joda Exp $");
-#endif
-
-#include <string.h>
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_NETINET_IN_SYSTM_H
-#include <netinet/in_systm.h>
-#endif
-#ifdef HAVE_NETINET_IP_H
-#include <netinet/ip.h>
+RCSID("$Id: socket.c,v 1.5 2000/07/27 04:41:06 assar Exp $");
 #endif
 
 #include <roken.h>
-
 #include <err.h>
 
 /*
@@ -246,9 +228,9 @@ socket_set_port (struct sockaddr *sa, int port)
 void
 socket_set_debug (int sock)
 {
+#if defined(SO_DEBUG) && defined(HAVE_SETSOCKOPT)
     int on = 1;
 
-#if defined(SO_DEBUG) && defined(HAVE_SETSOCKOPT)
     if (setsockopt (sock, SOL_SOCKET, SO_DEBUG, (void *) &on, sizeof (on)) < 0)
 	warn ("setsockopt SO_DEBUG (ignored)");
 #endif
diff --git a/crypto/heimdal/lib/roken/strftime.c b/crypto/heimdal/lib/roken/strftime.c
index b90614b..6056073 100644
--- a/crypto/heimdal/lib/roken/strftime.c
+++ b/crypto/heimdal/lib/roken/strftime.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -35,7 +35,7 @@
 #endif
 #include "roken.h"
 
-RCSID("$Id: strftime.c,v 1.10 1999/11/13 04:18:33 assar Exp $");
+RCSID("$Id: strftime.c,v 1.11 2000/07/08 14:22:12 assar Exp $");
 
 static const char *abb_weekdays[] = {
     "Sun",
diff --git a/crypto/heimdal/lib/roken/strsep_copy.c b/crypto/heimdal/lib/roken/strsep_copy.c
new file mode 100644
index 0000000..f097022
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strsep_copy.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strsep_copy.c,v 1.3 2000/06/29 03:13:36 assar Exp $");
+#endif
+
+#include <string.h>
+
+#include "roken.h"
+
+#ifndef HAVE_STRSEP_COPY
+
+/* strsep, but with const stringp, so return string in buf */
+
+ssize_t
+strsep_copy(const char **stringp, const char *delim, char *buf, size_t len)
+{
+    const char *save = *stringp;
+    size_t l;
+    if(save == NULL)
+	return -1;
+    *stringp = *stringp + strcspn(*stringp, delim);
+    l = min(len, *stringp - save);
+    memcpy(buf, save, l);
+    buf[l] = '\0';
+
+    l = *stringp - save;
+    if(**stringp == '\0')
+	*stringp = NULL;
+    else
+	(*stringp)++;
+    return l;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/timeval.c b/crypto/heimdal/lib/roken/timeval.c
new file mode 100644
index 0000000..ea4dee8
--- /dev/null
+++ b/crypto/heimdal/lib/roken/timeval.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Timeval stuff
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: timeval.c,v 1.1 2000/03/03 09:02:42 assar Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * Make `t1' consistent.
+ */
+
+void
+timevalfix(struct timeval *t1)
+{
+    if (t1->tv_usec < 0) {
+        t1->tv_sec--;
+        t1->tv_usec += 1000000;
+    }
+    if (t1->tv_usec >= 1000000) {
+        t1->tv_sec++;
+        t1->tv_usec -= 1000000;
+    }
+}
+ 
+/*
+ * t1 += t2
+ */
+
+void
+timevaladd(struct timeval *t1, const struct timeval *t2)
+{
+    t1->tv_sec  += t2->tv_sec;
+    t1->tv_usec += t2->tv_usec;
+    timevalfix(t1);
+}
+ 
+/*
+ * t1 -= t2
+ */
+
+void
+timevalsub(struct timeval *t1, const struct timeval *t2)
+{
+    t1->tv_sec  -= t2->tv_sec;
+    t1->tv_usec -= t2->tv_usec;
+    timevalfix(t1);
+}
diff --git a/crypto/heimdal/lib/roken/unvis.c b/crypto/heimdal/lib/roken/unvis.c
new file mode 100644
index 0000000..363564c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/unvis.c
@@ -0,0 +1,288 @@
+/*	$NetBSD: unvis.c,v 1.19 2000/01/22 22:19:13 mycroft Exp $	*/
+
+/*-
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if 1
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: unvis.c,v 1.2 2000/12/06 21:41:46 joda Exp $");
+#endif
+#include <roken.h>
+#ifndef _DIAGASSERT
+#define _DIAGASSERT(X)
+#endif
+#else
+#include <sys/cdefs.h>
+#if defined(LIBC_SCCS) && !defined(lint)
+#if 0
+static char sccsid[] = "@(#)unvis.c	8.1 (Berkeley) 6/4/93";
+#else
+__RCSID("$NetBSD: unvis.c,v 1.19 2000/01/22 22:19:13 mycroft Exp $");
+#endif
+#endif /* LIBC_SCCS and not lint */
+
+#define __LIBC12_SOURCE__
+
+#include "namespace.h"
+#endif
+#include <sys/types.h>
+
+#include <assert.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <vis.h>
+
+#if 0
+#ifdef __weak_alias
+__weak_alias(strunvis,_strunvis)
+__weak_alias(unvis,_unvis)
+#endif
+
+__warn_references(unvis,
+    "warning: reference to compatibility unvis(); include <vis.h> for correct reference")
+#endif
+
+/*
+ * decode driven by state machine
+ */
+#define	S_GROUND	0	/* haven't seen escape char */
+#define	S_START		1	/* start decoding special sequence */
+#define	S_META		2	/* metachar started (M) */
+#define	S_META1		3	/* metachar more, regular char (-) */
+#define	S_CTRL		4	/* control char started (^) */
+#define	S_OCTAL2	5	/* octal digit 2 */
+#define	S_OCTAL3	6	/* octal digit 3 */
+
+#define	isoctal(c)	(((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
+
+/*
+ * unvis - decode characters previously encoded by vis
+ */
+#ifndef HAVE_UNVIS
+int
+unvis(char *cp, int c, int *astate, int flag)
+{
+
+	_DIAGASSERT(cp != NULL);
+	_DIAGASSERT(astate != NULL);
+
+	if (flag & UNVIS_END) {
+		if (*astate == S_OCTAL2 || *astate == S_OCTAL3) {
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		} 
+		return (*astate == S_GROUND ? UNVIS_NOCHAR : UNVIS_SYNBAD);
+	}
+
+	switch (*astate) {
+
+	case S_GROUND:
+		*cp = 0;
+		if (c == '\\') {
+			*astate = S_START;
+			return (0);
+		} 
+		*cp = c;
+		return (UNVIS_VALID);
+
+	case S_START:
+		switch(c) {
+		case '\\':
+			*cp = c;
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case '0': case '1': case '2': case '3':
+		case '4': case '5': case '6': case '7':
+			*cp = (c - '0');
+			*astate = S_OCTAL2;
+			return (0);
+		case 'M':
+			*cp = (char)0200;
+			*astate = S_META;
+			return (0);
+		case '^':
+			*astate = S_CTRL;
+			return (0);
+		case 'n':
+			*cp = '\n';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'r':
+			*cp = '\r';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'b':
+			*cp = '\b';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'a':
+			*cp = '\007';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'v':
+			*cp = '\v';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 't':
+			*cp = '\t';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'f':
+			*cp = '\f';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 's':
+			*cp = ' ';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'E':
+			*cp = '\033';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case '\n':
+			/*
+			 * hidden newline
+			 */
+			*astate = S_GROUND;
+			return (UNVIS_NOCHAR);
+		case '$':
+			/*
+			 * hidden marker
+			 */
+			*astate = S_GROUND;
+			return (UNVIS_NOCHAR);
+		}
+		*astate = S_GROUND;
+		return (UNVIS_SYNBAD);
+		 
+	case S_META:
+		if (c == '-')
+			*astate = S_META1;
+		else if (c == '^')
+			*astate = S_CTRL;
+		else {
+			*astate = S_GROUND;
+			return (UNVIS_SYNBAD);
+		}
+		return (0);
+		 
+	case S_META1:
+		*astate = S_GROUND;
+		*cp |= c;
+		return (UNVIS_VALID);
+		 
+	case S_CTRL:
+		if (c == '?')
+			*cp |= 0177;
+		else
+			*cp |= c & 037;
+		*astate = S_GROUND;
+		return (UNVIS_VALID);
+
+	case S_OCTAL2:	/* second possible octal digit */
+		if (isoctal(c)) {
+			/* 
+			 * yes - and maybe a third 
+			 */
+			*cp = (*cp << 3) + (c - '0');
+			*astate = S_OCTAL3;	
+			return (0);
+		} 
+		/* 
+		 * no - done with current sequence, push back passed char 
+		 */
+		*astate = S_GROUND;
+		return (UNVIS_VALIDPUSH);
+
+	case S_OCTAL3:	/* third possible octal digit */
+		*astate = S_GROUND;
+		if (isoctal(c)) {
+			*cp = (*cp << 3) + (c - '0');
+			return (UNVIS_VALID);
+		}
+		/*
+		 * we were done, push back passed char
+		 */
+		return (UNVIS_VALIDPUSH);
+			
+	default:	
+		/* 
+		 * decoder in unknown state - (probably uninitialized) 
+		 */
+		*astate = S_GROUND;
+		return (UNVIS_SYNBAD);
+	}
+}
+#endif
+
+/*
+ * strunvis - decode src into dst 
+ *
+ *	Number of chars decoded into dst is returned, -1 on error.
+ *	Dst is null terminated.
+ */
+
+#ifndef HAVE_STRUNVIS
+int
+strunvis(char *dst, const char *src)
+{
+	char c;
+	char *start = dst;
+	int state = 0;
+
+	_DIAGASSERT(src != NULL);
+	_DIAGASSERT(dst != NULL);
+
+	while ((c = *src++) != '\0') {
+	again:
+		switch (unvis(dst, c, &state, 0)) {
+		case UNVIS_VALID:
+			dst++;
+			break;
+		case UNVIS_VALIDPUSH:
+			dst++;
+			goto again;
+		case 0:
+		case UNVIS_NOCHAR:
+			break;
+		default:
+			return (-1);
+		}
+	}
+	if (unvis(dst, c, &state, UNVIS_END) == UNVIS_VALID)
+		dst++;
+	*dst = '\0';
+	return (dst - start);
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/verr.c b/crypto/heimdal/lib/roken/verr.c
index 511e640..67b4512 100644
--- a/crypto/heimdal/lib/roken/verr.c
+++ b/crypto/heimdal/lib/roken/verr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
  * (Royal Institute of Technology, Stockholm, Sweden).  
  * All rights reserved.
  * 
@@ -33,10 +33,11 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: verr.c,v 1.8 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: verr.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
 #endif
 
-#include "err.h"
+#include "roken.h"
+#include <err.h>
 
 void
 verr(int eval, const char *fmt, va_list ap)
diff --git a/crypto/heimdal/lib/roken/verrx.c b/crypto/heimdal/lib/roken/verrx.c
index f4578d3..5df5c8d 100644
--- a/crypto/heimdal/lib/roken/verrx.c
+++ b/crypto/heimdal/lib/roken/verrx.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
  * (Royal Institute of Technology, Stockholm, Sweden).  
  * All rights reserved.
  * 
@@ -33,10 +33,11 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: verrx.c,v 1.8 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: verrx.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
 #endif
 
-#include "err.h"
+#include "roken.h"
+#include <err.h>
 
 void
 verrx(int eval, const char *fmt, va_list ap)
diff --git a/crypto/heimdal/lib/roken/vis.c b/crypto/heimdal/lib/roken/vis.c
new file mode 100644
index 0000000..82a6ba5
--- /dev/null
+++ b/crypto/heimdal/lib/roken/vis.c
@@ -0,0 +1,301 @@
+/*	$NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $	*/
+
+/*-
+ * Copyright (c) 1999 The NetBSD Foundation, Inc.
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+
+#if 1
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: vis.c,v 1.3 2000/12/10 23:10:48 assar Exp $");
+#endif
+#include <roken.h>
+#ifndef _DIAGASSERT
+#define _DIAGASSERT(X)
+#endif
+#else
+#include <sys/cdefs.h>
+#if !defined(lint)
+__RCSID("$NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $");
+#endif /* not lint */
+#endif
+
+#if 0
+#include "namespace.h"
+#endif
+#include <sys/types.h>
+
+#include <assert.h>
+#include <ctype.h>
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+#include <vis.h>
+
+#if 0
+#ifdef __weak_alias
+__weak_alias(strsvis,_strsvis)
+__weak_alias(strsvisx,_strsvisx)
+__weak_alias(strvis,_strvis)
+__weak_alias(strvisx,_strvisx)
+__weak_alias(svis,_svis)
+__weak_alias(vis,_vis)
+#endif
+#endif
+
+#undef BELL
+#if defined(__STDC__)
+#define BELL '\a'
+#else
+#define BELL '\007'
+#endif
+
+#define isoctal(c)	(((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
+#define iswhite(c)	(c == ' ' || c == '\t' || c == '\n')
+#define issafe(c)	(c == '\b' || c == BELL || c == '\r')
+
+#define MAXEXTRAS       5
+
+
+#define MAKEEXTRALIST(flag, extra)					      \
+do {									      \
+	char *pextra = extra;						      \
+	if (flag & VIS_SP) *pextra++ = ' ';				      \
+	if (flag & VIS_TAB) *pextra++ = '\t';				      \
+	if (flag & VIS_NL) *pextra++ = '\n';				      \
+	if ((flag & VIS_NOSLASH) == 0) *pextra++ = '\\';		      \
+	*pextra = '\0';							      \
+} while (/*CONSTCOND*/0)
+
+/*
+ * This is SVIS, the central macro of vis.
+ * dst:	      Pointer to the destination buffer
+ * c:	      Character to encode
+ * flag:      Flag word
+ * nextc:     The character following 'c'
+ * extra:     Pointer to the list of extra characters to be
+ *	      backslash-protected.
+ */
+#define SVIS(dst, c, flag, nextc, extra)				      \
+do {									      \
+	int isextra, isc;						      \
+	isextra = strchr(extra, c) != NULL;				      \
+	if (!isextra && isascii(c) && (isgraph(c) || iswhite(c) ||	      \
+	    ((flag & VIS_SAFE) && issafe(c)))) {			      \
+		*dst++ = c;						      \
+		break;							      \
+	}								      \
+	isc = 0;							      \
+	if (flag & VIS_CSTYLE) {					      \
+		switch (c) {						      \
+		case '\n':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'n';		      \
+			break;						      \
+		case '\r':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'r';		      \
+			break;						      \
+		case '\b':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'b';		      \
+			break;						      \
+		case BELL:						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'a';		      \
+			break;						      \
+		case '\v':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'v';		      \
+			break;						      \
+		case '\t':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 't';		      \
+			break;						      \
+		case '\f':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'f';		      \
+			break;						      \
+		case ' ':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 's';		      \
+			break;						      \
+		case '\0':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = '0';		      \
+			if (isoctal(nextc)) {				      \
+				*dst++ = '0';				      \
+				*dst++ = '0';				      \
+			}						      \
+		}							      \
+	}								      \
+	if (isc) break;							      \
+	if (isextra || ((c & 0177) == ' ') || (flag & VIS_OCTAL)) {	      \
+		*dst++ = '\\';						      \
+		*dst++ = (u_char)(((unsigned)(u_char)c >> 6) & 03) + '0';     \
+		*dst++ = (u_char)(((unsigned)(u_char)c >> 3) & 07) + '0';     \
+		*dst++ =			     (c	      & 07) + '0';    \
+	} else {							      \
+		if ((flag & VIS_NOSLASH) == 0) *dst++ = '\\';		      \
+		if (c & 0200) {						      \
+			c &= 0177; *dst++ = 'M';			      \
+		}							      \
+		if (iscntrl(c)) {					      \
+			*dst++ = '^';					      \
+			if (c == 0177)					      \
+				*dst++ = '?';				      \
+			else						      \
+				*dst++ = c + '@';			      \
+		} else {						      \
+			*dst++ = '-'; *dst++ = c;			      \
+		}							      \
+	}								      \
+} while (/*CONSTCOND*/0)
+
+
+/*
+ * svis - visually encode characters, also encoding the characters
+ * 	  pointed to by `extra'
+ */
+#ifndef HAVE_SVIS
+char *
+svis(char *dst, int c, int flag, int nextc, const char *extra)
+{
+	_DIAGASSERT(dst != NULL);
+	_DIAGASSERT(extra != NULL);
+
+	SVIS(dst, c, flag, nextc, extra);
+	*dst = '\0';
+	return(dst);
+}
+#endif
+
+
+/*
+ * strsvis, strsvisx - visually encode characters from src into dst
+ *
+ *	Extra is a pointer to a \0-terminated list of characters to
+ *	be encoded, too. These functions are useful e. g. to
+ *	encode strings in such a way so that they are not interpreted
+ *	by a shell.
+ *	
+ *	Dst must be 4 times the size of src to account for possible
+ *	expansion.  The length of dst, not including the trailing NULL,
+ *	is returned. 
+ *
+ *	Strsvisx encodes exactly len bytes from src into dst.
+ *	This is useful for encoding a block of data.
+ */
+#ifndef HAVE_STRSVIS
+int
+strsvis(char *dst, const char *src, int flag, const char *extra)
+{
+	char c;
+	char *start;
+
+	_DIAGASSERT(dst != NULL);
+	_DIAGASSERT(src != NULL);
+	_DIAGASSERT(extra != NULL);
+
+	for (start = dst; (c = *src++) != '\0'; /* empty */)
+	    SVIS(dst, c, flag, *src, extra);
+	*dst = '\0';
+	return (dst - start);
+}
+#endif
+
+
+#ifndef HAVE_STRVISX
+int
+strsvisx(char *dst, const char *src, size_t len, int flag, const char *extra)
+{
+	char c;
+	char *start;
+
+	_DIAGASSERT(dst != NULL);
+	_DIAGASSERT(src != NULL);
+	_DIAGASSERT(extra != NULL);
+
+	for (start = dst; len > 0; len--) {
+		c = *src++;
+		SVIS(dst, c, flag, len ? *src : '\0', extra);
+	}
+	*dst = '\0';
+	return (dst - start);
+}
+#endif
+
+
+/*
+ * vis - visually encode characters
+ */
+#ifndef HAVE_VIS
+char *
+vis(char *dst, int c, int flag, int nextc)
+{
+	char extra[MAXEXTRAS];
+
+	_DIAGASSERT(dst != NULL);
+
+	MAKEEXTRALIST(flag, extra);
+	SVIS(dst, c, flag, nextc, extra);
+	*dst = '\0';
+	return (dst);
+}
+#endif
+
+
+/*
+ * strvis, strvisx - visually encode characters from src into dst
+ *	
+ *	Dst must be 4 times the size of src to account for possible
+ *	expansion.  The length of dst, not including the trailing NULL,
+ *	is returned. 
+ *
+ *	Strvisx encodes exactly len bytes from src into dst.
+ *	This is useful for encoding a block of data.
+ */
+#ifndef HAVE_STRVIS
+int
+strvis(char *dst, const char *src, int flag)
+{
+	char extra[MAXEXTRAS];
+
+	MAKEEXTRALIST(flag, extra);
+	return (strsvis(dst, src, flag, extra));
+}
+#endif
+
+
+#ifndef HAVE_STRVISX
+int
+strvisx(char *dst, const char *src, size_t len, int flag)
+{
+	char extra[MAXEXTRAS];
+
+	MAKEEXTRALIST(flag, extra);
+	return (strsvisx(dst, src, len, flag, extra));
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/vis.hin b/crypto/heimdal/lib/roken/vis.hin
new file mode 100644
index 0000000..a9d09da9
--- /dev/null
+++ b/crypto/heimdal/lib/roken/vis.hin
@@ -0,0 +1,86 @@
+/*	$NetBSD: vis.h,v 1.11 1999/11/25 16:55:50 wennmach Exp $	*/
+/*	$Id: vis.hin,v 1.1 2000/12/06 21:35:47 joda Exp $	*/
+
+/*-
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)vis.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef _VIS_H_
+#define	_VIS_H_
+
+/*
+ * to select alternate encoding format
+ */
+#define	VIS_OCTAL	0x01	/* use octal \ddd format */
+#define	VIS_CSTYLE	0x02	/* use \[nrft0..] where appropiate */
+
+/*
+ * to alter set of characters encoded (default is to encode all
+ * non-graphic except space, tab, and newline).
+ */
+#define	VIS_SP		0x04	/* also encode space */
+#define	VIS_TAB		0x08	/* also encode tab */
+#define	VIS_NL		0x10	/* also encode newline */
+#define	VIS_WHITE	(VIS_SP | VIS_TAB | VIS_NL)
+#define	VIS_SAFE	0x20	/* only encode "unsafe" characters */
+
+/*
+ * other
+ */
+#define	VIS_NOSLASH	0x40	/* inhibit printing '\' */
+
+/*
+ * unvis return codes
+ */
+#define	UNVIS_VALID	 1	/* character valid */
+#define	UNVIS_VALIDPUSH	 2	/* character valid, push back passed char */
+#define	UNVIS_NOCHAR	 3	/* valid sequence, no character produced */
+#define	UNVIS_SYNBAD	-1	/* unrecognized escape sequence */
+#define	UNVIS_ERROR	-2	/* decoder in unknown state (unrecoverable) */
+
+/*
+ * unvis flags
+ */
+#define	UNVIS_END	1	/* no more characters */
+
+char	*vis (char *, int, int, int);
+char	*svis (char *, int, int, int, const char *);
+int	strvis (char *, const char *, int);
+int	strsvis (char *, const char *, int, const char *);
+int	strvisx (char *, const char *, size_t, int);
+int	strsvisx (char *, const char *, size_t, int, const char *);
+int	strunvis (char *, const char *);
+int	unvis (char *, int, int *, int);
+
+#endif /* !_VIS_H_ */
diff --git a/crypto/heimdal/lib/roken/vsyslog.c b/crypto/heimdal/lib/roken/vsyslog.c
index 22e6a35..c72cf33 100644
--- a/crypto/heimdal/lib/roken/vsyslog.c
+++ b/crypto/heimdal/lib/roken/vsyslog.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: vsyslog.c,v 1.3 1999/12/02 16:58:54 joda Exp $");
+RCSID("$Id: vsyslog.c,v 1.6 2000/05/22 22:09:25 assar Exp $");
 #endif
 
 #ifndef HAVE_VSYSLOG
@@ -44,14 +44,72 @@ RCSID("$Id: vsyslog.c,v 1.3 1999/12/02 16:58:54 joda Exp $");
 
 #include "roken.h"
 
+/*
+ * the theory behind this is that we might be trying to call vsyslog
+ * when there's no memory left, and we should try to be as useful as
+ * possible.  And the format string should say something about what's
+ * failing.
+ */
+
+static void
+simple_vsyslog(int pri, const char *fmt, va_list ap)
+{
+    syslog (pri, "%s", fmt);
+}
+
+/*
+ * do like syslog but with a `va_list'
+ */
+
 void
 vsyslog(int pri, const char *fmt, va_list ap)
 {
-    char *p;
+    char *fmt2;
+    const char *p;
+    char *p2;
+    int saved_errno = errno;
+    int fmt_len  = strlen (fmt);
+    int fmt2_len = fmt_len;
+    char *buf;
 
-    vasprintf (&p, fmt, ap);
-    syslog (pri, "%s", p);
-    free (p);
-}
+    fmt2 = malloc (fmt_len + 1);
+    if (fmt2 == NULL) {
+	simple_vsyslog (pri, fmt, ap);
+	return;
+    }
 
+    for (p = fmt, p2 = fmt2; *p != '\0'; ++p) {
+	if (p[0] == '%' && p[1] == 'm') {
+	    const char *e = strerror (saved_errno);
+	    int e_len = strlen (e);
+	    char *tmp;
+	    int pos;
+
+	    pos = p2 - fmt2;
+	    fmt2_len += e_len - 2;
+	    tmp = realloc (fmt2, fmt2_len + 1);
+	    if (tmp == NULL) {
+		free (fmt2);
+		simple_vsyslog (pri, fmt, ap);
+		return;
+	    }
+	    fmt2 = tmp;
+	    p2   = fmt2 + pos;
+	    memmove (p2, e, e_len);
+	    p2 += e_len;
+	    ++p;
+	} else
+	    *p2++ = *p;
+    }
+    *p2 = '\0';
+
+    vasprintf (&buf, fmt2, ap);
+    free (fmt2);
+    if (buf == NULL) {
+	simple_vsyslog (pri, fmt, ap);
+	return;
+    }
+    syslog (pri, "%s", buf);
+    free (buf);
+}
 #endif
diff --git a/crypto/heimdal/lib/roken/vwarn.c b/crypto/heimdal/lib/roken/vwarn.c
index 15f9a38..4034b1b 100644
--- a/crypto/heimdal/lib/roken/vwarn.c
+++ b/crypto/heimdal/lib/roken/vwarn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
  * (Royal Institute of Technology, Stockholm, Sweden).  
  * All rights reserved.
  * 
@@ -33,10 +33,11 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: vwarn.c,v 1.8 1999/12/02 16:58:54 joda Exp $");
+RCSID("$Id: vwarn.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
 #endif
 
-#include "err.h"
+#include "roken.h"
+#include <err.h>
 
 void
 vwarn(const char *fmt, va_list ap)
diff --git a/crypto/heimdal/lib/roken/vwarnx.c b/crypto/heimdal/lib/roken/vwarnx.c
index 48f1ffd..7449a75 100644
--- a/crypto/heimdal/lib/roken/vwarnx.c
+++ b/crypto/heimdal/lib/roken/vwarnx.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
  * (Royal Institute of Technology, Stockholm, Sweden).  
  * All rights reserved.
  * 
@@ -33,10 +33,11 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: vwarnx.c,v 1.8 1999/12/02 16:58:54 joda Exp $");
+RCSID("$Id: vwarnx.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
 #endif
 
-#include "err.h"
+#include "roken.h"
+#include <err.h>
 
 void
 vwarnx(const char *fmt, va_list ap)
diff --git a/crypto/heimdal/lib/roken/warnerr.c b/crypto/heimdal/lib/roken/warnerr.c
index 4df375d..f57c90e 100644
--- a/crypto/heimdal/lib/roken/warnerr.c
+++ b/crypto/heimdal/lib/roken/warnerr.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: warnerr.c,v 1.8 1999/12/02 16:58:54 joda Exp $");
+RCSID("$Id: warnerr.c,v 1.9 2000/07/25 09:54:05 joda Exp $");
 #endif
 
 #include "roken.h"
@@ -43,6 +43,12 @@ RCSID("$Id: warnerr.c,v 1.8 1999/12/02 16:58:54 joda Exp $");
 const char *__progname;
 #endif
 
+const char *
+get_progname(void)
+{
+    return __progname;
+}
+
 void
 set_progname(char *argv0)
 {
diff --git a/crypto/heimdal/lib/roken/write_pid.c b/crypto/heimdal/lib/roken/write_pid.c
new file mode 100644
index 0000000..7d4fa24
--- /dev/null
+++ b/crypto/heimdal/lib/roken/write_pid.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: write_pid.c,v 1.4 2000/08/04 11:19:41 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <roken.h>
+
+#include "roken.h"
+
+char *
+pid_file_write (const char *progname)
+{
+    FILE *fp;
+    char *ret;
+
+    asprintf (&ret, "%s%s.pid", _PATH_VARRUN, progname);
+    if (ret == NULL)
+	return NULL;
+    fp = fopen (ret, "w");
+    if (fp == NULL) {
+	free (ret);
+	return NULL;
+    }
+    fprintf (fp, "%u", (unsigned)getpid());
+    fclose (fp);
+    return ret;
+}
+
+void
+pid_file_delete (char **filename)
+{
+    if (*filename != NULL) {
+	unlink (*filename);
+	free (*filename);
+	*filename = NULL;
+    }
+}
+
+#ifndef HAVE_PIDFILE
+static char *pidfile_path;
+
+static void
+pidfile_cleanup(void)
+{
+    if(pidfile_path != NULL)
+	pid_file_delete(&pidfile_path);
+}
+
+void
+pidfile(const char *basename)
+{
+    if(pidfile_path != NULL)
+	return;
+    if(basename == NULL)
+	basename = __progname;
+    pidfile_path = pid_file_write(basename);
+    atexit(pidfile_cleanup);
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/xdbm.h b/crypto/heimdal/lib/roken/xdbm.h
index 78d7330..429c3d1 100644
--- a/crypto/heimdal/lib/roken/xdbm.h
+++ b/crypto/heimdal/lib/roken/xdbm.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: xdbm.h,v 1.8 2000/02/06 05:03:27 assar Exp $ */
+/* $Id: xdbm.h,v 1.12 2000/08/16 03:57:21 assar Exp $ */
 
 /* Generic *dbm include file */
 
@@ -43,13 +43,17 @@
 #include <db.h>
 #endif
 
+#ifndef DBM_INSERT
 #if defined(HAVE_NDBM_H)
 #include <ndbm.h>
+#elif defined(HAVE_GDBM_NDBM_H)
+#include <gdbm/ndbm.h>
 #elif defined(HAVE_DBM_H)
 #include <dbm.h>
 #elif defined(HAVE_RPCSVC_DBM_H)
 #include <rpcsvc/dbm.h>
 #endif
+#endif
 
 /* Macros to convert ndbm names to dbm names.
  * Note that dbm_nextkey() cannot be simply converted using a macro, since
@@ -58,7 +62,7 @@
  * Instead, all routines call "dbm_next" instead.
  */
 
-#ifndef NDBM
+#if !defined(NDBM) && !defined(HAVE_DB_H)
 typedef char DBM;
 
 #define dbm_open(file, flags, mode) ((dbminit(file) == 0)?"":((char *)0))
diff --git a/crypto/heimdal/lib/sl/ChangeLog b/crypto/heimdal/lib/sl/ChangeLog
index eca7217..1893e1c 100644
--- a/crypto/heimdal/lib/sl/ChangeLog
+++ b/crypto/heimdal/lib/sl/ChangeLog
@@ -1,3 +1,49 @@
+2001-01-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* sl.h: proto
+
+	* sl.c (sl_command_loop): try to handle user pressing C-c
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libss_la_LDFLAGS): bump version to 1:2:1
+
+2000-08-19  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: add dependencies for libss/libsl shared libraries
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bump ss version to 1:1:1
+
+2000-06-27  Assar Westerlund  <assar@sics.se>
+
+	* parse.y (yyerror): static-ize
+	* make_cmds.h (error_message, yylex): add prototypes
+	* lex.l: fix prototypes and kill warnings
+
+2000-05-24  Assar Westerlund  <assar@sics.se>
+
+	* ss.h (SS_ET_COMMAND_NOT_FOUND): add
+	* ss.c: check allocation and return some other error codes too
+
+2000-04-29  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add LIB_tgetent.  From Derrick J Brashear
+	<shadow@dementia.org>
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:0:1
+
+2000-03-07  Assar Westerlund  <assar@sics.se>
+
+	* sl.h (SL_BADCOMMAND): define
+	(sl_apropos): add prototype
+
+	* sl.c: mandoc-generation
+	(sl_apropos): stolen from arla
+
 2000-01-06  Assar Westerlund  <assar@sics.se>
 
 	* Makefile.am: bump both versions to 0:1:0
diff --git a/crypto/heimdal/lib/sl/Makefile.am b/crypto/heimdal/lib/sl/Makefile.am
index e572e21..df01306 100644
--- a/crypto/heimdal/lib/sl/Makefile.am
+++ b/crypto/heimdal/lib/sl/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.15 2000/01/06 21:52:20 assar Exp $
+# $Id: Makefile.am,v 1.21 2001/01/26 15:00:09 joda Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -7,8 +7,11 @@ YFLAGS = -d
 include_HEADERS = sl.h
 
 lib_LTLIBRARIES = libsl.la libss.la
-libsl_la_LDFLAGS = -version-info 0:1:0
-libss_la_LDFLAGS = -version-info 0:1:0
+libsl_la_LDFLAGS = -version-info 1:1:1
+libss_la_LDFLAGS = -version-info 1:3:1
+
+libsl_la_LIBADD = @LIB_readline@
+libss_la_LIBADD = @LIB_readline@
 
 RENAME_SRC = roken_rename.h strtok_r.c snprintf.c
 
@@ -19,7 +22,7 @@ EXTRA_libsl_la_SOURCES = strtok_r.c snprintf.c roken_rename.h
 
 # install these?
 
-noinst_PROGRAMS = mk_cmds
+bin_PROGRAMS = mk_cmds
 
 mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l
 
@@ -34,8 +37,8 @@ CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c
 
 $(mk_cmds_OBJECTS): parse.h
 
-LDADD = \
-	$(LIB_roken) \
+LDADD =						\
+	$(LIB_roken)				\
 	$(LEXLIB)
 
 strtok_r.c:
diff --git a/crypto/heimdal/lib/sl/Makefile.in b/crypto/heimdal/lib/sl/Makefile.in
index 634cd74..6c1088b 100644
--- a/crypto/heimdal/lib/sl/Makefile.in
+++ b/crypto/heimdal/lib/sl/Makefile.in
@@ -1,6 +1,6 @@
-# Makefile.in generated automatically by automake 1.4 from Makefile.am
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
 
-# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -10,15 +10,6 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
-# $Id: Makefile.am,v 1.15 2000/01/06 21:52:20 assar Exp $
-
-
-# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
-
-
 SHELL = @SHELL@
 
 srcdir = @srcdir@
@@ -40,8 +31,6 @@ mandir = @mandir@
 includedir = @includedir@
 oldincludedir = /usr/include
 
-DESTDIR =
-
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@
 AUTOHEADER = @AUTOHEADER@
 
 INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
 transform = @program_transform_name@
 
 NORMAL_INSTALL = :
@@ -65,26 +55,39 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+
+@SET_MAKE@
 host_alias = @host_alias@
 host_triplet = @host@
-AFS_EXTRA_LD = @AFS_EXTRA_LD@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
 DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
 EXEEXT = @EXEEXT@
 EXTRA_LIB45 = @EXTRA_LIB45@
 GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_ = @INCLUDE_@
-LD = @LD@
 LEX = @LEX@
 LIBOBJS = @LIBOBJS@
 LIBTOOL = @LIBTOOL@
 LIB_ = @LIB_@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
 LIB_kdb = @LIB_kdb@
 LIB_otp = @LIB_otp@
 LIB_roken = @LIB_roken@
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
-MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
-MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
-MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NM = @NM@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 RANLIB = @RANLIB@
+STRIP = @STRIP@
 VERSION = @VERSION@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
 YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.21 2001/01/26 15:00:09 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
 
 AM_CFLAGS =  $(WFLAGS)
 
+CP = cp
+
 COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
 
 buildinclude = $(top_builddir)/include
@@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
 LIB_res_search = @LIB_res_search@
 LIB_setpcred = @LIB_setpcred@
@@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 
+LIBS = @LIBS@
+
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
 INCLUDE_hesiod = @INCLUDE_hesiod@
@@ -152,24 +170,20 @@ LIB_hesiod = @LIB_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 LIB_krb4 = @LIB_krb4@
 
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
 INCLUDE_readline = @INCLUDE_readline@
 
 LEXLIB = @LEXLIB@
 
-cat1dir = $(mandir)/cat1
-cat3dir = $(mandir)/cat3
-cat5dir = $(mandir)/cat5
-cat8dir = $(mandir)/cat8
-
-MANRX = \(.*\)\.\([0-9]\)
-CATSUFFIX = @CATSUFFIX@
-
 NROFF_MAN = groff -mandoc -Tascii
 
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
 CHECK_LOCAL = $(PROGRAMS)
 
@@ -178,8 +192,11 @@ YFLAGS = -d
 include_HEADERS = sl.h
 
 lib_LTLIBRARIES = libsl.la libss.la
-libsl_la_LDFLAGS = -version-info 0:1:0
-libss_la_LDFLAGS = -version-info 0:1:0
+libsl_la_LDFLAGS = -version-info 1:1:1
+libss_la_LDFLAGS = -version-info 1:3:1
+
+libsl_la_LIBADD = @LIB_readline@
+libss_la_LIBADD = @LIB_readline@
 
 RENAME_SRC = roken_rename.h strtok_r.c snprintf.c
 
@@ -190,7 +207,7 @@ EXTRA_libsl_la_SOURCES = strtok_r.c snprintf.c roken_rename.h
 
 # install these?
 
-noinst_PROGRAMS = mk_cmds
+bin_PROGRAMS = mk_cmds
 
 mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l
 
@@ -203,8 +220,11 @@ ssinclude_HEADERS = ss.h
 
 CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c
 
-LDADD =  	$(LIB_roken) 	$(LEXLIB)
+LDADD = \
+	$(LIB_roken)				\
+	$(LEXLIB)
 
+subdir = lib/sl
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../../include/config.h
 CONFIG_CLEAN_FILES = 
@@ -214,43 +234,48 @@ LTLIBRARIES =  $(lib_LTLIBRARIES)
 DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
 X_CFLAGS = @X_CFLAGS@
 X_LIBS = @X_LIBS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
-libsl_la_LIBADD = 
-libsl_la_OBJECTS =  sl.lo
-libss_la_LIBADD = 
-libss_la_OBJECTS =  sl.lo ss.lo
-noinst_PROGRAMS =  mk_cmds$(EXEEXT)
-PROGRAMS =  $(noinst_PROGRAMS)
-
-mk_cmds_OBJECTS =  make_cmds.$(OBJEXT) parse.$(OBJEXT) lex.$(OBJEXT)
+libsl_la_DEPENDENCIES = 
+am_libsl_la_OBJECTS =  sl.lo
+libsl_la_OBJECTS =  $(am_libsl_la_OBJECTS)
+libss_la_DEPENDENCIES = 
+am_libss_la_OBJECTS =  sl.lo ss.lo
+libss_la_OBJECTS =  $(am_libss_la_OBJECTS)
+bin_PROGRAMS =  mk_cmds$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+am_mk_cmds_OBJECTS =  make_cmds.$(OBJEXT) parse.$(OBJEXT) lex.$(OBJEXT)
+mk_cmds_OBJECTS =  $(am_mk_cmds_OBJECTS)
 mk_cmds_LDADD = $(LDADD)
 mk_cmds_DEPENDENCIES = 
 mk_cmds_LDFLAGS = 
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libsl_la_SOURCES) $(EXTRA_libsl_la_SOURCES) \
+$(libss_la_SOURCES) $(mk_cmds_SOURCES) $(EXTRA_mk_cmds_SOURCES)
 HEADERS =  $(include_HEADERS) $(ssinclude_HEADERS)
 
-DIST_COMMON =  ChangeLog Makefile.am Makefile.in lex.c parse.c
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) $(ssinclude_HEADERS) ChangeLog \
+Makefile.am Makefile.in lex.c parse.c parse.h
 
 
-DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
-TAR = tar
 GZIP_ENV = --best
 SOURCES = $(libsl_la_SOURCES) $(EXTRA_libsl_la_SOURCES) $(libss_la_SOURCES) $(mk_cmds_SOURCES) $(EXTRA_mk_cmds_SOURCES)
-OBJECTS = $(libsl_la_OBJECTS) $(libss_la_OBJECTS) $(mk_cmds_OBJECTS)
+OBJECTS = $(am_libsl_la_OBJECTS) $(am_libss_la_OBJECTS) $(am_mk_cmds_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .l .lo .o .obj .s .x .y
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .l .lo .o .obj .x .y
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/sl/Makefile
 
@@ -273,31 +298,18 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	$(mkinstalldirs) $(DESTDIR)$(libdir)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
-	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
 	  else :; fi; \
 	done
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
 	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
 	done
 
-.c.o:
-	$(COMPILE) -c $<
-
-# FIXME: We should only use cygpath when building on Windows,
-# and only if it is available.
-.c.obj:
-	$(COMPILE) -c `cygpath -w $<`
-
-.s.o:
-	$(COMPILE) -c $<
-
-.S.o:
-	$(COMPILE) -c $<
-
 mostlyclean-compile:
 	-rm -f *.o core *.core
 	-rm -f *.$(OBJEXT)
@@ -309,15 +321,6 @@ distclean-compile:
 
 maintainer-clean-compile:
 
-.c.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.s.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
-.S.lo:
-	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -334,18 +337,43 @@ libsl.la: $(libsl_la_OBJECTS) $(libsl_la_DEPENDENCIES)
 libss.la: $(libss_la_OBJECTS) $(libss_la_DEPENDENCIES)
 	$(LINK) -rpath $(libdir) $(libss_la_LDFLAGS) $(libss_la_OBJECTS) $(libss_la_LIBADD) $(LIBS)
 
-mostlyclean-noinstPROGRAMS:
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
 
-clean-noinstPROGRAMS:
-	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+distclean-binPROGRAMS:
 
-distclean-noinstPROGRAMS:
+maintainer-clean-binPROGRAMS:
 
-maintainer-clean-noinstPROGRAMS:
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
 
 mk_cmds$(EXEEXT): $(mk_cmds_OBJECTS) $(mk_cmds_DEPENDENCIES)
 	@rm -f mk_cmds$(EXEEXT)
 	$(LINK) $(mk_cmds_LDFLAGS) $(mk_cmds_OBJECTS) $(mk_cmds_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
 .l.c:
 	$(LEX) $(AM_LFLAGS) $(LFLAGS) $< && mv $(LEX_OUTPUT_ROOT).c $@
 .y.c:
@@ -361,14 +389,17 @@ install-includeHEADERS: $(include_HEADERS)
 	$(mkinstalldirs) $(DESTDIR)$(includedir)
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
-	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
-	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
 	done
 
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	list='$(include_HEADERS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
 	done
 
 install-ssincludeHEADERS: $(ssinclude_HEADERS)
@@ -376,35 +407,42 @@ install-ssincludeHEADERS: $(ssinclude_HEADERS)
 	$(mkinstalldirs) $(DESTDIR)$(ssincludedir)
 	@list='$(ssinclude_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
-	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(ssincludedir)/$$p"; \
-	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(ssincludedir)/$$p; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(ssincludedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(ssincludedir)/$$f; \
 	done
 
 uninstall-ssincludeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	list='$(ssinclude_HEADERS)'; for p in $$list; do \
-	  rm -f $(DESTDIR)$(ssincludedir)/$$p; \
+	@list='$(ssinclude_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(ssincludedir)/$$f"; \
+	  rm -f $(DESTDIR)$(ssincludedir)/$$f; \
 	done
 
 tags: TAGS
 
-ID: $(HEADERS) $(SOURCES) $(LISP)
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	here=`pwd` && cd $(srcdir) \
-	  && mkid -f$$here/ID $$unique $(LISP)
+	mkid -fID $$unique $(LISP)
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)'; \
-	unique=`for i in $$list; do echo $$i; done | \
-	  awk '    { files[$$0] = 1; } \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
-	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
 mostlyclean-tags:
 
@@ -417,17 +455,16 @@ maintainer-clean-tags:
 
 distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
 
-subdir = lib/sl
-
 distdir: $(DISTFILES)
 	@for file in $(DISTFILES); do \
 	  d=$(srcdir); \
 	  if test -d $$d/$$file; then \
-	    cp -pr $$/$$file $(distdir)/$$file; \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
 	  else \
 	    test -f $(distdir)/$$file \
-	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
-	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
@@ -440,7 +477,7 @@ check-am: all-am
 check: check-am
 installcheck-am:
 installcheck: installcheck-am
-install-exec-am: install-libLTLIBRARIES
+install-exec-am: install-libLTLIBRARIES install-binPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 install-exec: install-exec-am
@@ -452,16 +489,16 @@ install-data: install-data-am
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 install: install-am
-uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS \
-		uninstall-ssincludeHEADERS
+uninstall-am: uninstall-libLTLIBRARIES uninstall-binPROGRAMS \
+		uninstall-includeHEADERS uninstall-ssincludeHEADERS
 uninstall: uninstall-am
 all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
 all-redirect: all-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
 installdirs:
-	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir) \
-		$(DESTDIR)$(ssincludedir)
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) \
+		$(DESTDIR)$(includedir) $(DESTDIR)$(ssincludedir)
 
 
 mostlyclean-generic:
@@ -474,29 +511,30 @@ distclean-generic:
 	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
 
 maintainer-clean-generic:
-	-test -z "lexlparsehparsec" || rm -f lexl parseh parsec
+	-rm -f Makefile.in
+	-test -z "lex.cparse.hparse.c" || rm -f lex.c parse.h parse.c
 mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
-		mostlyclean-libtool mostlyclean-noinstPROGRAMS \
+		mostlyclean-libtool mostlyclean-binPROGRAMS \
 		mostlyclean-tags mostlyclean-generic
 
 mostlyclean: mostlyclean-am
 
 clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
-		clean-noinstPROGRAMS clean-tags clean-generic \
+		clean-binPROGRAMS clean-tags clean-generic \
 		mostlyclean-am
 
 clean: clean-am
 
 distclean-am:  distclean-libLTLIBRARIES distclean-compile \
-		distclean-libtool distclean-noinstPROGRAMS \
-		distclean-tags distclean-generic clean-am
+		distclean-libtool distclean-binPROGRAMS distclean-tags \
+		distclean-generic clean-am
 	-rm -f libtool
 
 distclean: distclean-am
 
 maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
 		maintainer-clean-compile maintainer-clean-libtool \
-		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-binPROGRAMS maintainer-clean-tags \
 		maintainer-clean-generic distclean-am
 	@echo "This command is intended for maintainers to use;"
 	@echo "it deletes files that may require special tools to rebuild."
@@ -508,15 +546,15 @@ clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
 uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
 distclean-compile clean-compile maintainer-clean-compile \
 mostlyclean-libtool distclean-libtool clean-libtool \
-maintainer-clean-libtool mostlyclean-noinstPROGRAMS \
-distclean-noinstPROGRAMS clean-noinstPROGRAMS \
-maintainer-clean-noinstPROGRAMS uninstall-includeHEADERS \
-install-includeHEADERS uninstall-ssincludeHEADERS \
-install-ssincludeHEADERS tags mostlyclean-tags distclean-tags \
-clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
-check-local check check-am installcheck-am installcheck install-exec-am \
-install-exec install-data-local install-data-am install-data install-am \
-install uninstall-am uninstall all-local all-redirect all-am all \
+maintainer-clean-libtool mostlyclean-binPROGRAMS distclean-binPROGRAMS \
+clean-binPROGRAMS maintainer-clean-binPROGRAMS uninstall-binPROGRAMS \
+install-binPROGRAMS uninstall-includeHEADERS install-includeHEADERS \
+uninstall-ssincludeHEADERS install-ssincludeHEADERS tags \
+mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
 installdirs mostlyclean-generic distclean-generic clean-generic \
 maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
@@ -526,7 +564,10 @@ install-suid-programs:
 	for file in $$foo; do \
 	x=$(DESTDIR)$(bindir)/$$file; \
 	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	chmod 0 $$x; fi; done
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
 
 install-exec-hook: install-suid-programs
 
@@ -538,8 +579,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 		else file="$$f"; fi; \
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
-			echo " cp $$file $(buildinclude)/$$f"; \
-			cp $$file $(buildinclude)/$$f; \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
 	done
 
@@ -608,87 +649,8 @@ dist-cat8-mans:
 
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
-install-cat1-mans:
-	@ext=1;\
-	foo='$(man1_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.1) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat3-mans:
-	@ext=3;\
-	foo='$(man3_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.3) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat5-mans:
-	@ext=5;\
-	foo='$(man5_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.5) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat8-mans:
-	@ext=8;\
-	foo='$(man8_MANS)'; \
-	bar='$(man_MANS)'; \
-	for i in $$bar; do \
-	case $$i in \
-	*.8) foo="$$foo $$i";; \
-	esac; done; \
-	if test "$$foo"; then \
-		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
-		for x in $$foo; do \
-			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
-			if test -f "$(srcdir)/$$f"; then \
-				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
-				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
-				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
-			 fi; \
-		done ;\
-	fi
-
-install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-local: install-cat-mans
 
diff --git a/crypto/heimdal/lib/sl/lex.l b/crypto/heimdal/lib/sl/lex.l
index b7c1c44..c83e5d1 100644
--- a/crypto/heimdal/lib/sl/lex.l
+++ b/crypto/heimdal/lib/sl/lex.l
@@ -1,6 +1,6 @@
 %{
 /*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,14 +32,17 @@
  * SUCH DAMAGE. 
  */
 
+#undef ECHO
+
 #include "make_cmds.h"
 #include "parse.h"
 
-RCSID("$Id: lex.l,v 1.3 1999/12/02 16:58:55 joda Exp $");
+RCSID("$Id: lex.l,v 1.5 2000/12/05 09:21:46 joda Exp $");
 
 static unsigned lineno = 1;
-void error_message(char *, ...);
-int getstring(void);
+static int getstring(void);
+
+#define YY_NO_UNPUT
 
 %}
 
@@ -66,7 +69,7 @@ yywrap ()
 }
 #endif
 
-int
+static int
 getstring(void)
 {
     char x[128];
@@ -102,7 +105,7 @@ getstring(void)
 }
 
 void
-error_message (char *format, ...)
+error_message (const char *format, ...)
 {
      va_list args;
 
diff --git a/crypto/heimdal/lib/sl/make_cmds.h b/crypto/heimdal/lib/sl/make_cmds.h
index 24dbd60..6d64d97 100644
--- a/crypto/heimdal/lib/sl/make_cmds.h
+++ b/crypto/heimdal/lib/sl/make_cmds.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: make_cmds.h,v 1.2 1999/12/02 16:58:55 joda Exp $ */
+/* $Id: make_cmds.h,v 1.3 2000/06/27 02:36:56 assar Exp $ */
 
 #ifndef __MAKE_CMDS_H__
 #define __MAKE_CMDS_H__
@@ -45,6 +45,8 @@
 #include <stdlib.h>
 #include <stdarg.h>
 
+#include <roken.h>
+
 extern char *filename;
 extern char *table_name;
 extern int numerror;
@@ -66,4 +68,9 @@ struct string_list {
 
 void add_command(char*, char*, struct string_list*, unsigned);
 
+void error_message(const char *, ...)
+    __attribute__ ((format (printf, 1,2)));
+
+int yylex (void);
+
 #endif /* __MAKE_CMDS_H__ */
diff --git a/crypto/heimdal/lib/sl/parse.y b/crypto/heimdal/lib/sl/parse.y
index 18ef5ca..deff933 100644
--- a/crypto/heimdal/lib/sl/parse.y
+++ b/crypto/heimdal/lib/sl/parse.y
@@ -1,6 +1,6 @@
 %{
 /*
- * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,10 +33,9 @@
  */
 
 #include "make_cmds.h"
-RCSID("$Id: parse.y,v 1.6 1999/12/16 10:34:11 assar Exp $");
+RCSID("$Id: parse.y,v 1.7 2000/06/27 02:37:18 assar Exp $");
 
-void yyerror (char *s);
-void error_message(char *, ...);
+static void yyerror (char *s);
 
 struct string_list* append_string(struct string_list*, char*);
 void free_string_list(struct string_list *list);
@@ -129,7 +128,7 @@ flag		: STRING
 
 %%
 
-void
+static void
 yyerror (char *s)
 {
     error_message ("%s\n", s);
diff --git a/crypto/heimdal/lib/sl/roken_rename.h b/crypto/heimdal/lib/sl/roken_rename.h
index c668802..1d3d893 100644
--- a/crypto/heimdal/lib/sl/roken_rename.h
+++ b/crypto/heimdal/lib/sl/roken_rename.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: roken_rename.h,v 1.3 1999/12/02 16:58:55 joda Exp $ */
+/* $Id: roken_rename.h,v 1.4 2000/05/31 20:07:56 assar Exp $ */
 
 #ifndef __roken_rename_h__
 #define __roken_rename_h__
@@ -57,5 +57,8 @@
 #ifndef HAVE_VSNPRINTF
 #define vsnprintf _sl_vsnprintf
 #endif
+#ifndef HAVE_STRUPR
+#define strupr _sl_strupr
+#endif
 
 #endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal/lib/sl/sl.c b/crypto/heimdal/lib/sl/sl.c
index 688ca8b..ebc7657 100644
--- a/crypto/heimdal/lib/sl/sl.c
+++ b/crypto/heimdal/lib/sl/sl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,10 +33,101 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: sl.c,v 1.25 1999/12/02 16:58:55 joda Exp $");
+RCSID("$Id: sl.c,v 1.28 2001/01/26 14:58:26 joda Exp $");
 #endif
 
 #include "sl_locl.h"
+#include <setjmp.h>
+
+static size_t
+print_sl (FILE *stream, int mdoc, int longp, SL_cmd *c)
+    __attribute__ ((unused));
+
+static size_t
+print_sl (FILE *stream, int mdoc, int longp, SL_cmd *c)
+{
+    if(mdoc){
+	if(longp)
+	    fprintf(stream, "= Ns");
+	fprintf(stream, " Ar ");
+    }else
+	if (longp)
+	    putc ('=', stream);
+	else
+	    putc (' ', stream);
+
+    return 1;
+}
+
+static void
+mandoc_template(SL_cmd *cmds,
+		const char *extra_string)
+{
+    SL_cmd *c, *prev;
+    char timestr[64], cmd[64];
+    const char *p;
+    time_t t;
+
+    printf(".\\\" Things to fix:\n");
+    printf(".\\\"   * correct section, and operating system\n");
+    printf(".\\\"   * remove Op from mandatory flags\n");
+    printf(".\\\"   * use better macros for arguments (like .Pa for files)\n");
+    printf(".\\\"\n");
+    t = time(NULL);
+    strftime(timestr, sizeof(timestr), "%b %d, %Y", localtime(&t));
+    printf(".Dd %s\n", timestr);
+    p = strrchr(__progname, '/');
+    if(p) p++; else p = __progname;
+    strncpy(cmd, p, sizeof(cmd));
+    cmd[sizeof(cmd)-1] = '\0';
+    strupr(cmd);
+       
+    printf(".Dt %s SECTION\n", cmd);
+    printf(".Os OPERATING_SYSTEM\n");
+    printf(".Sh NAME\n");
+    printf(".Nm %s\n", p);
+    printf(".Nd\n");
+    printf("in search of a description\n");
+    printf(".Sh SYNOPSIS\n");
+    printf(".Nm\n");
+    for(c = cmds; c->name; ++c) {
+/*	if (c->func == NULL)
+	    continue; */
+	printf(".Op Fl %s", c->name);
+/*	print_sl(stdout, 1, 0, c);*/
+	printf("\n");
+	
+    }
+    if (extra_string && *extra_string)
+	printf (".Ar %s\n", extra_string);
+    printf(".Sh DESCRIPTION\n");
+    printf("Supported options:\n");
+    printf(".Bl -tag -width Ds\n");
+    prev = NULL;
+    for(c = cmds; c->name; ++c) {
+	if (c->func) {
+	    if (prev)
+		printf ("\n%s\n", prev->usage);
+
+	    printf (".It Fl %s", c->name);
+	    prev = c;
+	} else
+	    printf (", %s\n", c->name);
+    }
+    if (prev)
+	printf ("\n%s\n", prev->usage);
+
+    printf(".El\n");
+    printf(".\\\".Sh ENVIRONMENT\n");
+    printf(".\\\".Sh FILES\n");
+    printf(".\\\".Sh EXAMPLES\n");
+    printf(".\\\".Sh DIAGNOSTICS\n");
+    printf(".\\\".Sh SEE ALSO\n");
+    printf(".\\\".Sh STANDARDS\n");
+    printf(".\\\".Sh HISTORY\n");
+    printf(".\\\".Sh AUTHORS\n");
+    printf(".\\\".Sh BUGS\n");
+}
 
 static SL_cmd *
 sl_match (SL_cmd *cmds, char *cmd, int exactp)
@@ -66,6 +157,11 @@ sl_help (SL_cmd *cmds, int argc, char **argv)
 {
     SL_cmd *c, *prev_c;
 
+    if (getenv("SLMANDOC")) {
+	mandoc_template(cmds, NULL);
+	return;
+    }
+
     if (argc == 1) {
 	prev_c = NULL;
 	for (c = cmds; c->name; ++c) {
@@ -178,9 +274,28 @@ sl_make_argv(char *line, int *ret_argc, char ***ret_argv)
     return 0;
 }
 
+static jmp_buf sl_jmp;
+
+static void sl_sigint(int sig)
+{
+    longjmp(sl_jmp, 1);
+}
+
+static char *sl_readline(const char *prompt)
+{
+    char *s;
+    void (*old)(int);
+    old = signal(SIGINT, sl_sigint);
+    if(setjmp(sl_jmp))
+	printf("\n");
+    s = readline((char*)prompt);
+    signal(SIGINT, old);
+    return s;
+}
+
 /* return values: 0 on success, -1 on fatal error, or return value of command */
 int
-sl_command_loop(SL_cmd *cmds, char *prompt, void **data)
+sl_command_loop(SL_cmd *cmds, const char *prompt, void **data)
 {
     int ret = 0;
     char *buf;
@@ -188,7 +303,7 @@ sl_command_loop(SL_cmd *cmds, char *prompt, void **data)
     char **argv;
 	
     ret = 0;
-    buf = readline(prompt);
+    buf = sl_readline(prompt);
     if(buf == NULL)
 	return 1;
 
@@ -213,7 +328,7 @@ sl_command_loop(SL_cmd *cmds, char *prompt, void **data)
 }
 
 int 
-sl_loop(SL_cmd *cmds, char *prompt)
+sl_loop(SL_cmd *cmds, const char *prompt)
 {
     void *data = NULL;
     int ret;
@@ -221,3 +336,11 @@ sl_loop(SL_cmd *cmds, char *prompt)
 	;
     return ret;
 }
+
+void
+sl_apropos (SL_cmd *cmd, const char *topic)
+{
+    for (; cmd->name != NULL; ++cmd)
+        if (cmd->usage != NULL && strstr(cmd->usage, topic) != NULL)
+	    printf ("%-20s%s\n", cmd->name, cmd->usage);
+}
diff --git a/crypto/heimdal/lib/sl/sl.h b/crypto/heimdal/lib/sl/sl.h
index 1a6d3fa..5b3e4b7 100644
--- a/crypto/heimdal/lib/sl/sl.h
+++ b/crypto/heimdal/lib/sl/sl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -31,11 +31,13 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: sl.h,v 1.7 1999/12/02 16:58:55 joda Exp $ */
+/* $Id: sl.h,v 1.9 2001/01/26 14:58:41 joda Exp $ */
 
 #ifndef _SL_H
 #define _SL_H
 
+#define SL_BADCOMMAND -1
+
 typedef int (*cmd_func)(int, char **);
 
 struct sl_cmd {
@@ -48,10 +50,11 @@ struct sl_cmd {
 typedef struct sl_cmd SL_cmd;
 
 void sl_help (SL_cmd *, int argc, char **argv);
-int  sl_loop (SL_cmd *, char *prompt);
-int  sl_command_loop (SL_cmd *cmds, char *prompt, void **data);
+int  sl_loop (SL_cmd *, const char *prompt);
+int  sl_command_loop (SL_cmd *cmds, const char *prompt, void **data);
 int  sl_command (SL_cmd *cmds, int argc, char **argv);
 int sl_make_argv(char*, int*, char***);
+void sl_apropos (SL_cmd *cmd, const char *topic);
 
 
 #endif /* _SL_H */
diff --git a/crypto/heimdal/lib/sl/ss.c b/crypto/heimdal/lib/sl/ss.c
index f3c0546..7655a9e 100644
--- a/crypto/heimdal/lib/sl/ss.c
+++ b/crypto/heimdal/lib/sl/ss.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -35,7 +35,7 @@
 #include <com_err.h>
 #include "ss.h"
 
-RCSID("$Id: ss.c,v 1.4 1999/12/02 16:58:55 joda Exp $");
+RCSID("$Id: ss.c,v 1.6 2000/05/25 00:14:58 assar Exp $");
 
 struct ss_subst {
     char *name;
@@ -55,14 +55,34 @@ ss_create_invocation(const char *subsystem,
 		     int *code)
 {
     struct ss_subst *ss;
+
     if(num_subsystems >= sizeof(subsystems) / sizeof(subsystems[0])) {
 	*code = 17;
 	return 0;
     }
     ss = &subsystems[num_subsystems];
-    ss->name = subsystem ? strdup(subsystem) : NULL;
-    ss->version = version ? strdup(version) : NULL;
-    ss->info = info ? strdup(info) : NULL;
+    ss->name = ss->version = ss->info = NULL;
+    if (subsystem != NULL) {
+	ss->name = strdup (subsystem);
+	if (ss->name == NULL) {
+	    *code = ENOMEM;
+	    return 0;
+	}
+    }
+    if (version != NULL) {
+	ss->version = strdup (version);
+	if (ss->version == NULL) {
+	    *code = ENOMEM;
+	    return 0;
+	}
+    }
+    if (info != NULL) {
+	ss->info = strdup (info);
+	if (ss->info == NULL) {
+	    *code = ENOMEM;
+	    return 0;
+	}
+    }
     ss->table = table;
     *code = 0;
     return num_subsystems++;
@@ -87,8 +107,12 @@ int
 ss_execute_command(int index, char **argv)
 {
     int argc = 0;
+    int ret;
+
     while(argv[argc++]);
-    sl_command(subsystems[index].table, argc, argv);
+    ret = sl_command(subsystems[index].table, argc, argv);
+    if (ret == SL_BADCOMMAND)
+	return SS_ET_COMMAND_NOT_FOUND;
     return 0;
 }
 
@@ -98,10 +122,15 @@ ss_execute_line (int index, const char *line)
     char *buf = strdup(line);
     int argc;
     char **argv;
+    int ret;
     
+    if (buf == NULL)
+	return ENOMEM;
     sl_make_argv(buf, &argc, &argv);
-    sl_command(subsystems[index].table, argc, argv);
+    ret = sl_command(subsystems[index].table, argc, argv);
     free(buf);
+    if (ret == SL_BADCOMMAND)
+	return SS_ET_COMMAND_NOT_FOUND;
     return 0;
 }
 
@@ -109,9 +138,9 @@ int
 ss_listen (int index)
 {
     char *prompt = malloc(strlen(subsystems[index].name) + 3);
-    if(prompt == NULL) {
-	abort();
-    }
+    if (prompt == NULL)
+	return ENOMEM;
+
     strcpy(prompt, subsystems[index].name);
     strcat(prompt, ": ");
     sl_loop(subsystems[index].table, prompt);
diff --git a/crypto/heimdal/lib/sl/ss.h b/crypto/heimdal/lib/sl/ss.h
index 0d9d297..0149fa1 100644
--- a/crypto/heimdal/lib/sl/ss.h
+++ b/crypto/heimdal/lib/sl/ss.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
  * SUCH DAMAGE. 
  */
-/* $Id: ss.h,v 1.2 1999/12/02 16:58:55 joda Exp $ */
+/* $Id: ss.h,v 1.3 2000/05/25 00:15:21 assar Exp $ */
 
 /* SS compatibility for SL */
 
@@ -52,4 +52,6 @@ int ss_listen (int);
 void ss_perror (int, long, const char*);
 int ss_quit (int argc, char**);
 
+#define SS_ET_COMMAND_NOT_FOUND (-1)
+
 #endif /* __ss_h__ */
diff --git a/crypto/heimdal/lib/vers/ChangeLog b/crypto/heimdal/lib/vers/ChangeLog
new file mode 100644
index 0000000..459c940
--- /dev/null
+++ b/crypto/heimdal/lib/vers/ChangeLog
@@ -0,0 +1,13 @@
+2001-01-31  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: remove -static turning this into a convenience
+	library
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: make the library static and don't install it
+
+2000-07-08  Assar Westerlund  <assar@sics.se>
+
+	* make-print-version.c (heimdal_version, krb4_version): const-ize,
+	based on thorpej@netbsd.org's change to NetBSD
diff --git a/crypto/heimdal/lib/vers/Makefile.am b/crypto/heimdal/lib/vers/Makefile.am
new file mode 100644
index 0000000..87ef246
--- /dev/null
+++ b/crypto/heimdal/lib/vers/Makefile.am
@@ -0,0 +1,28 @@
+# $Id: Makefile.am,v 1.3 2001/01/31 03:50:48 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+CLEANFILES		= print_version.h
+
+noinst_LTLIBRARIES	= libvers.la
+
+build_HEADERZ		= vers.h
+
+noinst_PROGRAMS		= make-print-version
+
+if KRB4
+if KRB5
+## need to link with des here; otherwise, if krb4 is shared the link
+## will fail with unresolved references
+make_print_version_LDADD += $(LIB_krb4) -ldes
+endif
+endif
+
+libvers_la_SOURCES	= print_version.c
+
+print_version.lo: print_version.h
+
+print_version.h: make-print-version$(EXEEXT)
+	./make-print-version$(EXEEXT) print_version.h
+
+make-print-version.o: $(top_builddir)/include/version.h
diff --git a/crypto/heimdal/lib/vers/Makefile.in b/crypto/heimdal/lib/vers/Makefile.in
new file mode 100644
index 0000000..8b8da03
--- /dev/null
+++ b/crypto/heimdal/lib/vers/Makefile.in
@@ -0,0 +1,574 @@
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
+
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.3 2001/01/31 03:50:48 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+CLEANFILES = print_version.h
+
+noinst_LTLIBRARIES = libvers.la
+
+build_HEADERZ = vers.h
+
+noinst_PROGRAMS = make-print-version
+
+@KRB4_TRUE@@KRB5_TRUE@make_print_version_LDADD = @KRB4_TRUE@@KRB5_TRUE@ $(LIB_krb4) -ldes
+
+libvers_la_SOURCES = print_version.c
+subdir = lib/vers
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(noinst_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libvers_la_LDFLAGS = 
+libvers_la_LIBADD = 
+am_libvers_la_OBJECTS =  print_version.lo
+libvers_la_OBJECTS =  $(am_libvers_la_OBJECTS)
+noinst_PROGRAMS =  make-print-version$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+make_print_version_SOURCES = make-print-version.c
+make_print_version_OBJECTS =  make-print-version.$(OBJEXT)
+@KRB4_TRUE@@KRB5_TRUE@make_print_version_DEPENDENCIES = 
+make_print_version_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libvers_la_SOURCES) make-print-version.c
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libvers_la_SOURCES) make-print-version.c
+OBJECTS = $(am_libvers_la_OBJECTS) make-print-version.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/vers/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-noinstLTLIBRARIES:
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+
+distclean-noinstLTLIBRARIES:
+
+maintainer-clean-noinstLTLIBRARIES:
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libvers.la: $(libvers_la_OBJECTS) $(libvers_la_DEPENDENCIES)
+	$(LINK)  $(libvers_la_LDFLAGS) $(libvers_la_OBJECTS) $(libvers_la_LIBADD) $(LIBS)
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+make-print-version$(EXEEXT): $(make_print_version_OBJECTS) $(make_print_version_DEPENDENCIES)
+	@rm -f make-print-version$(EXEEXT)
+	$(LINK) $(make_print_version_LDFLAGS) $(make_print_version_OBJECTS) $(make_print_version_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-noinstLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-noinstPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-noinstLTLIBRARIES clean-compile clean-libtool \
+		clean-noinstPROGRAMS clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-noinstLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-noinstPROGRAMS \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-noinstLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-noinstLTLIBRARIES distclean-noinstLTLIBRARIES \
+clean-noinstLTLIBRARIES maintainer-clean-noinstLTLIBRARIES \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool mostlyclean-noinstPROGRAMS \
+distclean-noinstPROGRAMS clean-noinstPROGRAMS \
+maintainer-clean-noinstPROGRAMS tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+print_version.lo: print_version.h
+
+print_version.h: make-print-version$(EXEEXT)
+	./make-print-version$(EXEEXT) print_version.h
+
+make-print-version.o: $(top_builddir)/include/version.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/vers/make-print-version.c b/crypto/heimdal/lib/vers/make-print-version.c
new file mode 100644
index 0000000..6102e75
--- /dev/null
+++ b/crypto/heimdal/lib/vers/make-print-version.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: make-print-version.c,v 1.2 2000/07/08 10:46:36 assar Exp $");
+#endif
+
+#include <stdio.h>
+
+#ifdef KRB5
+extern const char *heimdal_version;
+#endif
+#ifdef KRB4
+extern const char *krb4_version;
+#endif
+#include <version.h>
+
+int
+main(int argc, char **argv)
+{
+    FILE *f;
+    if(argc != 2)
+	return 1;
+    f = fopen(argv[1], "w");
+    if(f == NULL)
+	return 1;
+    fprintf(f, "#define VERSIONLIST { ");
+#ifdef KRB5
+    fprintf(f, "\"%s\", ", heimdal_version);
+#endif
+#ifdef KRB4
+    fprintf(f, "\"%s\", ", krb4_version);
+#endif
+    fprintf(f, "}\n");
+    fclose(f);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/vers/print_version.c b/crypto/heimdal/lib/vers/print_version.c
new file mode 100644
index 0000000..cb324d0
--- /dev/null
+++ b/crypto/heimdal/lib/vers/print_version.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: print_version.c,v 1.1 2000/07/01 19:47:35 assar Exp $");
+#endif
+#include "roken.h"
+
+#include "print_version.h"
+
+void
+print_version(const char *progname)
+{
+    const char *arg[] = VERSIONLIST;
+    const int num_args = sizeof(arg) / sizeof(arg[0]);
+    char *msg;
+    size_t len = 0;
+    int i;
+    
+    if(progname == NULL)
+	progname = __progname;
+    
+    if(num_args == 0)
+	msg = "no version information";
+    else {
+	for(i = 0; i < num_args; i++) {
+	    if(i > 0)
+		len += 2;
+	    len += strlen(arg[i]);
+	}
+	msg = malloc(len + 1);
+	if(msg == NULL) {
+	    fprintf(stderr, "%s: out of memory\n", progname);
+	    return;
+	}
+	msg[0] = '\0';
+	for(i = 0; i < num_args; i++) {
+	    if(i > 0)
+		strcat(msg, ", ");
+	    strcat(msg, arg[i]);
+	}
+    }
+    fprintf(stderr, "%s (%s)\n", progname, msg);
+    fprintf(stderr, "Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan\n");
+    if(num_args != 0)
+	free(msg);
+}
diff --git a/crypto/heimdal/lib/vers/vers.h b/crypto/heimdal/lib/vers/vers.h
new file mode 100644
index 0000000..cc70355
--- /dev/null
+++ b/crypto/heimdal/lib/vers/vers.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: vers.h,v 1.1 2000/07/01 19:47:36 assar Exp $ */
+
+#ifndef __VERS_H__
+#define __VERS_H__
+
+void print_version(const char *);
+
+#endif /*  __VERS_H__ */
diff --git a/crypto/heimdal/ltconfig b/crypto/heimdal/ltconfig
index 62ac479..335271c 100755
--- a/crypto/heimdal/ltconfig
+++ b/crypto/heimdal/ltconfig
@@ -1,8 +1,8 @@
 #! /bin/sh
 
 # ltconfig - Create a system-specific libtool.
-# Copyright (C) 1996-1998 Free Software Foundation, Inc.
-# Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+# Copyright (C) 1996-2000 Free Software Foundation, Inc.
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 #
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -32,12 +32,8 @@ if test "X$1" = X--no-reexec; then
   # Discard the --no-reexec flag, and continue.
   shift
 elif test "X$1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<EOF
-$*
-EOF
-  exit 0
+  # Avoid inline document here, it may be left over
+  :
 elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
   # Yippee, $echo works!
   :
@@ -46,11 +42,30 @@ else
   exec "$SHELL" "$0" --no-reexec ${1+"$@"}
 fi
 
+if test "X$1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+$*
+EOF
+  exit 0
+fi
+
+# Find the correct PATH separator.  Usually this is `:', but
+# DJGPP uses `;' like DOS.
+if test "X${PATH_SEPARATOR+set}" != Xset; then
+  UNAME=${UNAME-`uname 2>/dev/null`}
+  case X$UNAME in
+    *-DOS) PATH_SEPARATOR=';' ;;
+    *)     PATH_SEPARATOR=':' ;;
+  esac
+fi
+
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-if test "${CDPATH+set}" = set; then CDPATH=; export CDPATH; fi
+if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
 
-if test "X${echo_test_string+set}" != "Xset"; then
+if test "X${echo_test_string+set}" != Xset; then
   # find a string as large as possible, as long as the shell can cope with it
   for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
     # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
@@ -62,19 +77,23 @@ if test "X${echo_test_string+set}" != "Xset"; then
   done
 fi
 
-if test "X`($echo '\t') 2>/dev/null`" != 'X\t' ||
-   test "X`($echo "$echo_test_string") 2>/dev/null`" != X"$echo_test_string"; then
+if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+   echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+   test "X$echo_testing_string" = "X$echo_test_string"; then
+  :
+else
   # The Solaris, AIX, and Digital Unix default echo programs unquote
   # backslashes.  This makes it impossible to quote backslashes using
   #   echo "$something" | sed 's/\\/\\\\/g'
   #
   # So, first we look for a working echo in the user's PATH.
 
-  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS="${IFS}:"
+  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR}"
   for dir in $PATH /usr/ucb; do
-    if test -f $dir/echo &&
+    if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
        test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
-       test "X`($dir/echo "$echo_test_string") 2>/dev/null`" = X"$echo_test_string"; then
+       echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+       test "X$echo_testing_string" = "X$echo_test_string"; then
       echo="$dir/echo"
       break
     fi
@@ -84,10 +103,12 @@ if test "X`($echo '\t') 2>/dev/null`" != 'X\t' ||
   if test "X$echo" = Xecho; then
     # We didn't find a better echo, so look for alternatives.
     if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
-       test "X`(print -r "$echo_test_string") 2>/dev/null`" = X"$echo_test_string"; then
+       echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
+       test "X$echo_testing_string" = "X$echo_test_string"; then
       # This shell has a builtin print -r that does the trick.
       echo='print -r'
-    elif test -f /bin/ksh && test "X$CONFIG_SHELL" != X/bin/ksh; then
+    elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
+	 test "X$CONFIG_SHELL" != X/bin/ksh; then
       # If we have ksh, try running ltconfig again with it.
       ORIGINAL_CONFIG_SHELL="${CONFIG_SHELL-/bin/sh}"
       export ORIGINAL_CONFIG_SHELL
@@ -98,21 +119,26 @@ if test "X`($echo '\t') 2>/dev/null`" != 'X\t' ||
       # Try using printf.
       echo='printf %s\n'
       if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
-         test "X`($echo "$echo_test_string") 2>/dev/null`" = X"$echo_test_string"; then
-        # Cool, printf works
+	 echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+	 test "X$echo_testing_string" = "X$echo_test_string"; then
+	# Cool, printf works
 	:
-      elif test "X`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null`" = 'X\t' &&
-	   test "X`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null`" = X"$echo_test_string"; then
+      elif echo_testing_string=`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null` &&
+	   test "X$echo_testing_string" = 'X\t' &&
+	   echo_testing_string=`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
 	CONFIG_SHELL="$ORIGINAL_CONFIG_SHELL"
 	export CONFIG_SHELL
 	SHELL="$CONFIG_SHELL"
 	export SHELL
 	echo="$CONFIG_SHELL $0 --fallback-echo"
-      elif test "X`("$CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null`" = 'X\t' &&
-	   test "X`("$CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null`" = X"$echo_test_string"; then
-        echo="$CONFIG_SHELL $0 --fallback-echo"
+      elif echo_testing_string=`("$CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null` &&
+	   test "X$echo_testing_string" = 'X\t' &&
+	   echo_testing_string=`("$CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	echo="$CONFIG_SHELL $0 --fallback-echo"
       else
-        # maybe with a smaller string...
+	# maybe with a smaller string...
 	prev=:
 
 	for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
@@ -125,7 +151,7 @@ if test "X`($echo '\t') 2>/dev/null`" != 'X\t' ||
 	if test "$prev" != 'sed 50q "$0"'; then
 	  echo_test_string=`eval $prev`
 	  export echo_test_string
-	  exec "${ORIGINAL_CONFIG_SHELL}" "$0" ${1+"$@"}
+	  exec "${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}}" "$0" ${1+"$@"}
 	else
 	  # Oops.  We lost completely, so just stick with echo.
 	  echo=echo
@@ -143,15 +169,20 @@ sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'
 # Same as above, but do not quote variable references.
 double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g'
 
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
 # The name of this program.
 progname=`$echo "X$0" | $Xsed -e 's%^.*/%%'`
 
 # Constants:
 PROGRAM=ltconfig
 PACKAGE=libtool
-VERSION=1.2d
-ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.c 1>&5'
-ac_link='${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest.c $LIBS 1>&5'
+VERSION=1.3c
+TIMESTAMP=" (1.731 2000/07/10 09:42:21)"
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
 rm="rm -f"
 
 help="Try \`$progname --help' for more information."
@@ -160,33 +191,51 @@ help="Try \`$progname --help' for more information."
 default_ofile=libtool
 can_build_shared=yes
 enable_shared=yes
-# All known linkers require a `.a' archive for static linking.
+# All known linkers require a `.a' archive for static linking (except M$VC,
+# which needs '.lib').
 enable_static=yes
+enable_fast_install=yes
+enable_dlopen=unknown
+enable_win32_dll=no
+pic_mode=default
 ltmain=
 silent=
 srcdir=
 ac_config_guess=
 ac_config_sub=
 host=
-nonopt=
+build=NONE
+nonopt=NONE
 ofile="$default_ofile"
 verify_host=yes
 with_gcc=no
 with_gnu_ld=no
 need_locks=yes
-objext=o
+ac_ext=c
 libext=a
+cache_file=
 
 old_AR="$AR"
+old_AR_FLAGS="$AR_FLAGS"
 old_CC="$CC"
 old_CFLAGS="$CFLAGS"
 old_CPPFLAGS="$CPPFLAGS"
+old_LDFLAGS="$LDFLAGS"
+old_LIBS="$LIBS"
+old_MAGIC="$MAGIC"
 old_LD="$LD"
 old_LN_S="$LN_S"
 old_NM="$NM"
 old_RANLIB="$RANLIB"
-old_DLLTOOL="$DLLTOOL"
+old_STRIP="$STRIP"
 old_AS="$AS"
+old_DLLTOOL="$DLLTOOL"
+old_OBJDUMP="$OBJDUMP"
+old_OBJEXT="$OBJEXT"
+old_EXEEXT="$EXEEXT"
+old_reload_Flag="$reload_flag"
+old_deplibs_check_method="$deplibs_check_method"
+old_file_magic_cmd="$file_magic_cmd"
 
 # Parse the command line options.
 args=
@@ -207,13 +256,17 @@ do
 
   case "$option" in
   --help) cat <<EOM
-Usage: $progname [OPTION]... [HOST [LTMAIN]]
+Usage: $progname [OPTION]... LTMAIN [HOST]
 
 Generate a system-specific libtool script.
 
+    --build                configure for building on BUILD [BUILD=HOST]
     --debug                enable verbose shell tracing
     --disable-shared       do not build shared libraries
     --disable-static       do not build static libraries
+    --disable-fast-install do not optimize for fast installation
+    --enable-dlopen        enable dlopen support
+    --enable-win32-dll     enable building dlls on win32 hosts
     --help                 display this help and exit
     --no-verify            do not verify that HOST is a valid host type
 -o, --output=FILE          specify the output file [default=$default_ofile]
@@ -223,7 +276,10 @@ Generate a system-specific libtool script.
     --version              output version information and exit
     --with-gcc             assume that the GNU C compiler will be used
     --with-gnu-ld          assume that the C compiler uses the GNU linker
+    --prefer-pic           try to use only PIC objects
+    --prefer-non-pic       try to use only non-PIC objects
     --disable-lock         disable file locking
+    --cache-file=FILE      configure cache file
 
 LTMAIN is the \`ltmain.sh' shell script fragment or \`ltmain.c' program
 that provides basic libtool functionality.
@@ -233,6 +289,9 @@ EOM
   exit 0
   ;;
 
+  --build) prev=build ;;
+  --build=*) build="$optarg" ;;
+
   --debug)
     echo "$progname: enabling shell trace mode"
     set -x
@@ -242,6 +301,12 @@ EOM
 
   --disable-static) enable_static=no ;;
 
+  --disable-fast-install) enable_fast_install=no ;;
+
+  --enable-dlopen) enable_dlopen=yes ;;
+
+  --enable-win32-dll) enable_win32_dll=yes ;;
+
   --quiet | --silent) silent=yes ;;
 
   --srcdir) prev=srcdir ;;
@@ -252,13 +317,18 @@ EOM
   --output | -o) prev=ofile ;;
   --output=*) ofile="$optarg" ;;
 
-  --version) echo "$PROGRAM (GNU $PACKAGE) $VERSION"; exit 0 ;;
+  --version) echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"; exit 0 ;;
 
   --with-gcc) with_gcc=yes ;;
   --with-gnu-ld) with_gnu_ld=yes ;;
 
+  --prefer-pic) pic_mode=yes ;;
+  --prefer-non-pic) pic_mode=no ;;
+
   --disable-lock) need_locks=no ;;
 
+  --cache-file=*) cache_file="$optarg" ;;
+
   -*)
     echo "$progname: unrecognized option \`$option'" 1>&2
     echo "$help" 1>&2
@@ -326,8 +396,13 @@ exec 5>>./config.log
 # Only set LANG and LC_ALL to C if already set.
 # These must not be set unconditionally because not all systems understand
 # e.g. LANG=C (notably SCO).
-if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi
-if test "${LANG+set}"   = set; then LANG=C;   export LANG;   fi
+if test "X${LC_ALL+set}" = Xset; then LC_ALL=C; export LC_ALL; fi
+if test "X${LANG+set}"   = Xset; then LANG=C;   export LANG;   fi
+
+if test -n "$cache_file" && test -r "$cache_file" && test -f "$cache_file"; then
+  echo "loading cache $cache_file within ltconfig"
+  . $cache_file
+fi
 
 if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
   # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu.
@@ -343,7 +418,7 @@ fi
 
 if test -z "$srcdir"; then
   # Assume the source directory is the same one as the path to LTMAIN.
-  srcdir=`$echo "$ltmain" | $Xsed -e 's%/[^/]*$%%'`
+  srcdir=`$echo "X$ltmain" | $Xsed -e 's%/[^/]*$%%'`
   test "$srcdir" = "$ltmain" && srcdir=.
 fi
 
@@ -391,30 +466,56 @@ if test "$verify_host" = yes; then
   # Make sure the host verified.
   test -z "$host" && exit 1
 
+  # Check for the build system type
+  echo $ac_n "checking build system type... $ac_c" 1>&6
+
+  build_alias=$build
+  case "$build_alias" in
+  NONE)
+    case $nonopt in
+    NONE) build_alias=$host_alias ;;
+    *) build_alias=$nonopt ;;
+    esac ;;
+  esac
+
+  build=`$SHELL $ac_config_sub $build_alias`
+  build_cpu=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+  build_vendor=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+  build_os=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+  echo "$ac_t""$build" 1>&6
+
 elif test -z "$host"; then
   echo "$progname: you must specify a host type if you use \`--no-verify'" 1>&2
   echo "$help" 1>&2
   exit 1
 else
   host_alias=$host
+  build_alias=$host_alias
+  build=$host
+fi
+
+if test x"$host" != x"$build"; then
+  ac_tool_prefix=${host_alias}-
+else
+  ac_tool_prefix=
 fi
 
+host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+
 # Transform linux* to *-*-linux-gnu*, to support old configure scripts.
 case "$host_os" in
 linux-gnu*) ;;
 linux*) host=`echo $host | sed 's/^\(.*-.*-linux\)\(.*\)$/\1-gnu\2/'`
 esac
 
-host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
-host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
-host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
-
 case "$host_os" in
 aix3*)
   # AIX sometimes has problems with the GCC collect2 program.  For some
   # reason, if we set the COLLECT_NAMES environment variable, the problems
   # vanish in a puff of smoke.
-  if test "${COLLECT_NAMES+set}" != set; then
+  if test "X${COLLECT_NAMES+set}" != Xset; then
     COLLECT_NAMES=
     export COLLECT_NAMES
   fi
@@ -422,296 +523,292 @@ aix3*)
 esac
 
 # Determine commands to create old-style static archives.
-old_archive_cmds='$AR cru $oldlib$oldobjs'
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs'
 old_postinstall_cmds='chmod 644 $oldlib'
 old_postuninstall_cmds=
 
-# Set a sane default for `AR'.
-test -z "$AR" && AR=ar
-
-# If RANLIB is not set, then run the test.
-if test "${RANLIB+set}" != "set"; then
-  result=no
-
-  echo $ac_n "checking for ranlib... $ac_c" 1>&6
-  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS="${IFS}:"
-  for dir in $PATH; do
-    test -z "$dir" && dir=.
-    if test -f $dir/ranlib; then
-      RANLIB="ranlib"
-      result="ranlib"
-      break
-    fi
-  done
-  IFS="$save_ifs"
-
-  echo "$ac_t$result" 1>&6
-fi
-
 if test -n "$RANLIB"; then
   old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
   old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
 fi
 
-# Set sane defaults for `DLLTOOL' and `AS', used on cygwin32.
-test -z "$DLLTOOL" && DLLTOOL=dlltool
+# Set sane defaults for various variables
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
 test -z "$AS" && AS=as
+test -z "$CC" && CC=cc
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+test -z "$MAGIC" && MAGIC=file
+test -z "$LD" && LD=ld
+test -z "$LN_S" && LN_S="ln -s"
+test -z "$NM" && NM=nm
+test -z "$OBJDUMP" && OBJDUMP=objdump
+test -z "$RANLIB" && RANLIB=:
+test -z "$STRIP" && STRIP=:
+test -z "$objext" && objext=o
 
-# Check to see if we are using GCC.
-if test "$with_gcc" != yes || test -z "$CC"; then
-  # If CC is not set, then try to find GCC or a usable CC.
-  if test -z "$CC"; then
-    echo $ac_n "checking for gcc... $ac_c" 1>&6
-    IFS="${IFS= 	}"; save_ifs="$IFS"; IFS="${IFS}:"
-    for dir in $PATH; do
-      IFS="$save_ifs"
-      test -z "$dir" && dir=.
-      if test -f $dir/gcc; then
-	CC="gcc"
-	break
-      fi
-    done
-    IFS="$save_ifs"
-
-    if test -n "$CC"; then
-      echo "$ac_t$CC" 1>&6
-    else
-      echo "$ac_t"no 1>&6
-    fi
-  fi
-
-  # Not "gcc", so try "cc", rejecting "/usr/ucb/cc".
-  if test -z "$CC"; then
-    echo $ac_n "checking for cc... $ac_c" 1>&6
-    IFS="${IFS= 	}"; save_ifs="$IFS"; IFS="${IFS}:"
-    cc_rejected=no
-    for dir in $PATH; do
-      test -z "$dir" && dir=.
-      if test -f $dir/cc; then
-	if test "$dir/cc" = "/usr/ucb/cc"; then
-	  cc_rejected=yes
-	  continue
-	fi
-	CC="cc"
-	break
-      fi
-    done
-    IFS="$save_ifs"
-    if test $cc_rejected = yes; then
-      # We found a bogon in the path, so make sure we never use it.
-      set dummy $CC
-      shift
-      if test $# -gt 0; then
-	# We chose a different compiler from the bogus one.
-	# However, it has the same name, so the bogon will be chosen
-	# first if we set CC to just the name; use the full file name.
-	shift
-	set dummy "$dir/cc" "$@"
-	shift
-	CC="$@"
-      fi
-    fi
-
-    if test -n "$CC"; then
-      echo "$ac_t$CC" 1>&6
-    else
-      echo "$ac_t"no 1>&6
-    fi
-
-    if test -z "$CC"; then
-      echo "$progname: error: no acceptable cc found in \$PATH" 1>&2
-      exit 1
-    fi
-  fi
-
-  # Now see if the compiler is really GCC.
-  with_gcc=no
-  echo $ac_n "checking whether we are using GNU C... $ac_c" 1>&6
-  echo "$progname:530: checking whether we are using GNU C" >&5
-
-  $rm conftest.c
-  cat > conftest.c <<EOF
-#ifdef __GNUC__
-  yes;
-#endif
-EOF
-  if { ac_try='${CC-cc} -E conftest.c'; { (eval echo $progname:538: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
-    with_gcc=yes
-  fi
-  $rm conftest.c
-  echo "$ac_t$with_gcc" 1>&6
+echo $ac_n "checking for objdir... $ac_c" 1>&6
+rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+  objdir=.libs
+else
+  # MS-DOS does not allow filenames that begin with a dot.
+  objdir=_libs
 fi
+rmdir .libs 2>/dev/null
+echo "$ac_t$objdir" 1>&6
 
 # Allow CC to be a program name with arguments.
 set dummy $CC
 compiler="$2"
 
-echo $ac_n "checking for object suffix... $ac_c" 1>&6
-$rm conftest*
-echo 'int i = 1;' > conftest.c
-echo "$progname:552: checking for object suffix" >& 5
-if { (eval echo $progname:553: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; }; then
-  # Append any warnings to the config.log.
-  cat conftest.err 1>&5
-
-  for ac_file in conftest.*; do
-    case $ac_file in
-    *.c) ;;
-    *) objext=`echo $ac_file | sed -e s/conftest.//` ;;
-    esac
-  done
+# We assume here that the value for ac_cv_prog_cc_pic will not be cached
+# in isolation, and that seeing it set (from the cache) indicates that
+# the associated values are set (in the cache) correctly too.
+echo $ac_n "checking for $compiler option to produce PIC... $ac_c" 1>&6
+echo "$progname:565:checking for $compiler option to produce PIC" 1>&5
+if test "X${ac_cv_prog_cc_pic+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
 else
-  cat conftest.err 1>&5
-  echo "$progname: failed program was:" >&5
-  cat conftest.c >&5
-fi
-$rm conftest*
-echo "$ac_t$objext" 1>&6
+  ac_cv_prog_cc_pic=
+  ac_cv_prog_cc_shlib=
+  ac_cv_prog_cc_wl=
+  ac_cv_prog_cc_static=
+  ac_cv_prog_cc_no_builtin=
+  ac_cv_prog_cc_can_build_shared=$can_build_shared
 
-echo $ac_n "checking for $compiler option to produce PIC... $ac_c" 1>&6
-pic_flag=
-special_shlib_compile_flags=
-wl=
-link_static_flag=
-no_builtin_flag=
+  if test "$with_gcc" = yes; then
+    ac_cv_prog_cc_wl='-Wl,'
+    ac_cv_prog_cc_static='-static'
 
-if test "$with_gcc" = yes; then
-  wl='-Wl,'
-  link_static_flag='-static'
+    case "$host_os" in
+    beos* | irix5* | irix6* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+    aix*)
+      # Below there is a dirty hack to force normal static linking with -ldl
+      # The problem is because libdl dynamically linked with both libc and
+      # libC (AIX C++ library), which obviously doesn't included in libraries
+      # list by gcc. This cause undefined symbols with -static flags.
+      # This hack allows C programs to be linked with "-static -ldl", but
+      # we not sure about C++ programs.
+      ac_cv_prog_cc_static="$ac_cv_prog_cc_static ${ac_cv_prog_cc_wl}-lC"
+      ;;
+    cygwin* | mingw* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      ac_cv_prog_cc_pic='-DDLL_EXPORT'
+      ;;
+    amigaos*)
+      # FIXME: we need at least 68020 code to build shared libraries, but
+      # adding the `-m68020' flag to GCC prevents building anything better,
+      # like `-m68040'.
+      ac_cv_prog_cc_pic='-m68020 -resident32 -malways-restore-a4'
+      ;;
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	 ac_cv_prog_cc_pic=-Kconform_pic
+      fi
+      ;;
+    *)
+      ac_cv_prog_cc_pic='-fPIC'
+      ;;
+    esac
+  else
+    # PORTME Check for PIC flags for the system compiler.
+    case "$host_os" in
+    aix3* | aix4*)
+     # All AIX code is PIC.
+      ac_cv_prog_cc_static='-bnso -bI:/lib/syscalls.exp'
+      ;;
 
-  case "$host_os" in
-  aix3* | aix4* | irix5* | irix6* | osf3* | osf4*)
-    # PIC is the default for these OSes.
-    ;;
-  cygwin32* | mingw32* | os2*)
-    # We can build DLLs from non-PIC.
-    ;;
-  amigaos*)
-    # FIXME: we need at least 68020 code to build shared libraries, but
-    # adding the `-m68020' flag to GCC prevents building anything better,
-    # like `-m68040'.
-    pic_flag='-m68020 -resident32 -malways-restore-a4'
-    ;;
-  *)
-    pic_flag='-fPIC'
-    ;;
-  esac
-else
-  # PORTME Check for PIC flags for the system compiler.
-  case "$host_os" in
-  aix3* | aix4*)
-    # All AIX code is PIC.
-    link_static_flag='-bnso -bI:/lib/syscalls.exp'
-    ;;
+    hpux9* | hpux10* | hpux11*)
+      # Is there a better ac_cv_prog_cc_static that works with the bundled CC?
+      ac_cv_prog_cc_wl='-Wl,'
+      ac_cv_prog_cc_static="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+      ac_cv_prog_cc_pic='+Z'
+      ;;
 
-  hpux9* | hpux10* | hpux11*)
-    # Is there a better link_static_flag that works with the bundled CC?
-    wl='-Wl,'
-    link_static_flag="${wl}-a ${wl}archive"
-    pic_flag='+Z'
-    ;;
+    irix5* | irix6*)
+      ac_cv_prog_cc_wl='-Wl,'
+      ac_cv_prog_cc_static='-non_shared'
+      # PIC (with -KPIC) is the default.
+      ;;
 
-  irix5* | irix6*)
-    wl='-Wl,'
-    link_static_flag='-non_shared'
-    # PIC (with -KPIC) is the default.
-    ;;
+    cygwin* | mingw* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      ac_cv_prog_cc_pic='-DDLL_EXPORT'
+      ;;
 
-  cygwin32* | mingw32* | os2*)
-    # We can build DLLs from non-PIC.
-    ;;
+    osf3* | osf4* | osf5*)
+      # All OSF/1 code is PIC.
+      ac_cv_prog_cc_wl='-Wl,'
+      ac_cv_prog_cc_static='-non_shared'
+      ;;
 
-  osf3* | osf4*)
-    # All OSF/1 code is PIC.
-    wl='-Wl,'
-    link_static_flag='-non_shared'
-    ;;
+    sco3.2v5*)
+      ac_cv_prog_cc_pic='-Kpic'
+      ac_cv_prog_cc_static='-dn'
+      ac_cv_prog_cc_shlib='-belf'
+      ;;
 
-  sco3.2v5*)
-    pic_flag='-Kpic'
-    link_static_flag='-dn'
-    special_shlib_compile_flags='-belf'
-    ;;
+    solaris*)
+      ac_cv_prog_cc_pic='-KPIC'
+      ac_cv_prog_cc_static='-Bstatic'
+      ac_cv_prog_cc_wl='-Wl,'
+      ;;
 
-  solaris*)
-    pic_flag='-KPIC'
-    link_static_flag='-Bstatic'
-    wl='-Wl,'
-    ;;
+    sunos4*)
+      ac_cv_prog_cc_pic='-PIC'
+      ac_cv_prog_cc_static='-Bstatic'
+      ac_cv_prog_cc_wl='-Qoption ld '
+      ;;
 
-  sunos4*)
-    pic_flag='-PIC'
-    link_static_flag='-Bstatic'
-    wl='-Qoption ld '
-    ;;
+    sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+      ac_cv_prog_cc_pic='-KPIC'
+      ac_cv_prog_cc_static='-Bstatic'
+      ac_cv_prog_cc_wl='-Wl,'
+      ;;
 
-  sysv4.2uw2* | sysv5*)
-    pic_flag='-KPIC'
-    link_static_flag='-Bstatic'
-    wl='-Wl,'
-    ;;
+    uts4*)
+      ac_cv_prog_cc_pic='-pic'
+      ac_cv_prog_cc_static='-Bstatic'
+      ;;
 
-  uts4*)
-    pic_flag='-pic'
-    link_static_flag='-Bstatic'
-    ;;
+    sysv4*MP*)
+      if test -d /usr/nec ;then
+	ac_cv_prog_cc_pic='-Kconform_pic'
+	ac_cv_prog_cc_static='-Bstatic'
+      fi
+      ;;
 
-  *)
-    can_build_shared=no
-    ;;
-  esac
+    *)
+      ac_cv_prog_cc_can_build_shared=no
+      ;;
+    esac
+  fi
 fi
-
-if test -n "$pic_flag"; then
-  echo "$ac_t$pic_flag" 1>&6
+if test -z "$ac_cv_prog_cc_pic"; then
+  echo "$ac_t"none 1>&6
+else
+  echo "$ac_t""$ac_cv_prog_cc_pic" 1>&6
 
   # Check to make sure the pic_flag actually works.
-  echo $ac_n "checking if $compiler PIC flag $pic_flag works... $ac_c" 1>&6
-  $rm conftest*
-  echo "int some_variable = 0;" > conftest.c
-  save_CFLAGS="$CFLAGS"
-  CFLAGS="$CFLAGS $pic_flag -DPIC"
-  echo "$progname:674: checking if $compiler PIC flag $pic_flag works" >&5
-  if { (eval echo $progname:675: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.$objext; then
-    # Append any warnings to the config.log.
-    cat conftest.err 1>&5
+  echo $ac_n "checking if $compiler PIC flag $ac_cv_prog_cc_pic works... $ac_c" 1>&6
+  echo "$progname:695:checking that $compiler PIC flag $ac_cv_prog_cc_pic works." 1>&5
+  if test "X${ac_cv_prog_cc_pic_works+set}" = Xset; then
+    echo $ac_n "(cached) $ac_c" 1>&6
+  else
+    ac_cv_prog_cc_pic_works=yes
+    $rm conftest*
+    echo "int some_variable = 0;" > conftest.c
+    save_CFLAGS="$CFLAGS"
+    CFLAGS="$CFLAGS $ac_cv_prog_cc_pic -DPIC"
+    if { (eval echo $progname:704: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.$objext; then
+      # Append any warnings to the config.log.
+      cat conftest.err 1>&5
 
-    # On HP-UX, both CC and GCC only warn that PIC is supported... then they
-    # create non-PIC objects.  So, if there were any warnings, we assume that
-    # PIC is not supported.
-    if test -s conftest.err; then
-      echo "$ac_t"no 1>&6
-      can_build_shared=no
-      pic_flag=
+      case "$host_os" in
+      hpux9* | hpux10* | hpux11*)
+	# On HP-UX, both CC and GCC only warn that PIC is supported... then
+	# they create non-PIC objects.  So, if there were any warnings, we
+	# assume that PIC is not supported.
+	if test -s conftest.err; then
+	  ac_cv_prog_cc_pic_works=no
+	  ac_cv_prog_cc_can_build_shared=no
+	  ac_cv_prog_cc_pic=
+	else
+	  ac_cv_prog_cc_pic_works=yes
+	  ac_cv_prog_cc_pic=" $ac_cv_prog_cc_pic"
+	fi
+	;;
+      *)
+	ac_cv_prog_cc_pic_works=yes
+	ac_cv_prog_cc_pic=" $ac_cv_prog_cc_pic"
+	;;
+      esac
     else
-      echo "$ac_t"yes 1>&6
-      pic_flag=" $pic_flag"
+      # Append any errors to the config.log.
+      cat conftest.err 1>&5
+      ac_cv_prog_cc_pic_works=no
+      ac_cv_prog_cc_can_build_shared=no
+      ac_cv_prog_cc_pic=
     fi
+    CFLAGS="$save_CFLAGS"
+    $rm conftest*
+  fi
+  # Belt *and* braces to stop my trousers falling down:
+  if test "X$ac_cv_prog_cc_pic_works" = Xno; then
+    ac_cv_prog_cc_pic=
+    ac_cv_prog_cc_can_build_shared=no
+  fi
+  echo "$ac_t""$ac_cv_prog_cc_pic_works" 1>&6
+fi
+
+# Check for any special shared library compilation flags.
+if test -n "$ac_cv_prog_cc_shlib"; then
+  echo "$progname: warning: \`$CC' requires \`$ac_cv_prog_cc_shlib' to build shared libraries" 1>&2
+  if echo "$old_CC $old_CFLAGS " | egrep -e "[ 	]$ac_cv_prog_cc_shlib[ 	]" >/dev/null; then :
   else
-    # Append any errors to the config.log.
-    cat conftest.err 1>&5
-    can_build_shared=no
-    pic_flag=
-    echo "$ac_t"no 1>&6
+    echo "$progname: add \`$ac_cv_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" 1>&2
+    ac_cv_prog_cc_can_build_shared=no
   fi
-  CFLAGS="$save_CFLAGS"
-  $rm conftest*
+fi
+
+echo $ac_n "checking if $compiler static flag $ac_cv_prog_cc_static works... $ac_c" 1>&6
+echo "$progname:756: checking if $compiler static flag $ac_cv_prog_cc_static works" >&5
+if test "X${ac_cv_prog_cc_static_works+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
 else
-  echo "$ac_t"none 1>&6
+  $rm conftest*
+  echo 'main(){return(0);}' > conftest.c
+  save_LDFLAGS="$LDFLAGS"
+  LDFLAGS="$LDFLAGS $ac_cv_prog_cc_static"
+  if { (eval echo $progname:764: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+    ac_cv_prog_cc_static_works=yes
+  else
+    ac_cv_prog_cc_static_works=no
+    ac_cv_prog_cc_static=
+  fi
+  LDFLAGS="$save_LDFLAGS"
+  $rm conftest*
+fi
+# Belt *and* braces to stop my trousers falling down:
+if test "X$ac_cv_prog_cc_static_works" = Xno; then
+  ac_cv_prog_cc_static=
 fi
+echo "$ac_t""$ac_cv_prog_cc_static_works" 1>&6
+pic_flag="$ac_cv_prog_cc_pic"
+special_shlib_compile_flags="$ac_cv_prog_cc_shlib"
+wl="$ac_cv_prog_cc_wl"
+link_static_flag="$ac_cv_prog_cc_static"
+no_builtin_flag="$ac_cv_prog_cc_no_builtin"
+can_build_shared="$ac_cv_prog_cc_can_build_shared"
 
 # Check to see if options -o and -c are simultaneously supported by compiler
 echo $ac_n "checking if $compiler supports -c -o file.o... $ac_c" 1>&6
+$rm -r conftest 2>/dev/null
+mkdir conftest
+cd conftest
 $rm conftest*
 echo "int some_variable = 0;" > conftest.c
+mkdir out
+# According to Tom Tromey, Ian Lance Taylor reported there are C compilers
+# that will create temporary files in the current directory regardless of
+# the output directory.  Thus, making CWD read-only will cause this test
+# to fail, enabling locking or at least warning the user not to do parallel
+# builds.
+chmod -w .
 save_CFLAGS="$CFLAGS"
-CFLAGS="$CFLAGS -c -o conftest2.o"
-echo "$progname:709: checking if $compiler supports -c -o file.o" >&5
-if { (eval echo $progname:710: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest2.o; then
+CFLAGS="$CFLAGS -o out/conftest2.o"
+echo "$progname:801: checking if $compiler supports -c -o file.o" >&5
+if { (eval echo $progname:802: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>out/conftest.err; } && test -s out/conftest2.o; then
 
   # The compiler can only warn and ignore the option if not recognized
   # So say no if there are warnings
-    if test -s conftest.err; then
+    if test -s out/conftest.err; then
       echo "$ac_t"no 1>&6
       compiler_c_o=no
     else
@@ -720,12 +817,17 @@ if { (eval echo $progname:710: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conft
     fi
 else
   # Append any errors to the config.log.
-  cat conftest.err 1>&5
+  cat out/conftest.err 1>&5
   compiler_c_o=no
   echo "$ac_t"no 1>&6
 fi
 CFLAGS="$save_CFLAGS"
-$rm conftest*
+chmod u+w .
+$rm conftest* out/*
+rmdir out
+cd ..
+rmdir conftest
+$rm -r conftest 2>/dev/null
 
 if test x"$compiler_c_o" = x"yes"; then
   # Check to see if we can write to a .lo
@@ -734,8 +836,8 @@ if test x"$compiler_c_o" = x"yes"; then
   echo "int some_variable = 0;" > conftest.c
   save_CFLAGS="$CFLAGS"
   CFLAGS="$CFLAGS -c -o conftest.lo"
-  echo "$progname:737: checking if $compiler supports -c -o file.lo" >&5
-if { (eval echo $progname:738: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.lo; then
+  echo "$progname:834: checking if $compiler supports -c -o file.lo" >&5
+if { (eval echo $progname:835: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.lo; then
 
     # The compiler can only warn and ignore the option if not recognized
     # So say no if there are warnings
@@ -743,8 +845,8 @@ if { (eval echo $progname:738: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conft
 	echo "$ac_t"no 1>&6
 	compiler_o_lo=no
       else
-        echo "$ac_t"yes 1>&6
-        compiler_o_lo=yes
+	echo "$ac_t"yes 1>&6
+	compiler_o_lo=yes
       fi
   else
     # Append any errors to the config.log.
@@ -786,17 +888,17 @@ if test "$with_gcc" = yes; then
   echo "int some_variable = 0;" > conftest.c
   save_CFLAGS="$CFLAGS"
   CFLAGS="$CFLAGS -fno-rtti -fno-exceptions -c conftest.c"
-  echo "$progname:789: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-  if { (eval echo $progname:790: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.o; then
+  echo "$progname:886: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+  if { (eval echo $progname:887: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.o; then
 
     # The compiler can only warn and ignore the option if not recognized
     # So say no if there are warnings
       if test -s conftest.err; then
-        echo "$ac_t"no 1>&6
-        compiler_rtti_exceptions=no
+	echo "$ac_t"no 1>&6
+	compiler_rtti_exceptions=no
       else
-        echo "$ac_t"yes 1>&6
-        compiler_rtti_exceptions=yes
+	echo "$ac_t"yes 1>&6
+	compiler_rtti_exceptions=yes
       fi
   else
     # Append any errors to the config.log.
@@ -812,287 +914,255 @@ if test "$with_gcc" = yes; then
   else
     no_builtin_flag=' -fno-builtin'
   fi
-  
-fi
 
-# Check for any special shared library compilation flags.
-if test -n "$special_shlib_compile_flags"; then
-  echo "$progname: warning: \`$CC' requires \`$special_shlib_compile_flags' to build shared libraries" 1>&2
-  if echo "$old_CC $old_CFLAGS " | egrep -e "[ 	]$special_shlib_compile_flags[ 	]" >/dev/null; then :
-  else
-    echo "$progname: add \`$special_shlib_compile_flags' to the CC or CFLAGS env variable and reconfigure" 1>&2
-    can_build_shared=no
-  fi
 fi
 
-echo $ac_n "checking if $compiler static flag $link_static_flag works... $ac_c" 1>&6
-$rm conftest*
-echo 'main(){return(0);}' > conftest.c
-save_LDFLAGS="$LDFLAGS"
-LDFLAGS="$LDFLAGS $link_static_flag"
-echo "$progname:833: checking if $compiler static flag $link_static_flag works" >&5
-if { (eval echo $progname:834: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
-  echo "$ac_t$link_static_flag" 1>&6
-else
-  echo "$ac_t"none 1>&6
-  link_static_flag=
-fi
-LDFLAGS="$save_LDFLAGS"
-$rm conftest*
-
-if test -z "$LN_S"; then
-  # Check to see if we can use ln -s, or we need hard links.
-  echo $ac_n "checking whether ln -s works... $ac_c" 1>&6
-  $rm conftestdata
-  if ln -s X conftestdata 2>/dev/null; then
-    $rm conftestdata
-    LN_S="ln -s"
-  else
-    LN_S=ln
-  fi
-  if test "$LN_S" = "ln -s"; then
-    echo "$ac_t"yes 1>&6
-  else
-    echo "$ac_t"no 1>&6
-  fi
-fi
-
-# Make sure LD is an absolute path.
-if test -z "$LD"; then
-  ac_prog=ld
-  if test "$with_gcc" = yes; then
-    # Check if gcc -print-prog-name=ld gives a path.
-    echo $ac_n "checking for ld used by GCC... $ac_c" 1>&6
-    echo "$progname:866: checking for ld used by GCC" >&5
-    ac_prog=`($CC -print-prog-name=ld) 2>&5`
-    case "$ac_prog" in
-    # Accept absolute paths.
-    /* | [A-Za-z]:/*)
-      re_direlt='/[^/][^/]*/\.\./'
-      sub_uncdrive='s%^\([A-Za-z]\):/%//\1/%'
-      # Canonicalize the path of ld
-      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
-        ac_prog=`echo $ac_prog| sed "s%$re_direlt%/%"`
-      done
-      case "$host_os" in
-      cygwin*)
-        # Convert to a UNC path for cygwin
-        test -z "$LD" && LD=`echo X$ac_prog | $Xsed -e "$sub_uncdrive"`
-	;;
-      *)
-        test -z "$LD" && LD="$ac_prog"
-	;;
-      esac
-      ;;
-    ##
-    ## FIXME:  The code fails later on if we try to use an $LD with
-    ##         '\\' path separators.
-    ##
-    [A-Za-z]:[\\]*)
-      re_direlt='\\[^\\][^\\]*\\\.\.\(\\\)'
-      sub_uncdrive='s%^\([A-Za-z]\):\\%//\1/%'
-      sub_uncdir='s%\\%/%g'
-      # Canonicalize the path of ld
-      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
-        ac_prog=`echo $ac_prog| sed "s%$re_direlt%\1%"`
-      done
-      case "$host_os" in
-      cygwin*)
-        # Convert to a UNC path for cygwin
-        test -z "$LD" && LD=`echo X$ac_prog | $Xsed -e "$sub_uncdrive" -e "$sub_uncdir"`
-	;;
-      *)
-        test -z "$LD" && LD="$ac_prog"
-	;;
-      esac
-      ;;
-    "")
-      # If it fails, then pretend we are not using GCC.
-      ac_prog=ld
-      ;;
-    *)
-      # If it is relative, then search for the first ld in PATH.
-      with_gnu_ld=unknown
-      ;;
-    esac
-  elif test "$with_gnu_ld" = yes; then
-    echo $ac_n "checking for GNU ld... $ac_c" 1>&6
-    echo "$progname:920: checking for GNU ld" >&5
-  else
-    echo $ac_n "checking for non-GNU ld""... $ac_c" 1>&6
-    echo "$progname:923: checking for non-GNU ld" >&5
-  fi
-
-  if test -z "$LD"; then
-    IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
-    for ac_dir in $PATH; do
-      test -z "$ac_dir" && ac_dir=.
-      if test -f "$ac_dir/$ac_prog"; then
-	LD="$ac_dir/$ac_prog"
-	# Check to see if the program is GNU ld.  I'd rather use --version,
-	# but apparently some GNU ld's only accept -v.
-	# Break only if it was the GNU/non-GNU ld that we prefer.
-	if "$LD" -v 2>&1 < /dev/null | egrep '(GNU|with BFD)' > /dev/null; then
-	  test "$with_gnu_ld" != no && break
-	else
-	  test "$with_gnu_ld" != yes && break
-	fi
-      fi
-    done
-    IFS="$ac_save_ifs"
-  fi
-
-  if test -n "$LD"; then
-    echo "$ac_t$LD" 1>&6
-  else
-    echo "$ac_t"no 1>&6
-  fi
-
-  if test -z "$LD"; then
-    echo "$progname: error: no acceptable ld found in \$PATH" 1>&2
-    exit 1
-  fi
-fi
-
-# Check to see if it really is or is not GNU ld.
-echo $ac_n "checking if the linker ($LD) is GNU ld... $ac_c" 1>&6
-# I'd rather use --version here, but apparently some GNU ld's only accept -v.
-if $LD -v 2>&1 </dev/null | egrep '(GNU|with BFD)' 1>&5; then
-  with_gnu_ld=yes
-else
-  with_gnu_ld=no
-fi
-echo "$ac_t$with_gnu_ld" 1>&6
-
 # See if the linker supports building shared libraries.
 echo $ac_n "checking whether the linker ($LD) supports shared libraries... $ac_c" 1>&6
 
 allow_undefined_flag=
 no_undefined_flag=
+need_lib_prefix=unknown
+need_version=unknown
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
 archive_cmds=
-archive_sym_cmds=
+archive_expsym_cmds=
 old_archive_from_new_cmds=
+old_archive_from_expsyms_cmds=
+striplib=
+old_striplib=
 export_dynamic_flag_spec=
 whole_archive_flag_spec=
+thread_safe_flag_spec=
+hardcode_into_libs=no
 hardcode_libdir_flag_spec=
 hardcode_libdir_separator=
 hardcode_direct=no
 hardcode_minus_L=no
 hardcode_shlibpath_var=unsupported
 runpath_var=
+link_all_deplibs=unknown
+always_export_symbols=no
+export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | sed '\''s/.* //'\'' | sort | uniq > $export_symbols'
+# include_expsyms should be a list of space-separated symbols to be *always*
+# included in the symbol list
+include_expsyms=
+# exclude_expsyms can be an egrep regular expression of symbols to exclude
+# it will be wrapped by ` (' and `)$', so one must not match beginning or
+# end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+# as well as any symbol that contains `d'.
+exclude_expsyms="_GLOBAL_OFFSET_TABLE_"
+# Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+# platforms (ab)use it in PIC code, but their linkers get confused if
+# the symbol is explicitly referenced.  Since portable code cannot
+# rely on this symbol name, it's probably fine to never include it in
+# preloaded symbol tables.
+extract_expsyms_cmds=
 
 case "$host_os" in
-aix3* | aix4*)
-  # On AIX, the GNU linker works like the native linker.
-  with_gnu_ld=no
+cygwin* | mingw*)
+  # FIXME: the MSVC++ port hasn't been tested in a loooong time
+  # When not using gcc, we currently assume that we are using
+  # Microsoft Visual C++.
+  if test "$with_gcc" != yes; then
+    with_gnu_ld=no
+  fi
   ;;
+
 esac
 
 ld_shlibs=yes
 if test "$with_gnu_ld" = yes; then
+  # If archive_cmds runs LD, not CC, wlarc should be empty
+  wlarc='${wl}'
 
   # See if GNU ld supports shared libraries.
   case "$host_os" in
+  aix3* | aix4*)
+    # On AIX, the GNU linker is very broken
+    ld_shlibs=no
+    cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+    ;;
+
   amigaos*)
-    archive_cmds='$rm $objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $objdir/a2ixlibrary.data~$AR cru $lib$libobjs~$RANLIB $lib~(cd $objdir && a2ixlibrary -32)'
+    archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
     hardcode_libdir_flag_spec='-L$libdir'
     hardcode_minus_L=yes
-    ;;
 
-  sunos4*)
-    archive_cmds='$LD -assert pure-text -Bstatic -o $lib$libobjs$deplibs'
-    hardcode_direct=yes
-    hardcode_minus_L=yes
-    hardcode_shlibpath_var=no
+    # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+    # that the semantics of dynamic libraries on AmigaOS, at least up
+    # to version 4, is to share data among multiple programs linked
+    # with the same dynamic library.  Since this doesn't match the
+    # behavior of shared libraries on other platforms, we can use
+    # them.
+    ld_shlibs=no
     ;;
 
-  cygwin32* | mingw32*)
-    if test "$with_gcc" = yes; then
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec='-L$libdir'
+  beos*)
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
       allow_undefined_flag=unsupported
-      # Very, very bogus.
-      echo '
-#define WIN32_LEAN_AND_MEAN
-#include <windows.h>
-#undef WIN32_LEAN_AND_MEAN
-#include <stdio.h>
+      # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+      # support --undefined.  This deserves some investigation.  FIXME
+      archive_cmds='$CC -nostart $libobjs $deplibs $linker_flags ${wl}-soname $wl$soname -o $lib'
+    else
+      ld_shlibs=no
+    fi
+    ;;
+
+  cygwin* | mingw*)
+    # hardcode_libdir_flag_spec is actually meaningless, as there is
+    # no search path for DLLs.
+    hardcode_libdir_flag_spec='-L$libdir'
+    allow_undefined_flag=unsupported
+    always_export_symbols=yes
+
+    extract_expsyms_cmds='test -f $output_objdir/impgen.c || \
+      sed -e "/^# \/\* impgen\.c starts here \*\//,/^# \/\* impgen.c ends here \*\// { s/^# //; p; }" -e d < $0 > $output_objdir/impgen.c~
+      test -f $output_objdir/impgen.exe || (cd $output_objdir && \
+      if test "x$HOST_CC" != "x" ; then $HOST_CC -o impgen impgen.c ; \
+      else $CC -o impgen impgen.c ; fi)~
+      $output_objdir/impgen $dir/$soname > $output_objdir/$soname-def'
+
+    old_archive_from_expsyms_cmds='$DLLTOOL --as=$AS --dllname $soname --def $output_objdir/$soname-def --output-lib $output_objdir/$newlib'
+
+    # cygwin and mingw dlls have different entry points and sets of symbols
+    # to exclude.
+    # FIXME: what about values for MSVC?
+    dll_entry=__cygwin_dll_entry@12
+    dll_exclude_symbols=DllMain@12,_cygwin_dll_entry@12,_cygwin_noncygwin_dll_entry@12~
+    case "$host_os" in
+    mingw*)
+      # mingw values
+      dll_entry=_DllMainCRTStartup@12
+      dll_exclude_symbols=DllMain@12,DllMainCRTStartup@12,DllEntryPoint@12~
+      ;;
+    esac
+
+    # mingw and cygwin differ, and it's simplest to just exclude the union
+    # of the two symbol sets.
+    dll_exclude_symbols=DllMain@12,_cygwin_dll_entry@12,_cygwin_noncygwin_dll_entry@12,DllMainCRTStartup@12,DllEntryPoint@12
 
-BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
+    # recent cygwin and mingw systems supply a stub DllMain which the user
+    # can override, but on older systems we have to supply one (in ltdll.c)
+    if test "x$lt_cv_need_dllmain" = "xyes"; then
+      ltdll_obj='$output_objdir/$soname-ltdll.'"$objext "
+      ltdll_cmds='test -f $output_objdir/$soname-ltdll.c || sed -e "/^# \/\* ltdll\.c starts here \*\//,/^# \/\* ltdll.c ends here \*\// { s/^# //; p; }" -e d < $0 > $output_objdir/$soname-ltdll.c~
+	test -f $output_objdir/$soname-ltdll.$objext || (cd $output_objdir && $CC -c $soname-ltdll.c)~'
+    else
+      ltdll_obj=
+      ltdll_cmds=
+    fi
 
-#include <cygwin/cygwin_dll.h>
-DECLARE_CYGWIN_DLL( DllMain );
-HINSTANCE __hDllInstance_base;
+    # Extract the symbol export list from an `--export-all' def file,
+    # then regenerate the def file from the symbol export list, so that
+    # the compiled dll only exports the symbol export list.
+    # Be careful not to strip the DATA tag left be newer dlltools.
+    export_symbols_cmds="$ltdll_cmds"'
+      $DLLTOOL --export-all --exclude-symbols '$dll_exclude_symbols' --output-def $output_objdir/$soname-def '$ltdll_obj'$libobjs $convenience~
+      sed -e "1,/EXPORTS/d" -e "s/ @ [0-9]*//" -e "s/ *;.*$//" < $output_objdir/$soname-def > $export_symbols'
+
+    # If DATA tags from a recent dlltool are present, honour them!
+    archive_expsym_cmds='echo EXPORTS > $output_objdir/$soname-def~
+      _lt_hint=1;
+      cat $export_symbols | while read symbol; do
+	set dummy \$symbol;
+	case \$# in
+	  2) echo "	\$2 @ \$_lt_hint ; " >> $output_objdir/$soname-def;;
+	  *) echo "     \$2 @ \$_lt_hint \$3 ; " >> $output_objdir/$soname-def;;
+	esac;
+	_lt_hint=`expr 1 + \$_lt_hint`;
+      done~
+      '"$ltdll_cmds"'
+      $CC -Wl,--base-file,$output_objdir/$soname-base '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $lib '$ltdll_obj'$libobjs $deplibs $compiler_flags~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbols '$dll_exclude_symbols' --def $output_objdir/$soname-def --base-file $output_objdir/$soname-base --output-exp $output_objdir/$soname-exp~
+      $CC -Wl,--base-file,$output_objdir/$soname-base $output_objdir/$soname-exp '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $lib '$ltdll_obj'$libobjs $deplibs $compiler_flags~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbols '$dll_exclude_symbols' --def $output_objdir/$soname-def --base-file $output_objdir/$soname-base --output-exp $output_objdir/$soname-exp~
+      $CC $output_objdir/$soname-exp '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $lib '$ltdll_obj'$libobjs $deplibs $compiler_flags'
+    ;;
 
-BOOL APIENTRY
-DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
-{
-  __hDllInstance_base = hInst;
-  return TRUE;
-}
-' > ltdll.c
-      archive_cmds='$CC -c '"`pwd`"'/ltdll.c~echo EXPORTS > $lib-def~
-      $DLLTOOL --export-all --output-def $lib-def $libobjs ltdll.$objext~
-      $CC -Wl,--base-file,$soname-base -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 $libobjs ltdll.$objext~
-      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
-      $CC -Wl,--base-file,$soname-base $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
-      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
-      $CC $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
-      $rm ltdll.$objext $soname-base $soname-exp'
-      archive_sym_cmds='$CC -c '"`pwd`"'/ltdll.c~echo EXPORTS > $lib-def~
-      cat "$export_symbols" >> $lib-def~
-      $CC -Wl,--base-file,$soname-base -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 $libobjs ltdll.$objext~
-      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
-      $CC -Wl,--base-file,$soname-base $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
-      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
-      $CC $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
-      $rm ltdll.$objext $soname-base $soname-exp'
-      old_archive_from_new_cmds='$DLLTOOL --as=$AS --dllname $soname --def $lib-def --output-lib $objdir/$libname.a~$rm $lib.exp'
-   else
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      with_gnu_ld=no
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec=' '
-      allow_undefined_flag=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # FIXME: Setting linknames here is a bad hack.
-      archive_cmds='$CC -o $lib$libobjs`echo "$deplibs" | sed -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      old_archive_from_new_cmds='true'
-      # FIXME: Should let the user specify the lib program.
-      old_archive_cmds='lib /OUT:$oldlib$oldobjs'
-      fix_srcfile_path='`cygpath -w $srcfile`'
+  netbsd*)
+    if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+      archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+      wlarc=
+    else
+      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
     fi
     ;;
 
+  solaris* | sysv5*)
+    if $LD -v 2>&1 | egrep 'BFD 2\.8' > /dev/null; then
+      ld_shlibs=no
+      cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+    elif $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+      archive_cmds='$CC -shared $libobjs $deplibs $linker_flags ${wl}-soname $wl$soname -o $lib'
+      archive_expsym_cmds='$CC -shared $libobjs $deplibs $linker_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+    else
+      ld_shlibs=no
+    fi
+    ;;
+
+  sunos4*)
+    archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+    wlarc=
+    hardcode_direct=yes
+    hardcode_shlibpath_var=no
+    ;;
+
   *)
     if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
-      archive_cmds='$CC -shared ${wl}-soname $wl$soname -o $lib$libobjs$deplibs'
-      archive_sym_cmds='$CC -shared ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib$libobjs$deplibs'
+      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
     else
       ld_shlibs=no
     fi
     ;;
   esac
 
-  if test "$ld_shlibs" = yes && test "$with_gnu_ld" = yes; then
+  if test "$ld_shlibs" = yes; then
     runpath_var=LD_RUN_PATH
-    hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir'
-    export_dynamic_flag_spec='${wl}--export-dynamic'
-    whole_archive_flag_spec='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+    hardcode_libdir_flag_spec="$wlarc"'--rpath '"$wlarc"'$libdir'
+    export_dynamic_flag_spec="$wlarc"'--export-dynamic'
+    case $host_os in
+    cygwin* | mingw*)
+      # dlltool doesn't understand --whole-archive et. al.
+      whole_archive_flag_spec=
+      ;;
+    *)
+      # ancient GNU ld didn't support --whole-archive et. al.
+      if $LD --help 2>&1 | egrep 'no-whole-archive' > /dev/null; then
+	whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+	whole_archive_flag_spec=
+      fi
+      ;;
+    esac
   fi
 else
   # PORTME fill in a description of your system's linker (not GNU ld)
   case "$host_os" in
   aix3*)
     allow_undefined_flag=unsupported
-    archive_cmds='$NM$libobjs | $global_symbol_pipe | sed '\''s/.* //'\' | sort | uniq' > $lib.exp~
-        $LD -o $objdir/$soname$libobjs$deplibs -bE:$lib.exp -T512 -H512 -bM:SRE~$AR cru $lib $objdir/$soname'
-    archive_sym_cmds='$LD -o $objdir/$soname$libobjs$deplibs -bE:$export_symbols -T512 -H512 -bM:SRE~$AR cru $lib $objdir/$soname'
+    always_export_symbols=yes
+    archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
     # Note: this linker hardcodes the directories in LIBPATH if there
     # are no directories specified by -L.
     hardcode_minus_L=yes
@@ -1104,80 +1174,67 @@ else
     ;;
 
   aix4*)
-    allow_undefined_flag=unsupported
-    archive_cmds='$NM$libobjs | $global_symbol_pipe | sed '\''s/.* //'\' | sort | uniq' > $lib.exp        else cat $export_symbols > $lib.exp~
-    	$CC -o $objdir/$soname$libobjs$deplibs ${wl}-bE:$lib.exp ${wl}-bM:SRE ${wl}-bnoentry~$AR cru $lib $objdir/$soname'
-    archive_sym_cmds='$CC -o $objdir/$soname$libobjs$deplibs ${wl}-bE:$export_symbols ${wl}-bM:SRE ${wl}-bnoentry~$AR cru $lib $objdir/$soname'
-    hardcode_direct=yes
-    hardcode_minus_L=yes
-    ;;
+    hardcode_libdir_flag_spec='${wl}-b ${wl}nolibpath ${wl}-b ${wl}libpath:$libdir:/usr/lib:/lib'
+    hardcode_libdir_separator=':'
+    if test "$with_gcc" = yes; then
+      collect2name=`${CC} -print-prog-name=collect2`
+      if test -f "$collect2name" && \
+	 strings "$collect2name" | grep resolve_lib_name >/dev/null
+      then
+	# We have reworked collect2
+	hardcode_direct=yes
+      else
+	# We have old collect2
+	hardcode_direct=unsupported
+	# It fails to find uninstalled libraries when the uninstalled
+	# path is not listed in the libpath.  Setting hardcode_minus_L
+	# to unsupported forces relinking
+	hardcode_minus_L=yes
+	hardcode_libdir_flag_spec='-L$libdir'
+	hardcode_libdir_separator=
+      fi
+      shared_flag='-shared'
+    else
+      shared_flag='${wl}-bM:SRE'
+      hardcode_direct=yes
+    fi
+    allow_undefined_flag=' ${wl}-berok'
+    archive_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bexpall ${wl}-bnoentry${allow_undefined_flag}'
+    archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}'
+    case "$host_os" in aix4.[01]|aix4.[01].*)
+      # According to Greg Wooledge, -bexpall is only supported from AIX 4.2 on
+      always_export_symbols=yes ;;
+    esac
+   ;;
 
   amigaos*)
-    archive_cmds='$rm $objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $objdir/a2ixlibrary.data~$AR cru $lib$libobjs~$RANLIB $lib~(cd $objdir && a2ixlibrary -32)'
+    archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
     hardcode_libdir_flag_spec='-L$libdir'
     hardcode_minus_L=yes
+    # see comment about different semantics on the GNU ld section
+    ld_shlibs=no
     ;;
 
-  cygwin32* | mingw32*)
-    if test "$with_gcc" = yes; then
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec='-L$libdir'
-      allow_undefined_flag=unsupported
-      # Very, very bogus.
-      echo '
-#define WIN32_LEAN_AND_MEAN
-#include <windows.h>
-#undef WIN32_LEAN_AND_MEAN
-#include <stdio.h>
-
-BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
-
-#include <cygwin/cygwin_dll.h>
-DECLARE_CYGWIN_DLL( DllMain );
-HINSTANCE __hDllInstance_base;
+  cygwin* | mingw*)
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    # hardcode_libdir_flag_spec is actually meaningless, as there is
+    # no search path for DLLs.
+    hardcode_libdir_flag_spec=' '
+    allow_undefined_flag=unsupported
+    # Tell ltmain to make .lib files, not .a files.
+    libext=lib
+    # FIXME: Setting linknames here is a bad hack.
+    archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | sed -e '\''s/ -lc$//'\''` -link -dll~linknames='
+    # The linker will automatically build a .lib file if we build a DLL.
+    old_archive_from_new_cmds='true'
+    # FIXME: Should let the user specify the lib program.
+    old_archive_cmds='lib /OUT:$oldlib$oldobjs$old_deplibs'
+    fix_srcfile_path='`cygpath -w $srcfile`'
+    ;;
 
-BOOL APIENTRY
-DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
-{
-  __hDllInstance_base = hInst;
-  return TRUE;
-}
-' > ltdll.c
-      archive_cmds='$CC -c '"`pwd`"'/ltdll.c~echo EXPORTS > $lib-def~
-      $DLLTOOL --export-all --output-def $lib-def $libobjs ltdll.$objext~
-      $CC -Wl,--base-file,$soname-base -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 $libobjs ltdll.$objext~
-      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
-      $CC -Wl,--base-file,$soname-base $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
-      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
-      $CC $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
-      $rm ltdll.$objext $soname-base $soname-exp'
-      archive_sym_cmds='$CC -c '"`pwd`"'/ltdll.c~echo EXPORTS > $lib-def~
-      cat "$export_symbols" >> $lib-def~
-      $CC -Wl,--base-file,$soname-base -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 $libobjs ltdll.$objext~
-      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
-      $CC -Wl,--base-file,$soname-base $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
-      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
-      $CC $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
-      $rm ltdll.$objext $soname-base $soname-exp'
-      old_archive_from_new_cmds='$DLLTOOL --as=$AS --dllname $soname --def $lib-def --output-lib $objdir/$libname.a~$rm $lib.exp'
-    else
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec=' '
-      allow_undefined_flag=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # FIXME: Setting linknames here is a bad hack.
-      archive_cmds='$CC -o $lib$libobjs`echo "$deplibs" | sed -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      old_archive_from_new_cmds='true'
-      # FIXME: Should let the user specify the lib program.
-      old_archive_cmds='lib /OUT:$oldlib$oldobjs'
-      fix_srcfile_path='`cygpath -w $srcfile`'
-    fi
+  freebsd1*)
+    ld_shlibs=no
     ;;
 
   # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
@@ -1185,65 +1242,65 @@ DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
   # does not break anything, and helps significantly (at the cost of a little
   # extra space).
   freebsd2.2*)
-    archive_cmds='$LD -Bshareable -o $lib$libobjs$deplibs /usr/lib/c++rt0.o'
+    archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
     hardcode_libdir_flag_spec='-R$libdir'
     hardcode_direct=yes
-    hardcode_minus_L=yes
     hardcode_shlibpath_var=no
     ;;
 
   # Unfortunately, older versions of FreeBSD 2 do not have this feature.
   freebsd2*)
-    archive_cmds='$LD -Bshareable -o $lib$libobjs$deplibs'
+    archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
     hardcode_direct=yes
     hardcode_minus_L=yes
     hardcode_shlibpath_var=no
     ;;
 
-  # FreeBSD 3, at last, uses gcc -shared to do shared libraries.
-  freebsd3*)
-    archive_cmds='$CC -shared -o $lib$libobjs$deplibs'
+  # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+  freebsd*)
+    archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
     hardcode_libdir_flag_spec='-R$libdir'
     hardcode_direct=yes
-    hardcode_minus_L=no
     hardcode_shlibpath_var=no
     ;;
 
-  hpux9*)
-    archive_cmds='$rm $objdir/$soname~$LD -b +s +b $install_libdir -o $objdir/$soname$libobjs$deplibs~test $objdir/$soname = $lib || mv $objdir/$soname $lib'
-    hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-    hardcode_direct=yes
-    hardcode_minus_L=yes
-    export_dynamic_flag_spec='${wl}-E'
-    ;;
-
-  hpux10* | hpux11*)
-    archive_cmds='$LD -b +h $soname +s +b $install_libdir -o $lib$libobjs$deplibs'
+  hpux9* | hpux10* | hpux11*)
+    case "$host_os" in
+    hpux9*) archive_cmds='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' ;;
+    *) archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' ;;
+    esac
     hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+    hardcode_libdir_separator=:
     hardcode_direct=yes
-    hardcode_minus_L=yes
+    hardcode_minus_L=yes # Not in the search PATH, but as the default
+			 # location of the library.
     export_dynamic_flag_spec='${wl}-E'
     ;;
 
   irix5* | irix6*)
     if test "$with_gcc" = yes; then
-      archive_cmds='$CC -shared -o $lib ${wl}-soname ${wl}$soname ${wl}-set_version ${wl}$verstring$libobjs$deplibs'
+      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
     else
-      archive_cmds='$LD -shared -o $lib -soname $soname -set_version $verstring$libobjs$deplibs'
+      archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
     fi
     hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+    hardcode_libdir_separator=:
+    link_all_deplibs=yes
     ;;
 
   netbsd*)
-    # Tested with NetBSD 1.2 ld
-    archive_cmds='$LD -Bshareable -o $lib$libobjs$deplibs'
-    hardcode_libdir_flag_spec='-R$libdir'
+    if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+    else
+      archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+    fi
+    hardcode_libdir_flag_spec='${wl}-R$libdir'
     hardcode_direct=yes
     hardcode_shlibpath_var=no
     ;;
 
   openbsd*)
-    archive_cmds='$LD -Bshareable -o $lib$libobjs$deplibs'
+    archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
     hardcode_libdir_flag_spec='-R$libdir'
     hardcode_direct=yes
     hardcode_shlibpath_var=no
@@ -1253,51 +1310,71 @@ DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
     hardcode_libdir_flag_spec='-L$libdir'
     hardcode_minus_L=yes
     allow_undefined_flag=unsupported
-    archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $objdir/$libname.def~$echo DATA >> $objdir/$libname.def~$echo " SINGLE NONSHARED" >> $objdir/$libname.def~$echo EXPORTS >> $objdir/$libname.def~emxexp$libobjs >> $objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib$libobjs$deplibs $objdir/$libname.def'
-    old_archive_from_new_cmds='emximp -o $objdir/$libname.a $objdir/$libname.def'
+    archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+    old_archive_from_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
     ;;
 
-  osf3* | osf4*)
+  osf3*)
     if test "$with_gcc" = yes; then
       allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
-      archive_cmds='$CC -shared${allow_undefined_flag} -o $lib ${wl}-soname ${wl}$soname ${wl}-set_version ${wl}$verstring$libobjs$deplibs'
+      archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
     else
       allow_undefined_flag=' -expect_unresolved \*'
-      archive_cmds='$LD -shared${allow_undefined_flag} -o $lib -soname $soname -set_version $verstring$libobjs$deplibs'
+      archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
     fi
     hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
     hardcode_libdir_separator=:
     ;;
 
-  sco3.2v5*)
-    archive_cmds='$LD -G -o $lib$libobjs$deplibs'
+  osf4* | osf5*)	# as osf3* with the addition of -msym flag
+    if test "$with_gcc" = yes; then
+      allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+      archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+    else
+      allow_undefined_flag=' -expect_unresolved \*'
+      archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+    fi
+    hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+    hardcode_libdir_separator=:
+    ;;
+  rhapsody*)
+    archive_cmds='$CC -bundle -undefined suppress -o $lib $libobjs $deplibs $linkopts'
+    hardcode_libdir_flags_spec='-L$libdir'
     hardcode_direct=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  sco3.2v5*)
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    hardcode_shlibpath_var=no
+    runpath_var=LD_RUN_PATH
+    hardcode_runpath_var=yes
     ;;
 
   solaris*)
     no_undefined_flag=' -z text'
     # $CC -shared without GNU ld will not create a library from C++
     # object files and a static libstdc++, better avoid it by now
-    archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib$libobjs$deplibs'
-    archive_sym_cmds='$echo "{ global:" > $lib.exp~sed $export_symbols -e "s/.*/\1;/" >> $lib.exp~$echo "local: * }" >> $lib.exp~
-		$LD -G${allow_undefined_flag} -M $export_symbols -h $soname -o $lib$libobjs$deplibs~$rm $lib.exp'
+    archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+		$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
     hardcode_libdir_flag_spec='-R$libdir'
     hardcode_shlibpath_var=no
-
-    # Solaris 2 before 2.5 hardcodes -L paths.
     case "$host_os" in
-    solaris2.[0-4]*)
-      hardcode_minus_L=yes
-      ;;
+    solaris2.[0-5] | solaris2.[0-5].*) ;;
+    *) # Supported since Solaris 2.6 (maybe 2.5.1?)
+      whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;;
     esac
+    link_all_deplibs=yes
     ;;
 
   sunos4*)
-    # Why do we need -Bstatic?  To avoid inter-library dependencies, maybe...
-    if test "$with_gcc" = yes; then
-      archive_cmds='$CC -shared ${wl}-Bstatic -o $lib$libobjs$deplibs'
+    if test "x$host_vendor" = xsequent; then
+      # Use $CC to link under sequent, because it throws in some extra .o 
+      # files that make .init and .fini sections work.
+      archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $linkopts'
     else
-      archive_cmds='$LD -assert pure-text -Bstatic -o $lib$libobjs$deplibs'
+      archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
     fi
     hardcode_libdir_flag_spec='-L$libdir'
     hardcode_direct=yes
@@ -1305,210 +1382,75 @@ DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
     hardcode_shlibpath_var=no
     ;;
 
+  sysv4)
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    runpath_var='LD_RUN_PATH'
+    hardcode_shlibpath_var=no
+    hardcode_direct=no #Motorola manual says yes, but my tests say they lie
+    ;;
+
+  sysv4.3*)
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    hardcode_shlibpath_var=no
+    export_dynamic_flag_spec='-Bexport'
+    ;;
+
+  sysv5*)
+    no_undefined_flag=' -z text'
+    # $CC -shared without GNU ld will not create a library from C++
+    # object files and a static libstdc++, better avoid it by now
+    archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+		$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+    hardcode_libdir_flag_spec=
+    hardcode_shlibpath_var=no
+    runpath_var='LD_RUN_PATH'
+    ;;
+
   uts4*)
-    archive_cmds='$LD -G -h $soname -o $lib$libobjs$deplibs'
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
     hardcode_libdir_flag_spec='-L$libdir'
-    hardcode_direct=no
-    hardcode_minus_L=no
     hardcode_shlibpath_var=no
     ;;
 
   dgux*)
-    archive_cmds='$LD -G -h $soname -o $lib$libobjs$deplibs'
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
     hardcode_libdir_flag_spec='-L$libdir'
-    hardcode_direct=no
+    hardcode_shlibpath_var=no
+    ;;
+
+  sysv4*MP*)
+    if test -d /usr/nec; then
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_shlibpath_var=no
+      runpath_var=LD_RUN_PATH
+      hardcode_runpath_var=yes
+      ld_shlibs=yes
+    fi
+    ;;
+
+  sysv4.2uw2*)
+    archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+    hardcode_direct=yes
     hardcode_minus_L=no
     hardcode_shlibpath_var=no
+    hardcode_runpath_var=yes
+    runpath_var=LD_RUN_PATH
     ;;
 
-  *)
-    ld_shlibs=no
-    can_build_shared=no
+  unixware7*)
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    runpath_var='LD_RUN_PATH'
+    hardcode_shlibpath_var=no
     ;;
-  esac
-fi
-echo "$ac_t$ld_shlibs" 1>&6
 
-if test -z "$NM"; then
-  echo $ac_n "checking for BSD-compatible nm... $ac_c" 1>&6
-  case "$NM" in
-  /* | [A-Za-z]:[/\\]*) ;; # Let the user override the test with a path.
   *)
-    IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
-    for ac_dir in /usr/ucb /usr/ccs/bin $PATH /bin; do
-      test -z "$ac_dir" && ac_dir=.
-      if test -f $ac_dir/nm; then
-        # Check to see if the nm accepts a BSD-compat flag.
-        # Adding the `sed 1q' prevents false positives on HP-UX, which says:
-        #   nm: unknown option "B" ignored
-        if ($ac_dir/nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
-          NM="$ac_dir/nm -B"
-        elif ($ac_dir/nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
-          NM="$ac_dir/nm -p"
-	else
-          NM="$ac_dir/nm"
-	fi
-        break
-      fi
-    done
-    IFS="$ac_save_ifs"
-    test -z "$NM" && NM=nm
+    ld_shlibs=no
     ;;
   esac
-  echo "$ac_t$NM" 1>&6
-fi
-
-# Check for command to grab the raw symbol name followed by C symbol from nm.
-echo $ac_n "checking command to parse $NM output... $ac_c" 1>&6
-
-# These are sane defaults that work on at least a few old systems.
-# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
-
-# Character class describing NM global symbol codes.
-symcode='[BCDEGRSTU]'
-
-# Regexp to match symbols that can be accessed directly from C.
-sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
-
-# Transform the above into a raw symbol and a C symbol.
-symxfrm='\1 \1'
-
-# Define system-specific variables.
-case "$host_os" in
-aix*)
-  symcode='[BCDTU]'
-  ;;
-sunos* | cygwin32* | mingw32*)
-  sympat='_\([_A-Za-z][_A-Za-z0-9]*\)'
-  symxfrm='_\1 \1'
-  ;;
-irix*)
-  # Cannot use undefined symbols on IRIX because inlined functions mess us up.
-  symcode='[BCDEGRST]'
-  ;;
-solaris*)
-  symcode='[BDTU]'
-  ;;
-esac
-
-# If we're using GNU nm, then use its standard symbol codes.
-if $NM -V 2>&1 | egrep '(GNU|with BFD)' > /dev/null; then
-  symcode='[ABCDGISTUW]'
 fi
-
-case "$host_os" in
-cygwin32* | mingw32*)
-  # We do not want undefined symbols on cygwin32.  The user must
-  # arrange to define them via -l arguments.
-  symcode='[ABCDGISTW]'
-  ;;
-esac
-
-# Write the raw and C identifiers.
-global_symbol_pipe="sed -n -e 's/^.* $symcode $sympat$/$symxfrm/p'"
-
-# Check to see that the pipe works correctly.
-pipe_works=no
-$rm conftest*
-cat > conftest.c <<EOF
-#ifdef __cplusplus
-extern "C" {
-#endif
-char nm_test_var;
-void nm_test_func(){}
-#ifdef __cplusplus
-}
-#endif
-main(){nm_test_var='a';nm_test_func();return(0);}
-EOF
-
-echo "$progname:1425: checking if global_symbol_pipe works" >&5
-if { (eval echo $progname:1426: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; } && test -s conftest.$objext; then
-  # Now try to grab the symbols.
-  nlist=conftest.nm
-  if { echo "$progname:1429: eval \"$NM conftest.$objext | $global_symbol_pipe > $nlist\"" >&5; eval "$NM conftest.$objext | $global_symbol_pipe > $nlist 2>&5"; } && test -s "$nlist"; then
-
-    # Try sorting and uniquifying the output.
-    if sort "$nlist" | uniq > "$nlist"T; then
-      mv -f "$nlist"T "$nlist"
-      wcout=`wc "$nlist" 2>/dev/null`
-      count=`$echo "X$wcout" | $Xsed -e 's/^[ 	]*\([0-9][0-9]*\).*$/\1/'`
-      (test "$count" -ge 0) 2>/dev/null || count=-1
-    else
-      rm -f "$nlist"T
-      count=-1
-    fi
-
-    # Make sure that we snagged all the symbols we need.
-    if egrep ' nm_test_var$' "$nlist" >/dev/null; then
-      if egrep ' nm_test_func$' "$nlist" >/dev/null; then
-	cat <<EOF > conftest.c
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-EOF
-        # Now generate the symbol file.
-        sed 's/^.* \(.*\)$/extern char \1;/' < "$nlist" >> conftest.c
-
-	cat <<EOF >> conftest.c
-#if defined (__STDC__) && __STDC__
-# define __ptr_t void *
-#else
-# define __ptr_t char *
-#endif
-
-/* The number of symbols in dld_preloaded_symbols, -1 if unsorted. */
-int dld_preloaded_symbol_count = $count;
-
-/* The mapping between symbol names and symbols. */
-struct {
-  char *name;
-  __ptr_t address;
-}
-dld_preloaded_symbols[] =
-{
-EOF
-        sed 's/^\(.*\) \(.*\)$/  {"\1", (__ptr_t) \&\2},/' < "$nlist" >> conftest.c
-        cat <<\EOF >> conftest.c
-  {0, (__ptr_t) 0}
-};
-
-#ifdef __cplusplus
-}
-#endif
-EOF
-        # Now try linking the two files.
-        mv conftest.$objext conftestm.$objext
-	save_LIBS="$LIBS"
-	save_CFLAGS="$CFLAGS"
-        LIBS="conftestm.$objext"
-	CFLAGS="$CFLAGS$no_builtin_flag"
-        if { (eval echo $progname:1487: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
-          pipe_works=yes
-        else
-          echo "$progname: failed program was:" >&5
-          cat conftest.c >&5
-        fi
-        LIBS="$save_LIBS"
-      else
-        echo "cannot find nm_test_func in $nlist" >&5
-      fi
-    else
-      echo "cannot find nm_test_var in $nlist" >&5
-    fi
-  else
-    echo "cannot run $global_symbol_pipe" >&5
-  fi
-else
-  echo "$progname: failed program was:" >&5
-  cat conftest.c >&5
-fi
-$rm conftest*
-
-# Do not use the global_symbol_pipe unless it works.
-echo "$ac_t$pipe_works" 1>&6
-test "$pipe_works" = yes || global_symbol_pipe=
+echo "$ac_t$ld_shlibs" 1>&6
+test "$ld_shlibs" = no && can_build_shared=no
 
 # Check hardcoding attributes.
 echo $ac_n "checking how to hardcode library paths into programs... $ac_c" 1>&6
@@ -1517,10 +1459,12 @@ if test -n "$hardcode_libdir_flag_spec" || \
    test -n "$runpath_var"; then
 
   # We can hardcode non-existant directories.
-  if test "$hardcode_direct" != no && \
-     test "$hardcode_minus_L" != no && \
-     test "$hardcode_shlibpath_var" != no; then
-
+  if test "$hardcode_direct" != no &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test "$hardcode_shlibpath_var" != no &&
+     test "$hardcode_minus_L" != no; then
     # Linking always hardcodes the temporary library directory.
     hardcode_action=relink
   else
@@ -1534,14 +1478,17 @@ else
 fi
 echo "$ac_t$hardcode_action" 1>&6
 
+echo $ac_n "checking whether stripping libraries is possible... $ac_c" 1>&6
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+  echo "${ac_t}yes" 1>&6
+else
+  echo "${ac_t}no" 1>&6
+fi
 
-reload_flag=
 reload_cmds='$LD$reload_flag -o $output$reload_objs'
-echo $ac_n "checking for $LD option to reload object files... $ac_c" 1>&6
-# PORTME Some linkers may need a different reload flag.
-reload_flag='-r'
-echo "$ac_t$reload_flag" 1>&6
-test -n "$reload_flag" && reload_flag=" $reload_flag"
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
 
 # PORTME Fill in your ld.so characteristics
 library_names_spec=
@@ -1552,26 +1499,15 @@ postuninstall_cmds=
 finish_cmds=
 finish_eval=
 shlibpath_var=
+shlibpath_overrides_runpath=unknown
 version_type=none
 dynamic_linker="$host_os ld.so"
-sys_lib_search_path="/lib /usr/lib /usr/local/lib"
-check_shared_deplibs_method='none'
-# Need to set the preceding variable on all platforms that support
-# interlibrary dependencies.
-# 'none' -- dependencies not supported.
-# 'pass_all' -- all dependencies passed with no checks.
-# 'test_compile' -- check by making test program.
-# 'file_regex' -- check by looking for filenames that look like the shared
-# library in the library path.
-# 'file_magic [regex]' -- check by looking for files in library path which
-# responds to the "file" command with a given regex.  This is actually a
-# superset of the file_regex command.  If you have file on your system, you'll
-# want to use this instead.
-# Notes: regexes are run through expr.
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
 
 echo $ac_n "checking dynamic linker characteristics... $ac_c" 1>&6
 case "$host_os" in
-aix3* | aix4*)
+aix3*)
   version_type=linux
   library_names_spec='${libname}${release}.so$versuffix $libname.a'
   shlibpath_var=LIBPATH
@@ -1580,44 +1516,105 @@ aix3* | aix4*)
   soname_spec='${libname}${release}.so$major'
   ;;
 
+aix4*)
+  version_type=linux
+  # AIX has no versioning support, so currently we can not hardcode correct
+  # soname into executable. Probably we can add versioning support to
+  # collect2, so additional links can be useful in future.
+  # We preserve .a as extension for shared libraries though AIX4.2
+  # and later linker supports .so
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.a'
+  shlibpath_var=LIBPATH
+  ;;
+
 amigaos*)
   library_names_spec='$libname.ixlibrary $libname.a'
   # Create ${libname}_ixlibrary.a entries in /sys/libs.
   finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "(cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a)"; (cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a) || exit 1; done'
   ;;
 
+beos*)
+  library_names_spec='${libname}.so'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  lt_cv_dlopen="load_add_on"
+  lt_cv_dlopen_libs=
+  lt_cv_dlopen_self=yes
+  ;;
+
 bsdi4*)
   version_type=linux
-  library_names_spec='${libname}.so.$major ${libname}.so'
-  soname_spec='${libname}.so'
-  finish_cmds='PATH="$PATH:/sbin" ldconfig $libdir'
+  need_version=no
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
   shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  export_dynamic_flag_spec=-rdynamic
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
   ;;
 
-cygwin32* | mingw32*)
+cygwin* | mingw*)
   version_type=windows
+  need_version=no
+  need_lib_prefix=no
   if test "$with_gcc" = yes; then
-    library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll $libname.a'
+    library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll'
   else
     library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll $libname.lib'
   fi
   dynamic_linker='Win32 ld.exe'
-  libname_spec='$name'
+  # FIXME: first we should search . and the directory the executable is in
   shlibpath_var=PATH
+  lt_cv_dlopen="LoadLibrary"
+  lt_cv_dlopen_libs=
   ;;
 
-freebsd2* | freebsd3*)
+freebsd1*)
+  dynamic_linker=no
+  ;;
+
+freebsd*)
   objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
   version_type=freebsd-$objformat
-  library_names_spec='${libname}${release}.so$versuffix $libname.so'
-  finish_cmds='PATH="$PATH:/sbin" OBJFORMAT="$objformat" ldconfig -m $libdir'
+  case "$version_type" in
+    freebsd-elf*)
+      library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so $libname.so'
+      need_version=no
+      need_lib_prefix=no
+      ;;
+    freebsd-*)
+      library_names_spec='${libname}${release}.so$versuffix $libname.so$versuffix'
+      need_version=yes
+      ;;
+  esac
   shlibpath_var=LD_LIBRARY_PATH
+  case "$host_os" in
+  freebsd2*)
+    shlibpath_overrides_runpath=yes
+    ;;
+  freebsd3.[01]* | freebsdelf3.[01]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  *) # from 3.2 on
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
+    ;;
+  esac
   ;;
 
 gnu*)
   version_type=linux
-  library_names_spec='${libname}${release}.so$versuffix ${libname}.so'
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so${major} ${libname}.so'
+  soname_spec='${libname}${release}.so$major'
   shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
   ;;
 
 hpux9* | hpux10* | hpux11*)
@@ -1625,25 +1622,39 @@ hpux9* | hpux10* | hpux11*)
   # link against other versions.
   dynamic_linker="$host_os dld.sl"
   version_type=sunos
+  need_lib_prefix=no
+  need_version=no
   shlibpath_var=SHLIB_PATH
+  shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
   library_names_spec='${libname}${release}.sl$versuffix ${libname}${release}.sl$major $libname.sl'
   soname_spec='${libname}${release}.sl$major'
   # HP-UX runs *really* slowly unless shared libraries are mode 555.
   postinstall_cmds='chmod 555 $lib'
   ;;
 
-irix5*)
-  version_type=osf
-  soname_spec='${libname}${release}.so'
-  library_names_spec='${libname}${release}.so$versuffix $libname.so'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-irix6*)
-  version_type=osf
-  soname_spec='${libname}${release}.so'
-  library_names_spec='${libname}${release}.so$versuffix $libname.so'
-  shlibpath_var=LD_LIBRARYN32_PATH
+irix5* | irix6*)
+  version_type=irix
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}.so.$major'
+  library_names_spec='${libname}${release}.so.$versuffix ${libname}${release}.so.$major ${libname}${release}.so $libname.so'
+  case "$host_os" in
+  irix5*)
+    libsuff= shlibsuff=
+    ;;
+  *)
+    case "$LD" in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 ") libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 ") libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 ") libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
+    esac
+    ;;
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
   ;;
 
 # No shared lib support for Linux oldld, aout, or coff.
@@ -1654,44 +1665,76 @@ linux-gnuoldld* | linux-gnuaout* | linux-gnucoff*)
 # This must be Linux ELF.
 linux-gnu*)
   version_type=linux
+  need_lib_prefix=no
+  need_version=no
   library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
   soname_spec='${libname}${release}.so$major'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
   shlibpath_var=LD_LIBRARY_PATH
-  check_shared_deplibs_method='file_magic ELF 32-bit LSB shared object'
-  sys_lib_search_path="/lib /usr/lib /usr/local/lib `echo $LD_LIBRARY_PATH | sed -e 's/:/ /g'`"
+  shlibpath_overrides_runpath=no
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
 
-  if test -f /lib/ld.so.1; then
-    dynamic_linker='GNU ld.so'
+netbsd*)
+  version_type=sunos
+  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+    library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
   else
-    # Only the GNU ld.so supports shared libraries on MkLinux.
-    case "$host_cpu" in
-    powerpc*) dynamic_linker=no ;;
-    *) dynamic_linker='Linux ld.so' ;;
-    esac
+    library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major ${libname}${release}.so ${libname}.so'
+    soname_spec='${libname}${release}.so$major'
+    dynamic_linker='NetBSD ld.elf_so'
   fi
+  shlibpath_var=LD_LIBRARY_PATH
   ;;
 
-netbsd* | openbsd*)
+openbsd*)
   version_type=sunos
-  library_names_spec='${libname}${release}.so$versuffix'
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+    need_version=no
+  fi
+  library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
   ;;
 
 os2*)
   libname_spec='$name'
+  need_lib_prefix=no
   library_names_spec='$libname.dll $libname.a'
   dynamic_linker='OS/2 ld.exe'
   shlibpath_var=LIBPATH
   ;;
 
-osf3* | osf4*)
+osf3* | osf4* | osf5*)
   version_type=osf
+  need_version=no
   soname_spec='${libname}${release}.so'
-  library_names_spec='${libname}${release}.so$versuffix $libname.so'
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so $libname.so'
   shlibpath_var=LD_LIBRARY_PATH
-  check_shared_deplibs_method='pass_all'
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+  ;;
+
+rhapsody*)
+  version_type=sunos
+  library_names_spec='${libname}.so'
+  soname_spec='${libname}.so'
+  shlibpath_var=DYLD_LIBRARY_PATH
+  deplibs_check_method=pass_all
   ;;
 
 sco3.2v5*)
@@ -1703,9 +1746,13 @@ sco3.2v5*)
 
 solaris*)
   version_type=linux
+  need_lib_prefix=no
+  need_version=no
   library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
   soname_spec='${libname}${release}.so$major'
   shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
   # ldd complains unless libraries are executable
   postinstall_cmds='chmod +x $lib'
   ;;
@@ -1715,29 +1762,57 @@ sunos4*)
   library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix'
   finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
   shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
   ;;
 
-sysv4.2uw2*)
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
   version_type=linux
   library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
   soname_spec='${libname}${release}.so$major'
   shlibpath_var=LD_LIBRARY_PATH
+  case "$host_vendor" in
+    sequent)
+      file_magic_cmd='/bin/file'
+      deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )'
+      ;;
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+      ;;
+  esac
   ;;
 
 uts4*)
   version_type=linux
-  library_names_spec='${libname}${release}.so.$versuffix ${libname}${release}.so.$major $libname.so'
-  soname_spec='${libname}${release}.so.$major'
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
   shlibpath_var=LD_LIBRARY_PATH
   ;;
 
 dgux*)
   version_type=linux
+  need_lib_prefix=no
+  need_version=no
   library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
   soname_spec='${libname}${release}.so$major'
   shlibpath_var=LD_LIBRARY_PATH
   ;;
 
+sysv4*MP*)
+  if test -d /usr/nec ;then
+    version_type=linux
+    library_names_spec='$libname.so.$versuffix $libname.so.$major $libname.so'
+    soname_spec='$libname.so.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
 *)
   dynamic_linker=no
   ;;
@@ -1745,22 +1820,206 @@ esac
 echo "$ac_t$dynamic_linker" 1>&6
 test "$dynamic_linker" = no && can_build_shared=no
 
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+echo $ac_n "checking command to parse $NM output... $ac_c" 1>&6
+
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[BCDEGRST]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
+
+# Transform the above into a raw symbol and a C symbol.
+symxfrm='\1 \2\3 \3'
+
+# Transform an extracted symbol line into a proper C declaration
+global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern char \1;/p'"
+
+# Define system-specific variables.
+case "$host_os" in
+aix*)
+  symcode='[BCDT]'
+  ;;
+cygwin* | mingw*)
+  symcode='[ABCDGISTW]'
+  ;;
+hpux*) # Its linker distinguishes data from code symbols
+  global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern char \1();/p' -e 's/^. .* \(.*\)$/extern char \1;/p'"
+  ;;
+irix*)
+  symcode='[BCDEGRST]'
+  ;;
+solaris* | sysv5*)
+  symcode='[BDT]'
+  ;;
+sysv4)
+  symcode='[DFNSTU]'
+  ;;
+esac
+
+# Handle CRLF in mingw too chain
+opt_cr=
+case "$host_os" in
+mingw*)
+  opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+  ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+if $NM -V 2>&1 | egrep '(GNU|with BFD)' > /dev/null; then
+  symcode='[ABCDGISTW]'
+fi
+
+# Try without a prefix undercore, then with it.
+for ac_symprfx in "" "_"; do
+
+  # Write the raw and C identifiers.
+global_symbol_pipe="sed -n -e 's/^.*[ 	]\($symcode\)[ 	][ 	]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'"
+
+  # Check to see that the pipe works correctly.
+  pipe_works=no
+  $rm conftest*
+  cat > conftest.c <<EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(){}
+#ifdef __cplusplus
+}
+#endif
+main(){nm_test_var='a';nm_test_func();return(0);}
+EOF
+
+  echo "$progname:1892: checking if global_symbol_pipe works" >&5
+  if { (eval echo $progname:1893: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; } && test -s conftest.$objext; then
+    # Now try to grab the symbols.
+    nlist=conftest.nm
+    if { echo "$progname:1896: eval \"$NM conftest.$objext | $global_symbol_pipe > $nlist\"" >&5; eval "$NM conftest.$objext | $global_symbol_pipe > $nlist 2>&5"; } && test -s "$nlist"; then
+
+      # Try sorting and uniquifying the output.
+      if sort "$nlist" | uniq > "$nlist"T; then
+	mv -f "$nlist"T "$nlist"
+      else
+	rm -f "$nlist"T
+      fi
+
+      # Make sure that we snagged all the symbols we need.
+      if egrep ' nm_test_var$' "$nlist" >/dev/null; then
+	if egrep ' nm_test_func$' "$nlist" >/dev/null; then
+	  cat <<EOF > conftest.c
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+EOF
+	  # Now generate the symbol file.
+	  eval "$global_symbol_to_cdecl"' < "$nlist" >> conftest.c'
+
+	  cat <<EOF >> conftest.c
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+  const char *name;
+  lt_ptr_t address;
+}
+lt_preloaded_symbols[] =
+{
+EOF
+	  sed 's/^. \(.*\) \(.*\)$/  {"\2", (lt_ptr_t) \&\2},/' < "$nlist" >> conftest.c
+	  cat <<\EOF >> conftest.c
+  {0, (lt_ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif
+EOF
+	  # Now try linking the two files.
+	  mv conftest.$objext conftstm.$objext
+	  save_LIBS="$LIBS"
+	  save_CFLAGS="$CFLAGS"
+	  LIBS="conftstm.$objext"
+	  CFLAGS="$CFLAGS$no_builtin_flag"
+	  if { (eval echo $progname:1948: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+	    pipe_works=yes
+	  else
+	    echo "$progname: failed program was:" >&5
+	    cat conftest.c >&5
+	  fi
+	  LIBS="$save_LIBS"
+	else
+	  echo "cannot find nm_test_func in $nlist" >&5
+	fi
+      else
+	echo "cannot find nm_test_var in $nlist" >&5
+      fi
+    else
+      echo "cannot run $global_symbol_pipe" >&5
+    fi
+  else
+    echo "$progname: failed program was:" >&5
+    cat conftest.c >&5
+  fi
+  $rm conftest* conftst*
+
+  # Do not use the global_symbol_pipe unless it works.
+  if test "$pipe_works" = yes; then
+    break
+  else
+    global_symbol_pipe=
+  fi
+done
+if test "$pipe_works" = yes; then
+  echo "${ac_t}ok" 1>&6
+else
+  echo "${ac_t}failed" 1>&6
+fi
+
+if test -z "$global_symbol_pipe"; then
+  global_symbol_to_cdecl=
+fi
+
 # Report the final consequences.
 echo "checking if libtool supports shared libraries... $can_build_shared" 1>&6
 
+# Only try to build win32 dlls if AC_LIBTOOL_WIN32_DLL was used in
+# configure.in, otherwise build static only libraries.
+case "$host_os" in
+cygwin* | mingw* | os2*)
+  if test x$can_build_shared = xyes; then
+    test x$enable_win32_dll = xno && can_build_shared=no
+    echo "checking if package supports dlls... $can_build_shared" 1>&6
+  fi
+;;
+esac
+
 echo $ac_n "checking whether to build shared libraries... $ac_c" 1>&6
 test "$can_build_shared" = "no" && enable_shared=no
 
 # On AIX, shared libraries and static libraries use the same namespace, and
 # are all built from PIC.
 case "$host_os" in
-aix*)
+aix3*)
   test "$enable_shared" = yes && enable_static=no
   if test -n "$RANLIB"; then
     archive_cmds="$archive_cmds~\$RANLIB \$lib"
     postinstall_cmds='$RANLIB $lib'
   fi
   ;;
+
+aix4*)
+  test "$enable_shared" = yes && enable_static=no
+  ;;
 esac
 
 echo "$ac_t$enable_shared" 1>&6
@@ -1770,17 +2029,463 @@ test "$enable_shared" = yes || enable_static=yes
 
 echo "checking whether to build static libraries... $enable_static" 1>&6
 
-echo $ac_n "checking for objdir... $ac_c" 1>&6
-rm -f .libs 2>/dev/null
-mkdir .libs 2>/dev/null
-if test -d .libs; then
-  objdir=.libs
+if test "$hardcode_action" = relink || test "$hardcode_into_libs" = all; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+     test "$enable_shared" = no; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$with_gcc" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+# Check whether we must set pic_mode to default
+test -z "$pic_flag" && pic_mode=default
+
+if test "x$enable_dlopen" != xyes; then
+  enable_dlopen=unknown
+  enable_dlopen_self=unknown
+  enable_dlopen_self_static=unknown
 else
-  # MS-DOS does not allow filenames that begin with a dot.
-  objdir=_libs
+if test "X${lt_cv_dlopen+set}" != Xset; then
+  lt_cv_dlopen=no lt_cv_dlopen_libs=
+echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6
+echo "$progname:2052: checking for dlopen in -ldl" >&5
+if test "X${ac_cv_lib_dl_dlopen+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldl  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2059 "ltconfig"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen();
+
+int main() {
+dlopen()
+; return 0; }
+EOF
+if { (eval echo $progname:2072: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_lib_dl_dlopen=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_lib_dl_dlopen=no
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if test "X$ac_cv_lib_dl_dlopen" = Xyes; then
+  echo "$ac_t""yes" 1>&6
+  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+  echo "$ac_t""no" 1>&6
+echo $ac_n "checking for dlopen""... $ac_c" 1>&6
+echo "$progname:2091: checking for dlopen" >&5
+if test "X${ac_cv_func_dlopen+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2096 "ltconfig"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char dlopen(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_dlopen) || defined (__stub___dlopen)
+choke me
+#else
+dlopen();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo $progname:2121: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_func_dlopen=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_dlopen=no
+fi
+rm -f conftest*
+fi
+if test "X$ac_cv_func_dlopen" = Xyes; then
+  echo "$ac_t""yes" 1>&6
+  lt_cv_dlopen="dlopen"
+else
+  echo "$ac_t""no" 1>&6
+echo $ac_n "checking for dld_link in -ldld""... $ac_c" 1>&6
+echo "$progname:2138: checking for dld_link in -ldld" >&5
+if test "X${ac_cv_lib_dld_dld_link+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldld  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2145 "ltconfig"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dld_link();
+
+int main() {
+dld_link()
+; return 0; }
+EOF
+if { (eval echo $progname:2158: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_lib_dld_dld_link=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_lib_dld_dld_link=no
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if test "X$ac_cv_lib_dld_dld_link" = Xyes; then
+  echo "$ac_t""yes" 1>&6
+  lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
+else
+  echo "$ac_t""no" 1>&6
+echo $ac_n "checking for shl_load""... $ac_c" 1>&6
+echo "$progname:2177: checking for shl_load" >&5
+if test "X${ac_cv_func_shl_load+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2182 "ltconfig"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char shl_load(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char shl_load();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_shl_load) || defined (__stub___shl_load)
+choke me
+#else
+shl_load();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo $progname:2207: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_func_shl_load=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_shl_load=no
+fi
+rm -f conftest*
+fi
+
+if test "X$ac_cv_func_shl_load" = Xyes; then
+  echo "$ac_t""yes" 1>&6
+  lt_cv_dlopen="shl_load"
+else
+  echo "$ac_t""no" 1>&6
+echo $ac_n "checking for shl_load in -ldld""... $ac_c" 1>&6
+echo "$progname:2225: checking for shl_load in -ldld" >&5
+if test "X${ac_cv_lib_dld_shl_load+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldld  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2232 "ltconfig"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char shl_load();
+
+int main() {
+shl_load()
+; return 0; }
+EOF
+if { (eval echo $progname:2246: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_lib_dld_shl_load=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_lib_dld_shl_load=no
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if test "X$ac_cv_lib_dld_shl_load" = Xyes; then
+  echo "$ac_t""yes" 1>&6
+  lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+fi
+
+  if test "x$lt_cv_dlopen" != xno; then
+    enable_dlopen=yes
+  fi
+
+  case "$lt_cv_dlopen" in
+  dlopen)
+for ac_hdr in dlfcn.h; do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "$progname:2289: checking for $ac_hdr" >&5
+if eval "test \"`echo 'X$''{'ac_cv_header_$ac_safe'+set}'`\" = Xset"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2294 "ltconfig"
+#include <$ac_hdr>
+int fnord = 0;
+int main () { return (0); }
+EOF
+ac_try="$ac_compile >/dev/null 2>conftest.out"
+{ (eval echo $progname:2300: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+    if test "x$ac_cv_header_dlfcn_h" = xyes; then
+      CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+    fi
+    eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+    LIBS="$lt_cv_dlopen_libs $LIBS"
+
+  echo $ac_n "checking whether a program can dlopen itself""... $ac_c" 1>&6
+echo "$progname:2328: checking whether a program can dlopen itself" >&5
+if test "X${lt_cv_dlopen_self+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test "$cross_compiling" = yes; then
+    lt_cv_dlopen_self=cross
+  else
+    cat > conftest.c <<EOF
+#line 2336 "ltconfig"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LTDL_GLOBAL	RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+#  define LTDL_GLOBAL	DL_GLOBAL
+# else
+#  define LTDL_GLOBAL	0
+# endif
+#endif
+
+/* We may have to define LTDL_LAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LTDL_LAZY_OR_NOW
+# ifdef RTLD_LAZY
+#  define LTDL_LAZY_OR_NOW	RTLD_LAZY
+# else
+#  ifdef DL_LAZY
+#   define LTDL_LAZY_OR_NOW	DL_LAZY
+#  else
+#   ifdef RTLD_NOW
+#    define LTDL_LAZY_OR_NOW	RTLD_NOW
+#   else
+#    ifdef DL_NOW
+#     define LTDL_LAZY_OR_NOW	DL_NOW
+#    else
+#     define LTDL_LAZY_OR_NOW	0
+#    endif
+#   endif
+#  endif
+# endif
+#endif
+
+fnord() { int i=42;}
+main() { void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW);
+    if(self) { ptr1=dlsym(self,"fnord"); ptr2=dlsym(self,"_fnord");
+	       if(ptr1 || ptr2) { dlclose(self); exit(0); } } exit(1); }
+
+EOF
+if { (eval echo $progname:2382: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null
+then
+  lt_cv_dlopen_self=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  lt_cv_dlopen_self=no
+fi
+rm -fr conftest*
+fi
+
+fi
+
+echo "$ac_t""$lt_cv_dlopen_self" 1>&6
+
+  if test "$lt_cv_dlopen_self" = yes; then
+    LDFLAGS="$LDFLAGS $link_static_flag"
+  echo $ac_n "checking whether a statically linked program can dlopen itself""... $ac_c" 1>&6
+echo "$progname:2401: checking whether a statically linked program can dlopen itself" >&5
+if test "X${lt_cv_dlopen_self_static+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test "$cross_compiling" = yes; then
+    lt_cv_dlopen_self_static=cross
+  else
+    cat > conftest.c <<EOF
+#line 2409 "ltconfig"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LTDL_GLOBAL	RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+#  define LTDL_GLOBAL	DL_GLOBAL
+# else
+#  define LTDL_GLOBAL	0
+# endif
+#endif
+
+/* We may have to define LTDL_LAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LTDL_LAZY_OR_NOW
+# ifdef RTLD_LAZY
+#  define LTDL_LAZY_OR_NOW	RTLD_LAZY
+# else
+#  ifdef DL_LAZY
+#   define LTDL_LAZY_OR_NOW	DL_LAZY
+#  else
+#   ifdef RTLD_NOW
+#    define LTDL_LAZY_OR_NOW	RTLD_NOW
+#   else
+#    ifdef DL_NOW
+#     define LTDL_LAZY_OR_NOW	DL_NOW
+#    else
+#     define LTDL_LAZY_OR_NOW	0
+#    endif
+#   endif
+#  endif
+# endif
+#endif
+
+fnord() { int i=42;}
+main() { void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW);
+    if(self) { ptr1=dlsym(self,"fnord"); ptr2=dlsym(self,"_fnord");
+    if(ptr1 || ptr2) { dlclose(self); exit(0); } } exit(1); }
+
+EOF
+if { (eval echo $progname:2455: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null
+then
+  lt_cv_dlopen_self_static=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  lt_cv_dlopen_self_static=no
+fi
+rm -fr conftest*
+fi
+
+fi
+
+echo "$ac_t""$lt_cv_dlopen_self_static" 1>&6
+fi
+    ;;
+  esac
+
+  case "$lt_cv_dlopen_self" in
+  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+  *) enable_dlopen_self=unknown ;;
+  esac
+
+  case "$lt_cv_dlopen_self_static" in
+  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+  *) enable_dlopen_self_static=unknown ;;
+  esac
 fi
-rmdir .libs 2>/dev/null
-echo "$ac_t$objdir" 1>&6
 
 # Copy echo and quote the copy, instead of the original, because it is
 # used later.
@@ -1790,41 +2495,52 @@ if test "X$ltecho" = "X$CONFIG_SHELL $0 --fallback-echo"; then
 fi
 LTSHELL="$SHELL"
 
+LTCONFIG_VERSION="$VERSION"
+
 # Only quote variables if we're using ltmain.sh.
 case "$ltmain" in
 *.sh)
   # Now quote all the things that may contain metacharacters.
-  for var in ltecho old_CC old_CFLAGS old_CPPFLAGS old_LD old_NM old_RANLIB \
-    old_LN_S old_DLLTOOL old_AS AR CC LD LN_S NM LTSHELL VERSION \
+  for var in ltecho old_AR old_ARFLAGS old_CC old_CFLAGS old_CPPFLAGS \
+    old_MAGIC old_LD old_LDFLAGS old_LIBS \
+    old_LN_S old_NM old_RANLIB old_STRIP \
+    old_AS old_DLLTOOL old_OBJDUMP \
+    old_OBJEXT old_EXEEXT old_reload_flag \
+    old_deplibs_check_method old_file_magic_cmd \
+    AR AR_FLAGS CC LD LN_S NM LTSHELL LTCONFIG_VERSION \
     reload_flag reload_cmds wl \
     pic_flag link_static_flag no_builtin_flag export_dynamic_flag_spec \
-    whole_archive_flag_spec libname_spec library_names_spec soname_spec \
+    thread_safe_flag_spec whole_archive_flag_spec libname_spec \
+    library_names_spec soname_spec \
     RANLIB old_archive_cmds old_archive_from_new_cmds old_postinstall_cmds \
-    old_postuninstall_cmds archive_cmds archive_sym_cmds postinstall_cmds postuninstall_cmds \
-    check_shared_deplibs_method allow_undefined_flag no_undefined_flag \
-    finish_cmds finish_eval global_symbol_pipe \
-    hardcode_libdir_flag_spec hardcode_libdir_separator sys_lib_search_path \
-    compiler_c_o compiler_o_lo need_locks; do
+    old_postuninstall_cmds archive_cmds archive_expsym_cmds postinstall_cmds \
+    postuninstall_cmds extract_expsyms_cmds old_archive_from_expsyms_cmds \
+    old_striplib striplib file_magic_cmd export_symbols_cmds \
+    deplibs_check_method allow_undefined_flag no_undefined_flag \
+    finish_cmds finish_eval global_symbol_pipe global_symbol_to_cdecl \
+    hardcode_libdir_flag_spec hardcode_libdir_separator  \
+    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+    compiler_c_o compiler_o_lo need_locks exclude_expsyms include_expsyms; do
 
     case "$var" in
     reload_cmds | old_archive_cmds | old_archive_from_new_cmds | \
     old_postinstall_cmds | old_postuninstall_cmds | \
-    archive_cmds | archive_sym_cmds | \
+    export_symbols_cmds | archive_cmds | archive_expsym_cmds | \
+    extract_expsyms_cmds | old_archive_from_expsyms_cmds | \
     postinstall_cmds | postuninstall_cmds | \
-    finish_cmds | sys_lib_search_path)
+    finish_cmds | sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
       # Double-quote double-evaled strings.
-      eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\"\`\\\""
+      eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\"" ### testsuite: skip nested quoting test
       ;;
     *)
-      eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+      eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\"" ### testsuite: skip nested quoting test
       ;;
     esac
   done
 
   case "$ltecho" in
   *'\$0 --fallback-echo"')
-    ltecho=`$echo "X$ltecho" |
-	    $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+    ltecho=`$echo "X$ltecho" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
     ;;
   esac
 
@@ -1835,11 +2551,11 @@ case "$ltmain" in
 #! $SHELL
 
 # `$echo "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
-# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION)
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
 # NOTE: Changes made to this file will be lost: look at ltconfig or ltmain.sh.
 #
-# Copyright (C) 1996-1998 Free Software Foundation, Inc.
-# Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+# Copyright (C) 1996-2000 Free Software Foundation, Inc.
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1865,7 +2581,7 @@ Xsed="sed -e s/^X//"
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-if test "\${CDPATH+set}" = set; then CDPATH=; export CDPATH; fi
+if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
 
 ### BEGIN LIBTOOL CONFIG
 EOF
@@ -1874,8 +2590,12 @@ EOF
 
 *)
   # Double-quote the variables that need it (for aesthetics).
-  for var in old_CC old_CFLAGS old_CPPFLAGS old_LD old_NM old_RANLIB \
-    old_LN_S old_DLLTOOL old_AS; do
+  for var in old_AR old_AR_FLAGS old_CC old_CFLAGS old_CPPFLAGS \
+    old_MAGIC old_LD old_LDFLAGS old_LIBS \
+    old_LN_S old_NM old_RANLIB old_STRIP \
+    old_AS old_DLLTOOL old_OBJDUMP \
+    old_OBJEXT old_EXEEXT old_reload_flag \
+    old_deplibs_check_method old_file_magic_cmd; do
     eval "$var=\\\"\$var\\\""
   done
 
@@ -1886,7 +2606,7 @@ EOF
   $rm "$cfgfile"
   cat <<EOF > "$cfgfile"
 # `$echo "$cfgfile" | sed 's%^.*/%%'` - Libtool configuration file.
-# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION)
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
 EOF
   ;;
 esac
@@ -1894,16 +2614,18 @@ esac
 cat <<EOF >> "$cfgfile"
 # Libtool was configured as follows, on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 #
-# CC=$old_CC CFLAGS=$old_CFLAGS CPPFLAGS=$old_CPPFLAGS \\
-# LD=$old_LD NM=$old_NM RANLIB=$old_RANLIB LN_S=$old_LN_S \\
-# DLLTOOL="$old_DLLTOOL" AS="$old_AS" \\
+# AR=$old_AR AR_FLAGS=$old_AR_FLAGS CC=$old_CC CFLAGS=$old_CFLAGS \\
+# CPPFLAGS=$old_CPPFLAGS MAGIC=$old_MAGIC LD=$old_LD LDFLAGS=$old_LDFLAGS \\
+# LIBS=$old_LIBS LN_S=$old_LN_S NM=$old_NM RANLIB=$old_RANLIB \\
+# STRIP=$old_STRIP AS=$old_AS DLLTOOL=$old_DLLTOOL OBJDUMP=$old_OBJDUMP \\
+# objext=$old_OBJEXT exeext=$old_EXEEXT reload_flag=$old_reload_flag \\
+# deplibs_check_method=$old_deplibs_check_method file_magic_cmd=$old_file_magic_cmd \\
 #   $0$ltconfig_args
 #
 # Compiler and other test output produced by $progname, useful for
 # debugging $progname, is in ./config.log if it exists.
-
 # The version of $progname that generated this script.
-LTCONFIG_VERSION=$VERSION
+LTCONFIG_VERSION=$LTCONFIG_VERSION
 
 # Shell to use when invoking shell scripts.
 SHELL=$LTSHELL
@@ -1914,6 +2636,9 @@ build_libtool_libs=$enable_shared
 # Whether or not to build static libraries.
 build_old_libs=$enable_static
 
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
 # The host system.
 host_alias=$host_alias
 host=$host
@@ -1923,6 +2648,7 @@ echo=$ltecho
 
 # The archiver.
 AR=$AR
+AR_FLAGS=$AR_FLAGS
 
 # The default C compiler.
 CC=$CC
@@ -1936,10 +2662,19 @@ LN_S=$LN_S
 # A BSD-compatible nm program.
 NM=$NM
 
-# Used on cygwin32: DLL creation program.
+# A symbol stripping program
+STRIP=$STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC=$MAGIC
+
+# Used on cygwin: DLL creation program.
 DLLTOOL="$DLLTOOL"
 
-# Used on cygwin32: assembler.
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
 AS="$AS"
 
 # The name of the directory that contains temporary libtool files.
@@ -1958,10 +2693,14 @@ objext="$objext"
 # Old archive suffix (normally "a").
 libext="$libext"
 
+# Executable file suffix (normally "").
+exeext="$exeext"
+
 # Additional compiler flags for building library objects.
 pic_flag=$pic_flag
+pic_mode=$pic_mode
 
-# Does compiler simultaneously support -c and -o options
+# Does compiler simultaneously support -c and -o options?
 compiler_c_o=$compiler_c_o
 
 # Can we write directly to a .lo ?
@@ -1970,6 +2709,21 @@ compiler_o_lo=$compiler_o_lo
 # Must we lock files when doing compilation ?
 need_locks=$need_locks
 
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
 # Compiler flag to prevent dynamic linking.
 link_static_flag=$link_static_flag
 
@@ -1982,6 +2736,9 @@ export_dynamic_flag_spec=$export_dynamic_flag_spec
 # Compiler flag to generate shared objects directly from archives.
 whole_archive_flag_spec=$whole_archive_flag_spec
 
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$thread_safe_flag_spec
+
 # Library versioning type.
 version_type=$version_type
 
@@ -2004,14 +2761,24 @@ old_postuninstall_cmds=$old_postuninstall_cmds
 # Create an old-style archive from a shared archive.
 old_archive_from_new_cmds=$old_archive_from_new_cmds
 
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$old_archive_from_expsyms_cmds
+
 # Commands used to build and install a shared archive.
 archive_cmds=$archive_cmds
-archive_sym_cmds=$archive_sym_cmds
+archive_expsym_cmds=$archive_expsym_cmds
 postinstall_cmds=$postinstall_cmds
 postuninstall_cmds=$postuninstall_cmds
 
+# Commands to strip libraries.
+old_striplib=$old_striplib
+striplib=$striplib
+
 # Method to check whether dependent libraries are shared objects.
-check_shared_deplibs_method=$check_shared_deplibs_method
+deplibs_check_method=$deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$file_magic_cmd
 
 # Flag that allows shared libraries with undefined symbols to be built.
 allow_undefined_flag=$allow_undefined_flag
@@ -2028,15 +2795,24 @@ finish_eval=$finish_eval
 # Take the output of nm and produce a listing of raw symbols and C names.
 global_symbol_pipe=$global_symbol_pipe
 
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$global_symbol_to_cdecl
+
 # This is the shared library runtime path variable.
 runpath_var=$runpath_var
 
 # This is the shared library path variable.
 shlibpath_var=$shlibpath_var
 
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
 # How to hardcode a shared library path into an executable.
 hardcode_action=$hardcode_action
 
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
 # Flag to hardcode \$libdir into a binary during linking.
 # This must work even if \$libdir does not exist.
 hardcode_libdir_flag_spec=$hardcode_libdir_flag_spec
@@ -2056,11 +2832,37 @@ hardcode_minus_L=$hardcode_minus_L
 # the resulting binary.
 hardcode_shlibpath_var=$hardcode_shlibpath_var
 
-# System search path for libraries
-sys_lib_search_path=$sys_lib_search_path
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$sys_lib_dlsearch_path_spec
 
 # Fix the shell variable \$srcfile for the compiler.
 fix_srcfile_path="$fix_srcfile_path"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols
+
+# The commands to list exported symbols.
+export_symbols_cmds=$export_symbols_cmds
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$exclude_expsyms
+
+# Symbols that must always be exported.
+include_expsyms=$include_expsyms
+
 EOF
 
 case "$ltmain" in
@@ -2074,16 +2876,200 @@ case "$ltmain" in
 # AIX sometimes has problems with the GCC collect2 program.  For some
 # reason, if we set the COLLECT_NAMES environment variable, the problems
 # vanish in a puff of smoke.
-if test "${COLLECT_NAMES+set}" != set; then
+if test "X${COLLECT_NAMES+set}" != Xset; then
   COLLECT_NAMES=
   export COLLECT_NAMES
 fi
 EOF
     ;;
   esac
+  case "$host" in
+  *-*-cygwin* | *-*-mingw* | *-*-os2*)
+    cat <<'EOF' >> "$ofile"
+      # This is a source program that is used to create dlls on Windows
+      # Don't remove nor modify the starting and closing comments
+# /* ltdll.c starts here */
+# #define WIN32_LEAN_AND_MEAN
+# #include <windows.h>
+# #undef WIN32_LEAN_AND_MEAN
+# #include <stdio.h>
+#
+# #ifndef __CYGWIN__
+# #  ifdef __CYGWIN32__
+# #    define __CYGWIN__ __CYGWIN32__
+# #  endif
+# #endif
+#
+# #ifdef __cplusplus
+# extern "C" {
+# #endif
+# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
+# #ifdef __cplusplus
+# }
+# #endif
+#
+# #ifdef __CYGWIN__
+# #include <cygwin/cygwin_dll.h>
+# DECLARE_CYGWIN_DLL( DllMain );
+# #endif
+# HINSTANCE __hDllInstance_base;
+#
+# BOOL APIENTRY
+# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
+# {
+#   __hDllInstance_base = hInst;
+#   return TRUE;
+# }
+# /* ltdll.c ends here */
+      # This is a source program that is used to create import libraries
+      # on Windows for dlls which lack them. Don't remove nor modify the
+      # starting and closing comments
+# /* impgen.c starts here */
+# /*   Copyright (C) 1999-2000 Free Software Foundation, Inc.
+#
+#  This file is part of GNU libtool.
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#  */
+#
+#  #include <stdio.h>		/* for printf() */
+#  #include <unistd.h>		/* for open(), lseek(), read() */
+#  #include <fcntl.h>		/* for O_RDONLY, O_BINARY */
+#  #include <string.h>		/* for strdup() */
+#
+#  /* O_BINARY isn't required (or even defined sometimes) under Unix */
+#  #ifndef O_BINARY
+#  #define O_BINARY 0
+#  #endif
+#
+#  static unsigned int
+#  pe_get16 (fd, offset)
+#       int fd;
+#       int offset;
+#  {
+#    unsigned char b[2];
+#    lseek (fd, offset, SEEK_SET);
+#    read (fd, b, 2);
+#    return b[0] + (b[1]<<8);
+#  }
+#
+#  static unsigned int
+#  pe_get32 (fd, offset)
+#      int fd;
+#      int offset;
+#  {
+#    unsigned char b[4];
+#    lseek (fd, offset, SEEK_SET);
+#    read (fd, b, 4);
+#    return b[0] + (b[1]<<8) + (b[2]<<16) + (b[3]<<24);
+#  }
+#
+#  static unsigned int
+#  pe_as32 (ptr)
+#       void *ptr;
+#  {
+#    unsigned char *b = ptr;
+#    return b[0] + (b[1]<<8) + (b[2]<<16) + (b[3]<<24);
+#  }
+#
+#  int
+#  main (argc, argv)
+#      int argc;
+#      char *argv[];
+#  {
+#      int dll;
+#      unsigned long pe_header_offset, opthdr_ofs, num_entries, i;
+#      unsigned long export_rva, export_size, nsections, secptr, expptr;
+#      unsigned long name_rvas, nexp;
+#      unsigned char *expdata, *erva;
+#      char *filename, *dll_name;
+#
+#      filename = argv[1];
+#
+#      dll = open(filename, O_RDONLY|O_BINARY);
+#      if (!dll)
+#  	return 1;
+#
+#      dll_name = filename;
+#
+#      for (i=0; filename[i]; i++)
+#  	if (filename[i] == '/' || filename[i] == '\\'  || filename[i] == ':')
+#  	    dll_name = filename + i +1;
+#
+#      pe_header_offset = pe_get32 (dll, 0x3c);
+#      opthdr_ofs = pe_header_offset + 4 + 20;
+#      num_entries = pe_get32 (dll, opthdr_ofs + 92);
+#
+#      if (num_entries < 1) /* no exports */
+#  	return 1;
+#
+#      export_rva = pe_get32 (dll, opthdr_ofs + 96);
+#      export_size = pe_get32 (dll, opthdr_ofs + 100);
+#      nsections = pe_get16 (dll, pe_header_offset + 4 +2);
+#      secptr = (pe_header_offset + 4 + 20 +
+#  	      pe_get16 (dll, pe_header_offset + 4 + 16));
+#
+#      expptr = 0;
+#      for (i = 0; i < nsections; i++)
+#      {
+#  	char sname[8];
+#  	unsigned long secptr1 = secptr + 40 * i;
+#  	unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
+#  	unsigned long vsize = pe_get32 (dll, secptr1 + 16);
+#  	unsigned long fptr = pe_get32 (dll, secptr1 + 20);
+#  	lseek(dll, secptr1, SEEK_SET);
+#  	read(dll, sname, 8);
+#  	if (vaddr <= export_rva && vaddr+vsize > export_rva)
+#  	{
+#  	    expptr = fptr + (export_rva - vaddr);
+#  	    if (export_rva + export_size > vaddr + vsize)
+#  		export_size = vsize - (export_rva - vaddr);
+#  	    break;
+#  	}
+#      }
+#
+#      expdata = (unsigned char*)malloc(export_size);
+#      lseek (dll, expptr, SEEK_SET);
+#      read (dll, expdata, export_size);
+#      erva = expdata - export_rva;
+#
+#      nexp = pe_as32 (expdata+24);
+#      name_rvas = pe_as32 (expdata+32);
+#
+#      printf ("EXPORTS\n");
+#      for (i = 0; i<nexp; i++)
+#      {
+#  	unsigned long name_rva = pe_as32 (erva+name_rvas+i*4);
+#  	printf ("\t%s @ %ld ;\n", erva+name_rva, 1+ i);
+#      }
+#
+#      return 0;
+#  }
+# /* impgen.c ends here */
+
+EOF
+    ;;
+  esac
+
 
   # Append the ltmain.sh script.
-  cat "$ltmain" >> "$ofile" || (rm -f "$ofile"; exit 1)
+  sed '$q' "$ltmain" >> "$ofile" || (rm -f "$ofile"; exit 1)
+  # We use sed instead of cat because bash on DJGPP gets confused if
+  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
+  # text mode, it properly converts lines to CR/LF.  This bash problem
+  # is reportedly fixed, but why not run on old versions too?
 
   chmod +x "$ofile"
   ;;
@@ -2093,6 +3079,58 @@ EOF
   echo "FIXME: would compile $ltmain"
   ;;
 esac
+
+test -n "$cache_file" || exit 0
+
+# AC_CACHE_SAVE
+trap '' 1 2 15
+cat > confcache <<\EOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs.  It is not useful on other systems.
+# If it contains results you don't want to keep, you may remove or edit it.
+#
+# By default, configure uses ./config.cache as the cache file,
+# creating it if it does not exist already.  You can give configure
+# the --cache-file=FILE option to use a different cache file; that is
+# what configure does when it calls configure scripts in
+# subdirectories, so they share the cache.
+# Giving --cache-file=/dev/null disables caching, for debugging configure.
+# config.status only pays attention to the cache file if you give it the
+# --recheck option to rerun configure.
+#
+EOF
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(set) 2>&1 |
+  case `(ac_space=' '; set | grep ac_space) 2>&1` in
+  *ac_space=\ *)
+    # `set' does not quote correctly, so add quotes (double-quote substitution
+    # turns \\\\ into \\, and sed turns \\ into \).
+    sed -n \
+      -e "s/'/'\\\\''/g" \
+      -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p"
+    ;;
+  *)
+    # `set' quotes correctly as required by POSIX, so do not add quotes.
+    sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p'
+    ;;
+  esac >> confcache
+if cmp -s $cache_file confcache; then
+  :
+else
+  if test -w $cache_file; then
+    echo "updating cache $cache_file"
+    cat confcache > $cache_file
+  else
+    echo "not updating unwritable cache $cache_file"
+  fi
+fi
+rm -f confcache
+
 exit 0
 
 # Local Variables:
diff --git a/crypto/heimdal/ltmain.sh b/crypto/heimdal/ltmain.sh
index 397cc1e..19a0e7d 100644
--- a/crypto/heimdal/ltmain.sh
+++ b/crypto/heimdal/ltmain.sh
@@ -1,8 +1,8 @@
 # ltmain.sh - Provide generalized library-building support services.
 # NOTE: Changing this file will not affect anything until you rerun ltconfig.
 #
-# Copyright (C) 1996-1998 Free Software Foundation, Inc.
-# Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+# Copyright (C) 1996-2000 Free Software Foundation, Inc.
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -28,12 +28,8 @@ if test "X$1" = X--no-reexec; then
   # Discard the --no-reexec flag, and continue.
   shift
 elif test "X$1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<EOF
-$*
-EOF
-  exit 0
+  # Avoid inline document here, it may be left over
+  :
 elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
   # Yippee, $echo works!
   :
@@ -42,6 +38,15 @@ else
   exec $SHELL "$0" --no-reexec ${1+"$@"}
 fi
 
+if test "X$1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+$*
+EOF
+  exit 0
+fi
+
 # The name of this program.
 progname=`$echo "$0" | sed 's%^.*/%%'`
 modename="$progname"
@@ -49,7 +54,8 @@ modename="$progname"
 # Constants.
 PROGRAM=ltmain.sh
 PACKAGE=libtool
-VERSION=1.2d
+VERSION=1.3c
+TIMESTAMP=" (1.731 2000/07/10 09:42:21)"
 
 default_mode=
 help="Try \`$progname --help' for more information."
@@ -60,8 +66,10 @@ rm="rm -f"
 
 # Sed substitution that helps us do robust quoting.  It backslashifies
 # metacharacters that are still active within double-quoted strings.
-Xsed='sed -e s/^X//'
+Xsed='sed -e 1s/^X//'
 sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
+SP2NL='tr \040 \012'
+NL2SP='tr \015\012 \040\040'
 
 # NLS nuisances.
 # Only set LANG and LC_ALL to C if already set.
@@ -97,7 +105,7 @@ show="$echo"
 show_help=
 execute_dlfiles=
 lo2o="s/\\.lo\$/.${objext}/"
-los2o="s/\\.lo /.${objext} /g"
+o2lo="s/\\.${objext}\$/.lo/"
 
 # Parse our command line options once, thoroughly.
 while test $# -gt 0
@@ -133,7 +141,7 @@ do
     ;;
 
   --version)
-    echo "$PROGRAM (GNU $PACKAGE) $VERSION"
+    echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"
     exit 0
     ;;
 
@@ -208,12 +216,12 @@ if test -z "$show_help"; then
       mode=link
       for arg
       do
-        case "$arg" in
-        -c)
-           mode=compile
-           break
-           ;;
-        esac
+	case "$arg" in
+	-c)
+	   mode=compile
+	   break
+	   ;;
+	esac
       done
       ;;
     *db | *dbx | *strace | *truss)
@@ -231,11 +239,11 @@ if test -z "$show_help"; then
 
       # Just use the default operation mode.
       if test -z "$mode"; then
-        if test -n "$nonopt"; then
-          $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
-        else
-          $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
-        fi
+	if test -n "$nonopt"; then
+	  $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
+	else
+	  $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
+	fi
       fi
       ;;
     esac
@@ -259,47 +267,112 @@ if test -z "$show_help"; then
     modename="$modename: compile"
     # Get the compilation command and the source file.
     base_compile=
+    prev=
     lastarg=
     srcfile="$nonopt"
     suppress_output=
-    force_static=no
 
     user_target=no
     for arg
     do
+      case "$prev" in
+      "") ;;
+      xcompiler)
+	# Aesthetically quote the previous argument.
+	prev=
+	lastarg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+
+	case "$arg" in
+	# Double-quote args containing other shell metacharacters.
+	# Many Bourne shells cannot handle close brackets correctly
+	# in scan sets, so we specify it separately.
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+
+	# Add the previous argument to base_compile.
+	if test -z "$base_compile"; then
+	  base_compile="$lastarg"
+	else
+	  base_compile="$base_compile $lastarg"
+	fi
+	continue
+	;;
+      esac
+
       # Accept any command-line options.
       case "$arg" in
       -o)
-        if test "$user_target" != "no"; then
-          $echo "$modename: you cannot specify \`-o' more than once" 1>&2
+	if test "$user_target" != "no"; then
+	  $echo "$modename: you cannot specify \`-o' more than once" 1>&2
 	  exit 1
-        fi
-        user_target=next
+	fi
+	user_target=next
 	;;
 
-      -force-static)
-        force_static=yes
-        continue
-        ;;
-	
       -static)
-        build_old_libs=yes
-        continue
-        ;;
+	build_old_libs=yes
+	continue
+	;;
+
+      -prefer-pic)
+	pic_mode=yes
+	continue
+	;;
+
+      -prefer-non-pic)
+	pic_mode=no
+	continue
+	;;
+
+      -Xcompiler)
+	prev=xcompiler
+	continue
+	;;
+
+      -Wc,*)
+	args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
+	lastarg=
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=','
+	for arg in $args; do
+	  IFS="$save_ifs"
+
+	  # Double-quote args containing other shell metacharacters.
+	  # Many Bourne shells cannot handle close brackets correctly
+	  # in scan sets, so we specify it separately.
+	  case "$arg" in
+	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	    arg="\"$arg\""
+	    ;;
+	  esac
+	  lastarg="$lastarg $arg"
+	done
+	IFS="$save_ifs"
+	lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"`
+
+	# Add the arguments to base_compile.
+	if test -z "$base_compile"; then
+	  base_compile="$lastarg"
+	else
+	  base_compile="$base_compile $lastarg"
+	fi
+	continue
+	;;
       esac
 
       case "$user_target" in
       next)
-        # The next one is the -o target name
-        user_target=yes
-        continue
-        ;;
+	# The next one is the -o target name
+	user_target=yes
+	continue
+	;;
       yes)
-        # We got the output file
-        user_target=set
-        libobj="$arg"
-        continue
-        ;;
+	# We got the output file
+	user_target=set
+	libobj="$arg"
+	continue
+	;;
       esac
 
       # Accept the current argument as the source file.
@@ -314,19 +387,19 @@ if test -z "$show_help"; then
       lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"`
 
       # Double-quote args containing other shell metacharacters.
-      # Many Bourne shells cannot handle close brackets correctly in scan
-      # sets, so we specify it separately.
+      # Many Bourne shells cannot handle close brackets correctly
+      # in scan sets, so we specify it separately.
       case "$lastarg" in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
-        lastarg="\"$lastarg\""
-        ;;
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	lastarg="\"$lastarg\""
+	;;
       esac
 
       # Add the previous argument to base_compile.
       if test -z "$base_compile"; then
-        base_compile="$lastarg"
+	base_compile="$lastarg"
       else
-        base_compile="$base_compile $lastarg"
+	base_compile="$base_compile $lastarg"
       fi
     done
 
@@ -377,14 +450,25 @@ if test -z "$show_help"; then
 
     # Delete any leftover library objects.
     if test "$build_old_libs" = yes; then
-      removelist="$obj $libobj $lockfile"
+      removelist="$obj $libobj"
     else
-      removelist="$libobj $lockfile"
+      removelist="$libobj"
     fi
 
     $run $rm $removelist
     trap "$run $rm $removelist; exit 1" 1 2 15
 
+    # On Cygwin there's no "real" PIC flag so we must build both object types
+    case "$host_os" in
+    cygwin* | mingw* | os2*)
+      pic_mode=default
+      ;;
+    esac
+    if test $pic_mode = no && test "$deplibs_check_method" != pass_all; then
+      # non-PIC code in shared libraries is not supported
+      pic_mode=default
+    fi
+
     # Calculate the filename of the output object if compiler does
     # not support -o with -c
     if test "$compiler_c_o" = no; then
@@ -401,8 +485,8 @@ if test -z "$show_help"; then
     # We use this script file to make the link, it avoids creating a new file
     if test "$need_locks" = yes; then
       until ln "$0" "$lockfile" 2>/dev/null; do
-        $show "Waiting for $lockfile to be removed"
-        sleep 2
+	$show "Waiting for $lockfile to be removed"
+	sleep 2
       done
     elif test "$need_locks" = warn; then
       if test -f "$lockfile"; then
@@ -432,21 +516,49 @@ compiler."
       # Without this assignment, base_compile gets emptied.
       fbsd_hideous_sh_bug=$base_compile
 
-      # All platforms use -DPIC, to notify preprocessed assembler code.
-      command="$base_compile$pic_flag -DPIC $srcfile"
+      if test "$pic_mode" != no; then
+	# All platforms use -DPIC, to notify preprocessed assembler code.
+	command="$base_compile $srcfile $pic_flag -DPIC"
+      else
+	# Don't build PIC code
+	command="$base_compile $srcfile"
+      fi
+      if test "$build_old_libs" = yes; then
+	lo_libobj="$libobj"
+	dir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'`
+	if test "X$dir" = "X$libobj"; then
+	  dir="$objdir"
+	else
+	  dir="$dir/$objdir"
+	fi
+	libobj="$dir/"`$echo "X$libobj" | $Xsed -e 's%^.*/%%'`
+
+	if test -d "$dir"; then
+	  $show "$rm $libobj"
+	  $run $rm $libobj
+	else
+	  $show "$mkdir $dir"
+	  $run $mkdir $dir
+	  status=$?
+	  if test $status -ne 0 && test ! -d $dir; then
+	    exit $status
+	  fi
+	fi
+      fi
       if test "$compiler_o_lo" = yes; then
-        command="$command -o $libobj"
-        output_obj="$libobj"
+	output_obj="$libobj"
+	command="$command -o $output_obj"
       elif test "$compiler_c_o" = yes; then
-        command="$command -o $obj"
-        output_obj="$obj"
+	output_obj="$obj"
+	command="$command -o $output_obj"
       fi
 
+      $run $rm "$output_obj"
       $show "$command"
       if $run eval "$command"; then :
       else
-        test -n "$output_obj" && $run $rm $removelist
-        exit 1
+	test -n "$output_obj" && $run $rm $removelist
+	exit 1
       fi
 
       if test "$need_locks" = warn &&
@@ -470,9 +582,9 @@ compiler."
       fi
 
       # Just move the object if needed, then go on to compile the next one
-      if test "$compiler_o_lo" = no && test x"$output_obj" != x"$libobj"; then
-        $show "$mv $output_obj $libobj"
-        if $run $mv $output_obj $libobj; then :
+      if test x"$output_obj" != x"$libobj"; then
+	$show "$mv $output_obj $libobj"
+	if $run $mv $output_obj $libobj; then :
 	else
 	  error=$?
 	  $run $rm $removelist
@@ -480,14 +592,37 @@ compiler."
 	fi
       fi
 
-      # If we have no pic_flag and do not have -force-static, 
-      # then copy the object into place and finish.
-      if test -z "$pic_flag" && test "$force_static" = no; then
-        $show "$LN_S $libobj $obj"
-        if $run $LN_S $libobj $obj; then
+      # If we have no pic_flag, then copy the object into place and finish.
+      if (test -z "$pic_flag" || test "$pic_mode" != default) &&
+	 test "$build_old_libs" = yes; then
+	# Rename the .lo from within objdir to obj
+	if test -f $obj; then
+	  $show $rm $obj
+	  $run $rm $obj
+	fi
+
+	$show "$mv $libobj $obj"
+	if $run $mv $libobj $obj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+
+	xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
+	if test "X$xdir" = "X$obj"; then
+	  xdir="."
+	else
+	  xdir="$xdir"
+	fi
+	baseobj=`$echo "X$obj" | $Xsed -e "s%.*/%%"`
+	libobj=`$echo "X$baseobj" | $Xsed -e "$o2lo"`
+	# Now arrange that obj and lo_libobj become the same file
+	$show "(cd $xdir && $LN_S $baseobj $libobj)"
+	if $run eval '(cd $xdir && $LN_S $baseobj $libobj)'; then
 	  exit 0
 	else
-          error=$?
+	  error=$?
 	  $run $rm $removelist
 	  exit $error
 	fi
@@ -499,22 +634,26 @@ compiler."
 
     # Only build a position-dependent object if we build old libraries.
     if test "$build_old_libs" = yes; then
-      command="$base_compile $srcfile"
-      if test "$force_static" = yes; then
-        command="$command -DLIBTOOL_STATIC"
+      if test "$pic_mode" != yes; then
+	# Don't build PIC code
+	command="$base_compile $srcfile"
+      else
+	# All platforms use -DPIC, to notify preprocessed assembler code.
+	command="$base_compile $srcfile $pic_flag -DPIC"
       fi
       if test "$compiler_c_o" = yes; then
-        command="$command -o $obj"
-        output_obj="$obj"
+	command="$command -o $obj"
+	output_obj="$obj"
       fi
 
       # Suppress compiler output if we already did a PIC compilation.
       command="$command$suppress_output"
+      $run $rm "$output_obj"
       $show "$command"
       if $run eval "$command"; then :
       else
-        $run $rm $removelist
-        exit 1
+	$run $rm $removelist
+	exit 1
       fi
 
       if test "$need_locks" = warn &&
@@ -538,9 +677,25 @@ compiler."
       fi
 
       # Just move the object if needed
-      if test "$compiler_c_o" = no && test x"$output_obj" != x"$obj"; then
-        $show "$mv $output_obj $obj"
-        if $run $mv $output_obj $obj; then :
+      if test x"$output_obj" != x"$obj"; then
+	$show "$mv $output_obj $obj"
+	if $run $mv $output_obj $obj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+
+      # Create an invalid libtool object if no PIC, so that we do not
+      # accidentally link it into a program.
+      if test "$build_libtool_libs" != yes; then
+	$show "echo timestamp > $libobj"
+	$run eval "echo timestamp > \$libobj" || exit $?
+      else
+	# Move the .lo from within objdir
+	$show "$mv $libobj $lo_libobj"
+	if $run $mv $libobj $lo_libobj; then :
 	else
 	  error=$?
 	  $run $rm $removelist
@@ -554,49 +709,71 @@ compiler."
       $rm "$lockfile"
     fi
 
-    # Create an invalid libtool object if no PIC, so that we do not
-    # accidentally link it into a program.
-    if test "$build_libtool_libs" != yes; then
-      $show "echo timestamp > $libobj"
-      $run eval "echo timestamp > \$libobj" || exit $?
-    fi
-
     exit 0
     ;;
 
   # libtool link mode
-  link)
+  link | relink)
     modename="$modename: link"
-    C_compiler="$CC" # save it, to compile generated C sources
-    CC="$nonopt"
-    allow_undefined=yes
-    compile_command="$CC"
-    finalize_command="$CC"
+    case "$host" in
+    *-*-cygwin* | *-*-mingw* | *-*-os2*)
+      # It is impossible to link a dll without this setting, and
+      # we shouldn't force the makefile maintainer to figure out
+      # which system we are compiling for in order to pass an extra
+      # flag for every libtool invokation.
+      # allow_undefined=no
+
+      # FIXME: Unfortunately, there are problems with the above when trying
+      # to make a dll which has undefined symbols, in which case not
+      # even a static library is built.  For now, we need to specify
+      # -no-undefined on the libtool link line when we can be certain
+      # that all symbols are satisfied, otherwise we get a static library.
+      allow_undefined=yes
+      ;;
+    *)
+      allow_undefined=yes
+      ;;
+    esac
+    libtool_args="$nonopt"
+    compile_command="$nonopt"
+    finalize_command="$nonopt"
 
+    compile_rpath=
+    finalize_rpath=
     compile_shlibpath=
     finalize_shlibpath=
     convenience=
     old_convenience=
     deplibs=
-    eval lib_search_path=\"$sys_lib_search_path\"
-    
+    old_deplibs=
+    compiler_flags=
+    linker_flags=
+    dllsearchpath=
+    lib_search_path=`pwd`
+
+    avoid_version=no
     dlfiles=
     dlprefiles=
+    dlself=no
     export_dynamic=no
     export_symbols=
+    export_symbols_regex=
     generated=
-    hardcode_libdirs=
     libobjs=
-    link_against_libtool_libs=
     ltlibs=
     module=no
+    no_install=no
     objs=
+    prefer_static_libs=no
+    preload=no
     prev=
     prevarg=
     release=
     rpath=
+    xrpath=
     perm_rpath=
     temp_rpath=
+    thread_safe=no
     vinfo=
 
     # We need to know -static, to get the right output filenames.
@@ -604,13 +781,23 @@ compiler."
     do
       case "$arg" in
       -all-static | -static)
-        if test "X$arg" = "X-all-static" && test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
+	if test "X$arg" = "X-all-static"; then
+	  if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
 	    $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
-        fi
-        build_libtool_libs=no
+	  fi
+	  if test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	else
+	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	fi
+	build_libtool_libs=no
 	build_old_libs=yes
-        break
-        ;;
+	prefer_static_libs=yes
+	break
+	;;
       esac
     done
 
@@ -621,51 +808,127 @@ compiler."
     while test $# -gt 0; do
       arg="$1"
       shift
+      case "$arg" in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test
+	;;
+      *) qarg=$arg ;;
+      esac
+      libtool_args="$libtool_args $qarg"
 
       # If the previous option needs an argument, assign it.
       if test -n "$prev"; then
-        case "$prev" in
-        output)
-          compile_command="$compile_command @OUTPUT@"
-          finalize_command="$finalize_command @OUTPUT@"
-          ;;
-        esac
-
-        case "$prev" in
-        dlfiles|dlprefiles)
-          case "$arg" in
-          *.la | *.lo) ;;  # We handle these cases below.
-          *)
-            dlprefiles="$dlprefiles $arg"
-            test "$prev" = dlfiles && dlfiles="$dlfiles $arg"
-            prev=
-            ;;
-          esac
-          ;;
-	exportsyms)
+	case "$prev" in
+	output)
+	  compile_command="$compile_command @OUTPUT@"
+	  finalize_command="$finalize_command @OUTPUT@"
+	  ;;
+	esac
+
+	case "$prev" in
+	dlfiles|dlprefiles)
+	  if test "$preload" = no; then
+	    # Add the symbol object into the linking commands.
+	    compile_command="$compile_command @SYMFILE@"
+	    finalize_command="$finalize_command @SYMFILE@"
+	    preload=yes
+	  fi
+	  case "$arg" in
+	  *.la | *.lo) ;;  # We handle these cases below.
+	  force)
+	    if test "$dlself" = no; then
+	      dlself=needless
+	      export_dynamic=yes
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  self)
+	    if test "$prev" = dlprefiles; then
+	      dlself=yes
+	    elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
+	      dlself=yes
+	    else
+	      dlself=needless
+	      export_dynamic=yes
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  *)
+	    if test "$prev" = dlfiles; then
+	      dlfiles="$dlfiles $arg"
+	    else
+	      dlprefiles="$dlprefiles $arg"
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  esac
+	  ;;
+	expsyms)
 	  export_symbols="$arg"
-          if test ! -f "$arg"; then
-            $echo "$modename: symbol file \`$arg' does not exist"
-            exit 1
-          fi
+	  if test ! -f "$arg"; then
+	    $echo "$modename: symbol file \`$arg' does not exist"
+	    exit 1
+	  fi
 	  prev=
+	  continue
+	  ;;
+	expsyms_regex)
+	  export_symbols_regex="$arg"
+	  prev=
+	  continue
 	  ;;
 	release)
 	  release="-$arg"
 	  prev=
 	  continue
 	  ;;
-        rpath)
-          rpath="$rpath $arg"
+	rpath | xrpath)
+	  # We need an absolute path.
+	  case "$arg" in
+	  [\\/]* | [A-Za-z]:[\\/]*) ;;
+	  *)
+	    $echo "$modename: only absolute run-paths are allowed" 1>&2
+	    exit 1
+	    ;;
+	  esac
+	  if test "$prev" = rpath; then
+	    case "$rpath " in
+	    *" $arg "*) ;;
+	    *) rpath="$rpath $arg" ;;
+	    esac
+	  else
+	    case "$xrpath " in
+	    *" $arg "*) ;;
+	    *) xrpath="$xrpath $arg" ;;
+	    esac
+	  fi
+	  prev=
+	  continue
+	  ;;
+	xcompiler)
+	  compiler_flags="$compiler_flags $qarg"
 	  prev=
+	  compile_command="$compile_command $qarg"
+	  finalize_command="$finalize_command $qarg"
 	  continue
 	  ;;
-        *)
-          eval "$prev=\"\$arg\""
-          prev=
-          continue
-          ;;
-        esac
+	xlinker)
+	  linker_flags="$linker_flags $qarg"
+	  compiler_flags="$compiler_flags $wl$qarg"
+	  prev=
+	  compile_command="$compile_command $wl$qarg"
+	  finalize_command="$finalize_command $wl$qarg"
+	  continue
+	  ;;
+	*)
+	  eval "$prev=\"\$arg\""
+	  prev=
+	  continue
+	  ;;
+	esac
       fi
 
       prevarg="$arg"
@@ -673,10 +936,10 @@ compiler."
       case "$arg" in
       -all-static)
 	if test -n "$link_static_flag"; then
-          compile_command="$compile_command $link_static_flag"
+	  compile_command="$compile_command $link_static_flag"
 	  finalize_command="$finalize_command $link_static_flag"
-        fi
-        continue
+	fi
+	continue
 	;;
 
       -allow-undefined)
@@ -685,68 +948,121 @@ compiler."
 	continue
 	;;
 
+      -avoid-version)
+	avoid_version=yes
+	continue
+	;;
+
       -dlopen)
-        prev=dlfiles
-        continue
-        ;;
+	prev=dlfiles
+	continue
+	;;
 
       -dlpreopen)
-        prev=dlprefiles
-        continue
-        ;;
+	prev=dlprefiles
+	continue
+	;;
 
       -export-dynamic)
-        if test "$export_dynamic" != yes; then
-          export_dynamic=yes
-	  if test -n "$export_dynamic_flag_spec"; then
-	    eval arg=\"$export_dynamic_flag_spec\"
-	  else
-	    arg=
-	  fi
-
-          # Add the symbol object into the linking commands.
-	  compile_command="$compile_command @SYMFILE@"
-	  finalize_command="$finalize_command @SYMFILE@"
-        fi
-        ;;
+	export_dynamic=yes
+	continue
+	;;
 
-      -export-symbols)
-        if test -n "$export_symbols"; then
-          $echo "$modename: cannot have more than one -exported-symbols"
-          exit 1
-        fi
-	prev=exportsyms
+      -export-symbols | -export-symbols-regex)
+	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+	  $echo "$modename: not more than one -exported-symbols argument allowed"
+	  exit 1
+	fi
+	if test "X$arg" = "X-export-symbols"; then
+	  prev=expsyms
+	else
+	  prev=expsyms_regex
+	fi
 	continue
-        ;;
+	;;
 
       -L*)
-        dir=`$echo "X$arg" | $Xsed -e 's%^-L\(.*\)$%\1%'`
-        case "$dir" in
-        /* | [A-Za-z]:[/\\]*)
-	  # Add the corresponding hardcode_libdir_flag, if it is not identical.
-          ;;
-        *)
-          $echo "$modename: \`-L$dir' cannot specify a relative directory" 1>&2
-          exit 1
-          ;;
-        esac
-        deplibs="$deplibs $arg"
-        lib_search_path="$lib_search_path `expr $arg : '-L\(.*\)'`"
-        ;;
-
-      -l*) deplibs="$deplibs $arg" ;;
-
-      -module)
-        if test "$module" != yes; then
-          module=yes
-	  if test -n "$export_dynamic_flag_spec"; then
-	    eval arg=\"$export_dynamic_flag_spec\"
-	  else
-	    arg=
+	dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
+	# We need an absolute path.
+	case "$dir" in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	*)
+	  absdir=`cd "$dir" && pwd`
+	  if test -z "$absdir"; then
+	    $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
+	    exit 1
 	  fi
+	  dir="$absdir"
+	  ;;
+	esac
+	case "$deplibs " in
+	*" -L$dir "*) ;;
+	*)
+	  deplibs="$deplibs -L$dir"
+	  lib_search_path="$lib_search_path $dir"
+	  ;;
+	esac
+	case "$host" in
+	*-*-cygwin* | *-*-mingw* | *-*-os2*)
+	  case ":$dllsearchpath:" in
+	  *":$dir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$dir";;
+	  esac
+	  ;;
+	esac
+	continue
+	;;
+
+      -l*)
+	if test "$arg" = "-lc"; then
+	  case "$host" in
+	  *-*-cygwin* | *-*-mingw* | *-*-os2* | *-*-beos*)
+	    # These systems don't actually have c library (as such)
+	    continue
+	    ;;
+	  esac
+	elif test "$arg" = "-lm"; then
+	  case "$host" in
+	  *-*-cygwin* | *-*-beos*)
+	    # These systems don't actually have math library (as such)
+	    continue
+	    ;;
+	  esac
 	fi
-        ;;
-	
+	deplibs="$deplibs $arg"
+	continue
+	;;
+
+      -module)
+	module=yes
+	continue
+	;;
+
+      -no-fast-install)
+	fast_install=no
+	continue
+	;;
+
+      -no-install)
+	case "$host" in
+	*-*-cygwin* | *-*-mingw* | *-*-os2*)
+	  # The PATH hackery in wrapper scripts is required on Windows
+	  # in order for the loader to find any dlls it needs.
+	  $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2
+	  $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2
+	  fast_install=no
+	  ;;
+        *-*-rhapsody*)
+	  # rhapsody is a little odd...
+	  deplibs="$deplibs -framework System"
+	  ;;
+	*)
+	  no_install=yes
+	  ;;
+	esac
+	continue
+	;;
+
       -no-undefined)
 	allow_undefined=no
 	continue
@@ -760,23 +1076,97 @@ compiler."
 	;;
 
       -rpath)
-        prev=rpath
-        continue
-        ;;
+	prev=rpath
+	continue
+	;;
+
+      -R)
+	prev=xrpath
+	continue
+	;;
+
+      -R*)
+	dir=`$echo "X$arg" | $Xsed -e 's/^-R//'`
+	# We need an absolute path.
+	case "$dir" in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	*)
+	  $echo "$modename: only absolute run-paths are allowed" 1>&2
+	  exit 1
+	  ;;
+	esac
+	case "$xrpath " in
+	*" $dir "*) ;;
+	*) xrpath="$xrpath $dir" ;;
+	esac
+	continue
+	;;
 
       -static)
 	# If we have no pic_flag, then this is the same as -all-static.
 	if test -z "$pic_flag" && test -n "$link_static_flag"; then
-          compile_command="$compile_command $link_static_flag"
+	  compile_command="$compile_command $link_static_flag"
 	  finalize_command="$finalize_command $link_static_flag"
-        fi
+	fi
+	continue
+	;;
+
+      -thread-safe)
+	thread_safe=yes
 	continue
 	;;
 
       -version-info)
-        prev=vinfo
-        continue
-        ;;
+	prev=vinfo
+	continue
+	;;
+
+      -Wc,*)
+	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'`
+	arg=
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=','
+	for flag in $args; do
+	  IFS="$save_ifs"
+	  case "$flag" in
+	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	    flag="\"$flag\""
+	    ;;
+	  esac
+	  arg="$arg $wl$flag"
+	  compiler_flags="$compiler_flags $flag"
+	done
+	IFS="$save_ifs"
+	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+	;;
+
+      -Wl,*)
+	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'`
+	arg=
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=','
+	for flag in $args; do
+	  IFS="$save_ifs"
+	  case "$flag" in
+	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	    flag="\"$flag\""
+	    ;;
+	  esac
+	  arg="$arg $wl$flag"
+	  compiler_flags="$compiler_flags $wl$flag"
+	  linker_flags="$linker_flags $flag"
+	done
+	IFS="$save_ifs"
+	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+	;;
+
+      -Xcompiler)
+	prev=xcompiler
+	continue
+	;;
+
+      -Xlinker)
+	prev=xlinker
+	continue
+	;;
 
       # Some other compiler flag.
       -* | +*)
@@ -784,22 +1174,23 @@ compiler."
 	# to be aesthetically quoted because they are evaled later.
 	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
 	case "$arg" in
-	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
 	  arg="\"$arg\""
 	  ;;
 	esac
-        ;;
+	;;
 
-      *.o | *.obj | *.a | *.lib)
-        # A standard object.
-        objs="$objs $arg"
-        ;;
+      *.$objext)
+	# A standard object.
+	objs="$objs $arg"
+	;;
 
       *.lo)
-        # A library object.
+	# A library object.
 	if test "$prev" = dlfiles; then
-	  dlfiles="$dlfiles $arg"
-	  if test "$build_libtool_libs" = yes; then
+	  # This file was specified with -dlopen.
+	  if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+	    dlfiles="$dlfiles $arg"
 	    prev=
 	    continue
 	  else
@@ -812,237 +1203,34 @@ compiler."
 	  # Preload the old-style object.
 	  dlprefiles="$dlprefiles "`$echo "X$arg" | $Xsed -e "$lo2o"`
 	  prev=
+	else
+	  libobjs="$libobjs $arg"
 	fi
-	libobjs="$libobjs $arg"
-        ;;
-
-      *.la)
-        # A libtool-controlled library.
-
-        dlname=
-        libdir=
-        library_names=
-        old_library=
-
-        # Check to see that this really is a libtool archive.
-        if (sed -e '2q' $arg | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
-        else
-          $echo "$modename: \`$arg' is not a valid libtool archive" 1>&2
-          exit 1
-        fi
-
-	# If the library was installed with an old release of libtool,
-	# it will not redefine variable installed.
-	installed=yes
-
-        # If there is no directory component, then add one.
-        case "$arg" in
-        */* | *\\*) . $arg ;;
-        *) . ./$arg ;;
-        esac
-
-        # Get the name of the library we link against.
-        linklib=
-        for l in $old_library $library_names; do
-          linklib="$l"
-        done
+	;;
 
-        if test -z "$linklib"; then
-          $echo "$modename: cannot find name of link library for \`$arg'" 1>&2
-          exit 1
-        fi
+      *.$libext)
+	# An archive.
+	deplibs="$deplibs $arg"
+	old_deplibs="$old_deplibs $arg"
+	continue
+	;;
 
-        # Find the relevant object directory and library name.
-        name=`$echo "X$arg" | $Xsed -e 's%^.*/%%' -e 's/\.la$//' -e 's/^lib//'`
+      *.la)
+	# A libtool-controlled library.
 
-	if test "X$installed" = Xyes; then
-	  dir="$libdir"
+	if test "$prev" = dlfiles; then
+	  # This library was specified with -dlopen.
+	  dlfiles="$dlfiles $arg"
+	  prev=
+	elif test "$prev" = dlprefiles; then
+	  # The library was specified with -dlpreopen.
+	  dlprefiles="$dlprefiles $arg"
+	  prev=
 	else
-	  dir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
-	  if test "X$dir" = "X$arg"; then
-	    dir="$objdir"
-	  else
-	    dir="$dir/$objdir"
-	  fi
-	fi
-
-        if test -z "$libdir"; then
-	  # It is a libtool convenience library, so add in its objects.
-	  convenience="$convenience $dir/$old_library"
-	  old_convenience="$old_convenience $dir/$old_library"
-	  deplibs="$deplibs$dependency_libs"
-	  compile_command="$compile_command $dir/$old_library$dependency_libs"
-	  finalize_command="$finalize_command $dir/$old_library$dependency_libs"
-	  continue
+	  deplibs="$deplibs $arg"
 	fi
-
-        # This library was specified with -dlopen.
-        if test "$prev" = dlfiles; then
-          dlfiles="$dlfiles $arg"
-          if test -z "$dlname" || test "$build_libtool_libs" = no; then
-            # If there is no dlname or we're linking statically,
-            # we need to preload.
-            prev=dlprefiles
-          else
-            # We should not create a dependency on this library, but we
-	    # may need any libraries it requires.
-	    compile_command="$compile_command$dependency_libs"
-	    finalize_command="$finalize_command$dependency_libs"
-            prev=
-            continue
-          fi
-        fi
-
-        # The library was specified with -dlpreopen.
-        if test "$prev" = dlprefiles; then
-          # Prefer using a static library (so that no silly _DYNAMIC symbols
-          # are required to link).
-          if test -n "$old_library"; then
-            dlprefiles="$dlprefiles $dir/$old_library"
-          else
-            dlprefiles="$dlprefiles $dir/$linklib"
-          fi
-          prev=
-        fi
-
-        if test "$build_libtool_libs" = yes && test -n "$library_names"; then
-          link_against_libtool_libs="$link_against_libtool_libs $arg"
-          if test -n "$shlibpath_var"; then
-            # Make sure the rpath contains only unique directories.
-            case "$temp_rpath " in
-            *" $dir "*) ;;
-            *) temp_rpath="$temp_rpath $dir" ;;
-            esac
-          fi
-
-	  # This is the magic to use -rpath.
-          if test -n "$hardcode_libdir_flag_spec"; then
-            if test -n "$hardcode_libdir_separator"; then
-              if test -z "$hardcode_libdirs"; then
-                # Put the magic libdir with the hardcode flag.
-                hardcode_libdirs="$libdir"
-                libdir="@HARDCODE_LIBDIRS@"
-              else
-                # Just accumulate the unique libdirs.
-		case "$hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator" in
-		*"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
-		  ;;
-		*)
-		  hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
-		  ;;
-		esac
-                libdir=
-              fi
-            fi
-
-            if test -n "$libdir"; then
-              eval flag=\"$hardcode_libdir_flag_spec\"
-
-              compile_command="$compile_command $flag"
-              finalize_command="$finalize_command $flag"
-            fi
-          elif test -n "$runpath_var"; then
-            # Do the same for the permanent run path.
-            case "$perm_rpath " in
-            *" $libdir "*) ;;
-            *) perm_rpath="$perm_rpath $libdir" ;;
-            esac
-          fi
-
-
-	  lib_linked=yes
-          case "$hardcode_action" in
-          immediate | unsupported)
-            if test "$hardcode_direct" = no; then
-              compile_command="$compile_command $dir/$linklib"
-            elif test "$hardcode_minus_L" = no; then
-	      case "$host" in
-	      *-*-sunos*)
-                compile_shlibpath="$compile_shlibpath$dir:"
-		;;
-	      esac
-              compile_command="$compile_command -L$dir -l$name"
-            elif test "$hardcode_shlibpath_var" = no; then
-              compile_shlibpath="$compile_shlibpath$dir:"
-              compile_command="$compile_command -l$name"
-	    else
-	      lib_linked=no
-            fi
-            ;;
-
-          relink)
-            # We need an absolute path.
-            case "$dir" in
-            /* | [A-Za-z]:[/\\]*) ;;
-            *)
-              absdir=`cd "$dir" && pwd`
-              if test -z "$absdir"; then
-                $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
-                exit 1
-              fi
-              dir="$absdir"
-              ;;
-            esac
-
-            if test "$hardcode_direct" = yes; then
-              compile_command="$compile_command $dir/$linklib"
-            elif test "$hardcode_minus_L" = yes; then
-              compile_command="$compile_command -L$dir -l$name"
-            elif test "$hardcode_shlibpath_var" = yes; then
-              compile_shlibpath="$compile_shlibpath$dir:"
-              compile_command="$compile_command -l$name"
-	    else
-	      lib_linked=no
-            fi
-            ;;
-
-	  *)
-	    lib_linked=no
-	    ;;
-          esac
-
-	  if test "$lib_linked" != yes; then
-	    $echo "$modename: configuration error: unsupported hardcode properties"
-	    exit 1
-	  fi
-
-          # Finalize command for both is simple: just hardcode it.
-          if test "$hardcode_direct" = yes; then
-            finalize_command="$finalize_command $libdir/$linklib"
-          elif test "$hardcode_minus_L" = yes; then
-            finalize_command="$finalize_command -L$libdir -l$name"
-          elif test "$hardcode_shlibpath_var" = yes; then
-            finalize_shlibpath="$finalize_shlibpath$libdir:"
-            finalize_command="$finalize_command -l$name"
-          else
-            # We cannot seem to hardcode it, guess we'll fake it.
-            finalize_command="$finalize_command -L$libdir -l$name"
-          fi
-        else
-          # Transform directly to old archives if we don't build new libraries.
-          if test -n "$pic_flag" && test -z "$old_library"; then
-            $echo "$modename: cannot find static library for \`$arg'" 1>&2
-            exit 1
-          fi
-
-	  # Here we assume that one of hardcode_direct or hardcode_minus_L
-	  # is not unsupported.  This is valid on all known static and
-	  # shared platforms.
-	  if test "$hardcode_direct" != unsupported; then
-	    test -n "$old_library" && linklib="$old_library"
-	    compile_command="$compile_command $dir/$linklib"
-	    finalize_command="$finalize_command $dir/$linklib"
-	  else
-	    compile_command="$compile_command -L$dir -l$name"
-	    finalize_command="$finalize_command -L$dir -l$name"
-	  fi
-        fi
-
-	# Add in any libraries that this one depends upon.
-	compile_command="$compile_command$dependency_libs"
-	finalize_command="$finalize_command$dependency_libs"
 	continue
-        ;;
+	;;
 
       # Some other compiler argument.
       *)
@@ -1050,11 +1238,11 @@ compiler."
 	# to be aesthetically quoted because they are evaled later.
 	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
 	case "$arg" in
-	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
 	  arg="\"$arg\""
 	  ;;
 	esac
-        ;;
+	;;
       esac
 
       # Now actually substitute the argument into the commands.
@@ -1070,96 +1258,890 @@ compiler."
       exit 1
     fi
 
-    if test -n "$export_symbols" && test "$module" = yes; then
-      $echo "$modename: \`-export-symbols' is not supported for modules"
-      exit 1
+    if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
+      eval arg=\"$export_dynamic_flag_spec\"
+      compile_command="$compile_command $arg"
+      finalize_command="$finalize_command $arg"
     fi
-    
+
     oldlibs=
     # calculate the name of the file, without its directory
     outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'`
+    libobjs_save="$libobjs"
+
+    if test -n "$shlibpath_var"; then
+      # get the directories listed in $shlibpath_var
+      eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+    else
+      shlib_search_path=
+    fi
+    eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
+    eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
 
+    output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
+    if test "X$output_objdir" = "X$output"; then
+      output_objdir="$objdir"
+    else
+      output_objdir="$output_objdir/$objdir"
+    fi
+    # Create the object directory.
+    if test ! -d $output_objdir; then
+      $show "$mkdir $output_objdir"
+      $run $mkdir $output_objdir
+      status=$?
+      if test $status -ne 0 && test ! -d $output_objdir; then
+	exit $status
+      fi
+    fi
+
+    # Determine the type of output
     case "$output" in
     "")
       $echo "$modename: you must specify an output file" 1>&2
       $echo "$help" 1>&2
       exit 1
       ;;
+    *.$libext) linkmode=oldlib ;;
+    *.lo | *.$objext) linkmode=obj ;;
+    *.la) linkmode=lib ;;
+    *) linkmode=prog ;; # Anything else should be a program.
+    esac
+
+    specialdeplibs=
+    libs=
+    # Find all interdependent deplibs by searching for libraries
+    # that are linked more than once (e.g. -la -lb -la)
+    for deplib in $deplibs; do
+      case "$libs " in
+      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+      esac
+      libs="$libs $deplib"
+    done
+    deplibs=
+    newdependency_libs=
+    newlib_search_path=
+    need_relink=no # whether we're linking any uninstalled libtool libraries
+    uninst_deplibs= # uninstalled libtool libraries
+    uninst_path= # paths that contain uninstalled libtool libraries
+    case $linkmode in
+    lib)
+	passes="conv link"
+	for file in $dlfiles $dlprefiles; do
+	  case "$file" in
+	  *.la) ;;
+	  *)
+	    $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
+	    exit 1
+	    ;;
+	  esac
+	done
+	;;
+    prog)
+	compile_deplibs=
+	finalize_deplibs=
+	alldeplibs=no
+	newdlfiles=
+	newdlprefiles=
+	passes="conv scan dlopen dlpreopen link"
+	;;
+    *)	passes="conv"
+	;;
+    esac
+    for pass in $passes; do
+      if test "$linkmode,$pass" = "lib,link" ||
+	 test "$linkmode,$pass" = "prog,scan"; then
+	libs="$deplibs"
+	deplibs=
+      fi
+      if test $linkmode = prog; then
+	case $pass in
+	dlopen) libs="$dlfiles" ;;
+	dlpreopen) libs="$dlprefiles" ;;
+	link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
+	esac
+      fi
+      if test $pass = dlopen; then
+	# Collect dlpreopened libraries
+	save_deplibs="$deplibs"
+	deplibs=
+      fi
+      for deplib in $libs; do
+	lib=
+	found=no
+	case "$deplib" in
+	-l*)
+	  if test $linkmode != lib && test $linkmode != prog; then
+	    $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2
+	    continue
+	  fi
+	  if test $pass = conv; then
+	    deplibs="$deplib $deplibs"
+	    continue
+	  fi
+	  name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
+	  for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do
+	    # Search the libtool library
+	    lib="$searchdir/lib${name}.la"
+	    if test -f "$lib"; then
+	      found=yes
+	      break
+	    fi
+	  done
+	  if test "$found" != yes; then
+	    if test "$linkmode,$pass" = "prog,link"; then
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      deplibs="$deplib $deplibs"
+	      test $linkmode = lib && newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    continue
+	  fi
+	  ;;
+	-L*)
+	  case $linkmode in
+	  lib)
+	    deplibs="$deplib $deplibs"
+	    test $pass = conv && continue
+	    newdependency_libs="$deplib $newdependency_libs"
+	    newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+	    ;;
+	  prog)
+	    if test $pass = conv; then
+	      deplibs="$deplib $deplibs"
+	      continue
+	    fi
+	    if test $pass = scan; then
+	      deplibs="$deplib $deplibs"
+	      newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    ;;
+	  *)
+	    $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2
+	    ;;
+	  esac
+	  continue
+	  ;;
+	-R*)
+	  if test $pass = link; then
+	    dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'`
+	    # Make sure the xrpath contains only unique directories.
+	    case "$xrpath " in
+	    *" $dir "*) ;;
+	    *) xrpath="$xrpath $dir" ;;
+	    esac
+	  fi
+	  deplibs="$deplib $deplibs"
+	  continue
+	  ;;
+	*.la) lib="$deplib" ;;
+	*.$libext)
+	  if test $pass = conv; then
+	    deplibs="$deplib $deplibs"
+	    continue
+	  fi
+	  case $linkmode in
+	  lib)
+	    if test "$deplibs_check_method" != pass_all; then
+	      echo
+	      echo "*** Warning: This library needs some functionality provided by $deplib."
+	      echo "*** I have the capability to make that library automatically link in when"
+	      echo "*** you link to this library.  But I can only do this if you have a"
+	      echo "*** shared version of the library, which you do not appear to have."
+	    else
+	      echo
+	      echo "*** Warning: Linking the shared library $output against the"
+	      echo "*** static library $deplib is not portable!"
+	      deplibs="$deplib $deplibs"
+	    fi
+	    continue
+	    ;;
+	  prog)
+	    if test $pass != link; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    continue
+	    ;;
+	  esac
+	  ;;
+	*.lo | *.$objext)
+	  if test $pass = conv; then
+	    deplibs="$deplib $deplibs"
+	  elif test $linkmode = prog; then
+	    if test $pass = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+	      # If there is no dlopen support or we're linking statically,
+	      # we need to preload.
+	      newdlprefiles="$newdlprefiles $deplib"
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      newdlfiles="$newdlfiles $deplib"
+	    fi
+	  fi
+	  continue
+	  ;;
+	%DEPLIBS%)
+	  alldeplibs=yes
+	  continue
+	  ;;
+	esac
+	if test $found = yes || test -f "$lib"; then :
+	else
+	  $echo "$modename: cannot find the library \`$lib'" 1>&2
+	  exit 1
+	fi
+
+	# Check to see that this really is a libtool archive.
+	if (sed -e '2q' $lib | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+	  exit 1
+	fi
+
+	ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$ladir" = "X$lib" && ladir="."
+
+	dlname=
+	dlopen=
+	dlpreopen=
+	libdir=
+	library_names=
+	old_library=
+	# If the library was installed with an old release of libtool,
+	# it will not redefine variable installed.
+	installed=yes
+
+	# Read the .la file
+	case "$lib" in
+	*/* | *\\*) . $lib ;;
+	*) . ./$lib ;;
+	esac
+
+	if test "$linkmode,$pass" = "lib,link" ||
+	   test "$linkmode,$pass" = "prog,scan" ||
+	   { test $linkmode != prog && test $linkmode != lib; }; then
+	  test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
+	  test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+	fi
+
+	if test $pass = conv; then
+	  # only check for convenience libraries
+	  deplibs="$lib $deplibs"
+	  if test -z "$libdir"; then
+	    if test -z "$old_library"; then
+	      $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+	      exit 1
+	    fi
+	    # It is a libtool convenience library, so add in its objects.
+	    convenience="$convenience $ladir/$objdir/$old_library"
+	    old_convenience="$old_convenience $ladir/$objdir/$old_library"
+	    tmp_libs=
+	    for deplib in $dependency_libs; do
+	      deplibs="$deplib $deplibs"
+	      case "$tmp_libs " in
+	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      esac
+	      tmp_libs="$tmp_libs $deplib"
+	    done
+	  elif test $linkmode != prog && test $linkmode != lib; then
+	    $echo "$modename: \`$lib' is not a convenience library" 1>&2
+	    exit 1
+	  fi
+	  continue
+	fi
+
+	# Get the name of the library we link against.
+	linklib=
+	for l in $old_library $library_names; do
+	  linklib="$l"
+	done
+	if test -z "$linklib"; then
+	  $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+	  exit 1
+	fi
+
+	# This library was specified with -dlopen.
+	if test $pass = dlopen; then
+	  if test -z "$libdir"; then
+	    $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
+	    exit 1
+	  fi
+	  if test -z "$dlname" || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+	    # If there is no dlname, no dlopen support or we're linking statically,
+	    # we need to preload.
+	    dlprefiles="$dlprefiles $lib"
+	  else
+	    newdlfiles="$newdlfiles $lib"
+	  fi
+	  continue
+	fi
+
+	# We need an absolute path.
+	case "$ladir" in
+	[\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
+	*)
+	  abs_ladir=`cd "$ladir" && pwd`
+	  if test -z "$abs_ladir"; then
+	    $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2
+	    $echo "$modename: passing it literally to the linker, although it might fail" 1>&2
+	    abs_ladir="$ladir"
+	  fi
+	  ;;
+	esac
+	laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+
+	# Find the relevant object directory and library name.
+	if test "X$installed" = Xyes; then
+	  if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	    $echo "$modename: warning: library \`$lib' was moved." 1>&2
+	    dir="$ladir"
+	    absdir="$abs_ladir"
+	    libdir="$abs_ladir"
+	  else
+	    dir="$libdir"
+	    absdir="$libdir"
+	  fi
+	else
+	  dir="$ladir/$objdir"
+	  absdir="$abs_ladir/$objdir"
+	  # Remove this search path later
+	  uninst_path="$uninst_path $abs_ladir"
+	fi
+	name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+
+	# This library was specified with -dlpreopen.
+	if test $pass = dlpreopen; then
+	  if test -z "$libdir"; then
+	    $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
+	    exit 1
+	  fi
+	  # Prefer using a static library (so that no silly _DYNAMIC symbols
+	  # are required to link).
+	  if test -n "$old_library"; then
+	    newdlprefiles="$newdlprefiles $dir/$old_library"
+	  else
+	    newdlprefiles="$newdlprefiles $dir/$linklib"
+	  fi
+	fi
+
+	if test -z "$libdir"; then
+	  # link the convenience library
+	  if test $linkmode = lib; then
+	    deplibs="$dir/$old_library $deplibs"
+	  elif test "$linkmode,$pass" = "prog,link"; then
+	    compile_deplibs="$dir/$old_library $compile_deplibs"
+	    finalize_deplibs="$dir/$old_library $finalize_deplibs"
+	  else
+	    deplibs="$lib $deplibs" # used for prog,scan pass
+	  fi
+	  continue
+	fi
+
+	if test $linkmode = prog && test $pass != link; then
+	  newlib_search_path="$newlib_search_path $ladir"
+	  deplibs="$lib $deplibs"
+
+	  linkalldeplibs=no
+	  if test "$link_all_deplibs" != no || test -z "$library_names" ||
+	     test "$build_libtool_libs" = no; then
+	    linkalldeplibs=yes
+	  fi
+
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    case "$deplib" in
+	    -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test
+	    esac
+	    # Need to link against all dependency_libs?
+	    if test $linkalldeplibs = yes; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      # Need to hardcode shared library paths
+	      # or/and link against static libraries
+	      newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    case "$tmp_libs " in
+	    *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	    esac
+	    tmp_libs="$tmp_libs $deplib"
+	  done
+	  continue
+	fi
+
+	if test "$linkmode,$pass" = "prog,link"; then
+	  if test -n "$library_names" &&
+	     { test "$hardcode_into_libs" != all || test "$alldeplibs" != yes; } &&
+	     { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+	    # We need to hardcode the library path
+	    if test -n "$shlibpath_var"; then
+	      # Make sure the rpath contains only unique directories.
+	      case "$temp_rpath " in
+	      *" $dir "*) ;;
+	      *" $absdir "*) ;;
+	      *) temp_rpath="$temp_rpath $dir" ;;
+	      esac
+	    fi
+
+	    # Hardcode the library path.
+	    # Skip directories that are in the system default run-time
+	    # search path.
+	    case " $sys_lib_dlsearch_path " in
+	    *" $absdir "*) ;;
+	    *)
+	      case "$compile_rpath " in
+	      *" $absdir "*) ;;
+	      *) compile_rpath="$compile_rpath $absdir"
+	      esac
+	      ;;
+	    esac
+
+	    case " $sys_lib_dlsearch_path " in
+	    *" $libdir "*) ;;
+	    *)
+	      case "$finalize_rpath " in
+	      *" $libdir "*) ;;
+	      *) finalize_rpath="$finalize_rpath $libdir"
+	      esac
+	      ;;
+	    esac
+	  fi
+
+	  if test "$alldeplibs" = yes &&
+	     { test "$deplibs_check_method" = pass_all ||
+	       { test "$build_libtool_libs" = yes &&
+		 test -n "$library_names"; }; }; then
+	    # We only need to search for static libraries
+	    continue
+	  fi
+	fi
+
+	link_static=no # Whether the deplib will be linked statically
+	if test -n "$library_names" &&
+	   { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+	  if test "$installed" = no; then
+	    uninst_deplibs="$uninst_deplibs $lib"
+	    need_relink=yes
+	  fi
+	  # This is a shared library
+	  if test $linkmode = lib && test "$hardcode_into_libs" = all; then
+	    # Hardcode the library path.
+	    # Skip directories that are in the system default run-time
+	    # search path.
+	    case " $sys_lib_dlsearch_path " in
+	    *" $absdir "*) ;;
+	    *)
+	      case "$compile_rpath " in
+	      *" $absdir "*) ;;
+	      *) compile_rpath="$compile_rpath $absdir"
+	      esac
+	      ;;
+	    esac
+	    case " $sys_lib_dlsearch_path " in
+	    *" $libdir "*) ;;
+	    *)
+	      case "$finalize_rpath " in
+	      *" $libdir "*) ;;
+	      *) finalize_rpath="$finalize_rpath $libdir"
+	      esac
+	      ;;
+	    esac
+	  fi
+
+	  if test -n "$old_archive_from_expsyms_cmds"; then
+	    # figure out the soname
+	    set dummy $library_names
+	    realname="$2"
+	    shift; shift
+	    libname=`eval \\$echo \"$libname_spec\"`
+	    if test -n "$soname_spec"; then
+	      eval soname=\"$soname_spec\"
+	    else
+	      soname="$realname"
+	    fi
+
+	    # Make a new name for the extract_expsyms_cmds to use
+	    newlib="libimp-`echo $soname | sed 's/^lib//;s/\.dll$//'`.a"
+
+	    # If the library has no export list, then create one now
+	    if test -f "$output_objdir/$soname-def"; then :
+	    else
+	      $show "extracting exported symbol list from \`$soname'"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      eval cmds=\"$extract_expsyms_cmds\"
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd" || exit $?
+	      done
+	      IFS="$save_ifs"
+	    fi
+
+	    # Create $newlib
+	    if test -f "$output_objdir/$newlib"; then :; else
+	      $show "generating import library for \`$soname'"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      eval cmds=\"$old_archive_from_expsyms_cmds\"
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd" || exit $?
+	      done
+	      IFS="$save_ifs"
+	    fi
+	    # make sure the library variables are pointing to the new library
+	    dir=$output_objdir
+	    linklib=$newlib
+	  fi
+
+	  if test $linkmode = prog || test "$mode" != relink; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    lib_linked=yes
+	    case "$hardcode_action" in
+	    immediate | unsupported)
+	      if test "$hardcode_direct" = no; then
+		add="$dir/$linklib"
+	      elif test "$hardcode_minus_L" = no; then
+		case "$host" in
+		*-*-sunos*) add_shlibpath="$dir" ;;
+		esac
+		add_dir="-L$dir"
+		add="-l$name"
+	      elif test "$hardcode_shlibpath_var" = no; then
+		add_shlibpath="$dir"
+		add="-l$name"
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    relink)
+	      if test "$hardcode_direct" = yes; then
+		add="$dir/$linklib"
+	      elif test "$hardcode_minus_L" = yes; then
+		add_dir="-L$dir"
+		add="-l$name"
+	      elif test "$hardcode_shlibpath_var" = yes; then
+		add_shlibpath="$dir"
+		add="-l$name"
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    *) lib_linked=no ;;
+	    esac
+
+	    if test "$lib_linked" != yes; then
+	      $echo "$modename: configuration error: unsupported hardcode properties"
+	      exit 1
+	    fi
+
+	    if test -n "$add_shlibpath"; then
+	      case ":$compile_shlibpath:" in
+	      *":$add_shlibpath:"*) ;;
+	      *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
+	      esac
+	    fi
+	    if test $linkmode = prog; then
+	      test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
+	      test -n "$add" && compile_deplibs="$add $compile_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add $deplibs"
+	      if test "$hardcode_direct" != yes && \
+		 test "$hardcode_minus_L" != yes && \
+		 test "$hardcode_shlibpath_var" = yes; then
+		case ":$finalize_shlibpath:" in
+		*":$libdir:"*) ;;
+		*) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+		esac
+	      fi
+	    fi
+	  fi
+
+	  if test $linkmode = prog || test "$mode" = relink; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    # Finalize command for both is simple: just hardcode it.
+	    if test "$hardcode_direct" = yes; then
+	      add="$libdir/$linklib"
+	    elif test "$hardcode_minus_L" = yes; then
+	      add_dir="-L$libdir"
+	      add="-l$name"
+	    elif test "$hardcode_shlibpath_var" = yes; then
+	      case ":$finalize_shlibpath:" in
+	      *":$libdir:"*) ;;
+	      *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+	      esac
+	      add="-l$name"
+	    else
+	      # We cannot seem to hardcode it, guess we'll fake it.
+	      add_dir="-L$libdir"
+	      add="-l$name"
+	    fi
+
+	    if test $linkmode = prog; then
+	      test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
+	      test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add deplibs"
+	    fi
+	  fi
+	elif test $linkmode = prog; then
+	  # Here we assume that one of hardcode_direct or hardcode_minus_L
+	  # is not unsupported.  This is valid on all known static and
+	  # shared platforms.
+	  if test "$hardcode_direct" != unsupported; then
+	    test -n "$old_library" && linklib="$old_library"
+	    compile_deplibs="$dir/$linklib $compile_deplibs"
+	    finalize_deplibs="$dir/$linklib $finalize_deplibs"
+	  else
+	    compile_deplibs="-l$name -L$dir $compile_deplibs"
+	    finalize_deplibs="-l$name -L$dir $finalize_deplibs"
+	  fi
+	elif test "$build_libtool_libs" = yes; then
+	  # Not a shared library
+	  if test "$deplibs_check_method" != pass_all; then
+	    # We're trying link a shared library against a static one
+	    # but the system doesn't support it.
+	    # Just print a warning and add the library to dependency_libs so
+	    # that the program can be linked against the static library.
+	    echo
+	    echo "*** Warning: This library needs some functionality provided by $lib."
+	    echo "*** I have the capability to make that library automatically link in when"
+	    echo "*** you link to this library.  But I can only do this if you have a"
+	    echo "*** shared version of the library, which you do not appear to have."
+	  else
+	    convenience="$convenience $dir/$old_library"
+	    old_convenience="$old_convenience $dir/$old_library"
+	    deplibs="$dir/$old_library $deplibs"
+	    link_static=yes
+	  fi
+	fi
+
+	if test $linkmode = lib; then
+	  if test -n "$dependency_libs" &&
+	     { test "$hardcode_into_libs" = no || test $build_old_libs = yes ||
+	       test $link_static = yes; }; then
+	    # Extract -R from dependency_libs
+	    temp_deplibs=
+	    for libdir in $dependency_libs; do
+	      case "$libdir" in
+	      -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'`
+		   case " $xrpath " in
+		   *" $temp_xrpath "*) ;;
+		   *) xrpath="$xrpath $temp_xrpath";;
+		   esac;;
+	      *) temp_deplibs="$temp_deplibs $libdir";;
+	      esac
+	    done
+	    dependency_libs="$temp_deplibs"
+	  fi
 
-    *.a | *.lib)
-      if test -n "$link_against_libtool_libs"; then
-        $echo "$modename: error: cannot link libtool libraries into archives" 1>&2
-        exit 1
+	  newlib_search_path="$newlib_search_path $absdir"
+	  # Link against this library
+	  test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
+	  # ... and its dependency_libs
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    newdependency_libs="$deplib $newdependency_libs"
+	    case "$tmp_libs " in
+	    *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	    esac
+	    tmp_libs="$tmp_libs $deplib"
+	  done
+
+	  if test $link_all_deplibs != no; then
+	    # Add the search paths of all dependency libraries
+	    for deplib in $dependency_libs; do
+	      case "$deplib" in
+	      -L*) path="$deplib" ;;
+	      *.la)
+		dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'`
+		test "X$dir" = "X$deplib" && dir="."
+		# We need an absolute path.
+		case "$dir" in
+		[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
+		*)
+		  absdir=`cd "$dir" && pwd`
+		  if test -z "$absdir"; then
+		    $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2
+		    absdir="$dir"
+		  fi
+		  ;;
+		esac
+		if grep "^installed=no" $deplib > /dev/null; then
+		  path="-L$absdir/$objdir"
+		else
+		  eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		  if test -z "$libdir"; then
+		    $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+		    exit 1
+		  fi
+		  if test "$absdir" != "$libdir"; then
+		    $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
+		  fi
+		  path="-L$absdir"
+		fi
+		;;
+	      *) continue ;;
+	      esac
+	      case " $deplibs " in
+	      *" $path "*) ;;
+	      *) deplibs="$deplibs $path" ;;
+	      esac
+	    done
+	  fi
+	fi
+      done
+      dependency_libs="$newdependency_libs"
+      if test $pass = dlpreopen; then
+	# Link the dlpreopened libraries before other libraries
+	for deplib in $save_deplibs; do
+	  deplibs="$deplib $deplibs"
+	done
       fi
+      if test $pass != dlopen; then
+	if test $pass != conv; then
+	  # Make sure lib_search_path contains only unique directories.
+	  lib_search_path=
+	  for dir in $newlib_search_path; do
+	    case "$lib_search_path " in
+	    *" $dir "*) ;;
+	    *) lib_search_path="$lib_search_path $dir" ;;
+	    esac
+	  done
+	  newlib_search_path=
+	fi
 
+	if test "$linkmode,$pass" != "prog,link"; then
+	  vars="deplibs"
+	else
+	  vars="compile_deplibs finalize_deplibs"
+	fi
+	for var in $vars dependency_libs; do
+	  # Make sure that $var contains only unique libraries
+	  # and add them in reverse order
+	  eval tmp_libs=\"\$$var\"
+	  new_libs=
+	  for deplib in $tmp_libs; do
+	    case "$deplib" in
+	    -L*) new_libs="$deplib $new_libs" ;;
+	    *)
+	      case " $specialdeplibs " in
+	      *" $deplib "*) new_libs="$deplib $new_libs" ;;
+	      *)
+		case " $new_libs " in
+		*" $deplib "*) ;;
+		*) new_libs="$deplib $new_libs" ;;
+		esac
+		;;
+	      esac
+	      ;;
+	    esac
+	  done
+	  tmp_libs=
+	  for deplib in $new_libs; do
+	    case "$deplib" in
+	    -L*)
+	      case " $tmp_libs " in
+	      *" $deplib "*) ;;
+	      *) tmp_libs="$tmp_libs $deplib" ;;
+	      esac
+	      ;;
+	    *) tmp_libs="$tmp_libs $deplib" ;;
+	    esac
+	  done
+	  eval $var=\"$tmp_libs\"
+	done
+      fi
+    done
+    if test $linkmode = prog; then
+      dlfiles="$newdlfiles"
+      dlprefiles="$newdlprefiles"
+    fi
+
+    case $linkmode in
+    oldlib)
       if test -n "$deplibs"; then
-        $echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2
+	$echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2
       fi
 
-      if test -n "$dlfiles$dlprefiles"; then
-        $echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
       fi
 
       if test -n "$rpath"; then
-        $echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
+	$echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$xrpath"; then
+	$echo "$modename: warning: \`-R' is ignored for archives" 1>&2
       fi
 
       if test -n "$vinfo"; then
-        $echo "$modename: warning: \`-version-info' is ignored for archives" 1>&2
+	$echo "$modename: warning: \`-version-info' is ignored for archives" 1>&2
       fi
 
       if test -n "$release"; then
-        $echo "$modename: warning: \`-release' is ignored for archives" 1>&2
+	$echo "$modename: warning: \`-release' is ignored for archives" 1>&2
       fi
 
-      if test -n "$export_symbols"; then
-        $echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
+      if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+	$echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
       fi
 
       # Now set the variables for building old libraries.
       build_libtool_libs=no
       oldlibs="$output"
+      objs="$objs$old_deplibs"
       ;;
 
-    *.la)
+    lib)
       # Make sure we only generate libraries of the form `libNAME.la'.
       case "$outputname" in
-      lib*) ;;
+      lib*)
+	name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+	eval libname=\"$libname_spec\"
+	;;
       *)
-	$echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
-	$echo "$help" 1>&2
-	exit 1
+	if test "$module" = no; then
+	  $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
+	if test "$need_lib_prefix" != no; then
+	  # Add the "lib" prefix for modules if required
+	  name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+	  eval libname=\"$libname_spec\"
+	else
+	  libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+	fi
 	;;
       esac
 
-      name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
-      eval libname=\"$libname_spec\"
-
-      output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
-      if test "X$output_objdir" = "X$output"; then
-        output_objdir="$objdir"
-      else
-        output_objdir="$output_objdir/$objdir"
-      fi
-
-      # All the library-specific variables (install_libdir is set above).
-      library_names=
-      old_library=
-      dlname=
-
       if test -n "$objs"; then
-        $echo "$modename: cannot build libtool library \`$output' from non-libtool objects:$objs" 2>&1
-        exit 1
-      fi
-
-      # How the heck are we supposed to write a wrapper for a shared library?
-      if test -n "$link_against_libtool_libs"; then
-        $echo "$modename: error: cannot link shared libraries into libtool libraries" 1>&2
-        exit 1
+	if test "$deplibs_check_method" != pass_all; then
+	  $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
+	  exit 1
+	else
+	  echo
+	  echo "*** Warning: Linking the shared library $output against the non-libtool"
+	  echo "*** objects $objs is not portable!"
+	  libobjs="$libobjs $objs"
+	fi
       fi
 
-      if test -n "$dlfiles$dlprefiles"; then
-        $echo "$modename: warning: \`-dlopen' is ignored for libtool libraries" 1>&2
+      if test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2
       fi
 
       set dummy $rpath
@@ -1170,11 +2152,13 @@ compiler."
 
       oldlibs=
       if test -z "$rpath"; then
-	# Building a libtool convenience library.
-        libext=al
-	oldlibs="$output_objdir/$libname.$libext $oldlibs"
-	build_libtool_libs=convenience
-	dependency_libs="$deplibs"
+	if test "$build_libtool_libs" = yes; then
+	  # Building a libtool convenience library.
+	  libext=al
+	  oldlibs="$output_objdir/$libname.$libext $oldlibs"
+	  build_libtool_libs=convenience
+	  build_old_libs=yes
+	fi
 
 	if test -n "$vinfo"; then
 	  $echo "$modename: warning: \`-version-info' is ignored for convenience libraries" 1>&2
@@ -1241,6 +2225,20 @@ compiler."
 	case "$version_type" in
 	none) ;;
 
+	irix)
+	  major=`expr $current - $age + 1`
+	  versuffix="$major.$revision"
+	  verstring="sgi$major.$revision"
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$revision
+	  while test $loop != 0; do
+	    iface=`expr $revision - $loop`
+	    loop=`expr $loop - 1`
+	    verstring="sgi$major.$iface:$verstring"
+	  done
+	  ;;
+
 	linux)
 	  major=.`expr $current - $age`
 	  versuffix="$major.$age.$revision"
@@ -1295,13 +2293,19 @@ compiler."
 	# Clear the version info if we defaulted, and they specified a release.
 	if test -z "$vinfo" && test -n "$release"; then
 	  major=
-	  versuffix=
 	  verstring="0.0"
-	  case "$host" in
-	  *-*-sunos*)
+	  if test "$need_version" = no; then
+	    versuffix=
+	  else
 	    versuffix=".0.0"
-	    ;;
-	  esac
+	  fi
+	fi
+
+	# Remove version info from name if versioning should be avoided
+	if test "$avoid_version" = yes && test "$need_version" = no; then
+	  major=
+	  versuffix=
+	  verstring=""
 	fi
 
 	# Check to see if the archive will have undefined symbols.
@@ -1315,23 +2319,12 @@ compiler."
 	  # Don't allow undefined symbols.
 	  allow_undefined_flag="$no_undefined_flag"
 	fi
-
-	# Add libc to deplibs on all systems.
-	dependency_libs="$deplibs"
-	deplibs="$deplibs -lc"
       fi
 
-      # Create the output directory, or remove our outputs if we need to.
-      if test -d $output_objdir; then
-        $show "${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*"
+      if test "$mode" != relink; then
+	# Remove our outputs.
+	$show "${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*"
 	$run ${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*
-      else
-        $show "$mkdir $output_objdir"
-        $run $mkdir $output_objdir
-        status=$?
-        if test $status -ne 0 && test ! -d $output_objdir; then
-          exit $status
-        fi
       fi
 
       # Now set the variables for building old libraries.
@@ -1339,173 +2332,329 @@ compiler."
 	oldlibs="$oldlibs $output_objdir/$libname.$libext"
 
 	# Transform .lo files to .o files.
-	oldobjs="$objs"`$echo "X$libobjs " | $Xsed -e 's/[^   ]*\.'${libext}' //g' -e "$los2o" -e 's/ $//g'`
+	oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
       fi
 
+      # Eliminate all temporary directories.
+      for path in $uninst_path; do
+	lib_search_path=`echo "$lib_search_path " | sed -e 's% $path % %g'`
+	deplibs=`echo "$deplibs " | sed -e 's% -L$path % %g'`
+	dependency_libs=`echo "$dependency_libs " | sed -e 's% -L$path % %g'`
+      done
+
+      if test -n "$xrpath"; then
+	# If the user specified any rpath flags, then add them.
+	temp_xrpath=
+	for libdir in $xrpath; do
+	  temp_xrpath="$temp_xrpath -R$libdir"
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  esac
+	done
+	if test "$hardcode_into_libs" = no || test $build_old_libs = yes; then
+	  dependency_libs="$temp_xrpath $dependency_libs"
+	fi
+      fi
+
+      # Make sure dlfiles contains only unique files that won't be dlpreopened
+      old_dlfiles="$dlfiles"
+      dlfiles=
+      for lib in $old_dlfiles; do
+	case " $dlprefiles $dlfiles " in
+	*" $lib "*) ;;
+	*) dlfiles="$dlfiles $lib" ;;
+	esac
+      done
+
+      # Make sure dlprefiles contains only unique files
+      old_dlprefiles="$dlprefiles"
+      dlprefiles=
+      for lib in $old_dlprefiles; do
+	case "$dlprefiles " in
+	*" $lib "*) ;;
+	*) dlprefiles="$dlprefiles $lib" ;;
+	esac
+      done
+
       if test "$build_libtool_libs" = yes; then
-        # Transform deplibs into only deplibs that can be linked in shared.
-        ## Gordon: Do you check for the existence of the libraries in deplibs
-        ## on the system?  That should maybe be merged in here someplace....
-        ## Actually: I think test_compile and file_magic do this... file_regex
-        ## sorta does this. Only pas_all needs to be changed.  -Toshio
-        name_save=$name
-        libname_save=$libname
-        release_save=$release
-        versuffix_save=$versuffix
-        major_save=$major
-        # I'm not sure if I'm treating the release correctly.  I think
-        # release should show up in the -l (ie -lgmp5) so we don't want to
-        # add it in twice.  Is that correct?
-        release=""
-        versuffix=""
-        major=""
-        newdeplibs=
-        case "$check_shared_deplibs_method" in
-        pass_all)  
-          newdeplibs=$deplibs 
-                    ;; # Don't check for shared/static.  Everything works.
-                       # This might be a little naive.  We might want to check
-                       # whether the library exists or not.  But this is on
-                       # osf3 & osf4 and I'm not really sure... Just
-                       # implementing what was already the behaviour.
-        test_compile)
-          # This code stresses the "libraries are programs" paradigm to its
-          # limits. Maybe even breaks it.  We compile a program, linking it
-          # against the deplibs as a proxy for the library.  Then we can check
-          # whether they linked in statically or dynamically with ldd.
-          $rm conftest.c
-          cat > conftest.c <<EOF
-          int main() { return 0; }
+	if test -n "$rpath"; then
+	  case "$host" in
+	  *-*-cygwin* | *-*-mingw* | *-*-os2* | *-*-beos*)
+	    # these systems don't actually have a c library (as such)!
+	    ;;
+	  *)
+	    # Add libc to deplibs on all other systems.
+	    deplibs="$deplibs -lc"
+	    ;;
+	  esac
+	fi
+
+	# Transform deplibs into only deplibs that can be linked in shared.
+	name_save=$name
+	libname_save=$libname
+	release_save=$release
+	versuffix_save=$versuffix
+	major_save=$major
+	# I'm not sure if I'm treating the release correctly.  I think
+	# release should show up in the -l (ie -lgmp5) so we don't want to
+	# add it in twice.  Is that correct?
+	release=""
+	versuffix=""
+	major=""
+	newdeplibs=
+	droppeddeps=no
+	case "$deplibs_check_method" in
+	pass_all)
+	  # Don't check for shared/static.  Everything works.
+	  # This might be a little naive.  We might want to check
+	  # whether the library exists or not.  But this is on
+	  # osf3 & osf4 and I'm not really sure... Just
+	  # implementing what was already the behaviour.
+	  newdeplibs=$deplibs
+	  ;;
+	test_compile)
+	  # This code stresses the "libraries are programs" paradigm to its
+	  # limits. Maybe even breaks it.  We compile a program, linking it
+	  # against the deplibs as a proxy for the library.  Then we can check
+	  # whether they linked in statically or dynamically with ldd.
+	  $rm conftest.c
+	  cat > conftest.c <<EOF
+	  int main() { return 0; }
 EOF
-          $rm a.out
-          $C_compiler conftest.c $deplibs
-          if test $? -eq 0 ; then
-            ldd_output=`ldd a.out`
-            for i in $deplibs; do
-              name="`expr $i : '-l\(.*\)'`"
-              # If $name is empty we are operating on a -L argument.
-              if test "$name" != "" ; then
-                libname=`eval \\$echo \"$libname_spec\"`
-                deplib_matches=`eval \\$echo \"$library_names_spec\"`
-                set dummy $deplib_matches
-                deplib_match=$2
-                if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-                  newdeplibs="$newdeplibs $i"
-                else
-                  echo
-                  echo "*** Warning: This library needs some functionality provided by $i."
-                  echo "*** I have the capability to make that library automatically link in when"
-                  echo "*** you link to this library.  But I can only do this if you have a"
-                  echo "*** shared version of the library, which you do not appear to have."
-                fi
-              else
-                newdeplibs="$newdeplibs $i"
-              fi
-            done
-          else
-            # Error occured in the first compile.  Let's try to salvage the situation:
-            # Compile a seperate program for each library.
-            for i in $deplibs; do
-              name="`expr $i : '-l\(.*\)'`"
-             # If $name is empty we are operating on a -L argument.
-              if test "$name" != "" ; then
-                $rm a.out
-                $C_compiler conftest.c $i
-                # Did it work?
-                if test $? -eq 0 ; then
-                  ldd_output=`ldd a.out`
-                    libname=`eval \\$echo \"$libname_spec\"`
-                    deplib_matches=`eval \\$echo \"$library_names_spec\"`
-                    set dummy $deplib_matches
-                    deplib_match=$2
-                    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-                      newdeplibs="$newdeplibs $i"
-                    else
-                      echo
-                      echo "*** Warning: This library needs some functionality provided by $i."
-                      echo "*** I have the capability to make that library automatically link in when"
-                      echo "*** you link to this library.  But I can only do this if you have a"
-                      echo "*** shared version of the library, which you do not appear to have."
-                    fi
-                else
-                  echo
-                  echo "*** Warning!  Library $i is needed by this library but I was not able to"
-                  echo "***  make it link in!  You will probably need to install it or some"
-                  echo "*** library that it depends on before this library will be fully"
-                  echo "*** functional.  Installing it before continuing would be even better."
-                fi
-              else
-                newdeplibs="$newdeplibs $i"
-              fi
-            done
-          fi
-          deplibs=$newdeplibs
-          ;;
-        file_magic* | file_regex)
-          set dummy $check_shared_deplibs_method
-          file_magic_regex="`expr \"$check_shared_deplibs_method\" : \"$2\(.*\)\"`"
-          for a_deplib in $deplibs; do
-            name="`expr $a_deplib : '-l\(.*\)'`"
-            # If $name is empty we are operating on a -L argument.
-            if test "$name" != "" ; then
-              libname=`eval \\$echo \"$libname_spec\"`
-              case "$check_shared_deplibs_method" in
-                file_magic*)
-                  for i in $lib_search_path; do
-                   # This needs to be more general than file_regex in order to
-                   # catch things like glibc on linux.  Maybe file_regex
-                   # should be more general as well, but maybe not.  Since
-                   # library names are supposed to conform to
-                   # library_name_spec, I think file_regex should remain
-                   # strict.  What do you think Gordon?
-                    potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
-                    for potent_lib in $potential_libs; do
-                      file_output=`file $potent_lib`
-                      if test `expr "$file_output" : ".*$file_magic_regex"` -ne 0 ; then
-                        newdeplibs="$newdeplibs $a_deplib"
-                        a_deplib=""
-                        break 2
-                      fi
-                    done
-                  done
-                  ;;
-                file_regex)
-                  deplib_matches=`eval \\$echo \"$library_names_spec\"`
-                  set dummy $deplib_matches
-                  deplib_match=$2
-                  for i in $lib_search_path; do
-                    potential_libs=`ls $i/$deplib_match* 2>/dev/null`
-                    if test "$potential_libs" != "" ; then
-                      newdeplibs="$newdeplibs $a_deplib"
-                      a_deplib=""
-                      break
-                    fi
-                  done
-                  ;;
-              esac
-              if test "$a_deplib" != "" ; then
-                echo
-                echo "*** Warning: This library needs some functionality provided by $a_deplib."
-                echo "*** I have the capability to make that library automatically link in when"
-                echo "*** you link to this library.  But I can only do this if you have a"
-                echo "*** shared version of the library, which you do not appear to have."
-              fi
-            else
-              # Add a -L argument.
-              newdeplibs="$newdeplibs $a_deplib"
-            fi
-          done # Gone through all deplibs.
-          ;;
-        none | *)  deplibs="" ;;
-        esac
-        versuffix=$versuffix_save
-        major=$major_save
-        release=$release_save
-        libname=$libname_save
-        name=$name_save
-        deplibs=$newdeplibs
-        # Done checking deplibs!
- 
+	  $rm conftest
+	  $CC -o conftest conftest.c $deplibs
+	  if test $? -eq 0 ; then
+	    ldd_output=`ldd conftest`
+	    for i in $deplibs; do
+	      name="`expr $i : '-l\(.*\)'`"
+	      # If $name is empty we are operating on a -L argument.
+	      if test "$name" != "" ; then
+		libname=`eval \\$echo \"$libname_spec\"`
+		deplib_matches=`eval \\$echo \"$library_names_spec\"`
+		set dummy $deplib_matches
+		deplib_match=$2
+		if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		  newdeplibs="$newdeplibs $i"
+		else
+		  droppeddeps=yes
+		  echo
+		  echo "*** Warning: This library needs some functionality provided by $i."
+		  echo "*** I have the capability to make that library automatically link in when"
+		  echo "*** you link to this library.  But I can only do this if you have a"
+		  echo "*** shared version of the library, which you do not appear to have."
+		fi
+	      else
+		newdeplibs="$newdeplibs $i"
+	      fi
+	    done
+	  else
+	    # Error occured in the first compile.  Let's try to salvage the situation:
+	    # Compile a seperate program for each library.
+	    for i in $deplibs; do
+	      name="`expr $i : '-l\(.*\)'`"
+	     # If $name is empty we are operating on a -L argument.
+	      if test "$name" != "" ; then
+		$rm conftest
+		$CC -o conftest conftest.c $i
+		# Did it work?
+		if test $? -eq 0 ; then
+		  ldd_output=`ldd conftest`
+		  libname=`eval \\$echo \"$libname_spec\"`
+		  deplib_matches=`eval \\$echo \"$library_names_spec\"`
+		  set dummy $deplib_matches
+		  deplib_match=$2
+		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		    newdeplibs="$newdeplibs $i"
+		  else
+		    droppeddeps=yes
+		    echo
+		    echo "*** Warning: This library needs some functionality provided by $i."
+		    echo "*** I have the capability to make that library automatically link in when"
+		    echo "*** you link to this library.  But I can only do this if you have a"
+		    echo "*** shared version of the library, which you do not appear to have."
+		  fi
+		else
+		  droppeddeps=yes
+		  echo
+		  echo "*** Warning!  Library $i is needed by this library but I was not able to"
+		  echo "***  make it link in!  You will probably need to install it or some"
+		  echo "*** library that it depends on before this library will be fully"
+		  echo "*** functional.  Installing it before continuing would be even better."
+		fi
+	      else
+		newdeplibs="$newdeplibs $i"
+	      fi
+	    done
+	  fi
+	  ;;
+	file_magic*)
+	  set dummy $deplibs_check_method
+	  file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+	  for a_deplib in $deplibs; do
+	    name="`expr $a_deplib : '-l\(.*\)'`"
+	    # If $name is empty we are operating on a -L argument.
+	    if test "$name" != "" ; then
+	      libname=`eval \\$echo \"$libname_spec\"`
+	      for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+		    potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+		    for potent_lib in $potential_libs; do
+		      # Follow soft links.
+		      if ls -lLd "$potent_lib" 2>/dev/null \
+			 | grep " -> " >/dev/null; then
+			continue
+		      fi
+		      # The statement above tries to avoid entering an
+		      # endless loop below, in case of cyclic links.
+		      # We might still enter an endless loop, since a link
+		      # loop can be closed while we follow links,
+		      # but so what?
+		      potlib="$potent_lib"
+		      while test -h "$potlib" 2>/dev/null; do
+			potliblink=`ls -ld $potlib | sed 's/.* -> //'`
+			case "$potliblink" in
+			[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
+			*) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
+			esac
+		      done
+		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \
+			 | sed 10q \
+			 | egrep "$file_magic_regex" > /dev/null; then
+			newdeplibs="$newdeplibs $a_deplib"
+			a_deplib=""
+			break 2
+		      fi
+		    done
+	      done
+	      if test -n "$a_deplib" ; then
+		droppeddeps=yes
+		echo
+		echo "*** Warning: This library needs some functionality provided by $a_deplib."
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have."
+	      fi
+	    else
+	      # Add a -L argument.
+	      newdeplibs="$newdeplibs $a_deplib"
+	    fi
+	  done # Gone through all deplibs.
+	  ;;
+	none | unknown | *)
+	  newdeplibs=""
+	  if $echo "X $deplibs" | $Xsed -e 's/ -lc$//' \
+	       -e 's/ -[LR][^ ]*//g' -e 's/[ 	]//g' |
+	     grep . >/dev/null; then
+	    echo
+	    if test "X$deplibs_check_method" = "Xnone"; then
+	      echo "*** Warning: inter-library dependencies are not supported in this platform."
+	    else
+	      echo "*** Warning: inter-library dependencies are not known to be supported."
+	    fi
+	    echo "*** All declared inter-library dependencies are being dropped."
+	    droppeddeps=yes
+	  fi
+	  ;;
+	esac
+	versuffix=$versuffix_save
+	major=$major_save
+	release=$release_save
+	libname=$libname_save
+	name=$name_save
+
+	if test "$droppeddeps" = yes; then
+	  if test "$module" = yes; then
+	    echo
+	    echo "*** Warning: libtool could not satisfy all declared inter-library"
+	    echo "*** dependencies of module $libname.  Therefore, libtool will create"
+	    echo "*** a static module, that should work as long as the dlopening"
+	    echo "*** application is linked with the -dlopen flag."
+	    if test -z "$global_symbol_pipe"; then
+	      echo
+	      echo "*** However, this would only work if libtool was able to extract symbol"
+	      echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+	      echo "*** not find such a program.  So, this module is probably useless."
+	      echo "*** \`nm' from GNU binutils and a full rebuild may help."
+	    fi
+	    if test "$build_old_libs" = no; then
+	      oldlibs="$output_objdir/$libname.$libext"
+	      build_libtool_libs=module
+	      build_old_libs=yes
+	    else
+	      build_libtool_libs=no
+	    fi
+	  else
+	    echo "*** The inter-library dependencies that have been dropped here will be"
+	    echo "*** automatically added whenever a program is linked with this library"
+	    echo "*** or is declared to -dlopen it."
+	  fi
+	fi
+	# Done checking deplibs!
+	deplibs=$newdeplibs
+      fi
+
+      # All the library-specific variables (install_libdir is set above).
+      library_names=
+      old_library=
+      dlname=
+
+      # Test again, we may have decided not to build it any more
+      if test "$build_libtool_libs" = yes; then
+	if test "$hardcode_into_libs" != no; then
+	  # Hardcode the library paths
+	  hardcode_libdirs=
+	  dep_rpath=
+	  rpath="$finalize_rpath"
+	  test "$mode" != relink && rpath="$compile_rpath$rpath"
+	  for libdir in $rpath; do
+	    if test -n "$hardcode_libdir_flag_spec"; then
+	      if test -n "$hardcode_libdir_separator"; then
+		if test -z "$hardcode_libdirs"; then
+		  hardcode_libdirs="$libdir"
+		else
+		  # Just accumulate the unique libdirs.
+		  case "$hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator" in
+		  *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		    ;;
+		  *)
+		    hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		    ;;
+		  esac
+		fi
+	      else
+		eval flag=\"$hardcode_libdir_flag_spec\"
+		dep_rpath="$dep_rpath $flag"
+	      fi
+	    elif test -n "$runpath_var"; then
+	      case "$perm_rpath " in
+	      *" $libdir "*) ;;
+	      *) perm_rpath="$perm_rpath $libdir" ;;
+	      esac
+	    fi
+	  done
+	  # Substitute the hardcoded libdirs into the rpath.
+	  if test -n "$hardcode_libdir_separator" &&
+	     test -n "$hardcode_libdirs"; then
+	    libdir="$hardcode_libdirs"
+	    eval dep_rpath=\"$hardcode_libdir_flag_spec\"
+	  fi
+	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
+	    # We should set the runpath_var.
+	    rpath=
+	    for dir in $perm_rpath; do
+	      rpath="$rpath$dir:"
+	    done
+	    eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
+	  fi
+	  test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
+	fi
+
+	shlibpath="$finalize_shlibpath"
+	test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+	if test -n "$shlibpath"; then
+	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
+	fi
+
 	# Get the real and link names of the library.
 	eval library_names=\"$library_names_spec\"
 	set dummy $library_names
@@ -1524,38 +2673,106 @@ EOF
 	  linknames="$linknames $link"
 	done
 
-	# Use standard objects if they are PIC.
-	test -z "$pic_flag" && libobjs=`$echo "X$libobjs " | $Xsed -e "$los2o" -e 's/ $//g'`
+	# Ensure that we have .o objects for linkers which dislike .lo
+	# (e.g. aix) in case we are running --disable-static
+	for obj in $libobjs; do
+	  xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
+	  if test "X$xdir" = "X$obj"; then
+	    xdir="."
+	  else
+	    xdir="$xdir"
+	  fi
+	  baseobj=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
+	  oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"`
+	  if test ! -f $xdir/$oldobj; then
+	    $show "(cd $xdir && ${LN_S} $baseobj $oldobj)"
+	    $run eval '(cd $xdir && ${LN_S} $baseobj $oldobj)' || exit $?
+	  fi
+	done
 
-	if test -n "$whole_archive_flag_spec"; then
-	  if test -n "$convenience"; then
-	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	# Use standard objects if they are pic
+	test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+
+	# Prepare the list of exported symbols
+	if test -z "$export_symbols"; then
+	  if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
+	    $show "generating symbol list for \`$libname.la'"
+	    export_symbols="$output_objdir/$libname.exp"
+	    $run $rm $export_symbols
+	    eval cmds=\"$export_symbols_cmds\"
+	    IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	    for cmd in $cmds; do
+	      IFS="$save_ifs"
+	      $show "$cmd"
+	      $run eval "$cmd" || exit $?
+	    done
+	    IFS="$save_ifs"
+	    if test -n "$export_symbols_regex"; then
+	      $show "egrep -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\""
+	      $run eval 'egrep -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
+	      $show "$mv \"${export_symbols}T\" \"$export_symbols\""
+	      $run eval '$mv "${export_symbols}T" "$export_symbols"'
+	    fi
 	  fi
-	else
-	  for xlib in $convenience; do
-	    # Extract the objects.
-	    xdir="$xlib"x
-	    generated="$generated $xdir"
-	    xlib=`echo "$xlib" | $Xsed -e 's%^.*/%%'`
+	fi
 
-	    $show "${rm}r $xdir"
-	    $run ${rm}r "$xdir"
-	    $show "mkdir $xdir"
-	    $run mkdir "$xdir"
+	if test -n "$export_symbols" && test -n "$include_expsyms"; then
+	  $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"'
+	fi
+
+	if test -n "$convenience"; then
+	  if test -n "$whole_archive_flag_spec"; then
+	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	  else
+	    gentop="$output_objdir/${outputname}x"
+	    $show "${rm}r $gentop"
+	    $run ${rm}r "$gentop"
+	    $show "mkdir $gentop"
+	    $run mkdir "$gentop"
 	    status=$?
-	    if test $status -ne 0 && test ! -d "$xdir"; then
+	    if test $status -ne 0 && test ! -d "$gentop"; then
 	      exit $status
 	    fi
-	    $show "(cd $xdir && $AR x ../$xlib)"
-	    $run eval "(cd \$xdir && $AR x ../\$xlib)" || exit $?
+	    generated="$generated $gentop"
 
-	    libobjs="$libobjs `echo $xdir/*`"
-	  done
+	    for xlib in $convenience; do
+	      # Extract the objects.
+	      case "$xlib" in
+	      [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	      *) xabs=`pwd`"/$xlib" ;;
+	      esac
+	      xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	      xdir="$gentop/$xlib"
+
+	      $show "${rm}r $xdir"
+	      $run ${rm}r "$xdir"
+	      $show "mkdir $xdir"
+	      $run mkdir "$xdir"
+	      status=$?
+	      if test $status -ne 0 && test ! -d "$xdir"; then
+		exit $status
+	      fi
+	      $show "(cd $xdir && $AR x $xabs)"
+	      $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+
+	      libobjs="$libobjs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP`
+	    done
+	  fi
+	fi
+
+	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
+	  eval flag=\"$thread_safe_flag_spec\"
+	  linker_flags="$linker_flags $flag"
+	fi
+
+	# Make a backup of the uninstalled library when relinking
+	if test "$mode" = relink && test "$hardcode_into_libs" = all; then
+	  $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $?
 	fi
 
 	# Do each of the archive commands.
-	if test -n "$export_symbols" && test -n "$archive_sym_cmds"; then
-	  eval cmds=\"$archive_sym_cmds\"
+	if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+	  eval cmds=\"$archive_expsym_cmds\"
 	else
 	  eval cmds=\"$archive_cmds\"
 	fi
@@ -1567,11 +2784,17 @@ EOF
 	done
 	IFS="$save_ifs"
 
+	# Restore the uninstalled library and exit
+	if test "$mode" = relink && test "$hardcode_into_libs" = all; then
+	  $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
+	  exit 0
+	fi
+
 	# Create links to the real library.
 	for linkname in $linknames; do
 	  if test "$realname" != "$linkname"; then
-	    $show "(cd $output_objdir && $LN_S $realname $linkname)"
-	    $run eval '(cd $output_objdir && $LN_S $realname $linkname)' || exit $?
+	    $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)"
+	    $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $?
 	  fi
 	done
 
@@ -1583,412 +2806,624 @@ EOF
       fi
       ;;
 
-    *.lo | *.o | *.obj)
-      if test -n "$link_against_libtool_libs"; then
-        $echo "$modename: error: cannot link libtool libraries into objects" 1>&2
-        exit 1
-      fi
-
+    obj)
       if test -n "$deplibs"; then
-        $echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2
+	$echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2
       fi
 
-      if test -n "$dlfiles$dlprefiles"; then
-        $echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
       fi
 
       if test -n "$rpath"; then
-        $echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
+	$echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$xrpath"; then
+	$echo "$modename: warning: \`-R' is ignored for objects" 1>&2
       fi
 
       if test -n "$vinfo"; then
-        $echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
+	$echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
       fi
 
       if test -n "$release"; then
-        $echo "$modename: warning: \`-release' is ignored for objects" 1>&2
+	$echo "$modename: warning: \`-release' is ignored for objects" 1>&2
       fi
 
       case "$output" in
       *.lo)
-        if test -n "$objs"; then
-          $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
-          exit 1
-        fi
-        libobj="$output"
-        obj=`$echo "X$output" | $Xsed -e "$lo2o"`
-        ;;
+	if test -n "$objs$old_deplibs"; then
+	  $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
+	  exit 1
+	fi
+	libobj="$output"
+	obj=`$echo "X$output" | $Xsed -e "$lo2o"`
+	;;
       *)
-        libobj=
-        obj="$output"
-        ;;
+	libobj=
+	obj="$output"
+	;;
       esac
 
       # Delete the old objects.
       $run $rm $obj $libobj
 
+      # Objects from convenience libraries.  This assumes
+      # single-version convenience libraries.  Whenever we create
+      # different ones for PIC/non-PIC, this we'll have to duplicate
+      # the extraction.
+      reload_conv_objs=
+      gentop=
+      # reload_cmds runs $LD directly, so let us get rid of
+      # -Wl from whole_archive_flag_spec
+      wl=
+
+      if test -n "$convenience"; then
+	if test -n "$whole_archive_flag_spec"; then
+	  eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\"
+	else
+	  gentop="$output_objdir/${obj}x"
+	  $show "${rm}r $gentop"
+	  $run ${rm}r "$gentop"
+	  $show "mkdir $gentop"
+	  $run mkdir "$gentop"
+	  status=$?
+	  if test $status -ne 0 && test ! -d "$gentop"; then
+	    exit $status
+	  fi
+	  generated="$generated $gentop"
+
+	  for xlib in $convenience; do
+	    # Extract the objects.
+	    case "$xlib" in
+	    [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	    *) xabs=`pwd`"/$xlib" ;;
+	    esac
+	    xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	    xdir="$gentop/$xlib"
+
+	    $show "${rm}r $xdir"
+	    $run ${rm}r "$xdir"
+	    $show "mkdir $xdir"
+	    $run mkdir "$xdir"
+	    status=$?
+	    if test $status -ne 0 && test ! -d "$xdir"; then
+	      exit $status
+	    fi
+	    $show "(cd $xdir && $AR x $xabs)"
+	    $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+
+	    reload_conv_objs="$reload_objs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP`
+	  done
+	fi
+      fi
+
       # Create the old-style object.
-      reload_objs="$objs"`$echo "X$libobjs " | $Xsed -e 's/[^       ]*\.'${libext}' //g' -e 's/[^       ]*\.lib //g' -e "$los2o" -e 's/ $//g'`
+      reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
 
       output="$obj"
       eval cmds=\"$reload_cmds\"
       IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
       for cmd in $cmds; do
-        IFS="$save_ifs"
-        $show "$cmd"
-        $run eval "$cmd" || exit $?
+	IFS="$save_ifs"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
       done
       IFS="$save_ifs"
 
       # Exit if we aren't doing a library object file.
-      test -z "$libobj" && exit 0
+      if test -z "$libobj"; then
+	if test -n "$gentop"; then
+	  $show "${rm}r $gentop"
+	  $run ${rm}r $gentop
+	fi
+
+	exit 0
+      fi
 
       if test "$build_libtool_libs" != yes; then
-        # Create an invalid libtool object if no PIC, so that we don't
-        # accidentally link it into a program.
-        $show "echo timestamp > $libobj"
-        $run eval "echo timestamp > $libobj" || exit $?
-        exit 0
-      fi
-
-      if test -n "$pic_flag"; then
-        # Only do commands if we really have different PIC objects.
-        reload_objs="$libobjs"
-        output="$libobj"
-        eval cmds=\"$reload_cmds\"
-        IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
-        for cmd in $cmds; do
-          IFS="$save_ifs"
-          $show "$cmd"
-          $run eval "$cmd" || exit $?
-        done
-        IFS="$save_ifs"
+	if test -n "$gentop"; then
+	  $show "${rm}r $gentop"
+	  $run ${rm}r $gentop
+	fi
+
+	# Create an invalid libtool object if no PIC, so that we don't
+	# accidentally link it into a program.
+	$show "echo timestamp > $libobj"
+	$run eval "echo timestamp > $libobj" || exit $?
+	exit 0
+      fi
+
+      if test -n "$pic_flag" || test "$pic_mode" != default; then
+	# Only do commands if we really have different PIC objects.
+	reload_objs="$libobjs $reload_conv_objs"
+	output="$libobj"
+	eval cmds=\"$reload_cmds\"
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	for cmd in $cmds; do
+	  IFS="$save_ifs"
+	  $show "$cmd"
+	  $run eval "$cmd" || exit $?
+	done
+	IFS="$save_ifs"
       else
-        # Just create a symlink.
-        $show "$LN_S $obj $libobj"
-        $run $LN_S $obj $libobj || exit $?
+	# Just create a symlink.
+	$show $rm $libobj
+	$run $rm $libobj
+	xdir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'`
+	if test "X$xdir" = "X$libobj"; then
+	  xdir="."
+	else
+	  xdir="$xdir"
+	fi
+	baseobj=`$echo "X$libobj" | $Xsed -e 's%^.*/%%'`
+	oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"`
+	$show "(cd $xdir && $LN_S $oldobj $baseobj)"
+	$run eval '(cd $xdir && $LN_S $oldobj $baseobj)' || exit $?
+      fi
+
+      if test -n "$gentop"; then
+	$show "${rm}r $gentop"
+	$run ${rm}r $gentop
       fi
 
       exit 0
       ;;
 
-    # Anything else should be a program.
-    *)
+    prog)
       if test -n "$vinfo"; then
-        $echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
+	$echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
       fi
 
       if test -n "$release"; then
-        $echo "$modename: warning: \`-release' is ignored for programs" 1>&2
+	$echo "$modename: warning: \`-release' is ignored for programs" 1>&2
       fi
 
-      if test -n "$rpath"; then
+      if test "$preload" = yes; then
+	if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown &&
+	   test "$dlopen_self_static" = unknown; then
+	  $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support."
+	fi
+      fi
+
+      compile_command="$compile_command $compile_deplibs"
+      finalize_command="$finalize_command $finalize_deplibs"
+
+      if test -n "$rpath$xrpath"; then
 	# If the user specified any rpath flags, then add them.
-	for libdir in $rpath; do
-          if test -n "$hardcode_libdir_flag_spec"; then
-            if test -n "$hardcode_libdir_separator"; then
-              if test -z "$hardcode_libdirs"; then
-                # Put the magic libdir with the hardcode flag.
-                hardcode_libdirs="$libdir"
-                libdir="@HARDCODE_LIBDIRS@"
-              else
-                # Just accumulate the unique libdirs.
-		case "$hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator" in
-		*"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
-		  ;;
-		*)
-		  hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
-		  ;;
-		esac
-                libdir=
-              fi
-            fi
-
-            if test -n "$libdir"; then
-              eval flag=\"$hardcode_libdir_flag_spec\"
-
-              compile_command="$compile_command $flag"
-              finalize_command="$finalize_command $flag"
-            fi
-          elif test -n "$runpath_var"; then
-            case "$perm_rpath " in
-            *" $libdir "*) ;;
-            *) perm_rpath="$perm_rpath $libdir" ;;
-            esac
-          fi
+	for libdir in $rpath $xrpath; do
+	  # This is the magic to use -rpath.
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  esac
 	done
       fi
 
-      # Substitute the hardcoded libdirs into the compile commands.
-      if test -n "$hardcode_libdir_separator"; then
-	compile_command=`$echo "X$compile_command" | $Xsed -e "s%@HARDCODE_LIBDIRS@%$hardcode_libdirs%g"`
-	finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@HARDCODE_LIBDIRS@%$hardcode_libdirs%g"`
+      # Now hardcode the library paths
+      rpath=
+      hardcode_libdirs=
+      for libdir in $compile_rpath $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs="$libdir"
+	    else
+	      # Just accumulate the unique libdirs.
+	      case "$hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator" in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
+	  else
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    rpath="$rpath $flag"
+	  fi
+	elif test -n "$runpath_var"; then
+	  case "$perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) perm_rpath="$perm_rpath $libdir" ;;
+	  esac
+	fi
+	case "$host" in
+	*-*-cygwin* | *-*-mingw* | *-*-os2*)
+	  case ":$dllsearchpath:" in
+	  *":$libdir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$libdir";;
+	  esac
+	  ;;
+	esac
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir="$hardcode_libdirs"
+	eval rpath=\" $hardcode_libdir_flag_spec\"
       fi
-
-      output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
-      if test "X$output_objdir" = "X$output"; then
-        output_objdir="$objdir"
-      else
-        output_objdir="$output_objdir/$objdir"
+      compile_rpath="$rpath"
+
+      rpath=
+      hardcode_libdirs=
+      for libdir in $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs="$libdir"
+	    else
+	      # Just accumulate the unique libdirs.
+	      case "$hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator" in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
+	  else
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    rpath="$rpath $flag"
+	  fi
+	elif test -n "$runpath_var"; then
+	  case "$finalize_perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
+	  esac
+	fi
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir="$hardcode_libdirs"
+	eval rpath=\" $hardcode_libdir_flag_spec\"
       fi
+      finalize_rpath="$rpath"
 
       if test -n "$libobjs" && test "$build_old_libs" = yes; then
-        # Transform all the library objects into standard objects.
-        compile_command=`$echo "X$compile_command " | $Xsed -e "$los2o" -e 's/ $//'`
-        finalize_command=`$echo "X$finalize_command " | $Xsed -e "$los2o" -e 's/ $//'`
+	# Transform all the library objects into standard objects.
+	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
       fi
 
-      if test "$export_dynamic" = yes && test -n "$NM" && test -n "$global_symbol_pipe"; then
-        dlsyms="${outputname}S.c"
-      else
-        dlsyms=
+      dlsyms=
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	if test -n "$NM" && test -n "$global_symbol_pipe"; then
+	  dlsyms="${outputname}S.c"
+	else
+	  $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
+	fi
       fi
 
       if test -n "$dlsyms"; then
-        case "$dlsyms" in
-        "") ;;
-        *.c)
-          if test -z "$export_symbols"; then
-            # Add our own program objects to the preloaded list.
-            dlprefiles=`$echo "X$objs$dlprefiles " | $Xsed -e "$los2o" -e 's/ $//'`
-          fi
-
-          # Discover the nlist of each of the dlfiles.
-          nlist="$objdir/${output}.nm"
-
-	  if test -d $objdir; then
-	    $show "$rm $nlist ${nlist}T"
-	    $run $rm "$nlist" "${nlist}T"
-	  else
-	    $show "$mkdir $objdir"
-	    $run $mkdir $objdir
-	    status=$?
-	    if test $status -ne 0 && test ! -d $objdir; then
-	      exit $status
-	    fi
-	  fi
+	case "$dlsyms" in
+	"") ;;
+	*.c)
+	  # Discover the nlist of each of the dlfiles.
+	  nlist="$output_objdir/${outputname}.nm"
+
+	  $show "$rm $nlist ${nlist}S ${nlist}T"
+	  $run $rm "$nlist" "${nlist}S" "${nlist}T"
 
-          # Parse the name list into a source file.
-          $show "creating $objdir/$dlsyms"
+	  # Parse the name list into a source file.
+	  $show "creating $output_objdir/$dlsyms"
 
-          $echo > "$objdir/$dlsyms" "\
+	  test -z "$run" && $echo > "$output_objdir/$dlsyms" "\
 /* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */
-/* Generated by $PROGRAM - GNU $PACKAGE $VERSION */
+/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */
 
 #ifdef __cplusplus
 extern \"C\" {
 #endif
 
 /* Prevent the only kind of declaration conflicts we can make. */
-#define dld_preloaded_symbols some_other_symbol
+#define lt_preloaded_symbols some_other_symbol
 
 /* External symbol declarations for the compiler. */\
 "
 
-          if test -n "$export_symbols"; then
-	    sed -e 's/^\(.*\)/\1 \1/' < "$export_symbols" > "$nlist"
-          fi
+	  if test "$dlself" = yes; then
+	    $show "generating symbol list for \`$output'"
 
-          for arg in $dlprefiles; do
+	    test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist"
+
+	    # Add our own program objects to the symbol list.
+	    progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	    for arg in $progfiles; do
+	      $show "extracting global C symbols from \`$arg'"
+	      $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+	    done
+
+	    if test -n "$exclude_expsyms"; then
+	      $run eval 'egrep -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
+	      $run eval '$mv "$nlist"T "$nlist"'
+	    fi
+
+	    if test -n "$export_symbols_regex"; then
+	      $run eval 'egrep -e "$export_symbols_regex" "$nlist" > "$nlist"T'
+	      $run eval '$mv "$nlist"T "$nlist"'
+	    fi
+
+	    # Prepare the list of exported symbols
+	    if test -z "$export_symbols"; then
+	      export_symbols="$output_objdir/$output.exp"
+	      $run $rm $export_symbols
+	      $run eval "sed -n -e '/^: @PROGRAM@$/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+	    else
+	      $run eval "sed -e 's/\([][.*^$]\)/\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$output.exp"'
+	      $run eval 'grep -f "$output_objdir/$output.exp" < "$nlist" > "$nlist"T'
+	      $run eval 'mv "$nlist"T "$nlist"'
+	    fi
+	  fi
+
+	  for arg in $dlprefiles; do
 	    $show "extracting global C symbols from \`$arg'"
+	    name=`echo "$arg" | sed -e 's%^.*/%%'`
+	    $run eval 'echo ": $name " >> "$nlist"'
 	    $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
-          done
+	  done
 
-          if test -z "$run"; then
-	    # Make sure we at least have an empty file.
+	  if test -z "$run"; then
+	    # Make sure we have at least an empty file.
 	    test -f "$nlist" || : > "$nlist"
 
+	    if test -n "$exclude_expsyms"; then
+	      egrep -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
+	      $mv "$nlist"T "$nlist"
+	    fi
+
 	    # Try sorting and uniquifying the output.
-	    if sort "$nlist" | uniq > "$nlist"T; then
-	      mv -f "$nlist"T "$nlist"
+	    if grep -v "^: " < "$nlist" | sort +2 | uniq > "$nlist"S; then
+	      :
 	    else
-	      $rm "$nlist"T
+	      grep -v "^: " < "$nlist" > "$nlist"S
 	    fi
 
-	    if test -f "$nlist"; then
-	      sed -e 's/^.* \(.*\)$/extern char \1;/' < "$nlist" >> "$output_objdir/$dlsyms"
-  	    else
+	    if test -f "$nlist"S; then
+	      eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"'
+	    else
 	      echo '/* NONE */' >> "$output_objdir/$dlsyms"
-  	    fi
+	    fi
 
 	    $echo >> "$output_objdir/$dlsyms" "\
 
-#undef dld_preloaded_symbols
+#undef lt_preloaded_symbols
 
 #if defined (__STDC__) && __STDC__
-# define __ptr_t void *
+# define lt_ptr_t void *
 #else
-# define __ptr_t char *
+# define lt_ptr_t char *
+# define const
 #endif
 
 /* The mapping between symbol names and symbols. */
-struct {
-  char *name;
-  __ptr_t address;
+const struct {
+  const char *name;
+  lt_ptr_t address;
 }
-dld_preloaded_symbols[] =
+lt_preloaded_symbols[] =
 {\
 "
 
-            if test -n "$export_symbols"; then
-              echo >> "$objdir/$dlsyms" "\
-  {\"${output}\", (__ptr_t) 0},"
-	      sed 's/^\(.*\)/  {"\1", (__ptr_t) \&\1},/' < "$export_symbols" >> "$objdir/$dlsyms"
-            fi
-
-            for arg in $dlprefiles; do
-	      name=`echo "$arg" | sed -e 's%^.*/%%'`
-              echo >> "$objdir/$dlsyms" "\
-  {\"$name\", (__ptr_t) 0},"
-	      eval "$NM $arg | $global_symbol_pipe > '$nlist'"
-
-	      if test -f "$nlist"; then
-	        sed 's/^\(.*\) \(.*\)$/  {"\1", (__ptr_t) \&\2},/' < "$nlist" >> "$objdir/$dlsyms"
-	      else
-		echo '/* NONE */' >> "$output_objdir/$dlsyms"
-	      fi
-
-            done
-
-	    if test -f "$nlist"; then
-	      sed 's/^\(.*\) \(.*\)$/  {"\1", (__ptr_t) \&\2},/' < "$nlist" >> "$output_objdir/$dlsyms"
-	    fi
+	    sed -n -e 's/^: \([^ ]*\) $/  {\"\1\", (lt_ptr_t) 0},/p' \
+		-e 's/^. \([^ ]*\) \([^ ]*\)$/  {"\2", (lt_ptr_t) \&\2},/p' \
+		  < "$nlist" >> "$output_objdir/$dlsyms"
 
 	    $echo >> "$output_objdir/$dlsyms" "\
-  {0, (__ptr_t) 0}
+  {0, (lt_ptr_t) 0}
 };
 
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+  return lt_preloaded_symbols;
+}
+#endif
+
 #ifdef __cplusplus
 }
 #endif\
 "
-          fi
+	  fi
 
-          # Now compile the dynamic symbol file.
-          $show "(cd $objdir && $C_compiler -c$no_builtin_flag \"$dlsyms\")"
-          $run eval '(cd $objdir && $C_compiler -c$no_builtin_flag "$dlsyms")' || exit $?
+	  pic_flag_for_symtable=
+	  case "$host" in
+	  # compiling the symbol table file with pic_flag works around
+	  # a FreeBSD bug that causes programs to crash when -lm is
+	  # linked before any other PIC object.  But we must not use
+	  # pic_flag when linking with -static.  The problem exists in
+	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
+	  *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+	    case "$compile_command " in
+	    *" -static "*) ;;
+	    *) pic_flag_for_symtable=" $pic_flag -DPIC -DFREEBSD_WORKAROUND";;
+	    esac;;
+	  *-*-hpux*)
+	    case "$compile_command " in
+	    *" -static "*) ;;
+	    *) pic_flag_for_symtable=" $pic_flag -DPIC";;
+	    esac
+	  esac
 
-          # Transform the symbol file into the correct name.
-          compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$objdir/${output}S.${objext}%"`
-          finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$objdir/${output}S.${objext}%"`
-	  ;;
-        *)
-          $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
-          exit 1
-          ;;
-        esac
-      elif test "$export_dynamic" != yes; then
-        test -n "$dlfiles$dlprefiles" && $echo "$modename: warning: \`-dlopen' and \`-dlpreopen' are ignored without \`-export-dynamic'" 1>&2
-      else
-        # We keep going just in case the user didn't refer to
-        # dld_preloaded_symbols.  The linker will fail if global_symbol_pipe
-        # really was required.
-        $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
+	  # Now compile the dynamic symbol file.
+	  $show "(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
+	  $run eval '(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
 
-        # Nullify the symbol file.
-        compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
-        finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
-      fi
+	  # Clean up the generated files.
+	  $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
+	  $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
 
-      if test -z "$link_against_libtool_libs" || test "$build_libtool_libs" != yes; then
-        # Replace the output file specification.
-        compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
-        finalize_command=`$echo "X$finalize_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	  # Transform the symbol file into the correct name.
+	  compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+	  finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+	  ;;
+	*)
+	  $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
+	  exit 1
+	  ;;
+	esac
+      else
+	# We keep going just in case the user didn't refer to
+	# lt_preloaded_symbols.  The linker will fail if global_symbol_pipe
+	# really was required.
 
-        # We have no uninstalled library dependencies, so finalize right now.
-        $show "$compile_command"
-        $run eval "$compile_command"
-        exit $?
+	# Nullify the symbol file.
+	compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
+	finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
       fi
 
-      # Replace the output file specification.
-      compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
-      finalize_command=`$echo "X$finalize_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'T%g'`
+      if test $need_relink = no || test "$build_libtool_libs" != yes; then
+	# Replace the output file specification.
+	compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	link_command="$compile_command$compile_rpath"
 
-      # Create the binary in the object directory, then wrap it.
-      if test ! -d $output_objdir; then
-        $show "$mkdir $output_objdir"
-	$run $mkdir $output_objdir
+	# We have no uninstalled library dependencies, so finalize right now.
+	$show "$link_command"
+	$run eval "$link_command"
 	status=$?
-	if test $status -ne 0 && test ! -d $objdir; then
-	  exit $status
+
+	# Delete the generated files.
+	if test -n "$dlsyms"; then
+	  $show "$rm $output_objdir/${outputname}S.${objext}"
+	  $run $rm "$output_objdir/${outputname}S.${objext}"
 	fi
+
+	exit $status
       fi
 
       if test -n "$shlibpath_var"; then
-        # We should set the shlibpath_var
-        rpath=
-        for dir in $temp_rpath; do
-          case "$dir" in
-          /* | [A-Za-z]:[/\\]*)
-            # Absolute path.
-            rpath="$rpath$dir:"
-            ;;
-          *)
-            # Relative path: add a thisdir entry.
-            rpath="$rpath\$thisdir/$dir:"
-            ;;
-          esac
-        done
-        temp_rpath="$rpath"
-      fi
-
-      # Delete the old output file.
-      $run $rm $output
-
-      if test -n "$compile_shlibpath"; then
-        compile_command="$shlibpath_var=\"$compile_shlibpath\$$shlibpath_var\" $compile_command"
+	# We should set the shlibpath_var
+	rpath=
+	for dir in $temp_rpath; do
+	  case "$dir" in
+	  [\\/]* | [A-Za-z]:[\\/]*)
+	    # Absolute path.
+	    rpath="$rpath$dir:"
+	    ;;
+	  *)
+	    # Relative path: add a thisdir entry.
+	    rpath="$rpath\$thisdir/$dir:"
+	    ;;
+	  esac
+	done
+	temp_rpath="$rpath"
+      fi
+
+      if test -n "$compile_shlibpath$finalize_shlibpath"; then
+	compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
       fi
       if test -n "$finalize_shlibpath"; then
-        finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
+	finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
+      fi
+
+      compile_var=
+      finalize_var=
+      if test -n "$runpath_var"; then
+	if test -n "$perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $perm_rpath; do
+	    rpath="$rpath$dir:"
+	  done
+	  compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
+	fi
+	if test -n "$finalize_perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $finalize_perm_rpath; do
+	    rpath="$rpath$dir:"
+	  done
+	  finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
+	fi
       fi
 
-      if test -n "$runpath_var" && test -n "$perm_rpath"; then
-        # We should set the runpath_var.
-        rpath=
-        for dir in $perm_rpath; do
-          rpath="$rpath$dir:"
-        done
-        compile_command="$runpath_var=\"$rpath\$$runpath_var\" $compile_command"
-        finalize_command="$runpath_var=\"$rpath\$$runpath_var\" $finalize_command"
+      if test "$no_install" = yes; then
+	# We don't need to create a wrapper script.
+	link_command="$compile_var$compile_command$compile_rpath"
+	# Replace the output file specification.
+	link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	# Delete the old output file.
+	$run $rm $output
+	# Link the executable and exit
+	$show "$link_command"
+	$run eval "$link_command" || exit $?
+	exit 0
       fi
 
-      if test "$hardcode_action" = relink; then
-        # AGH! Flame the AIX and HP-UX people for me, will ya?
-        $echo "$modename: warning: this platform doesn\'t like uninstalled shared libraries" 1>&2
-        $echo "$modename: \`$output' will be relinked during installation" 1>&2
+      if test "$hardcode_action" = relink || test "$hardcode_into_libs" = all; then
+	# Fast installation is not supported
+	link_command="$compile_var$compile_command$compile_rpath"
+	relink_command="$finalize_var$finalize_command$finalize_rpath"
+
+	$echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2
+	$echo "$modename: \`$output' will be relinked during installation" 1>&2
+      else
+	if test "$fast_install" != no; then
+	  link_command="$finalize_var$compile_command$finalize_rpath"
+	  if test "$fast_install" = yes; then
+	    relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+	  else
+	    # fast_install is set to needless
+	    relink_command=
+	  fi
+	else
+	  link_command="$compile_var$compile_command$compile_rpath"
+	  relink_command="$finalize_var$finalize_command$finalize_rpath"
+	fi
       fi
 
-      $show "$compile_command"
-      $run eval "$compile_command" || exit $?
+      # Replace the output file specification.
+      link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+
+      # Delete the old output files.
+      $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname
+
+      $show "$link_command"
+      $run eval "$link_command" || exit $?
 
       # Now create the wrapper script.
       $show "creating $output"
 
-      # Quote the finalize command for shipping.
-      finalize_command=`$echo "X$finalize_command" | $Xsed -e "$sed_quote_subst"`
+      # Quote the relink command for shipping.
+      if test -n "$relink_command"; then
+	# Preserve any variables that may affect compiler behavior
+	for var in $variables_saved_for_relink; do
+	  eval var_value=\$$var
+	  var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+	  relink_command="$var=\"$var_value\"; export $var; $relink_command"
+	done
+	relink_command="cd `pwd`; $relink_command"
+	relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+      fi
 
       # Quote $echo for shipping.
       if test "X$echo" = "X$SHELL $0 --fallback-echo"; then
 	case "$0" in
-	/* | [A-Za-z]:[/\\]*) qecho="$SHELL $0 --fallback-echo";;
+	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $0 --fallback-echo";;
 	*) qecho="$SHELL `pwd`/$0 --fallback-echo";;
 	esac
 	qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
       else
-        qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
+	qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
       fi
 
       # Only actually do things if our run command is non-null.
       if test -z "$run"; then
-        $rm $output
-        trap "$rm $output; exit 1" 1 2 15
+	# win32 will think the script is a binary if it has
+	# a .exe suffix, so we strip it off here.
+	case $output in
+	  *.exe) output=`echo $output|sed 's,.exe$,,'` ;;
+	esac
+	$rm $output
+	trap "$rm $output; exit 1" 1 2 15
 
-        $echo > $output "\
+	$echo > $output "\
 #! $SHELL
 
 # $output - temporary wrapper script for $objdir/$outputname
-# Generated by $PROGRAM - GNU $PACKAGE $VERSION
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
 #
 # The $output program cannot be directly executed until all the libtool
 # libraries that it depends on are installed.
@@ -1998,18 +3433,19 @@ dld_preloaded_symbols[] =
 
 # Sed substitution that helps us do robust quoting.  It backslashifies
 # metacharacters that are still active within double-quoted strings.
-Xsed='sed -e s/^X//'
+Xsed='sed -e 1s/^X//'
 sed_quote_subst='$sed_quote_subst'
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-if test \"\${CDPATH+set}\" = set; then CDPATH=; export CDPATH; fi
+if test \"\${CDPATH+set}\" = set; then CDPATH=:; export CDPATH; fi
+
+relink_command=\"$relink_command\"
 
 # This environment variable determines our operation mode.
 if test \"\$libtool_install_magic\" = \"$magic\"; then
-  # install mode needs the following variables:
-  link_against_libtool_libs='$link_against_libtool_libs'
-  finalize_command=\"cd `pwd | sed -e $sed_quote_subst`; $finalize_command\"
+  # install mode needs the following variable:
+  uninst_deplibs='$uninst_deplibs'
 else
   # When we are sourced in execute mode, \$file and \$echo are already set.
   if test \"\$libtool_execute_magic\" != \"$magic\"; then
@@ -2028,7 +3464,7 @@ else
     fi
   fi\
 "
-        $echo >> $output "\
+	$echo >> $output "\
 
   # Find the directory that this script lives in.
   thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
@@ -2042,7 +3478,7 @@ else
     # If there was a directory component, then change thisdir.
     if test \"x\$destdir\" != \"x\$file\"; then
       case \"\$destdir\" in
-      /* | [A-Za-z]:[/\\]*) thisdir=\"\$destdir\" ;;
+      [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
       *) thisdir=\"\$thisdir/\$destdir\" ;;
       esac
     fi
@@ -2054,35 +3490,105 @@ else
   # Try to get the absolute directory name.
   absdir=\`cd \"\$thisdir\" && pwd\`
   test -n \"\$absdir\" && thisdir=\"\$absdir\"
+"
 
+	if test "$fast_install" = yes; then
+	  echo >> $output "\
+  program=lt-'$outputname'
   progdir=\"\$thisdir/$objdir\"
+
+  if test ! -f \"\$progdir/\$program\" || \\
+     { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | sed 1q\`; \\
+       test \"X\$file\" != \"X\$progdir/\$program\"; }; then
+
+    file=\"\$\$-\$program\"
+
+    if test ! -d \"\$progdir\"; then
+      $mkdir \"\$progdir\"
+    else
+      $rm \"\$progdir/\$file\"
+    fi"
+
+	  echo >> $output "\
+
+    # relink executable if necessary
+    if test -n \"\$relink_command\"; then
+      if (eval \$relink_command); then :
+      else
+	$rm \"\$progdir/\$file\"
+	exit 1
+      fi
+    fi
+
+    $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
+    { $rm \"\$progdir/\$program\";
+      $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; }
+    $rm \"\$progdir/\$file\"
+  fi"
+	else
+	  echo >> $output "\
   program='$outputname'
+  progdir=\"\$thisdir/$objdir\"
+"
+	fi
+
+	echo >> $output "\
 
   if test -f \"\$progdir/\$program\"; then"
 
-        # Export our shlibpath_var if we have one.
-        if test -n "$shlibpath_var" && test -n "$temp_rpath"; then
-          $echo >> $output "\
+	# Export our shlibpath_var if we have one.
+	if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+	  $echo >> $output "\
     # Add our own library path to $shlibpath_var
     $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
 
     # Some systems cannot cope with colon-terminated $shlibpath_var
-    $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/:*\$//'\`
+    # The second colon is a workaround for a bug in BeOS R4 sed
+    $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
 
     export $shlibpath_var
 "
-        fi
+	fi
 
-        $echo >> $output "\
+	# fixup the dll searchpath if we need to.
+	if test -n "$dllsearchpath"; then
+	  $echo >> $output "\
+    # Add the dll search path components to the executable PATH
+    PATH=$dllsearchpath:\$PATH
+"
+	fi
+
+	$echo >> $output "\
     if test \"\$libtool_execute_magic\" != \"$magic\"; then
       # Run the actual program with our arguments.
+"
+	case $host in
+	# win32 systems need to use the prog path for dll
+	# lookup to work
+	*-*-cygwin*)
+	  $echo >> $output "\
+      exec \$progdir/\$program \${1+\"\$@\"}
+"
+	  ;;
 
+	# Backslashes separate directories on plain windows
+	*-*-mingw | *-*-os2*)
+	  $echo >> $output "\
+      exec \$progdir\\\\\$program \${1+\"\$@\"}
+"
+	  ;;
+
+	*)
+	  $echo >> $output "\
       # Export the path to the program.
       PATH=\"\$progdir:\$PATH\"
       export PATH
 
       exec \$program \${1+\"\$@\"}
-
+"
+	  ;;
+	esac
+	$echo >> $output "\
       \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
       exit 1
     fi
@@ -2095,7 +3601,7 @@ else
   fi
 fi\
 "
-        chmod +x $output
+	chmod +x $output
       fi
       exit 0
       ;;
@@ -2105,46 +3611,85 @@ fi\
     for oldlib in $oldlibs; do
 
       if test "$build_libtool_libs" = convenience; then
-	oldobjs="$libobjs"
+	oldobjs="$libobjs_save"
 	addlibs="$convenience"
 	build_libtool_libs=no
       else
-	oldobjs="$objs"`$echo "X$libobjs " | $Xsed -e 's/[^   ]*\.'${libext}' //g' -e 's/[^   ]*\.lib //g' -e "$los2o" -e 's/ $//g'`
+	if test "$build_libtool_libs" = module; then
+	  oldobjs="$libobjs_save"
+	  build_libtool_libs=no
+	else
+	  oldobjs="$objs$old_deplibs "`$echo "X$libobjs_save" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`
+	fi
 	addlibs="$old_convenience"
       fi
 
-      # Add in members from convenience archives.
-      for xlib in $addlibs; do
-	# Extract the objects.
-	xdir="$xlib"x
-	generated="$generated $xdir"
-	xlib=`echo "$xlib" | $Xsed -e 's%^.*/%%'`
-
-	$show "${rm}r $xdir"
-	$run ${rm}r "$xdir"
-	$show "mkdir $xdir"
-	$run mkdir "$xdir"
+      if test -n "$addlibs"; then
+	gentop="$output_objdir/${outputname}x"
+	$show "${rm}r $gentop"
+	$run ${rm}r "$gentop"
+	$show "mkdir $gentop"
+	$run mkdir "$gentop"
 	status=$?
-	if test $status -ne 0 && test ! -d "$xdir"; then
+	if test $status -ne 0 && test ! -d "$gentop"; then
 	  exit $status
 	fi
-	$show "(cd $xdir && $AR x ../$xlib)"
-	$run eval "(cd \$xdir && $AR x ../\$xlib)" || exit $?
+	generated="$generated $gentop"
+
+	# Add in members from convenience archives.
+	for xlib in $addlibs; do
+	  # Extract the objects.
+	  case "$xlib" in
+	  [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	  *) xabs=`pwd`"/$xlib" ;;
+	  esac
+	  xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	  xdir="$gentop/$xlib"
+
+	  $show "${rm}r $xdir"
+	  $run ${rm}r "$xdir"
+	  $show "mkdir $xdir"
+	  $run mkdir "$xdir"
+	  status=$?
+	  if test $status -ne 0 && test ! -d "$xdir"; then
+	    exit $status
+	  fi
+	  $show "(cd $xdir && $AR x $xabs)"
+	  $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
 
-	oldobjs="$oldobjs `echo $xdir/*`"
-      done
+	  oldobjs="$oldobjs "`find $xdir -name \*.${objext} -print -o -name \*.lo -print | $NL2SP`
+	done
+      fi
 
       # Do each command in the archive commands.
       if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
 	eval cmds=\"$old_archive_from_new_cmds\"
       else
+	# Ensure that we have .o objects in place in case we decided
+	# not to build a shared library, and have fallen back to building
+	# static libs even though --disable-static was passed!
+	for oldobj in $oldobjs; do
+	  if test ! -f $oldobj; then
+	    xdir=`$echo "X$oldobj" | $Xsed -e 's%/[^/]*$%%'`
+	    if test "X$xdir" = "X$oldobj"; then
+	      xdir="."
+	    else
+	      xdir="$xdir"
+	    fi
+	    baseobj=`$echo "X$oldobj" | $Xsed -e 's%^.*/%%'`
+	    obj=`$echo "X$baseobj" | $Xsed -e "$o2lo"`
+	    $show "(cd $xdir && ${LN_S} $obj $baseobj)"
+	    $run eval '(cd $xdir && ${LN_S} $obj $baseobj)' || exit $?
+	  fi
+	done
+
 	eval cmds=\"$old_archive_cmds\"
       fi
       IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
       for cmd in $cmds; do
-        IFS="$save_ifs"
-        $show "$cmd"
-        $run eval "$cmd" || exit $?
+	IFS="$save_ifs"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
       done
       IFS="$save_ifs"
     done
@@ -2161,11 +3706,71 @@ fi\
       test "$build_old_libs" = yes && old_library="$libname.$libext"
       $show "creating $output"
 
+      # Preserve any variables that may affect compiler behavior
+      for var in $variables_saved_for_relink; do
+	eval var_value=\$$var
+	var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+	relink_command="$var=\"$var_value\"; export $var; $relink_command"
+      done
+      # Quote the link command for shipping.
+      relink_command="cd `pwd`; $SHELL $0 --mode=relink $libtool_args"
+      relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+
       # Only create the output if not a dry run.
       if test -z "$run"; then
-        $echo > $output "\
-# $output - a libtool library file
-# Generated by $PROGRAM - GNU $PACKAGE $VERSION
+	for installed in no yes; do
+	  if test "$installed" = yes; then
+	    if test -z "$install_libdir"; then
+	      break
+	    fi
+	    output="$output_objdir/$outputname"i
+	    # Replace all uninstalled libtool libraries with the installed ones
+	    newdependency_libs=
+	    for deplib in $dependency_libs; do
+	      case "$deplib" in
+	      *.la)
+		name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'`
+		eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		if test -z "$libdir"; then
+		  $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+		  exit 1
+		fi
+		newdependency_libs="$newdependency_libs $libdir/$name"
+		;;
+	      *) newdependency_libs="$newdependency_libs $deplib" ;;
+	      esac
+	    done
+	    dependency_libs="$newdependency_libs"
+	    newdlfiles=
+	    for lib in $dlfiles; do
+	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+	      eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+	      if test -z "$libdir"; then
+		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+		exit 1
+	      fi
+	      newdlfiles="$newdlfiles $libdir/$name"
+	    done
+	    dlfiles="$newdlfiles"
+	    newdlprefiles=
+	    for lib in $dlprefiles; do
+	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+	      eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+	      if test -z "$libdir"; then
+		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+		exit 1
+	      fi
+	      newdlprefiles="$newdlprefiles $libdir/$name"
+	    done
+	    dlprefiles="$newdlprefiles"
+	  fi
+	  $rm $output
+	  $echo > $output "\
+# $outputname - a libtool library file
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
 
 # The name that we can dlopen(3).
 dlname='$dlname'
@@ -2185,17 +3790,26 @@ age=$age
 revision=$revision
 
 # Is this an already installed library?
-installed=no
+installed=$installed
+
+# Files to dlopen/dlpreopen
+dlopen='$dlfiles'
+dlpreopen='$dlprefiles'
 
 # Directory that this library needs to be installed in:
-libdir='$install_libdir'\
-"
+libdir='$install_libdir'"
+	  if test $hardcode_into_libs = all &&
+	     test "$installed" = no && test $need_relink = yes; then
+	    $echo >> $output "\
+relink_command=\"$relink_command\""
+	  fi
+	done
       fi
 
       # Do a symbolic link so that the libtool archive can be found in
       # LD_LIBRARY_PATH before the program is installed.
-      $show "(cd $output_objdir && $LN_S ../$outputname $outputname)"
-      $run eval "(cd $output_objdir && $LN_S ../$outputname $outputname)" || exit $?
+      $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)"
+      $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
       ;;
     esac
     exit 0
@@ -2244,9 +3858,9 @@ libdir='$install_libdir'\
     for arg
     do
       if test -n "$dest"; then
-        files="$files $dest"
-        dest="$arg"
-        continue
+	files="$files $dest"
+	dest="$arg"
+	continue
       fi
 
       case "$arg" in
@@ -2256,20 +3870,20 @@ libdir='$install_libdir'\
       -m) prev="-m" ;;
       -o) prev="-o" ;;
       -s)
-        stripme=" -s"
-        continue
-        ;;
+	stripme=" -s"
+	continue
+	;;
       -*) ;;
 
       *)
-        # If the previous option needed an argument, then skip it.
-        if test -n "$prev"; then
-          prev=
-        else
-          dest="$arg"
-          continue
-        fi
-        ;;
+	# If the previous option needed an argument, then skip it.
+	if test -n "$prev"; then
+	  prev=
+	else
+	  dest="$arg"
+	  continue
+	fi
+	;;
       esac
 
       # Aesthetically quote the argument.
@@ -2296,9 +3910,9 @@ libdir='$install_libdir'\
 
     if test -z "$files"; then
       if test -z "$dest"; then
-        $echo "$modename: no file or destination specified" 1>&2
+	$echo "$modename: no file or destination specified" 1>&2
       else
-        $echo "$modename: you must specify a destination" 1>&2
+	$echo "$modename: you must specify a destination" 1>&2
       fi
       $echo "$help" 1>&2
       exit 1
@@ -2320,23 +3934,23 @@ libdir='$install_libdir'\
       # Not a directory, so check to see that there is only one file specified.
       set dummy $files
       if test $# -gt 2; then
-        $echo "$modename: \`$dest' is not a directory" 1>&2
-        $echo "$help" 1>&2
-        exit 1
+	$echo "$modename: \`$dest' is not a directory" 1>&2
+	$echo "$help" 1>&2
+	exit 1
       fi
     fi
     case "$destdir" in
-    /* | [A-Za-z]:[/\\]*) ;;
+    [\\/]* | [A-Za-z]:[\\/]*) ;;
     *)
       for file in $files; do
-        case "$file" in
-        *.lo) ;;
-        *)
-          $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
-          $echo "$help" 1>&2
-          exit 1
-          ;;
-        esac
+	case "$file" in
+	*.lo) ;;
+	*)
+	  $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	  ;;
+	esac
       done
       ;;
     esac
@@ -2352,213 +3966,240 @@ libdir='$install_libdir'\
 
       # Do each installation.
       case "$file" in
-      *.a | *.lib)
-        # Do the static libraries later.
-        staticlibs="$staticlibs $file"
-        ;;
+      *.$libext)
+	# Do the static libraries later.
+	staticlibs="$staticlibs $file"
+	;;
 
       *.la)
-        # Check to see that this really is a libtool archive.
-        if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
-        else
-          $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
-          $echo "$help" 1>&2
-          exit 1
-        fi
-
-        library_names=
-        old_library=
-        # If there is no directory component, then add one.
-        case "$file" in
-        */* | *\\*) . $file ;;
-        *) . ./$file ;;
-        esac
-
-        # Add the libdir to current_libdirs if it is the destination.
-        if test "X$destdir" = "X$libdir"; then
-          case "$current_libdirs " in
-          *" $libdir "*) ;;
-          *) current_libdirs="$current_libdirs $libdir" ;;
-          esac
-        else
-          # Note the libdir as a future libdir.
-          case "$future_libdirs " in
-          *" $libdir "*) ;;
-          *) future_libdirs="$future_libdirs $libdir" ;;
-          esac
-        fi
-
-        dir="`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/"
-        test "X$dir" = "X$file/" && dir=
-        dir="$dir$objdir"
-
-        # See the names of the shared library.
-        set dummy $library_names
-        if test -n "$2"; then
-          realname="$2"
-          shift
-          shift
-
-          # Install the shared library and build the symlinks.
-          $show "$install_prog $dir/$realname $destdir/$realname"
-          $run eval "$install_prog $dir/$realname $destdir/$realname" || exit $?
-          test "X$dlname" = "X$realname" && dlname=
-
-          if test $# -gt 0; then
-            # Delete the old symlinks, and create new ones.
-            for linkname
-            do
-              test "X$dlname" = "X$linkname" && dlname=
+	# Check to see that this really is a libtool archive.
+	if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
+
+	library_names=
+	old_library=
+	relink_command=
+	# If there is no directory component, then add one.
+	case "$file" in
+	*/* | *\\*) . $file ;;
+	*) . ./$file ;;
+	esac
+
+	# Add the libdir to current_libdirs if it is the destination.
+	if test "X$destdir" = "X$libdir"; then
+	  case "$current_libdirs " in
+	  *" $libdir "*) ;;
+	  *) current_libdirs="$current_libdirs $libdir" ;;
+	  esac
+	else
+	  # Note the libdir as a future libdir.
+	  case "$future_libdirs " in
+	  *" $libdir "*) ;;
+	  *) future_libdirs="$future_libdirs $libdir" ;;
+	  esac
+	fi
+
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/
+	test "X$dir" = "X$file/" && dir=
+	dir="$dir$objdir"
+
+	if test "$hardcode_into_libs" = all && test -n "$relink_command"; then
+	  $echo "$modename: warning: relinking \`$file'" 1>&2
+	  $show "$relink_command"
+	  if $run eval "$relink_command"; then :
+	  else
+	    $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+	    continue
+	  fi
+	fi
+
+	# See the names of the shared library.
+	set dummy $library_names
+	if test -n "$2"; then
+	  realname="$2"
+	  shift
+	  shift
+
+	  srcname="$realname"
+	  test "$hardcode_into_libs" = all && test -n "$relink_command" && srcname="$realname"T
+
+	  # Install the shared library and build the symlinks.
+	  $show "$install_prog $dir/$srcname $destdir/$realname"
+	  $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $?
+	  if test -n "$stripme" && test -n "$striplib"; then
+	    $show "$striplib $destdir/$realname"
+	    $run eval "$striplib $destdir/$realname" || exit $?
+	  fi
+
+	  if test $# -gt 0; then
+	    # Delete the old symlinks, and create new ones.
+	    for linkname
+	    do
 	      if test "$linkname" != "$realname"; then
 		$show "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
 		$run eval "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
 	      fi
-            done
-          fi
-
-          if test -n "$dlname"; then
-            # Install the dynamically-loadable library.
-            $show "$install_prog $dir/$dlname $destdir/$dlname"
-            $run eval "$install_prog $dir/$dlname $destdir/$dlname" || exit $?
-          fi
-
-          # Do each command in the postinstall commands.
-          lib="$destdir/$realname"
-          eval cmds=\"$postinstall_cmds\"
-          IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
-          for cmd in $cmds; do
-            IFS="$save_ifs"
-            $show "$cmd"
-            $run eval "$cmd" || exit $?
-          done
-          IFS="$save_ifs"
-        fi
-
-        # Install the pseudo-library for information purposes.
-        name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	    done
+	  fi
+
+	  # Do each command in the postinstall commands.
+	  lib="$destdir/$realname"
+	  eval cmds=\"$postinstall_cmds\"
+	  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	  for cmd in $cmds; do
+	    IFS="$save_ifs"
+	    $show "$cmd"
+	    $run eval "$cmd" || exit $?
+	  done
+	  IFS="$save_ifs"
+	fi
+
+	# Install the pseudo-library for information purposes.
+	name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
 	instname="$dir/$name"i
-	$show "Creating $instname"
-	$rm "$instname"
-	sed 's/^installed=no$/installed=yes/' "$file" > "$instname"
-        $show "$install_prog $instname $destdir/$name"
-        $run eval "$install_prog $instname $destdir/$name" || exit $?
-	$show "$rm $instname"
-	$rm "$instname"
-
-        # Maybe install the static library, too.
-        test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
-        ;;
+	$show "$install_prog $instname $destdir/$name"
+	$run eval "$install_prog $instname $destdir/$name" || exit $?
+
+	# Maybe install the static library, too.
+	test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+	;;
 
       *.lo)
-        # Install (i.e. copy) a libtool object.
-
-        # Figure out destination file name, if it wasn't already specified.
-        if test -n "$destname"; then
-          destfile="$destdir/$destname"
-        else
-          destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
-          destfile="$destdir/$destfile"
-        fi
-
-        # Deduce the name of the destination old-style object file.
-        case "$destfile" in
-        *.lo)
-          staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
-          ;;
-        *.o | *.obj)
-          staticdest="$destfile"
-          destfile=
-          ;;
-        *)
-          $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
-          $echo "$help" 1>&2
-          exit 1
-          ;;
-        esac
-
-        # Install the libtool object if requested.
-        if test -n "$destfile"; then
-          $show "$install_prog $file $destfile"
-          $run eval "$install_prog $file $destfile" || exit $?
-        fi
-
-        # Install the old object if enabled.
-        if test "$build_old_libs" = yes; then
-          # Deduce the name of the old-style object file.
-          staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
-
-          $show "$install_prog $staticobj $staticdest"
-          $run eval "$install_prog \$staticobj \$staticdest" || exit $?
-        fi
-        exit 0
-        ;;
+	# Install (i.e. copy) a libtool object.
+
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile="$destdir/$destname"
+	else
+	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	  destfile="$destdir/$destfile"
+	fi
+
+	# Deduce the name of the destination old-style object file.
+	case "$destfile" in
+	*.lo)
+	  staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
+	  ;;
+	*.$objext)
+	  staticdest="$destfile"
+	  destfile=
+	  ;;
+	*)
+	  $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	# Install the libtool object if requested.
+	if test -n "$destfile"; then
+	  $show "$install_prog $file $destfile"
+	  $run eval "$install_prog $file $destfile" || exit $?
+	fi
+
+	# Install the old object if enabled.
+	if test "$build_old_libs" = yes; then
+	  # Deduce the name of the old-style object file.
+	  staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
+
+	  $show "$install_prog $staticobj $staticdest"
+	  $run eval "$install_prog \$staticobj \$staticdest" || exit $?
+	fi
+	exit 0
+	;;
 
       *)
-        # Figure out destination file name, if it wasn't already specified.
-        if test -n "$destname"; then
-          destfile="$destdir/$destname"
-        else
-          destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
-          destfile="$destdir/$destfile"
-        fi
-
-        # Do a test to see if this is really a libtool program.
-        if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-          link_against_libtool_libs=
-          finalize_command=
-
-          # If there is no directory component, then add one.
-          case "$file" in
-          */* | *\\*) . $file ;;
-          *) . ./$file ;;
-          esac
-
-          # Check the variables that should have been set.
-          if test -z "$link_against_libtool_libs" || test -z "$finalize_command"; then
-            $echo "$modename: invalid libtool wrapper script \`$file'" 1>&2
-            exit 1
-          fi
-
-          finalize=yes
-          for lib in $link_against_libtool_libs; do
-            # Check to see that each library is installed.
-            libdir=
-            if test -f "$lib"; then
-              # If there is no directory component, then add one.
-              case "$lib" in
-              */* | *\\*) . $lib ;;
-              *) . ./$lib ;;
-              esac
-            fi
-            libfile="$libdir/`$echo "X$lib" | $Xsed -e 's%^.*/%%g'`"
-            if test -n "$libdir" && test ! -f "$libfile"; then
-              $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
-              finalize=no
-            fi
-          done
-
-          if test "$hardcode_action" = relink; then
-            if test "$finalize" = yes; then
-              $echo "$modename: warning: relinking \`$file' on behalf of your buggy system linker" 1>&2
-              $show "$finalize_command"
-              if $run eval "$finalize_command"; then :
-              else
-                $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
-                continue
-              fi
-              file="$objdir/$file"T
-            else
-              $echo "$modename: warning: cannot relink \`$file' on behalf of your buggy system linker" 1>&2
-            fi
-          else
-            # Install the binary that we compiled earlier.
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile="$destdir/$destname"
+	else
+	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	  destfile="$destdir/$destfile"
+	fi
+
+	# Do a test to see if this is really a libtool program.
+	if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  uninst_deplibs=
+	  relink_command=
+
+	  # If there is no directory component, then add one.
+	  case "$file" in
+	  */* | *\\*) . $file ;;
+	  *) . ./$file ;;
+	  esac
+
+	  # Check the variables that should have been set.
+	  if test -z "$uninst_deplibs"; then
+	    $echo "$modename: invalid libtool wrapper script \`$file'" 1>&2
+	    exit 1
+	  fi
+
+	  finalize=yes
+	  for lib in $uninst_deplibs; do
+	    # Check to see that each library is installed.
+	    libdir=
+	    if test -f "$lib"; then
+	      # If there is no directory component, then add one.
+	      case "$lib" in
+	      */* | *\\*) . $lib ;;
+	      *) . ./$lib ;;
+	      esac
+	    fi
+	    libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
+	    if test -n "$libdir" && test ! -f "$libfile"; then
+	      $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
+	      finalize=no
+	    fi
+	  done
+
+	  relink_command=
+	  # If there is no directory component, then add one.
+	  case "$file" in
+	  */* | *\\*) . $file ;;
+	  *) . ./$file ;;
+	  esac
+
+	  outputname=
+	  if test "$fast_install" = no && test -n "$relink_command"; then
+	    if test "$finalize" = yes && test -z "$run"; then
+	      tmpdir="/tmp"
+	      test -n "$TMPDIR" && tmpdir="$TMPDIR"
+	      tmpdir="$tmpdir/libtool-$$"
+	      if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
+	      else
+		$echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
+		continue
+	      fi
+	      file=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	      outputname="$tmpdir/$file"
+	      # Replace the output file specification.
+	      relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+
+	      $show "$relink_command"
+	      if $run eval "$relink_command"; then :
+	      else
+		$echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+		${rm}r "$tmpdir"
+		continue
+	      fi
+	      file="$outputname"
+	    else
+	      $echo "$modename: warning: cannot relink \`$file'" 1>&2
+	    fi
+	  else
+	    # Install the binary that we compiled earlier.
 	    file=`$echo "X$file" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
-          fi
-        fi
+	  fi
+	fi
 
-        $show "$install_prog$stripme $file $destfile"
-        $run eval "$install_prog\$stripme \$file \$destfile" || exit $?
-        ;;
+	$show "$install_prog$stripme $file $destfile"
+	$run eval "$install_prog\$stripme \$file \$destfile" || exit $?
+	test -n "$outputname" && ${rm}r "$tmpdir"
+	;;
       esac
     done
 
@@ -2571,13 +4212,18 @@ libdir='$install_libdir'\
       $show "$install_prog $file $oldlib"
       $run eval "$install_prog \$file \$oldlib" || exit $?
 
+      if test -n "$stripme" && test -n "$striplib"; then
+	$show "$old_striplib $oldlib"
+	$run eval "$old_striplib $oldlib" || exit $?
+      fi
+
       # Do each command in the postinstall commands.
       eval cmds=\"$old_postinstall_cmds\"
       IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
       for cmd in $cmds; do
-        IFS="$save_ifs"
-        $show "$cmd"
-        $run eval "$cmd" || exit $?
+	IFS="$save_ifs"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
       done
       IFS="$save_ifs"
     done
@@ -2605,21 +4251,21 @@ libdir='$install_libdir'\
     if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
       for dir
       do
-        libdirs="$libdirs $dir"
+	libdirs="$libdirs $dir"
       done
 
       for libdir in $libdirs; do
 	if test -n "$finish_cmds"; then
 	  # Do each command in the finish commands.
 	  eval cmds=\"$finish_cmds\"
-          IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
-          for cmd in $cmds; do
-            IFS="$save_ifs"
-            $show "$cmd"
-            $run eval "$cmd" || admincmds="$admincmds
+	  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	  for cmd in $cmds; do
+	    IFS="$save_ifs"
+	    $show "$cmd"
+	    $run eval "$cmd" || admincmds="$admincmds
        $cmd"
-          done
-          IFS="$save_ifs"
+	  done
+	  IFS="$save_ifs"
 	fi
 	if test -n "$finish_eval"; then
 	  # Do the single finish_eval.
@@ -2639,10 +4285,10 @@ libdir='$install_libdir'\
       echo "   $libdir"
     done
     echo
-    echo "To link against installed libraries in a given directory, LIBDIR,"
-    echo "you must use the \`-LLIBDIR' flag during linking."
-    echo
-    echo " You will also need to do at least one of the following:"
+    echo "If you ever happen to want to link against installed libraries"
+    echo "in a given directory, LIBDIR, you must either use libtool, and"
+    echo "specify the full pathname of the library, or use \`-LLIBDIR'"
+    echo "flag during linking and do at least one of the following:"
     if test -n "$shlibpath_var"; then
       echo "   - add LIBDIR to the \`$shlibpath_var' environment variable"
       echo "     during execution"
@@ -2693,22 +4339,22 @@ libdir='$install_libdir'\
       dir=
       case "$file" in
       *.la)
-        # Check to see that this really is a libtool archive.
-        if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
-        else
-          $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-          $echo "$help" 1>&2
-          exit 1
-        fi
+	# Check to see that this really is a libtool archive.
+	if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
 
 	# Read the libtool library.
 	dlname=
 	library_names=
 
-        # If there is no directory component, then add one.
+	# If there is no directory component, then add one.
 	case "$file" in
 	*/* | *\\*) . $file ;;
-        *) . ./$file ;;
+	*) . ./$file ;;
 	esac
 
 	# Skip this library if it cannot be dlopened.
@@ -2737,7 +4383,7 @@ libdir='$install_libdir'\
 
       *)
 	$echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2
-        continue
+	continue
 	;;
       esac
 
@@ -2764,8 +4410,8 @@ libdir='$install_libdir'\
       case "$file" in
       -*) ;;
       *)
-        # Do a test to see if this is really a libtool program.
-        if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	# Do a test to see if this is really a libtool program.
+	if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
 	  # If there is no directory component, then add one.
 	  case "$file" in
 	  */* | *\\*) . $file ;;
@@ -2775,7 +4421,7 @@ libdir='$install_libdir'\
 	  # Transform arg to wrapped name.
 	  file="$progdir/$program"
 	fi
-        ;;
+	;;
       esac
       # Quote arguments (to preserve shell metacharacters).
       file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"`
@@ -2783,15 +4429,17 @@ libdir='$install_libdir'\
     done
 
     if test -z "$run"; then
-      # Export the shlibpath_var.
-      eval "export $shlibpath_var"
+      if test -n "$shlibpath_var"; then
+	# Export the shlibpath_var.
+	eval "export $shlibpath_var"
+      fi
 
       # Restore saved enviroment variables
       if test "${save_LC_ALL+set}" = set; then
-        LC_ALL="$save_LC_ALL"; export LC_ALL
+	LC_ALL="$save_LC_ALL"; export LC_ALL
       fi
       if test "${save_LANG+set}" = set; then
-        LANG="$save_LANG"; export LANG
+	LANG="$save_LANG"; export LANG
       fi
 
       # Now actually exec the command.
@@ -2801,19 +4449,25 @@ libdir='$install_libdir'\
       exit 1
     else
       # Display what would be done.
-      eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
-      $echo "export $shlibpath_var"
+      if test -n "$shlibpath_var"; then
+	eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
+	$echo "export $shlibpath_var"
+      fi
       $echo "$cmd$args"
       exit 0
     fi
     ;;
 
-  # libtool uninstall mode
-  uninstall)
-    modename="$modename: uninstall"
+  # libtool clean and uninstall mode
+  clean | uninstall)
+    modename="$modename: $mode"
     rm="$nonopt"
     files=
 
+    # This variable tells wrapper scripts just to set variables rather
+    # than running their programs.
+    libtool_install_magic="$magic"
+
     for arg
     do
       case "$arg" in
@@ -2830,70 +4484,82 @@ libdir='$install_libdir'\
 
     for file in $files; do
       dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
-      test "X$dir" = "X$file" && dir=.
+      if test "X$dir" = "X$file"; then
+	dir=.
+	objdir="$objdir"
+      else
+	objdir="$dir/$objdir"
+      fi
       name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+      test $mode = uninstall && objdir="$dir"
 
       rmfiles="$file"
 
       case "$name" in
       *.la)
-        # Possibly a libtool archive, so verify it.
-        if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-          . $dir/$name
-
-          # Delete the libtool libraries and symlinks.
-          for n in $library_names; do
-            rmfiles="$rmfiles $dir/$n"
-            test "X$n" = "X$dlname" && dlname=
-          done
-          test -n "$dlname" && rmfiles="$rmfiles $dir/$dlname"
-          test -n "$old_library" && rmfiles="$rmfiles $dir/$old_library"
-
-	  $show "$rm $rmfiles"
-	  $run $rm $rmfiles
-
-	  if test -n "$library_names"; then
-	    # Do each command in the postuninstall commands.
-	    eval cmds=\"$postuninstall_cmds\"
-	    IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
-	    for cmd in $cmds; do
+	# Possibly a libtool archive, so verify it.
+	if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  . $dir/$name
+
+	  # Delete the libtool libraries and symlinks.
+	  for n in $library_names; do
+	    rmfiles="$rmfiles $objdir/$n"
+	  done
+	  test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
+	  test $mode = clean && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+
+	  if test $mode = uninstall; then
+	    if test -n "$library_names"; then
+	      # Do each command in the postuninstall commands.
+	      eval cmds=\"$postuninstall_cmds\"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd"
+	      done
 	      IFS="$save_ifs"
-	      $show "$cmd"
-	      $run eval "$cmd"
-	    done
-	    IFS="$save_ifs"
-	  fi
+	    fi
 
-          if test -n "$old_library"; then
-	    # Do each command in the old_postuninstall commands.
-	    eval cmds=\"$old_postuninstall_cmds\"
-	    IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
-	    for cmd in $cmds; do
+	    if test -n "$old_library"; then
+	      # Do each command in the old_postuninstall commands.
+	      eval cmds=\"$old_postuninstall_cmds\"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd"
+	      done
 	      IFS="$save_ifs"
-	      $show "$cmd"
-	      $run eval "$cmd"
-	    done
-	    IFS="$save_ifs"
+	    fi
+	    # FIXME: should reinstall the best remaining shared library.
 	  fi
-
-          # FIXME: should reinstall the best remaining shared library.
-        fi
-        ;;
+	fi
+	;;
 
       *.lo)
-        if test "$build_old_libs" = yes; then
-          oldobj=`$echo "X$name" | $Xsed -e "$lo2o"`
-          rmfiles="$rmfiles $dir/$oldobj"
-        fi
-	$show "$rm $rmfiles"
-	$run $rm $rmfiles
-        ;;
+	if test "$build_old_libs" = yes; then
+	  oldobj=`$echo "X$name" | $Xsed -e "$lo2o"`
+	  rmfiles="$rmfiles $dir/$oldobj"
+	fi
+	;;
 
       *)
-      	$show "$rm $rmfiles"
-	$run $rm $rmfiles
+	# Do a test to see if this is a libtool program.
+	if test $mode = clean &&
+	   (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  relink_command=
+	  . $dir/$file
+
+	  rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
+	  if test "$fast_install" = yes && test -n "$relink_command"; then
+	    rmfiles="$rmfiles $objdir/lt-$name"
+	  fi
+	fi
 	;;
       esac
+      $show "$rm $rmfiles"
+      $run $rm $rmfiles
     done
     exit 0
     ;;
@@ -2930,6 +4596,7 @@ Provide generalized library-building support services.
 
 MODE must be one of the following:
 
+      clean           remove files from the build directory
       compile         compile a source file into a libtool object
       execute         automatically set library path, then run a program
       finish          complete the installation of libtool libraries
@@ -2942,6 +4609,20 @@ a more detailed description of MODE."
   exit 0
   ;;
 
+clean)
+  $echo \
+"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
+
+Remove files from the build directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, object or program, all the files associated
+with it are deleted. Otherwise, only FILE itself is deleted using RM."
+  ;;
+
 compile)
   $echo \
 "Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
@@ -2950,6 +4631,7 @@ Compile a source file into a libtool library object.
 
 This mode accepts the following additional options:
 
+  -o OUTPUT-FILE    set the output file name to OUTPUT-FILE
   -static           always build a \`.o' file suitable for static linking
 
 COMPILE-COMMAND is a command to be used in creating a \`standard' object file
@@ -3018,18 +4700,27 @@ a program from several object files.
 The following components of LINK-COMMAND are treated specially:
 
   -all-static       do not do any dynamic linking at all
+  -avoid-version    do not add a version suffix if possible
   -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
-  -dlpreopen FILE   link in FILE and add its symbols to dld_preloaded_symbols
+  -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
   -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
+  -export-symbols SYMFILE
+		    try to export only the symbols listed in SYMFILE
+  -export-symbols-regex REGEX
+		    try to export only the symbols matching REGEX
   -LLIBDIR          search LIBDIR for required installed libraries
   -lNAME            OUTPUT-FILE requires the installed library libNAME
+  -module           build a library that can dlopened
+  -no-fast-install  disable the fast-install mode
+  -no-install       link a not-installable executable
   -no-undefined     declare that a library does not refer to external symbols
   -o OUTPUT-FILE    create OUTPUT-FILE from the specified objects
   -release RELEASE  specify package release information
   -rpath LIBDIR     the created library will eventually be installed in LIBDIR
+  -R[ ]LIBDIR       add LIBDIR to the runtime path of programs and libraries
   -static           do not do any dynamic linking of libtool libraries
   -version-info CURRENT[:REVISION[:AGE]]
-                    specify library version info [each variable defaults to 0]
+		    specify library version info [each variable defaults to 0]
 
 All other options (arguments beginning with \`-') are ignored.
 
@@ -3037,8 +4728,9 @@ Every other argument is treated as a filename.  Files ending in \`.la' are
 treated as uninstalled libtool libraries, other files are standard or library
 object files.
 
-If the OUTPUT-FILE ends in \`.la', then a libtool library is created, only
-library objects (\`.lo' files) may be specified, and \`-rpath' is required.
+If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
+only library objects (\`.lo' files) may be specified, and \`-rpath' is
+required, except when creating a convenience library.
 
 If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
 using \`ar' and \`ranlib', or on Windows using \`lib'.
@@ -3048,7 +4740,7 @@ is created, otherwise an executable program is created."
   ;;
 
 uninstall)
-  $echo
+  $echo \
 "Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
 
 Remove libraries from an installation directory.
diff --git a/crypto/heimdal/missing b/crypto/heimdal/missing
index bdf90f5..1570c79 100644
--- a/crypto/heimdal/missing
+++ b/crypto/heimdal/missing
@@ -1,2 +1,265 @@
 #! /bin/sh
-# This is a silly file that automake needs
+# Common stub for a few missing GNU programs while installing.
+# Copyright (C) 1996, 1997, 1999, 2000 Free Software Foundation, Inc.
+# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+
+if test $# -eq 0; then
+  echo 1>&2 "Try \`$0 --help' for more information"
+  exit 1
+fi
+
+run=:
+
+case "$1" in
+--run)
+  # Try to run requested program, and just exit if it succeeds.
+  run=
+  shift
+  "$@" && exit 0
+  ;;
+esac
+
+# If it does not exist, or fails to run (possibly an outdated version),
+# try to emulate it.
+case "$1" in
+
+  -h|--h|--he|--hel|--help)
+    echo "\
+$0 [OPTION]... PROGRAM [ARGUMENT]...
+
+Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
+error status if there is no known handling for PROGRAM.
+
+Options:
+  -h, --help      display this help and exit
+  -v, --version   output version information and exit
+  --run           try to run the given command, and emulate it if it fails
+
+Supported PROGRAM values:
+  aclocal      touch file \`aclocal.m4'
+  autoconf     touch file \`configure'
+  autoheader   touch file \`config.h.in'
+  automake     touch all \`Makefile.in' files
+  bison        create \`y.tab.[ch]', if possible, from existing .[ch]
+  flex         create \`lex.yy.c', if possible, from existing .c
+  help2man     touch the output file
+  lex          create \`lex.yy.c', if possible, from existing .c
+  makeinfo     touch the output file
+  tar          try tar, gnutar, gtar, then tar without non-portable flags
+  yacc         create \`y.tab.[ch]', if possible, from existing .[ch]"
+    ;;
+
+  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
+    echo "missing 0.3 - GNU automake"
+    ;;
+
+  -*)
+    echo 1>&2 "$0: Unknown \`$1' option"
+    echo 1>&2 "Try \`$0 --help' for more information"
+    exit 1
+    ;;
+
+  aclocal)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`acinclude.m4' or \`configure.in'.  You might want
+         to install the \`Automake' and \`Perl' packages.  Grab them from
+         any GNU archive site."
+    touch aclocal.m4
+    ;;
+
+  autoconf)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`configure.in'.  You might want to install the
+         \`Autoconf' and \`GNU m4' packages.  Grab them from any GNU
+         archive site."
+    touch configure
+    ;;
+
+  autoheader)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`acconfig.h' or \`configure.in'.  You might want
+         to install the \`Autoconf' and \`GNU m4' packages.  Grab them
+         from any GNU archive site."
+    files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' configure.in`
+    test -z "$files" && files="config.h"
+    touch_files=
+    for f in $files; do
+      case "$f" in
+      *:*) touch_files="$touch_files "`echo "$f" |
+				       sed -e 's/^[^:]*://' -e 's/:.*//'`;;
+      *) touch_files="$touch_files $f.in";;
+      esac
+    done
+    touch $touch_files
+    ;;
+
+  automake)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`Makefile.am', \`acinclude.m4' or \`configure.in'.
+         You might want to install the \`Automake' and \`Perl' packages.
+         Grab them from any GNU archive site."
+    find . -type f -name Makefile.am -print |
+	   sed 's/\.am$/.in/' |
+	   while read f; do touch "$f"; done
+    ;;
+
+  bison|yacc)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.y' file.  You may need the \`Bison' package
+         in order for those modifications to take effect.  You can get
+         \`Bison' from any GNU archive site."
+    rm -f y.tab.c y.tab.h
+    if [ $# -ne 1 ]; then
+        eval LASTARG="\${$#}"
+	case "$LASTARG" in
+	*.y)
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" y.tab.c
+	    fi
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" y.tab.h
+	    fi
+	  ;;
+	esac
+    fi
+    if [ ! -f y.tab.h ]; then
+	echo >y.tab.h
+    fi
+    if [ ! -f y.tab.c ]; then
+	echo 'main() { return 0; }' >y.tab.c
+    fi
+    ;;
+
+  lex|flex)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.l' file.  You may need the \`Flex' package
+         in order for those modifications to take effect.  You can get
+         \`Flex' from any GNU archive site."
+    rm -f lex.yy.c
+    if [ $# -ne 1 ]; then
+        eval LASTARG="\${$#}"
+	case "$LASTARG" in
+	*.l)
+	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" lex.yy.c
+	    fi
+	  ;;
+	esac
+    fi
+    if [ ! -f lex.yy.c ]; then
+	echo 'main() { return 0; }' >lex.yy.c
+    fi
+    ;;
+
+  help2man)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+	 you modified a dependency of a manual page.  You may need the
+	 \`Help2man' package in order for those modifications to take
+	 effect.  You can get \`Help2man' from any GNU archive site."
+
+    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
+    if test -z "$file"; then
+	file=`echo "$*" | sed -n 's/.*--output=\([^ ]*\).*/\1/p'`
+    fi
+    if [ -f "$file" ]; then
+	touch $file
+    else
+	test -z "$file" || exec >$file
+	echo ".ab help2man is required to generate this page"
+	exit 1
+    fi
+    ;;
+
+  makeinfo)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.texi' or \`.texinfo' file, or any other file
+         indirectly affecting the aspect of the manual.  The spurious
+         call might also be the consequence of using a buggy \`make' (AIX,
+         DU, IRIX).  You might want to install the \`Texinfo' package or
+         the \`GNU make' package.  Grab either from any GNU archive site."
+    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
+    if test -z "$file"; then
+      file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
+      file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file`
+    fi
+    touch $file
+    ;;
+
+  tar)
+    shift
+    if test -n "$run"; then
+      echo 1>&2 "ERROR: \`tar' requires --run"
+      exit 1
+    fi
+
+    # We have already tried tar in the generic part.
+    # Look for gnutar/gtar before invocation to avoid ugly error
+    # messages.
+    if (gnutar --version > /dev/null 2>&1); then
+       gnutar ${1+"$@"} && exit 0
+    fi
+    if (gtar --version > /dev/null 2>&1); then
+       gtar ${1+"$@"} && exit 0
+    fi
+    firstarg="$1"
+    if shift; then
+	case "$firstarg" in
+	*o*)
+	    firstarg=`echo "$firstarg" | sed s/o//`
+	    tar "$firstarg" ${1+"$@"} && exit 0
+	    ;;
+	esac
+	case "$firstarg" in
+	*h*)
+	    firstarg=`echo "$firstarg" | sed s/h//`
+	    tar "$firstarg" ${1+"$@"} && exit 0
+	    ;;
+	esac
+    fi
+
+    echo 1>&2 "\
+WARNING: I can't seem to be able to run \`tar' with the given arguments.
+         You may want to install GNU tar or Free paxutils, or check the
+         command line arguments."
+    exit 1
+    ;;
+
+  *)
+    echo 1>&2 "\
+WARNING: \`$1' is needed, and you do not seem to have it handy on your
+         system.  You might have modified some files without having the
+         proper tools for further handling them.  Check the \`README' file,
+         it often tells you about the needed prerequirements for installing
+         this package.  You may also peek at any GNU archive site, in case
+         some other package would contain this missing \`$1' program."
+    exit 1
+    ;;
+esac
+
+exit 0
diff --git a/crypto/heimdal/tools/Makefile.am b/crypto/heimdal/tools/Makefile.am
new file mode 100644
index 0000000..4f02904
--- /dev/null
+++ b/crypto/heimdal/tools/Makefile.am
@@ -0,0 +1,25 @@
+# $Id: Makefile.am,v 1.5 2001/01/29 06:56:33 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+EXTRA_DIST = krb5-config.1
+
+CLEANFILES = krb5-config
+
+bin_SCRIPTS = krb5-config
+
+man_MANS = krb5-config.1
+
+krb5-config: krb5-config.in
+	sed	-e "s,@PACKAGE\@,$(PACKAGE),g" \
+		-e "s,@VERSION\@,$(VERSION),g" \
+		-e "s,@prefix\@,$(prefix),g" \
+		-e "s,@exec_prefix\@,$(exec_prefix),g" \
+		-e "s,@libdir\@,$(libdir),g" \
+		-e "s,@includedir\@,$(includedir),g" \
+		-e "s,@LIB_crypt\@,$(LIB_crypt),g" \
+		-e "s,@LIB_dbopen\@,$(LIB_dbopen),g" \
+		-e "s,@LIB_des_appl\@,$(LIB_des_appl),g" \
+		-e "s,@LIBS\@,$(LIBS),g" \
+		$(srcdir)/krb5-config.in > $@
+	chmod +x $@
diff --git a/crypto/heimdal/tools/Makefile.in b/crypto/heimdal/tools/Makefile.in
new file mode 100644
index 0000000..85afdc4
--- /dev/null
+++ b/crypto/heimdal/tools/Makefile.in
@@ -0,0 +1,524 @@
+# Makefile.in generated automatically by automake 1.4a from Makefile.am
+
+# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.5 2001/01/29 06:56:33 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+EXTRA_DIST = krb5-config.1
+
+CLEANFILES = krb5-config
+
+bin_SCRIPTS = krb5-config
+
+man_MANS = krb5-config.1
+subdir = tools
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+SCRIPTS =  $(bin_SCRIPTS)
+
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign tools/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+install-binSCRIPTS: $(bin_SCRIPTS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
+	  if test -f $$p; then \
+	    echo " $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f; \
+	  elif test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binSCRIPTS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binSCRIPTS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binSCRIPTS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(SCRIPTS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: uninstall-binSCRIPTS install-binSCRIPTS install-man1 \
+uninstall-man1 install-man uninstall-man tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+krb5-config: krb5-config.in
+	sed	-e "s,@PACKAGE\@,$(PACKAGE),g" \
+		-e "s,@VERSION\@,$(VERSION),g" \
+		-e "s,@prefix\@,$(prefix),g" \
+		-e "s,@exec_prefix\@,$(exec_prefix),g" \
+		-e "s,@libdir\@,$(libdir),g" \
+		-e "s,@includedir\@,$(includedir),g" \
+		-e "s,@LIB_crypt\@,$(LIB_crypt),g" \
+		-e "s,@LIB_dbopen\@,$(LIB_dbopen),g" \
+		-e "s,@LIB_des_appl\@,$(LIB_des_appl),g" \
+		-e "s,@LIBS\@,$(LIBS),g" \
+		$(srcdir)/krb5-config.in > $@
+	chmod +x $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/tools/krb5-config.1 b/crypto/heimdal/tools/krb5-config.1
new file mode 100644
index 0000000..1eb2e09
--- /dev/null
+++ b/crypto/heimdal/tools/krb5-config.1
@@ -0,0 +1,60 @@
+.\" $Id: krb5-config.1,v 1.3 2000/12/01 04:59:53 assar Exp $
+.\"
+.Dd November 30, 2000
+.Dt KRB5-CONFIG 1
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5-config
+.Nd
+give information on how to link code against Heimdal libraries
+.Sh SYNOPSIS
+.Nm
+.Op Fl -prefix Ns Op = Ns Ar dir
+.Op Fl -exec-prefix Ns Op = Ns Ar dir
+.Op Fl -libs
+.Op Fl -cflags
+.Op Ar libraries
+.Sh DESCRIPTION
+.Nm
+tells the application programmer what special flags to use to compile
+and link programs against the libraries installed by Heimdal.
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Fl -prefix Ns Op = Ns Ar dir
+Print the prefix if no
+.Ar dir
+is specified, otherwise set prefix to
+.Ar dir .
+.It Fl -exec-prefix Ns Op = Ns Ar dir
+Print the exec-prefix if no
+.Ar dir
+is specified, otherwise set exec-prefix to
+.Ar dir .
+.It Fl -libs
+Output the set of libraries that should be linked against.
+.It Fl -cflags
+Output the set of flags to give to the C compiler when using the
+Heimdal libraries.
+.El
+.Pp
+By default
+.Nm
+will output the set of flags and libraries to be used by a normal
+program using the krb5 API.  The user can also supply a library to be
+used, the supported ones are:
+.Bl -tag -width Ds
+.It krb5
+(the default)
+.It gssapi
+use the krb5 gssapi mechanism
+.It kadm-client
+use the client-side kadmin libraries
+.It kadm-server
+use the server-side kadmin libraries
+.El
+.Sh SEE ALSO
+.Xr cc 1
+.Sh HISTORY
+.Nm
+appeared in Heimdal 0.3d.
diff --git a/crypto/heimdal/tools/krb5-config.in b/crypto/heimdal/tools/krb5-config.in
new file mode 100755
index 0000000..e1235ac
--- /dev/null
+++ b/crypto/heimdal/tools/krb5-config.in
@@ -0,0 +1,110 @@
+#!/bin/sh
+# $Id: krb5-config.in,v 1.8 2001/01/29 06:56:51 assar Exp $
+
+do_libs=no
+do_cflags=no
+do_usage=no
+print_prefix=no
+print_exec_prefix=no
+library=krb5
+
+if test $# -eq 0; then
+  do_usage=yes
+  usage_exit=1
+fi
+
+for i in $*; do
+  case $i in
+  --help)
+    do_usage=yes
+    usage_exit=0
+    ;;
+  --version)
+    echo "@PACKAGE@ @VERSION@"
+    echo '$Id: krb5-config.in,v 1.8 2001/01/29 06:56:51 assar Exp $'
+    exit 0
+    ;;
+  --prefix=*)
+    prefix=`echo $i | sed 's/^--prefix=//'`
+    ;;
+  --prefix)
+    print_prefix=yes
+    ;;
+  --exec-prefix=*)
+    exec_prefix=`echo $i | sed 's/^--exec-prefix=//'`
+    ;;
+  --exec-prefix)
+    print_exec_prefix=yes
+    ;;
+  --libs)
+    do_libs=yes
+    ;;
+  --cflags)
+    do_cflags=yes
+    ;;
+  krb5)
+    library=krb5
+    ;;
+  gssapi)
+    library=gssapi
+    ;;
+  kadm-client)
+    library=kadm-client
+    ;;
+  kadm-server)
+    library=kadm-server
+    ;;
+  *)
+    echo "unknown option: $i"
+    exit 1
+    ;;
+  esac
+done
+
+if test "$do_usage" = "yes"; then
+    echo "usage: $0 [options] [libraries]"
+    echo "options: [--prefix[=dir]] [--exec-prefix[=dir]] [--libs] [--cflags]"
+    echo "libraries: krb5 gssapi kadm-client kadm-server"
+    exit $usage_exit
+fi
+
+if test "$prefix" = ""; then
+  prefix=@prefix@
+fi
+if test "$exec_prefix" = ""; then
+  exec_prefix=@exec_prefix@
+fi
+
+libdir=@libdir@
+includedir=@includedir@
+
+if test "$print_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$print_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$do_libs" = "yes"; then
+    lib_flags="-L${libdir}"
+    case $library in
+    gssapi)
+	lib_flags="$lib_flags -lgssapi"
+	;;
+    kadm-client)
+	lib_flags="$lib_flags -lkadm5clnt"
+	;;
+    kadm-server)
+	lib_flags="$lib_flags -lkadm5srv"
+	;;
+    esac
+    lib_flags="$lib_flags -lkrb5 -lasn1 @LIB_des_appl@ -lroken"
+    lib_flags="$lib_flags @LIB_crypt@ @LIB_dbopen@ @LIBS@"
+    echo $lib_flags
+fi
+if test "$do_cflags" = "yes"; then
+    echo "-I${includedir}"
+fi
+
+exit 0